Users in the EU, EEA, and UK have rights under GDPR and UK GDPR to access, correct, delete, restrict processing of, and obtain a portable copy of their personal data held by OpenRouter.
This analysis describes what OpenRouter's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy acknowledges GDPR and UK GDPR rights for EEA and UK users but does not specify the lawful basis for processing under GDPR Article 6, which may be material for users or regulators assessing the adequacy of OpenRouter's data processing compliance.
Interpretive note: The policy does not specify the GDPR lawful basis for processing or international data transfer mechanisms, creating uncertainty about the completeness of GDPR compliance as disclosed.
Complete removal of GDPR rights disclosure for EEA and UK users eliminates transparency about statutory data protection rights in the main privacy policy document.
View full change record →EEA and UK users can contact OpenRouter to exercise data subject rights including access, rectification, erasure, and portability, and the policy states users may lodge complaints with their local data protection authority if they believe their rights have been violated.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
OpenRouter has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection law. These may include the right to (i) request access and obtain a copy of your personal data, (ii) request rectification or erasure; (iii) object to or restrict processing of your personal data; and (iv) portability of your personal data.— Excerpt from OpenRouter's OpenRouter Privacy Policy
1. REGULATORY LANDSCAPE: This provision engages GDPR (Regulation 2016/679) and UK GDPR, enforced by national data protection authorities within the EEA and by the UK Information Commissioner's Office respectively. The policy does not identify OpenRouter's GDPR lawful basis for processing, its EU or UK representative, or its approach to international data transfers, which are standard disclosure elements under GDPR Articles 13 and 14. 2. GOVERNANCE EXPOSURE: High for EU and UK deployments. The absence of disclosed lawful bases, transfer mechanisms, and a named EU or UK representative creates potential compliance gaps under GDPR transparency requirements. Organizations subject to GDPR that use OpenRouter as a processor or sub-processor should request a Data Processing Agreement before deploying the service with EEA user data. 3. JURISDICTION FLAGS: All EEA member states and the UK are directly affected. Organizations headquartered or operating in Germany, France, or the Netherlands, which have active data protection enforcement environments, face heightened exposure. The policy does not specify whether OpenRouter has a lead supervisory authority within the EEA. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams in EU and UK organizations should request confirmation of Standard Contractual Clauses or an equivalent transfer mechanism for any personal data transferred to OpenRouter's US infrastructure. The absence of transfer mechanism disclosure in the published policy is a gap that should be addressed prior to onboarding. 5. COMPLIANCE CONSIDERATIONS: Legal teams should request OpenRouter's Records of Processing Activities, its Article 30 records, and any DPA template before executing enterprise agreements. A data protection impact assessment may be warranted for high-volume or sensitive-data API deployments. Users can exercise GDPR rights by contacting privacy@openrouter.ai and may escalate to their national DPA if requests are not fulfilled.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy acknowledges GDPR and UK GDPR rights for EEA and UK users but does not specify the lawful basis for processing under GDPR Article 6, which may be material for users or regulators assessing the adequacy of OpenRouter's data processing compliance.
EEA and UK users can contact OpenRouter to exercise data subject rights including access, rectification, erasure, and portability, and the policy states users may lodge complaints with their local data protection authority if they believe their rights have been violated.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenRouter.