← Back to ProxyLLM

Cookie Policy

Last updated: June 18, 2026

This Cookie Policy explains how ProxyLLM ("ProxyLLM", "we", "us", or "our"), operated by Sysdev TechStrategy & Consulting, uses cookies and similar device-storage technologies across our websites — the landing page at proxyllm.dev and the dashboard at app.proxyllm.dev.

It should be read together with our Privacy Policy and Terms of Service. Where this policy conflicts with the Privacy Policy on a cookie-specific matter, this policy controls. This Cookie Policy is provided for transparency and is governed by, and subject to the limitations of liability, warranty disclaimers, and governing-law and venue provisions of, our Terms of Service. Nothing here expands our obligations beyond those Terms or applicable law.

Because Sysdev TechStrategy & Consulting is established in Brazil, this policy is written LGPD-first (Lei nº 13.709/2018 and the ANPD's Guia Orientativo: Cookies e Proteção de Dados Pessoais). It also addresses the EU/EEA GDPR and the ePrivacy Directive (2002/58/EC) for visitors in Europe, and the CCPA/CPRA for California residents.

1. Who We Are (Controller)

ProxyLLM is operated by Sysdev TechStrategy & Consulting, a Brazilian legal entity, which acts as the controller (controlador) for the limited personal data described in this policy.

For any question about cookies, this policy, or to exercise your data-protection rights, our dedicated data-subject communication channel is:

This is the same channel referenced in our Privacy Policy and serves as our point of contact for data-subject requests.

2. What Cookies and Similar Technologies Are

A cookie is a small text file that a website stores on your device (computer, tablet, or phone) and can read back on later visits. Similar technologies include localStorage, sessionStorage, software development kits, pixels, and device fingerprinting — anything that stores information on, or reads information from, your device.

Under the ePrivacy Directive and the ANPD guidance, the legal obligation to obtain consent is triggered by the act of storing or reading information on your device — not by analytics in the abstract. A technology that neither writes to nor reads from your device does not, by itself, trigger that consent requirement (though any resulting processing of personal data still needs a lawful basis and a transparency notice, which this policy provides).

We group what we use into two categories:

  • Strictly-necessary (essential) cookies — required to deliver a service you explicitly request, such as keeping you signed in or securing a payment. These are exempt from prior consent.
  • First-party analytics — used to understand aggregate traffic. As described below, we currently run no analytics tool on our websites.

We do not use any advertising, marketing, retargeting, cross-site tracking, or social-media pixels anywhere in our stack.

3. The Landing Page (proxyllm.dev)

Our public landing page currently sets no analytics cookies and uses no analytics tool. It writes no cookie, localStorage, sessionStorage, or other persistent identifier to your device for analytics purposes, and it does not create a cross-site identifier.

Because no information is stored on or read from your device for analytics, no cookie consent banner is required for the landing page under the ePrivacy Directive or the ANPD cookie guidance, and none is presented.

The landing page does not load our authentication or payment providers, so it sets no Clerk or Stripe cookies.

Planned change. We intend to add Vercel Web Analytics, a cookieless analytics tool that sets no cookies and writes no persistent identifier to your device, counting visitors via a transient, server-side hash that is discarded within 24 hours and collecting only aggregated, non-identifying data points (such as page path, referrer, country-level geolocation, operating system, browser, and device type) without storing your IP address. When and if that tool is added to our build, we will update this section to describe it in the present tense and will process the limited associated personal data on the lawful basis of our legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f)) in understanding and improving our website. Because that tool would store nothing on or read nothing from your device, it would still require no consent banner.

4. The Dashboard (app.proxyllm.dev) Uses Strictly-Necessary Cookies Only

When you sign in to the dashboard or make a payment, our authentication and billing providers set a small number of strictly-necessary cookies. These are essential to deliver functionality you explicitly request (signing in, staying signed in, and securely processing a payment), and they are therefore exempt from prior consent under the ePrivacy Directive and the ANPD guidance.

Cookie inventory

CookieProviderCategoryPurposeRetention / Expiry
__sessionClerkStrictly necessaryShort-lived authentication token used to keep you signed inShort-lived (session JWT)
__clientClerkStrictly necessaryReferences your authenticated session; secure and HTTP-onlySession-scoped
__stripe_midStripeStrictly necessaryFraud prevention / payment security (machine identifier)Up to 1 year
__stripe_sidStripeStrictly necessaryFraud prevention / payment security (session identifier)30 minutes

Cookie names, attributes, and lifetimes are controlled by the respective providers (Clerk and Stripe) and may change without notice; consult each provider's own cookie policy for the current values.

Stripe cookies are set only when a payment surface (Stripe.js or Checkout) loads during a billing action; they are not present on ordinary dashboard pages. Clerk cookies are set only on the authenticated dashboard domain, never on the landing page.

We confirm that there are no advertising, marketing, or cross-site tracking cookies anywhere in the dashboard. Because the only cookies in use are strictly necessary, no consent banner is legally required, and the correct posture is a "strictly-necessary cookies only" notice — which this policy provides.

5. Legal Basis for Each Category

CategoryExamplesLawful basis (LGPD / GDPR)
Strictly-necessary cookiesClerk __session, __client; Stripe __stripe_mid, __stripe_sidExecution of a contract and our legitimate interest in providing and securing the requested service (LGPD Art. 7, V and IX; GDPR Art. 6(1)(b) and (f); ePrivacy strictly-necessary exemption)
First-party analyticsNone currently in use (see Section 3)If cookieless analytics is added: legitimate interest in measuring and improving our website (LGPD Art. 7, IX; GDPR Art. 6(1)(f)); no device-storage consent trigger would apply

We do not rely on consent for any cookie or device-storage technology, because we use none that would require it. If that ever changes (see Section 9), we will collect prior, granular, freely revocable consent before any non-essential technology loads.

6. Third Parties Involved

The technologies above, and our broader service, involve the following third-party providers (subprocessors). Each operates under its own privacy and cookie policies, which we encourage you to review. This is the complete list relevant to our websites and service:

  • Clerk — authentication and user management (sets the strictly-necessary session cookies above).
  • Stripe — payment processing and subscription billing (sets the strictly-necessary fraud-prevention cookies above; never receives or stores card numbers on our side).
  • Vercel — hosting for the landing page and dashboard. If we add the cookieless analytics described in Section 3, Vercel Web Analytics would be the provider.
  • Railway — hosting for our proxy server, PostgreSQL database, and Redis cache (where at-rest data lives).
  • OpenAI / OpenRouter — upstream LLM and embedding providers. In production, OpenRouter is the upstream (including for Anthropic-format traffic via its Anthropic-compatible endpoint), with OpenAI as the default-config fallback. These providers receive prompt content both for completion forwarding and for embedding generation (see Section 7).
  • Anthropic — upstream LLM provider for Claude-format (/v1/messages) requests (in production, reached via OpenRouter's Anthropic-compatible endpoint).
  • Resend — delivery of transactional emails (for example, welcome, usage, and billing notifications). Note that the welcome email sent on first workspace provisioning contains your workspace API key in the message body, so that credential transits and resides in Resend's email system; see our Privacy Policy for detail.
  • Sentry — application error tracking and performance monitoring.
  • UptimeRobot — external uptime monitoring and our public status page (health checks only; no visitor or customer data).

These providers do not receive cookie data through a sale or cross-context behavioral advertising "share"; they act as service providers/processors that help us deliver and secure the service.

7. How We Process Your Prompts and Cached Responses

This Cookie Policy concerns cookies and website device-storage. For completeness, and because it is a common point of confusion, note the following about the proxy service itself (the full detail is in our Privacy Policy):

  • Our request logs store metadata only — model, token counts, cost, latency, cache hit/miss, and any optional tag you supply. They do not contain the text of your prompts or model responses.
  • Our semantic cache (in Redis, scoped to your workspace) stores a SHA-256 hash of your prompt (system prompt plus last user message) as the cache key, an embedding vector derived from that prompt, and the full text of the corresponding model response. Cached entries automatically expire by plan tier (Free 24h / Pro 72h / Scale 168h).
  • To enable semantic matching, the cleartext text of your prompt (system prompt plus last user message) is transmitted to a third-party embedding provider (currently OpenAI/OpenRouter via the embedding API) on each cache write and each semantic lookup. We do not persist that cleartext ourselves, but it is processed by that subprocessor under its own terms.
  • Customer-provided upstream provider API keys (BYOK) are encrypted at rest using AES-256-GCM; the cleartext key is never returned in API responses. This encryption applies specifically to BYOK upstream keys; it does not describe how every credential in our system is stored — see our Privacy Policy for the full data-handling description.

None of this involves cookies. It is summarized here only so the two statements — "we do not log prompt or response content in our request logs" and "the cache stores response text" — are read together and not misunderstood.

8. International Data Transfers

Our website providers and subprocessors (including Vercel, Clerk, Stripe, Railway, OpenAI/OpenRouter, Anthropic, Resend, Sentry, and UptimeRobot) are located outside Brazil, principally in the United States. Any personal data associated with cookies or analytics is therefore transferred internationally.

We work to ensure that each subprocessor contract incorporates an appropriate LGPD transfer mechanism — the ANPD's Standard Contractual Clauses (Cláusulas-Padrão Contratuais) or an applicable exception under LGPD Arts. 33–36. For our own Brazil-based processing in respect of EU data subjects, we rely on the EU–Brazil mutual adequacy decision in force since 27 January 2026. For EU-to-US flows to non-adequate subprocessors, we work to ensure reliance on EU Standard Contractual Clauses and/or the applicable Data Privacy Framework. You may request information about the safeguards in place by contacting contact@proxyllm.dev.

9. When This Policy Would Change (Non-Essential Cookies)

Our "no consent banner" posture is valid only while our websites continue to use exclusively strictly-necessary cookies plus, at most, cookieless analytics.

If we ever add any non-essential technology — for example, a third-party analytics product that sets a cookie, an advertising or social-media pixel, retargeting, or A/B-testing that writes a device identifier — we will, before that technology loads:

  • present a clear, granular cookie consent banner where rejecting is as easy as accepting;
  • obtain your prior, specific, informed, and freely revocable consent (LGPD Art. 7, I and Art. 8; GDPR Art. 6(1)(a) and Art. 7; ePrivacy Art. 5(3));
  • honor opt-out preference signals such as Global Privacy Control where the CCPA/CPRA applies; and
  • update this policy accordingly.

10. How to Control Cookies

You can manage or delete cookies at any time through your browser settings. Most browsers let you block all cookies, block third-party cookies, or delete existing ones. Helpful guides are published by the makers of Chrome, Firefox, Safari, and Edge.

Please note that blocking strictly-necessary cookies will break core functionality — for example, you will not be able to sign in to the dashboard or complete a payment.

Because we do not use non-essential cookies, there is no in-product consent toggle to manage; if that changes, the banner described in Section 9 will provide granular controls.

11. Your Data-Protection Rights

In addition to browser-level controls, you have rights over your personal data under the LGPD (Art. 18), and equivalent rights under the GDPR and CCPA/CPRA, including the rights to:

  • confirm whether we process your data and access it;
  • correct incomplete, inaccurate, or outdated data;
  • request anonymization, blocking, or deletion of unnecessary or unlawfully processed data;
  • obtain data portability;
  • be informed about the entities with whom we have shared your data;
  • be informed about the possibility of refusing consent and the consequences of doing so; and
  • revoke consent where processing is based on consent.

To exercise any of these rights, contact us at contact@proxyllm.dev. We aim to respond within the timeframes set by applicable law (under the LGPD, within 15 days for the simplified declaration of access). You also have the right to lodge a complaint with the Brazilian data-protection authority, the Autoridade Nacional de Proteção de Dados (ANPD); EU/EEA visitors may complain to their local supervisory authority, and California residents may exercise their CCPA/CPRA rights as described in our Privacy Policy.

12. No Sale or Sharing of Personal Information (CCPA/CPRA)

We do not sell your personal information and do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not done so in the preceding twelve months, and we do not knowingly sell or share the personal information of consumers under 16 years of age. Because we do not sell or share, we are not required to offer a "Do Not Sell or Share My Personal Information" opt-out — but we state this affirmatively so our position is clear.

13. Children

Our Service is not directed to children under 18, and our websites are intended for business and professional users. We do not knowingly use cookies to collect data from children.

14. Changes to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in our technologies, our subprocessors, or the law. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through the dashboard. Your continued use of our websites after an update constitutes acceptance of the revised policy.

15. Contact

For any question about this Cookie Policy or our use of cookies and similar technologies, contact:

Sysdev TechStrategy & Consulting Ltda. (CNPJ 37.016.893/0001-73) Av. Andrômeda, 433, Sala 515, Jardim Satélite, São José dos Campos – SP, CEP 12.230-000, Brazil Email: contact@proxyllm.dev