Text or data you type into the OpenRouter service that contains personal information is collected by OpenRouter, subject to the handling rules described in the Terms of Service for prompts.
This analysis describes what OpenRouter's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy states that Inputs containing personal data are collected by OpenRouter, which means content submitted through the service interface, such as names, contact details, or other identifiable information embedded in messages, is subject to OpenRouter's data collection and sharing practices.
Interpretive note: The scope of what constitutes an 'Input' versus a 'prompt' governed by ToS section 5 is not fully clarified in the policy text, creating some ambiguity about which user-submitted content is subject to each set of rules.
Any personal information you include in text or data submitted through the OpenRouter service may be collected and retained by OpenRouter under this policy, in addition to being transmitted to the downstream AI model provider handling the request.
Cross-platform context
See how other platforms handle User Inputs Collected as Personal Data and similar clauses.
Compare across platforms →Monitoring
OpenRouter has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Any text or data (excluding prompts you send to the Service, which are governed by section five of the Terms of Service section 5) you input into the Service ("Inputs") that include personal data will also be collected by us.— Excerpt from OpenRouter's OpenRouter Privacy Policy
1. REGULATORY LANDSCAPE: Collection of personal data embedded in user Inputs engages GDPR, CCPA, and other applicable privacy frameworks depending on user location. Where Inputs contain special categories of personal data under GDPR Article 9 (such as health information, biometric data, or political opinions), heightened processing restrictions apply. HIPAA may be relevant where Inputs contain protected health information. 2. GOVERNANCE EXPOSURE: High for enterprise and developer users who may be submitting third-party personal data through the API. The collection of Input data by OpenRouter, combined with the disclaimer of responsibility for downstream LLM provider handling, creates a dual data processing relationship that may require separate contractual and compliance analysis. 3. JURISDICTION FLAGS: EU and UK users face exposure where Inputs contain special category data under GDPR. US users processing health information face potential HIPAA implications. California users retain CCPA rights over Input data collected by OpenRouter. 4. CONTRACT AND VENDOR IMPLICATIONS: API users and developers should assess whether their application design results in users submitting personal data as Inputs, and should implement appropriate notices and consent mechanisms for their end users. Procurement teams should confirm that OpenRouter's DPA covers Input data collection. 5. COMPLIANCE CONSIDERATIONS: Developers building applications on the OpenRouter API should conduct a data flow analysis to identify whether end-user Inputs will contain personal data, and should ensure appropriate disclosures are made to their own users. Where Inputs may contain sensitive categories of data, a data protection impact assessment may be warranted.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy states that Inputs containing personal data are collected by OpenRouter, which means content submitted through the service interface, such as names, contact details, or other identifiable information embedded in messages, is subject to OpenRouter's data collection and sharing practices.
Any personal information you include in text or data submitted through the OpenRouter service may be collected and retained by OpenRouter under this policy, in addition to being transmitted to the downstream AI model provider handling the request.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenRouter.