This site is an independent third-party technical service provider. Claude™ and Anthropic® are trademarks of Anthropic, PBC. This site has no affiliation, endorsement, or partnership with Anthropic.

Claude API Privacy Policy

Last updated:May 24, 2026

  • Operating Entity:NiceCloud LLC (Colorado limited liability company)
  • Covered Products:claudeapi.com website, console.claudeapi.com console, ClaudeAPI API gateway, and related ancillary services
  • Version:v1.1
  • Effective Date:May 24, 2026
  • Last Updated:May 24, 2026
  • Privacy Contact Email[email protected]

Important Preface (Please Read First)

  1. NiceCloud is a Colorado limited liability company in the United States. NiceCloud operates the Service from the United States. All infrastructure for the Service, including web servers, console, API gateway, databases, logging systems, backups, payment systems, and customer support systems, is deployed on Amazon Web Services in the United States and other regions outside mainland China, primarily us-east-1 / us-west-2. All of your information will be stored, transmitted, and processed outside the People’s Republic of China.
  2. The Service is not offered to users located in mainland China. Users located in that region may not register for or use the Service. If you are accessing the Service from that region, please stop immediately.
  3. Core commitments regarding your API request content: (a) NiceCloud does not, by default, persist your complete request content or model outputs as long-term business records; (b) NiceCloud itself will not use any of your inputs or outputs to train, fine-tune, distill, or evaluate any AI model; (c) NiceCloud will not sell your inputs or outputs to any third party; and (d) upstream model providers process your data under their own terms, including the public commitments by Anthropic’s commercial API and AWS Amazon Bedrock not to use commercial customer content to train their models.

1. Scope

This Claude API Privacy Policy (this “Policy”) explains how NiceCloud LLC (“NiceCloud,” “we,” “us,” or “our”) collects, uses, stores, shares, transfers, and protects your personal information and other related data when you use the Service, and describes the rights you may have with respect to your personal information.

This Policy applies whenever you access claudeapi.com, register for or use the console, create or use an API Key, call the API, top up your account, view logs, use the Playground, read documentation, contact customer support, manage your profile, or use other ClaudeAPI services.

This Policy and the ClaudeAPI Terms of Service together form the complete agreement between you and NiceCloud. If this Policy conflicts with the ClaudeAPI Terms of Service on matters involving the processing of personal information, this Policy controls.

Please read this Policy carefully before using the Service. By using the Service, you acknowledge that you have read, understood, and agreed to all data processing practices described in this Policy, including the transfer and storage of your data outside the People’s Republic of China.

2. Types of Information We Process

We process the following categories of information based on actual functionality and the principle of data minimization. The specific fields depend on the pages, APIs, and backend functions actually used.

2.1 Account and Identity Information

When you register, log in, bind an email address, change your password, request account recovery, use your profile, participate in activities, or contact customer support, we may process:

  • Email address, username, display name, account ID, registration time, login time, and device information;
  • Salted password hashes, multi-factor authentication (MFA) credentials, email verification codes, and security verification information;
  • Contact details, organization or team name, industry, usage description, identity description, and similar information that you voluntarily provide. Industry and application scenario / usage description are required when registering and applying for an API Key, as described in Section 4.8 of the ClaudeAPI Terms of Service;
  • Minimum necessary information authorized through third-party login, such as GitHub OAuth or Google OAuth, usually email address and username;
  • Account security settings, notification preferences, and privacy management settings;
  • Invitation relationships, including referrers and referred users.

2.2 API Keys, Developer Configuration, and Credential Metadata

When you create, edit, disable, delete, or use an API Key or Token, or configure Claude Code, Cline, Cursor, OpenCode, CC Switch, or other SDK / CLI / IDE plugins, we may process:

  • API Key / Token name, identifier, status, creation time, expiration time, permission scope, and associated model scope;
  • API Key hash values, used for verification; we do not store plaintext API Keys;
  • Key usage notes, operation logs, and related security event records;
  • Necessary metadata related to Base URL, model ID, and SDK configuration.

Except where a page explicitly displays it or you voluntarily copy it, we will not ask you to provide a complete plaintext API Key to customer support or any public channel. You should also avoid sending complete API Keys in support tickets, group chats, emails, screenshots, or video tutorials.

2.3 API Call Data and Logs

To provide the API gateway, billing, observability, troubleshooting, security protection, and customer support, we process:

A. Call metadata (retained by default for billing and security purposes; see Section 7 for retention periods):

  • Call timestamp, selected model / model ID, and API Key identifier;
  • Input token count, output token count, cached token count, and context length;
  • HTTP status code, upstream response code, and error code;
  • Request ID, response latency, and upstream routing information;
  • Source IP address, used for risk control and security audits;
  • User-Agent, SDK version, API endpoint path, and HTTP method;
  • Fees, currency, and account balance after deduction.

B. Request and response body (not persisted by default):

  • Input content, including prompts, system prompts, messages, files, images, audio, context, and parameters;
  • Model outputs, including text, code, structured data, tool calls, and embeddings.

By default, NiceCloud temporarily processes the above request and response bodies only while routing the request, and does not persist them after the request is completed. We only retain them briefly in the following exceptional cases, for no more than 30 days unless required by law or upstream review:

  • You voluntarily enable “full log mode” in the console for debugging. Enabling it is treated as your express consent, and you may turn it off at any time;
  • You voluntarily include request / response content in a support ticket or customer support communication;
  • Short-term audit is required for risk control, compliance, abuse detection, or security review;
  • An upstream provider, such as Anthropic or AWS, requests records from NiceCloud for an abuse investigation;
  • We need to handle billing disputes, refund disputes, third-party complaints, or legal requests.

2.4 Payment, Wallet, Credits, and Invoice Information

When you top up, subscribe, change payment methods, use redemption codes, view top-up records, or request invoices, we may process:

  • Top-up amount, currency, payment method, order number, payment status, settlement time, Credits balance, and consumption details;
  • Minimum necessary transaction information returned by payment service providers such as Stripe, PayPal, Wise, Mercury, and cryptocurrency payment providers. NiceCloud itself does not proactively store complete bank card numbers, payment account passwords, CVV codes, or similar sensitive payment credentials; those credentials are processed by payment service providers in environments that comply with standards such as PCI-DSS;
  • Invoice title, tax ID, address, phone number, recipient email address, invoicing records, and invoice status;
  • Redemption codes, discounts, refunds, abnormal transactions, chargebacks, and risk-control handling records;
  • On-chain transaction hashes for cryptocurrency payments, where applicable.

2.5 Support and Communication Information

When you contact us through online tickets, email, Telegram, Discord, Slack, community channels, or other support channels, we may process:

  • Issue descriptions, error time, Request ID, model name, request method, account identifier, screenshots, and log snippets that you submit;
  • Customer support communication records, handling status, internal notes, and resolution plans;
  • Information you voluntarily send in public communities.

Please do not send complete API Keys, account passwords, Credits balances, complete invoice information, private data, or other sensitive information in public communities or support ticket attachments.

2.6 Website, Device, Cookie, and Analytics Information

When you access claudeapi.com or the console, we process the following through cookies, local storage, pixel tags, logs, or similar technologies:

  • IP address, access time, page path, dwell time, browser type, operating system, device type, screen resolution, language preference, and referrer;
  • Login session identifiers, theme preferences, language preferences, and security risk-control identifiers;
  • Button clicks, form submissions, error events, performance metrics, crash logs, and basic statistics;
  • De-identified usage statistics collected by third-party analytics, error monitoring, and performance monitoring services, such as Google Analytics, Plausible, Sentry, and PostHog.

You may manage or delete cookies through your browser settings. Disabling necessary cookies may affect login, console, payment, security verification, or other functions. We respect Global Privacy Control (GPC) signals.

3. How We Use Information

We use the information described above for the following purposes:

  1. Providing and maintaining the Service: including the API gateway, console, model list, documentation, logs, wallet, Playground, customer support, and profile center;
  2. Account management and security: creating, authenticating, and protecting accounts; detecting abnormal logins, unauthorized access, and credential leaks;
  3. API Key and configuration management: creating, verifying, displaying, disabling, and rotating API Keys and related developer configurations;
  4. Request routing and billing: routing your API requests to the selected upstream model, returning outputs, calculating tokens and fees, deducting balances, and generating bills;
  5. Observability and troubleshooting: displaying call logs, consumption records, error information, and Request IDs so that you and we can investigate issues;
  6. Customer support: responding to tickets, diagnosing failures, handling complaints, and handling payment and invoice issues;
  7. Service notices: sending service notices, security reminders, balance alerts, policy updates, maintenance announcements, and necessary operational messages;
  8. Risk control and anti-abuse: preventing fraud, abuse, attacks, traffic manipulation, stolen payment use, and conduct that violates upstream policies or law. For this purpose, we may use automated technical measures such as sensitive-word recognition and third-party content safety detection APIs to perform real-time content safety screening of API requests and model outputs, and to block or reject content identified as illegal, non-compliant, or high-risk. Such screening is temporary processing and does not change the commitment in Section 2.3 that request / response bodies are not persisted by default;
  9. Legal compliance: satisfying laws and regulations, regulatory requirements, court orders, lawful government requests, and the need to enforce this agreement;
  10. Statistical analysis: analyzing product performance, model usage, cost, stability, and user experience in anonymized, de-identified, or aggregated form to improve the Service;
  11. Derived data generation: generating derived data from service operations, such as aggregated performance metrics, model routing statistics, abuse detection signals, and security intelligence, for improving and expanding the Service. Such data belongs to NiceCloud and is fully de-identified.

Commitment regarding AI model training:

  • NiceCloud does not use your API request content, whether inputs or outputs, to train NiceCloud-owned models; NiceCloud currently does not train any proprietary AI models.
  • NiceCloud has obtained upstream commitments, through Anthropic’s commercial API terms and AWS Amazon Bedrock terms, that customer content will not be used for model training:
    • Anthropic: “Anthropic may not train models on Customer Content from Services.” (Anthropic Commercial Terms of Service)
    • AWS: “AWS and the third-party model providers will not use any inputs to or outputs from Amazon Bedrock to train Amazon Nova, Amazon Titan, or any third-party models.” (Amazon Bedrock FAQ)
  • Content that you voluntarily submit through tickets or feedback may be used by NiceCloud for troubleshooting, risk control, dispute handling, and service improvement, but it will likewise not be used to train models.

4. API Request Content and Upstream Model Providers

As a third-party API access and routing gateway, NiceCloud must forward your request content and necessary parameters, files, images, context, system prompts, and similar data to upstream model providers, primarily Anthropic, PBC and service providers that provide models through AWS Amazon Bedrock, in order to complete model calls.

You acknowledge and agree that:

  1. Underlying technical architecture: NiceCloud’s Service is built on AWS Amazon Bedrock and the Anthropic API. Depending on the model you select and the routing strategy, your requests may be processed by AWS Bedrock regions or Anthropic servers located primarily in the United States or in other regions outside mainland China.
  2. Data processing location: Relevant data will be stored at rest in encrypted form in the AWS Bedrock region selected by the customer, or processed in Anthropic data centers in the United States or Europe.
  3. Independent application of upstream terms: Upstream providers process your data under their own terms and privacy policies:
  • Anthropic Privacy Policy: https://www.anthropic.com/legal/privacy
  • Anthropic Commercial Terms: https://www.anthropic.com/legal/commercial-terms
  • Anthropic Usage Policy: https://www.anthropic.com/legal/aup
  • AWS Privacy Notice: https://aws.amazon.com/privacy/
  • AWS Customer Agreement: https://aws.amazon.com/agreement/
  • AWS Service Terms (including Amazon Bedrock): https://aws.amazon.com/service-terms/
  1. Core upstream commitments: Anthropic’s commercial API and AWS Amazon Bedrock each expressly commit not to use customer content to train models. AWS Bedrock states that customer content is stored encrypted only in the selected AWS region and is not shared with any model provider. Feedback data for Anthropic’s commercial API, only where you voluntarily provide it, is retained for up to 5 years.
  2. Risk of upstream policy changes: Upstream policies may change as they are updated. NiceCloud will use reasonable efforts to monitor and publish material changes on its website, but NiceCloud is not responsible for specific changes to upstream policies.
  3. Your compliance obligations: If you process another person’s personal information, sensitive personal information, minors’ information, trade secrets, important data, or regulated data through the Service, such as PHI under HIPAA, payment card data under PCI-DSS, special categories of data under GDPR, or sensitive personal information under CCPA, you are responsible for ensuring that you have obtained sufficient authorization, provided necessary notices and consents, and satisfied all requirements of applicable law. When such data is involved, you should separately enter into a data processing agreement (DPA) or equivalent compliance agreement with NiceCloud by contacting [email protected].

5. How We Share, Entrust Processing of, or Disclose Information

NiceCloud does not sell your personal information and does not share your personal information for targeted advertising or cross-context behavioral advertising purposes. We share or entrust the processing of information only as necessary with the following categories of recipients:

  1. Upstream model providers: including Anthropic, PBC and service providers that provide models through AWS Amazon Bedrock, for completing the model calls you select.
  2. Cloud infrastructure providers: primarily Amazon Web Services, Inc., for hosting compute, storage, networking, databases, containers, CDN, DNS, WAF, and other infrastructure. AWS processes relevant data under its Customer Agreement and Privacy Notice.
  3. Security, risk-control, and observability providers: such as Cloudflare for DDoS protection and WAF, and error monitoring and log analysis services such as Sentry and Datadog, to protect the security and availability of the Service.
  4. Payment service providers: such as Stripe, PayPal, Wise, Mercury, and cryptocurrency payment channels, for processing top-ups, payments, refunds, reconciliation, and risk control. These providers process payment information independently as separate controllers of personal information under their own terms.
  5. Customer communication tools: such as email delivery services, ticketing systems, and instant messaging tools, for handling support requests and service notices.
  6. Professional service providers: such as accountants, tax advisors, external legal counsel, and auditors, for handling finance, tax, legal, and compliance matters.
  7. Affiliates or business successors: if a merger, division, acquisition, asset transfer, bankruptcy liquidation, or business restructuring occurs, your information may be transferred as a business asset. NiceCloud will notify you in advance by email or announcement.
  8. Judicial, administrative, regulatory, and law enforcement authorities: where required by law, court order, subpoena, or as necessary to protect legal rights, we must carefully evaluate the matter within the scope permitted by law and notify affected users where possible.
  9. Protection of legal rights: where we believe in good faith that disclosure is necessary to prevent fraud, security threats, personal injury, violations of law, or violations of this agreement.

We enter into appropriate agreements with third-party processors requiring them to process information only to the extent necessary for the relevant processing purpose and to adopt reasonable security safeguards. Where a third party independently provides services to you or independently determines the purposes and means of processing, such as payment service providers or independent upstream model providers, its own privacy policy applies independently.

6. Cross-Border Data Transfers

6.1 Offshore storage and processing. NiceCloud is a Colorado LLC in the United States, and the Service infrastructure is deployed on AWS in the United States and other regions outside mainland China. All data you submit, including account information, call metadata, and request / response bodies where necessary, will be transferred to and stored outside the People’s Republic of China. Your requests will be routed to servers of Anthropic or AWS Amazon Bedrock located in the United States or other regions outside mainland China, and processed by them under their respective terms.

6.2 Deemed consent. By voluntarily accessing, registering for, paying for, and using the Service, you are deemed to have independently evaluated and completed all compliance obligations under your jurisdiction relating to purchasing offshore services, cross-border data transfers, foreign exchange payments, and outbound transfers of personal information, and to have expressly consented to NiceCloud conducting the above cross-border transfers. NiceCloud is not responsible for your compliance obligations under the laws of your location.

6.3 EEA / UK / Swiss users. NiceCloud conducts cross-border transfers of EEA, UK, and Swiss user data under the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), or other transfer mechanisms permitted by law. EEA / UK / Swiss users who need SCCs or a DPA may contact [email protected].

6.4 California and other U.S. state users. NiceCloud provides users with rights under the California Consumer Privacy Act (CCPA/CPRA) and other state privacy laws, such as VCDPA, CPA, CTDPA, UCPA, and IDPA, as described in Section 8.

6.5 Please note: the data protection laws of the United States and the locations of upstream model providers may differ from the laws of your location, including with respect to government access mechanisms, regulatory requirements, and personal-rights remedies.

7. Information Storage and Retention

7.1 Storage Location. We store and process information primarily on AWS infrastructure in the United States and other jurisdictions where our service providers operate. Depending on your location, your information may be transferred to and processed in a country other than where you reside.

7.2 Retention periods. We retain information for the shortest period necessary to achieve the processing purpose, unless laws, regulations, regulatory requirements, tax, audit, dispute handling, security, or a separate agreement between the parties requires a longer period. The following retention periods apply as a reference:

Information Category

Default Retention Period

Notes

Basic account information

Account lifetime + 30 days after deletion

Used for short-term dispute handling after account deletion

Password hashes and MFA credentials

Account lifetime

Deleted immediately after account deletion

API Key hashes and metadata

Key lifetime + 90 days after revocation

Used for security audits

Call metadata (time, model, tokens, status code, fees)

2 months

Used for billing reconciliation and risk control

Request / response body

0 days by default; no more than 30 days when full log mode or an exceptional case applies

See Section 2.3

Risk-control / security audit records

24 months

Used to detect repeated abuse and security incidents

IP address (associated with call metadata)

2 months (same as call metadata)

Source IP summary

Payment and top-up records

7 years

Complies with U.S. tax and accounting audit requirements

Invoice and tax records

7 years

Complies with U.S. and applicable tax requirements

Customer support and ticket records

24 months

Used for support, complaints, and dispute handling

Legal hold (litigation hold) data

Duration of legal hold

Required by law or litigation

7.3 Expiration handling. Information beyond its retention period will be deleted or irreversibly anonymized. Anonymized information is no longer personal information and may continue to be retained for statistics and service improvement, unless laws or regulations require otherwise.

7.4 Backups. Information may exist in encrypted backups for disaster recovery. Backups will eventually be overwritten or deleted under standard rotation policies.

8. Your Rights

8.1 Basic rights. Depending on applicable law, you may have the following rights regarding your personal information:

  1. Right to know: to understand how we process your personal information;
  2. Right of access and copy: to access and obtain a copy of the personal information we hold about you;
  3. Right to portability: to obtain your personal information in a structured, commonly used, machine-readable format, or request that it be transmitted to a third party, where technically feasible;
  4. Right to correction and supplementation: to correct inaccurate personal information or supplement incomplete personal information;
  5. Right to deletion (“right to be forgotten”): to request deletion of your personal information to the extent permitted by law;
  6. Right to restriction of processing: to request restriction of processing in specific circumstances;
  7. Right to object: to object to processing based on legitimate interests or to automated decision-making;
  8. Right to withdraw consent: to withdraw consent previously given, without affecting processing already carried out based on consent before withdrawal;
  9. Right to non-discrimination: not to receive discriminatory treatment for exercising your rights;
  10. Opt-out of sale/share (California, Virginia, and similar state users only): to opt out of the sale of your personal information or the sharing of your personal information for targeted advertising or cross-context behavioral advertising. NiceCloud does not sell your personal information and does not share it for those purposes, and respects opt-out signals sent through mechanisms such as Global Privacy Control (GPC).
  11. Right to complain: to lodge a complaint with a regulator or seek judicial relief.

For automated risk-control measures that may materially affect you, such as automatic account suspension or termination, you have the right to request human review under Section 5.6 of the ClaudeAPI Terms of Service.

8.2 How to exercise rights. You may exercise your rights through the following methods:

  1. Console: access or update account information, API Key configuration, privacy preferences, or request account deletion;
  2. Email: send a request to [email protected] with the subject line “Privacy Request - [Right Type]” and include your account identifier and information sufficient to verify your identity.

8.3 Response timelines:

  1. Self-service operations through the console take effect immediately;
  2. For requests submitted by email, we will respond within 45 days after receiving valid identity verification materials. If the request is complex, we may extend once for up to an additional 45 days and will notify you by email of the reason for the extension;
  3. For requests involving California CCPA/CPRA users, we will process the request within the time limits required by applicable law;
  4. For requests involving EEA / UK GDPR users, we will respond within 30 days, which may be extended by two months where the request is complex.

8.4 Identity verification. To protect account and data security, we may require you to complete identity verification before responding to a rights request. Verification methods include making the request through your registered email address, providing your account ID, answering account verification questions, or providing a copy of a government-issued identity document where necessary. We will properly safeguard verification materials and use them only for verification purposes.

8.5 Circumstances where we may refuse to process a request. We may lawfully refuse or partially fulfill your request in the following circumstances and will explain the reason:

  1. Where the request relates to our performance of obligations under laws and regulations;
  2. Where the request is directly related to national security, defense security, criminal investigation, prosecution, trial, or enforcement of judgments;
  3. Where the request is directly related to public safety, public health, or major public interests;
  4. Where there is sufficient evidence that you have subjective malice or are abusing your rights;
  5. Where processing the request is necessary to protect your or another natural person’s major lawful rights and interests, such as life or property, but obtaining authorization is difficult;
  6. Where responding to your request would seriously harm the lawful rights and interests of another individual or organization;
  7. Where the request involves trade secrets;
  8. Other circumstances provided by laws or regulations.

8.6 Remedies. If you object to our processing or response, you may lodge a complaint with a data protection regulator in your location or another authority you believe has jurisdiction, or seek relief through the dispute-resolution clause in Section 16 of this Policy. California users may contact the California Attorney General’s Office; EEA users may contact the data protection authority in their country; other users may contact a local authority with jurisdiction.

9. Account Deletion and Data Deletion

9.1 You may request account deletion through the “Account Deletion” function in the console or by emailing [email protected]. We will begin processing within 7 business days after identity verification.

9.2 Account deletion will result in:

  1. You being unable to log in to the console or continue using the API;
  2. Your API Keys, Tokens, and configurations being immediately revoked;
  3. Your account information, API Key metadata, control configurations, and similar information being deleted or anonymized;
  4. Call metadata, risk-control records, and customer support records being retained under the default retention periods in Section 7 of this Policy and deleted or anonymized upon expiration;
  5. Information required to be retained for invoices, payments, tax, audit, regulatory, risk-control, dispute handling, or legal hold purposes being retained for the statutory period and deleted or anonymized immediately after the retention period expires;
  6. Credits balance handling being carried out under the refund rules in Section 8 of the ClaudeAPI Terms of Service.

9.3 Before deleting your account, you should confirm your balance, invoices, log exports, business migration, and API Key deactivation arrangements, and download and back up any data you need to retain.

10. Minors

10.1 The Service is not intended for natural persons under 18 years old. NiceCloud does not knowingly collect personal information from users under 18 years old.

10.2 If we discover that we have inadvertently collected information from a user under 18, or if law requires us to delete the relevant information, including information of children under 13 under the U.S. COPPA, or information of children under 14 under China’s Law on the Protection of Minors and Provisions on the Cyber Protection of Children’s Personal Information, we will immediately stop providing the Service and delete the relevant information.

10.3 If you are a parent or guardian and discover that a minor has used the Service without your consent, please contact us at [email protected] to request deletion.

10.4 If you process minors’ personal information through the Service, you are responsible for ensuring that you have obtained the guardian’s express consent and fulfilled special protection obligations.

11. Information Security

11.1 Technical and organizational measures. We take industry-reasonable technical and organizational measures to protect information security, including:

  • HTTPS / TLS 1.2+ encryption in transit;
  • At-rest encryption (AES-256): call metadata, logs, and backups are stored in encrypted form;
  • API Keys are stored only as hash values, not in plaintext;
  • Passwords are stored using salted hashes;
  • Role-based access control (RBAC), least-privilege principles, multi-person review, and audits of privileged operations;
  • Multi-factor authentication (MFA) support;
  • Network-layer WAF, DDoS protection, intrusion detection, and vulnerability scanning;
  • Access restrictions and audits for logs, payment, invoice, and customer support data;
  • Risk control, abnormal-call detection, abuse protection, and automatic suspension mechanisms;
  • Employee background checks, confidentiality agreements, regular security training, and security awareness assessments;
  • Security and confidentiality requirements for service providers and partners;
  • Regular external security assessments, penetration testing, and vulnerability reward programs, where applicable;
  • Information security incident response plans.

11.2 Data breach notification. If a security incident affects your personal information, we will promptly initiate incident response under applicable law, take measures to control the expansion of harm, and notify affected users and relevant regulators within the time limits required by applicable law. Where applicable law does not provide a longer grace period, we will use reasonable efforts to initiate the notification process no later than 72 hours after confirming the incident. The notice will include the basic facts of the incident, possible impact, remedial measures taken, protective measures you may take, and contact information.

11.3 Your security responsibilities. No internet environment can be guaranteed to be absolutely secure. Please:

  • Use strong passwords and change them regularly; enable MFA;
  • Properly safeguard your account, password, API Keys, tokens, backup codes, and local development environment;
  • Do not expose API Keys in public repositories, web pages, screenshots, communities, or untrusted tools;
  • Rotate API Keys regularly; use different Keys for different applications;
  • Stay alert to phishing emails and social-engineering attacks targeting you;
  • If you detect an abnormality, immediately change your password, revoke API Keys, and contact [email protected].

12.1 NiceCloud websites, console, or documentation may contain links to upstream model providers, cloud service providers, payment service providers, customer support tools, communities, third-party developer tools, SDKs, CLIs, IDE plugins, or other third-party websites.

12.2 These third-party services are independently operated by third parties, and their privacy policies and terms apply independently. Before accessing or using them, you should independently read and evaluate their terms, permissions, data processing practices, and security risks.

12.3 Third-party developer tools, such as Claude Code, Cline, Cursor, OpenCode, and CC Switch, may access your local file system, code, clipboard, and terminal environment. NiceCloud makes no guarantee and assumes no responsibility for the data processing practices of such tools. Please review their respective privacy policies.

13. Cookies and Similar Technologies

13.1 We may use cookies, local storage (LocalStorage / IndexedDB), pixel tags, log identifiers, or similar technologies to enable:

  1. Login session maintenance and security verification;
  2. Language, theme, time zone, and similar preferences;
  3. Security risk control and bot detection;
  4. Performance monitoring and error diagnosis;
  5. Anonymous statistical analysis.

13.2 You may manage cookies through your browser settings. Disabling necessary cookies may make login, console, security verification, payment, or other functions unavailable.

13.3 We respect Global Privacy Control (GPC) signals. We do not respond to Do Not Track (DNT) requests because the industry has not adopted a unified standard for DNT signals.

13.4 Third-party analytics and monitoring services, such as Google Analytics, Sentry, and PostHog, process relevant information under their own privacy policies. We have configured them to limit the scope of data collection where possible, such as enabling IP anonymization.

14. Supplemental Rights for California, the EEA, the UK, and Other Regions

14.1 California users (CCPA/CPRA):

  1. You have the right to request information about the categories and purposes of personal information we collected, used, and disclosed in the past 12 months;
  2. You have the right to request deletion of personal information we hold about you, subject to applicable exceptions;
  3. You have the right to request correction of inaccurate personal information;
  4. You have the right to limit the use of sensitive personal information;
  5. We do not sell your personal information and do not share your personal information for targeted advertising or cross-context behavioral advertising purposes; we respect opt-out signals that you send through mechanisms such as Global Privacy Control (GPC).
  6. We do not discriminate against you for exercising your rights;
  7. To exercise a request, please send it to [email protected].

14.2 EEA / UK / Swiss users (GDPR / UK GDPR):

  1. Legal bases for processing: performance of contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), legal obligations (tax and regulatory matters), and your consent (specific optional data collection);
  2. You have rights under GDPR Articles 15-22, including access, correction, deletion, restriction, portability, objection, and not being subject to automated decision-making;
  3. Cross-border transfers rely on SCCs or other transfer mechanisms permitted by law;
  4. You have the right to lodge a complaint with a data protection regulator in your place of residence, workplace, or place of alleged infringement.

14.3 Users in Brazil, Canada, Australia, and other regions: To the extent mandatorily required by applicable law, we will provide you with corresponding rights under local data protection laws, such as LGPD, PIPEDA, and the Privacy Act.

15. Policy Updates

15.1 We may update this Policy based on changes in laws and regulations, business, technology, upstream model policies, payment methods, or data processing practices.

15.2 Material changes, such as substantive changes to processing purposes, collection scope, sharing recipients, retention periods, or user rights, will be notified to you at least 14 days in advance through reasonable methods such as website notices, console prompts, in-site messages, or email.

15.3 Your continued use of the Service after an update takes effect means that you understand and accept the updated Policy. If you do not agree to the update, please stop using the Service and request account deletion under Section 9.

15.4 Historical versions of this Policy will be archived and available in the console.

16. Dispute Resolution

16.1 For disputes relating to this Policy or the processing of personal information, you may first contact us at [email protected] to seek an amicable resolution.

16.2 If no resolution is reached through consultation, the dispute will be handled under Section 18 (Governing Law and Dispute Resolution) of the ClaudeAPI Terms of Service. Those dispute-resolution terms, including mandatory individual arbitration, class-action waiver, jury-trial waiver, and application of Colorado law, also apply to disputes under this Policy.

16.3 If mandatory law in your jurisdiction grants you non-waivable remedies, you may still exercise your rights under those laws, and this Policy does not limit those statutory rights.

17. Contact Us

If you have any questions, complaints, or requests regarding this Policy, personal information protection, data deletion, account deletion, log processing, or other privacy matters, you may contact NiceCloud LLC as follows:

We will process your request within the time required by applicable law or within a reasonable period.

Language and Interpretation. This Privacy Policy may be translated into languages other than English for convenience. If any translated version conflicts with the English version, the English version will govern to the maximum extent permitted by applicable law.