Privacy Policy
Last Updated: May 23, 2026
Effective Date: May 23, 2026
Not Diamond, Inc. ("Not Diamond," "we," "us," or "our") builds infrastructure that routes, optimizes, and serves large language model ("LLM") workloads for developers and enterprises. This Privacy Policy explains what personal information we collect, how we use and share it, how long we keep it, and what choices you have. It applies to our websites, APIs, SDKs, dashboards, and related products (collectively, the "Services").
This Privacy Policy is incorporated by reference into our Terms of Use. Capitalized terms not defined here have the meanings given in the Terms of Use.
If you have questions about anything in this policy, contact us at legal@notdiamond.ai.
Table of Contents
1. Introduction
2. Scope of This Policy
3. Information We Collect
4. How We Use Information
5. AI Systems and Model Training
6. Inputs, Outputs, and Content
7. Derived Data
8. AI-Generated Outputs and Disclaimers
9. Subprocessors and Third-Party Providers
10. Analytics and Tracking Technologies
11. Cookies and Similar Technologies
12. Data Location and International Transfers
13. Data Retention
14. Security Practices
15. User Rights and Privacy Choices
16. California Privacy Rights (CCPA/CPRA)
17. Do Not Sell or Share
18. Sensitive Personal Information
19. Automated Decision-Making and Profiling
20. GDPR and International User Rights
21. Children's Privacy
22. Account Termination and Data Deletion
23. Business Transfers and Corporate Transactions
24. Changes to This Privacy Policy
25. Contact Information
1. Introduction
Not Diamond develops model routing and optimization infrastructure for AI applications. Our Services help customers send each prompt to the model best suited to handle it, improve quality and latency, evaluate LLM performance, and - for select offerings - provide hosted model inference directly.
2. Scope of This Policy
This Privacy Policy applies to personal information processed by Not Diamond in connection with:
- our websites, including notdiamond.ai;
- our developer dashboard, console, and account portals;
- our APIs, SDKs, proxy components, and client libraries;
- our documentation, community forums, and support channels; and
- our marketing, events, recruiting, and business communications.
Our role depends on the product and the relationship. For our routing and optimization Services, Not Diamond typically acts as a service provider to our customers under the CCPA and a processor under GDPR with respect to customer data, and as a business/controller for personal information collected directly from website visitors, account holders, and prospects. For our hosted model offerings, we may act as a processor or controller depending on the configuration and the underlying agreement. Where we act as a processor or service provider, our customer's agreement (including any Data Processing Addendum) governs how we handle data on their behalf.
This Privacy Policy does not modify our obligations under those customer agreements and does not apply to third-party websites or services linked from our Services.
3. Information We Collect
We collect personal information from three sources: directly from you, automatically through your use of the Services, and from third parties.
3.1 Information You Provide
Account information. Name, email address, password, organization, role, and profile details when you sign up or update your account.
Billing information. Billing contact, address, tax information, and payment method details. Card data is collected and stored by our third-party payment processor; we receive only summary billing information (such as last four digits and billing zip code).
Workspace and configuration data. API keys, routing configurations, evaluation datasets, model preferences, and similar settings you create within the Services.
Inputs and Outputs. As described in Section 6 and subject to the Terms of Use.
Communications. Information you provide when you contact support, request a demo, sign up for newsletters, respond to surveys, or otherwise correspond with us.
Recruiting. If you apply for a role at Not Diamond, the information in your application materials, including your resume, references, and any voluntary diversity information.
3.2 Information Collected Automatically
Usage and telemetry. API call metadata, latency and routing telemetry, model selection events, error logs, feature usage, and similar operational information generated as you use the Services.
Device and connection data. IP address, browser type, operating system, device identifiers, language settings, time zone, referring URLs, and approximate location derived from IP address.
Cookies and similar technologies. As described in Section 11.
3.3 Information From Third Parties
We may receive personal information from:
- identity providers such as Google or GitHub when you use single sign-on;
- payment processors and tax service providers in connection with billing;
- business partners, resellers, and event organizers who refer you to us; and
- publicly available sources for sales prospecting, compliance screening, and security research.
4. How We Use Information
We use personal information to:
- Operate the Services: authenticate users, route and optimize prompts, serve model inferences, deliver Outputs, and process transactions.
- Maintain reliability and security: monitor system health, prevent abuse and fraud, enforce our Terms of Use, and investigate incidents.
- Improve the Services: diagnose issues, evaluate routing performance, develop new features, and benchmark model behavior, primarily using Derived Data (defined in Section 7).
- Communicate with you: respond to inquiries, send service and security notices, and (where permitted) send marketing communications you can opt out of at any time.
- Comply with law: meet legal, regulatory, tax, and accounting obligations, and respond to lawful requests, including requests from third parties who claim a violation of their rights as permitted under our Terms of Use.
- Use product feedback and quality signals: collect and analyze user-submitted feedback (such as thumbs-up/down ratings, comparison results, evaluation labels, and other quality signals) to improve routing, evaluate model performance, and surface defects in the Services.
- Aggregate and de-identify: produce non-identifying analytics, benchmarks, and research outputs that we may use and share for any lawful purpose. When we de-identify personal information, we remove or hash direct identifiers (such as names, email addresses, account IDs, and IP addresses), aggregate the data to a level that prevents re-identification of any individual, and contractually prohibit any recipient from attempting to re-identify the data. Aggregated and de-identified data is no longer personal information under the CCPA and is not subject to the rights described in Section 16.
We do not sell your personal information. We do not use it for cross-context behavioral advertising. See Section 17.
5. AI Systems and Model Training
Because we operate AI infrastructure, this section explains how your data interacts with our models and the third-party models we connect to.
Foundation model training. Not Diamond does not use Customer Data to train generally available third-party foundation models. We seek to use provider configurations and contractual protections designed to limit retention and model training on Customer Data where commercially and technically available, and we periodically review those terms.
Routing and optimization models. Our core technology is a router that selects among models. We train and improve the router and related systems primarily using Derived Data (see Section 7) and de-identified or aggregated signals. Where we use Input or Output content for this purpose, we apply technical and contractual safeguards to minimize personal information.
Hosted model offerings. For Services where Not Diamond hosts or supplies underlying LLM models directly, full payload processing is required to deliver the inference. In those Services, opt-out from payload processing is not available; data handling, including any use for service quality improvements, is governed by the applicable customer agreement and this Privacy Policy.
Enterprise controls. Enterprise customers may have access to additional data-handling controls, configuring options, and contractual restrictions that vary by deployment model and customer agreement.
California AI training transparency. Not Diamond provides disclosures regarding model-development practices where required by applicable law. If you are a California resident and would like a copy, contact legal@notdiamond.ai.
6. Inputs, Outputs, and Content
As defined in our Terms of Use, "Input" means data you provide to the Services, "Output" means the data the Services return based on the Input, and "Content" means Input and Output together. You retain ownership of Input, and you own the Output, as further described in the Terms of Use.
Local analysis at the customer edge. For our proxy-based routing Services, Input may be analyzed locally on customer infrastructure or within Not Diamond-managed infrastructure, depending on the Service configuration and deployment model. The proxy generates Derived Data (see Section 7) and transmits only what is necessary to route, log, or evaluate the request. Full payload transmission to Not Diamond servers may vary depending on the Service configuration, deployment model, customer settings, and applicable agreement.
Transmission to model providers. To deliver inferences, Input is transmitted to the third-party LLM provider selected by the router (or, for hosted model offerings, to our infrastructure). Third-party providers process Input under their own terms; we seek to implement commercially reasonable contractual, technical, and operational measures designed to limit retention and training use where available.
Sensitive content. You are responsible for the Input you submit. You should not submit information you are not authorized to share or that you do not want processed by Not Diamond or the model providers we route to. Do not submit highly sensitive information — such as government identifiers, payment card data, biometric information, or protected health information — unless we have explicitly agreed in writing to support it.
Abuse and safety monitoring. We may inspect Content to investigate suspected violations of our Terms of Use or Acceptable Use Policy, to comply with law, and to protect users and the platform.
7. Derived Data
This section is specific to Not Diamond and central to how our Services work.
"Derived Data" means data that Not Diamond generates from analyzing Input, rather than the Input itself. Examples of Derived Data include:
- prompt complexity signals (such as estimated difficulty);
- inferred intent or task type (for example, code generation, summarization, classification);
- token counts and length metrics;
- context features (such as language, structure, and embedding representations);
- latency, cost, and quality outcomes associated with model selection; and
- other derived metrics we may add over time to improve routing, evaluation, and model quality.
Where Derived Data is generated. For proxy-based routing Services, Derived Data may be generated on customer infrastructure, within Not Diamond-managed infrastructure, or through a combination of both, depending on the Service configuration and deployment model. Only the Derived Data needed to route, log, or evaluate the request is transmitted to Not Diamond's servers.
Where Derived Data is stored. Derived Data transmitted to Not Diamond is stored in infrastructure operated by Not Diamond and its service providers, including in the United States and other locations as permitted by applicable law, customer agreement, or Service configuration. For hosted model offerings and international deployments, Derived Data may be stored in the customer's environment or another region designated by the applicable customer agreement or local law.
How we use Derived Data. We use Derived Data to operate the Services, improve routing and evaluation models, conduct research and development, generate benchmarks and analytics, and improve product quality.
Retention. Derived Data is retained for periods reasonably necessary to support service quality, product development, evaluation, and audit, generally not exceeding eighteen (18) months unless a longer period is required or permitted by law, customer agreement, or legitimate business need. Enterprise customers may negotiate a shorter retention window.
Expansion of Derived Data categories. As the Services evolve, we may collect additional categories of Derived Data. We will update this Privacy Policy to describe material additions before they take effect, except where law or security requires otherwise.
8. AI-Generated Outputs and Disclaimers
LLMs produce probabilistic, non-deterministic results. Outputs may be incomplete, inaccurate, biased, or otherwise unsuitable for your purpose. Do not rely on Outputs as a sole source of truth, and do not use them as a substitute for professional advice (legal, medical, financial, or otherwise).
You are responsible for reviewing Outputs before relying on them and for any decisions you make based on them. Where Outputs concern an identifiable individual, you should consider whether the Output is accurate and lawful to use and should follow any applicable correction procedures.
9. Subprocessors and Third-Party Providers
We use a focused set of subprocessors to operate the Services. The list of Subprocessors is provided below. This list may be updated from time to time.
- Render (Ohio, USA): Receive, display, making routing decisions based on customer data.
- Datadog (USA): Receive and persist logs and traces, which may contain customer data. Logs and traces are persisted for up to 15 days.
- Amazon Web Services, S3 (Virgina, USA): Persist customer data.
We require subprocessors to maintain appropriate security and confidentiality standards and to process personal information only for the purposes we authorize.
10. Analytics and Tracking Technologies
We use a small set of first-party and third-party analytics tools to understand how the Services are used, identify performance issues, and improve features. These tools may collect device, network, and usage information, including pages viewed, actions taken, and feature engagement.
We do not use analytics tools to build cross-site advertising profiles, and we do not share usage data with advertising networks.
11. Cookies and Similar Technologies
We use cookies, local storage, and similar technologies for a variety of purposes, including:
- Strictly necessary: to authenticate sessions, secure the Services, and remember basic preferences.
- Functional: to remember settings such as theme, region, and language.
- Analytics: to measure aggregate usage as described in Section 10.
You can control non-essential cookies through your browser settings or through our cookie preferences interface, where available. Disabling certain cookies may degrade functionality. We honor recognized opt-out preference signals (such as Global Privacy Control) where required by law.
12. Data Location and International Transfers
Not Diamond is based in the United States, and we generally process personal information in the United States, including through infrastructure operated by Not Diamond and its service providers. The Services are intended for users and customers in jurisdictions where the Services may lawfully be offered and used, including the United States.
International deployments. For select international enterprise customers, we deploy the Services to run locally within the customer's own infrastructure, so that Content and Derived Data remain in that environment rather than transiting Not Diamond's United States facilities.
EEA, UK, and Switzerland. We do not actively offer the Services in the European Economic Area, the United Kingdom, or Switzerland, except under specific enterprise arrangements with appropriate safeguards. Where we transfer personal information from those regions to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards — including, where appropriate, the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or other lawful transfer mechanisms available under applicable law.
If you access the Services from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.
13. Data Retention
We retain personal information for as long as needed to provide the Services and for the purposes described in this Privacy Policy. Retention periods reflect the type of information, why we collected it, our legal obligations, and our product development needs.
Default retention guidelines:
- Account records: retained for the life of the account and for ninety (90) days after closure, after which we delete or de-identify account information except limited records retained for security, fraud, and audit purposes for up to one (1) year.
- Billing and tax records: retained for seven (7) years to meet tax, accounting, and audit obligations.
- API logs, telemetry, and Derived Data: retained for up to eighteen (18) months from collection, supporting service quality, evaluation, security, and product development. Enterprise customers may negotiate a shorter retention period.
- Input and Output content: retained only as configured for the relevant product or contract. Where retention is enabled, retention periods may vary by Service, deployment model, customer settings, legal obligations, and applicable agreement, and are generally expected to be approximately ninety (90) days, subject to a maximum retention period of eighteen (18) months.
- Product feedback and quality signals: retained for up to eighteen (18) months from collection or such longer period as reasonably necessary for product development, evaluation, security, compliance, or business operations.
- Support tickets and correspondence: retained for periods reasonably necessary to support customer service, legal compliance, dispute resolution, and business operations, generally not exceeding twenty-four months.
- Marketing records: retained until you opt out or for thirty-six (36) months of inactivity, whichever is sooner, unless a longer retention period is permitted or required by law.
- Backups: purged on a rolling thirty-five (35) day schedule or another reasonable backup lifecycle implemented by Not Diamond from time to time.
- Records required by law or contract: retained for the period required by applicable tax, accounting, regulatory, or litigation-hold obligations.
When personal information is no longer needed, we delete or de-identify it. Backups are purged on a rolling schedule. In some circumstances, we may retain information for longer periods where necessary to comply with legal obligations, resolve disputes, enforce agreements, protect the security or integrity of the Services, or support legitimate business purposes.
14. Security Practices
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and loss. These may include, as appropriate to the Services and risk profile:
- encryption of data in transit and at rest;
- role-based access controls and least-privilege principles;
- network segmentation and endpoint protection;
- vulnerability management, penetration testing, and continuous monitoring;
- secure software development practices and code review;
- vendor security review and ongoing oversight;
- written security policies, employee training, and background checks where permitted; and
- a documented incident response program.
Internal access controls. Access to Customer Data and Derived Data by Not Diamond personnel is limited to authorized employees and contractors with a documented operational need (such as engineering, security, abuse response, customer support, or compliance) and is governed by role-based access controls, the principle of least privilege, and centralized authentication. Privileged access may be audited and logged. We limit access to Customer Data for specific purposes, including to operate the Services, respond to a customer's support request, investigate suspected security or abuse violations, or comply with law.
No security program is perfect. If you believe your account or any Content has been compromised, contact us immediately at security@notdiamond.ai.
15. User Rights and Privacy Choices
Depending on where you live, you may have the right to:
- access the personal information we hold about you;
- correct inaccurate or incomplete personal information;
- delete personal information, subject to certain exceptions;
- receive a portable copy of personal information you have provided;
- restrict or object to certain processing;
- withdraw consent where processing is based on consent; and
- opt out of marketing communications.
To exercise these rights, email legal@notdiamond.ai or use the request form in your account. We will verify your identity using information already on file (typically email confirmation; for sensitive requests, additional verification). You will not be discriminated against for exercising your rights.
Authorized agents. If you submit a request as an authorized agent on behalf of a consumer, we will require proof of authorization (such as a written, signed permission or a valid power of attorney) and may require the consumer to verify their identity directly.
Appeals. If we deny your request, you may appeal by replying to our response. We will respond to appeals as required by applicable law.
Customer Data. If your request relates to personal information we process on behalf of a Not Diamond customer (for example, your employer), we will refer the request to that customer and assist them in responding, consistent with our customer agreement.
16. California Privacy Rights (CCPA/CPRA)
If you are a California resident, this section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA").
16.1 Categories of Personal Information We Collect
In the past twelve months, we have collected the following categories of personal information:
- Identifiers: name, email, account ID, IP address, online identifiers.
- Customer records: billing contact, phone, and address.
- Commercial information: products purchased, subscription history.
- Internet or network activity: API usage, dashboard interactions, browsing within our Services.
- Geolocation: approximate location derived from IP address.
- Professional information: job title, employer, role (for business contacts and job applicants).
- Inferences: inferences drawn from the above to characterize preferences, behavior, and product needs.
- Sensitive personal information: account credentials, used to authenticate users, secure accounts, prevent fraud and abuse, and operate the Services.
16.2 Sources
We collect personal information from the sources described in Section 3.
16.3 Business Purposes
We use personal information for the purposes described in Section 4 and Sections 5–10.
16.4 Disclosures
In the past twelve months, we have disclosed the categories above to:
- subprocessors and service providers, as described in Section 9;
- professional advisors (lawyers, accountants, auditors, insurers);
- government authorities where legally required; and
- counterparties to corporate transactions, as described in Section 23.
16.5 California Rights
California residents have the right to:
- know what categories and specific pieces of personal information we have collected, used, and disclosed;
- delete personal information, subject to statutory exceptions;
- correct inaccurate personal information;
- limit our use and disclosure of sensitive personal information;
- opt out of the sale or sharing of personal information (we do not sell or share);
- opt in to processing of categories of sensitive personal information where opt-in consent is required; and
- non-discrimination for exercising any of these rights.
16.6 How to Exercise Rights
Contact legal@notdiamond.ai or use the request form linked from our website. We will verify your identity using information already on file. For sensitive requests, additional verification may be required.
16.7 Authorized Agents
You may use an authorized agent to submit a request. We will require written, signed authorization or a valid power of attorney, and we may verify the underlying consumer's identity directly.
16.8 Notice of Financial Incentives
We do not offer financial incentives in exchange for personal information.
16.9 Shine the Light
California residents may request a list of third parties to whom we have disclosed personal information for those third parties' direct marketing purposes. We do not share personal information with third parties for their own direct marketing.
17. Do Not Sell or Share
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not done so in the prior twelve months and have no current plans to begin.
We honor recognized opt-out preference signals, including the Global Privacy Control, where required by applicable law.
18. Sensitive Personal Information
The CCPA defines certain categories of personal information as "sensitive." We collect a limited set of these, primarily account credentials used to authenticate you, and use them only for purposes permitted under the CCPA without an opt-out right, including to provide the Services, secure the platform, prevent fraud, and comply with law. We do not use sensitive personal information to infer characteristics about you.
Opt-in for certain categories. For categories of sensitive personal information that require affirmative consent under California law (such as precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail/email/text messages where Not Diamond is not the intended recipient, genetic data, biometric identifiers, or health, sex life, or sexual orientation information), Not Diamond will not collect or process such categories from California residents without first obtaining opt-in consent, except where permitted by law.
You may also ask us to limit our use of sensitive personal information by contacting legal@notdiamond.ai. Some Services may not function without authentication credentials.
19. Automated Decision-Making and Profiling
The Services include automated decision-making in a technical sense: our router automatically selects among models for each prompt based on signals such as Derived Data, latency, cost, and historical quality. These routing decisions are operational and do not produce legal or similarly significant effects on individuals.
We do not use personal information to make automated decisions about creditworthiness, employment, housing, insurance, education, or other determinations with legal or similarly significant effects on you. If our practices change, we will update this Privacy Policy and provide any additional rights required by law.
20. GDPR and International User Rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, Not Diamond is the controller of personal information processed under this Privacy Policy unless we are acting as a processor for a customer, in which case the customer is the controller. As noted in Section 12, the availability of the Services may vary by jurisdiction and applicable legal requirements.
Lawful bases. We rely on the following bases for processing:
- Contract: to provide and administer the Services you've requested.
- Legitimate interests: to secure the platform, improve our products, prevent fraud, and conduct routine business operations, balanced against your interests and rights.
- Consent: for marketing communications and other limited purposes where consent is required; you can withdraw consent at any time.
- Legal obligation: to comply with tax, accounting, and other legal requirements.
Your rights. In addition to the rights in Section 15, you have the right to lodge a complaint with your local data protection authority. We would appreciate the chance to address your concerns first; please contact us at legal@notdiamond.ai.
21. Children's Privacy
The Services are intended for business users and are not directed to children under the age of 16. We do not knowingly collect personal information from children under 13.
California residents aged 13–15. Under the CCPA, the sale or sharing of personal information of California residents between 13 and 15 years of age requires affirmative opt-in consent from the consumer. We do not sell or share personal information (see Section 17). If our practices change, we will obtain the required opt-in before processing personal information of California residents under 16 in any manner that constitutes a sale or share. Parental consent is required for the sale or sharing of personal information of California residents under 13.
If you believe a child has provided us with personal information, contact legal@notdiamond.ai and we will take appropriate steps to delete it.
22. Account Termination and Data Deletion
You may close your Not Diamond account at any time. We may also suspend or terminate accounts as permitted by our Terms of Use.
When an account is closed or terminated:
- account credentials and active session tokens are disabled;
- personal information associated with the account is deleted or de-identified within the retention periods described in Section 13, subject to legal obligations and the need to retain limited records for security, dispute resolution, and audit;
- residual Derived Data that has been aggregated or de-identified in accordance with applicable law may be retained; and
- enterprise customers may have additional deletion options and timelines under their customer agreement.
23. Business Transfers and Corporate Transactions
If Not Diamond is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal information may be transferred as part of the transaction. We will seek to ensure that personal information transferred in connection with such a transaction remains subject to protections that are materially consistent with those described in this Privacy Policy, subject to applicable law and the requirements of the transaction.
24. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For non-material changes (clarifications, formatting, contact updates), we will post the updated policy at this URL and revise the "Last Updated" date.
Your continued use of the Services after the effective date of any update means you accept the revised Privacy Policy.
25. Contact Information
Not Diamond, Inc. is the controller of personal information processed under this Privacy Policy, except where we act as a processor or service provider on behalf of a customer.
For privacy questions, requests, or complaints:
Email:legal@notdiamond.ai
Security issues:security@notdiamond.ai
Mail: Not Diamond, Inc., 1292 Noe Street, San Francisco, California 94114, USA
We will respond to verifiable requests as soon as reasonably practicable and within the time required by applicable law.