Privacy Policy

ASKTHREEBOTS PRIVACY POLICY

Effective date: 15 June 2026

Last updated: 15 June 2026

This Privacy Policy explains how AskThreeBots ("we", "us", "our") collects, uses, and shares information when you use our website, applications, and related services (collectively, the "Service").

We encourage you to read this policy together with our Terms of Service and, where you pay for the Service, any checkout text that references Stripe. If you do not agree with this policy, please do not use the Service.

1. WHO WE ARE

AskThreeBots operates the Service. The business is based in the Hong Kong Special Administrative Region of China ("Hong Kong"). For data-protection purposes, the data user / controller of personal data under this policy is Giant Niche Limited, a company incorporated and registered in the Hong Kong Special Administrative Region, at Suit A2, 16th Floor, Luard Road, Wanchai, Hong Kong. You can contact us about privacy at: privacy@askthreebots.com

If you are in Hong Kong, our collection and use of your personal data may be subject to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), in addition to other laws that may apply depending on your location.

2. INFORMATION WE COLLECT AND PROCESS

2.1 Account and authentication

- Contact and profile: such as your email address and, if you provide it, your name.

- Account credentials and security: data needed to create and protect your account (for example, authentication and session data in line with our auth setup).

- Subscription and billing references: identifiers we receive from or store in connection with Stripe (for example, customer and subscription IDs). We do not store full card numbers on our own servers; card processing is handled by Stripe under their terms and security standards (PCI-DSS).

2.2 Chats, prompts, and generated content

The Service is designed for AI-assisted verification and conversation. To make that work and to show you history and continuity in your sessions, we store content you provide and content generated for you, including for example messages, attachments (and related metadata as implemented), chat titles, and, where we use them, conversation summaries or context that help the product function.

This means the Service is not a "zero data retention" product on our own systems with respect to your chat content: we retain what you and the Service generate as part of running the product for you, subject to this policy and your rights below.

2.3 Usage, credits, and operations

We process operational and billing-related data about your use of the Service, for example: timestamps, credit and token usage, which models or features were used, success or failure of requests, and internal identifiers used for reliability and cost accounting (for example, references returned by our AI gateway where applicable). Some records may include short titles or similar fields that reflect what a conversation is about, for support and usage reporting.

We use this information to: deliver the Service; enforce fair use and security; run billing and credits; troubleshoot; and improve stability and performance of the Service in line with our Terms.

2.4 AI processing via OpenRouter and model providers

To generate answers, we send prompts and necessary context to OpenRouter, which routes requests to third-party model providers (for example, various frontier models you select or we configure). Those providers process content under their own terms and privacy policies. OpenRouter and these third-party model providers operate as independent upstream processors. While we utilize secure routing pipelines, you acknowledge that AskThreeBots does not own, operate, or exert direct structural control over the internal server environments or data-handling infrastructure of OpenRouter or any third-party model networks. Upstream processing is bound entirely by the operational availability and privacy compliance of these independent third-party providers, and we disclaim liability for any data incidents occurring within their respective platforms.

Where available and enabled for a given model or provider, we may use OpenRouter settings that request reduced or zero data retention (ZDR) style handling for the upstream (provider-side) path. ZDR and similar options are not available for every model we use: they depend on OpenRouter and each third-party model provider's capabilities, product settings, and public terms. For any model or route where ZDR is not supported, upstream processing follows that provider's standard retention and privacy rules. None of this changes the fact that we still store chats and account data on AskThreeBots as described above.

No training of foundation models by us: we do not use your prompts or messages to train our own or third-party base models, except insofar as a model provider or OpenRouter might process inputs under their inference and agreements; our policy is to rely on upstream arrangements that are consistent with a "no training for model improvement on your data" intent where the provider offers that, but you should review OpenRouter and the relevant model providers' public terms for the exact scope of their processing.

2.5 Cookies, CookieYes, and Google Analytics

- CookieYes: we use CookieYes to manage cookie consent and to control how non-essential cookies and similar technologies are set, where required in your region. You can review and change your choices through the CookieYes interface on the site.

- Google Analytics: we use Google Analytics to understand how visitors use the site and product (for example, traffic, navigation, and high-level usage). Google may set cookies or use identifiers as described in Google's policies. You may opt out of or limit certain analytics in line with your CookieYes settings and Google's tools.

- Essential and functional cookies: we use cookies and similar storage for necessary operations such as session, security, and UI preferences (for example, layout or model preferences where we store them in a cookie), as further described in our cookie list in CookieYes where we maintain one.

2.6 Communications and support

If you contact us, we process the information you send (for example, email content) to respond and, if needed, to defend or document the relationship, as permitted by law.

2.7 Legal and safety

We may process information as required or permitted by law (for example, tax, accounting, or regulatory obligations; fraud prevention; and safety). We may also need to process data to enforce our Terms or to protect the Service and users.

2.8 Geographic location and model availability (country / provider restrictions)

Third-party model providers (for example, OpenAI / ChatGPT, Anthropic / Claude, Google / Gemini, and others) set their own terms for which countries, regions, or use cases can access which models. Restrictions can reflect export control, local law, provider policy, or other rules.

We follow those requirements. As a result, in some countries or regions—including, depending on the provider and the current rules, places such as Hong Kong—specific models (for example, a given Claude or OpenAI/ChatGPT option) may be unavailable, hidden, or substituted in the product, while other models may remain available. What you can select in the app reflects what we are allowed to offer for your account, connection, or region at that time, and the list of models and geographies can change when providers or we update the Service.

To apply these rules, we may use technical and operational measures such as geolocation or region signals (for example, derived from your request or network metadata where available), your account or region settings, and our administrative country-to-model configuration. This involves processing the minimum data needed to determine which models you may use (such as a country or region code). It does not change the rest of this policy about what we store for chats and account data.

3. HOW AND WHY WE USE YOUR INFORMATION (PURPOSES)

We use the information above to:

- Provide the Service: accounts, chat, credits, model routing, and features you request.

- Billing and finance: subscriptions, top-ups, invoices, and tax handling via Stripe and our internal records.

- Security and abuse: detecting fraud, abuse, and misuse; rate limits; protecting accounts.

- Support: responding to you and operating admin or support tools as needed.

- Analytics and improvement: Google Analytics and internal metrics to understand usage and improve the product, subject to consent where required.

- Comply with law: meeting legal, tax, and accounting requirements and responding to lawful requests; and honoring model-provider and country/region rules as described in Section 2.8.

Legal bases (EEA/UK and similar): we rely on contract (to provide the Service), legitimate interests (security, product operation, and analytics where not overridden by your rights or consent), legal obligation where applicable, and consent where we must obtain it (for example, non-essential cookies or certain analytics, via CookieYes as implemented).

Hong Kong: we describe our practices in this policy in line with the data protection principles under the PDPO where they apply to our processing. The PDPO is enforced by the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD); you may have rights of access, correction, and other remedies under the Ordinance, subject to the law.

4. SHARING OF INFORMATION

We do not sell your personal information in the conventional sense. We share data only as needed in these situations:

- Service providers and subprocessors who process data on our instructions, including at least: Amazon Web Services (AWS), including Amazon EC2 and other AWS services in the Asia Pacific (Singapore) region (ap-southeast-1) for primary hosting, compute, and data storage; Stripe (payments); OpenRouter (model routing; upstream AI processing); CookieYes (consent); Google (Analytics); and Google Workspace for infrastructure and communications. We require appropriate contracts and safeguards.

- Model providers receive prompts and context as part of inference through OpenRouter as described in Section 2.4. These providers act as independent data controllers or processors regarding your inference inputs. By using the Service to query specific models, you instruct us to transmit this data to these upstream networks, which process your inputs under their own privacy frameworks and local regional jurisdictions.

- Legal and safety: if we in good faith believe disclosure is required by law, court order, or to protect rights, safety, or the Service.

- Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you where required.

A non-exhaustive subprocessor list may be made available on request or on our site; we will update it when we add or replace material processors in line with our contracts.

5. INTERNATIONAL TRANSFERS

The Service and our vendors may process data in countries and territories including, without limitation: where you are located; Hong Kong, where we have our place of business and from which the Service is operated; Singapore, where our primary AWS infrastructure (EC2 and related services in the ap-southeast-1 region) is hosted; and the United States and other regions where Stripe, Google, OpenRouter, model providers, and AWS (see AWS regional documentation) may process or support the service. Personal data may therefore be transferred from Hong Kong to other jurisdictions, including to Singapore and the United States, for the purposes described in this policy. If we transfer personal data from the EEA, UK, or Switzerland, we use appropriate safeguards (such as Standard Contractual Clauses and supplementary measures) where required by law and as described in our DPA where applicable. Cross-border transfer from Hong Kong is subject to the PDPO and PCPD guidance; we use contractual and technical measures in line with our role as data user, as appropriate.

6. RETENTION

- Account and chat: we keep account and chat data for as long as your account is active and for a reasonable period after closure for backup, legal, and dispute purposes, unless the law or your deletion request requires a different approach, subject to Section 7.

- Upstream (OpenRouter / providers): retention of inference data on OpenRouter or each model provider is governed by their terms and by any ZDR (or similar) settings that actually apply to that model or route where supported. Where a model does not support ZDR, the provider’s standard retention rules apply; see their documentation. This is in addition to (and separate from) your AskThreeBots-stored data described in this policy.

- Tax and accounting: we may keep limited billing records for legally required retention periods.

7. YOUR RIGHTS AND CHOICES

Depending on where you live, you may have the right to (for example, under the GDPR, UK GDPR, or the PDPO in Hong Kong, where they apply to us):

- Access a copy of your personal data,

- Correct inaccurate data,

- Delete data subject to legal and contractual exceptions,

- Export or port data in a portable format where applicable,

- Restrict or object to certain processing,

- Withdraw consent for optional cookies or analytics (via CookieYes and Google tools, where available), and

- Lodge a complaint with a data protection authority.

How to exercise rights: contact us at [privacy@askthreebots.com]. We will respond in line with applicable law. If you are in Hong Kong and are not satisfied with our response, you may contact the PCPD: https://www.pcpd.org.hk (or as updated on their site). You can also use in-product controls (where we offer them) to delete or manage chats and account settings, and use CookieYes to manage cookies.

For corporate or enterprise users requiring formalized cross-border data transfer mechanisms under the GDPR, a standard Data Processing Addendum (DPA) incorporating the European Commission’s Standard Contractual Clauses is available upon request by contacting privacy@askthreebots.com.

We may need to retain certain data where legally required, for fraud prevention, or to defend claims even after a deletion request, as permitted by law.

8. SECURITY

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (such as HTTPS), access controls, and vendor security for critical systems. No system is 100% secure; please use a strong password and protect your account.

9. CHILDREN

The Service is not intended for use by children under 16 (or a higher age if required in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have, contact us and we will take steps to delete it.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. The "Last updated" date at the top will change, and for material changes we may also notify you by email or a notice in the product. Continued use of the Service after the effective date means you accept the updated policy, except where the law requires your explicit consent for certain changes.

11. CONTACT

AskThreeBots

Giant Niche Limited

Suit A2, 16th Floor, Luard Road

Wanchai, Hong Kong SAR

Email: privacy@askthreebots.com

Third-party privacy links (for your reference; URLs may change):

Stripe: https://stripe.com/privacy

OpenRouter: see OpenRouter's site for current Privacy and Terms: https://openrouter.ai

Google (Analytics): https://policies.google.com/privacy

CookieYes: see CookieYes' documentation and privacy information on their site.

Amazon Web Services (hosting, Singapore region and related services): https://aws.amazon.com/privacy

PCPD (Office of the Privacy Commissioner for Personal Data, Hong Kong; complaints and guidance on the PDPO): https://www.pcpd.org.hk