Privacy Policy

This Privacy Policy explains how squiz ("we", "us", "our") collects, uses, and protects personal data when you use squiz.sh and the squiz service (the "Service"). squiz is operated as a sole proprietorship based in Israel and is the data controller for the personal data described here. For privacy questions or to exercise your rights, contact [email protected].

1. Information we collect

Account information. When you sign up we collect your email address, a password (stored only as a salted scrypt hash — never in plain text), and, optionally, a display name.

Configuration you provide. When you connect a deployment you may give it a name and tell us the GPU type, model, inference engine, and (optionally) a metrics URL. API keys you create are stored only as hashes; the full key is shown to you once and never again.

Anonymized agent telemetry (opt-in). If you enable telemetry, the squiz agent sends anonymized measurements: GPU type, model, engine, quantization, regime, your measured "knee" cost per million tokens, the concurrency at that knee, a coarse traffic-volume bucket, and the agent version, tied to a random per-deployment identifier. The agent never sends your prompts, request contents, IP address, or identity.

Billing information. Payments are processed by Paddle (see Section 4); we do not receive or store your full payment-card details. We store your plan and subscription status and the identifiers Paddle provides (such as a customer ID and subscription ID).

Technical and security logs. To operate and secure the Service we record your IP address, timestamps, and the actions you take (an audit log), plus basic HTTP access logs. We deliberately do not log request query strings, so that sensitive tokens are never captured.

Communications. If you email us, we keep your message and contact details so we can respond.

Cookies. We use only strictly necessary cookies: a signed session cookie and a CSRF-protection cookie, both marked HttpOnly and SameSite=Lax (and Secure over HTTPS). We do not use advertising, analytics, or cross-site tracking cookies, so no cookie-consent banner is required to use the Service.

2. How we use your information, and our legal bases

Under the GDPR and UK GDPR we rely on the following legal bases:

• To provide the Service — create your account, run your dashboards, and deliver features (performance of our contract with you).
• To process payments — manage subscriptions and meet tax and accounting rules (contract and legal obligation; handled with Paddle).
• To secure the Service — authentication, rate-limiting, fraud and abuse prevention, and audit logging (our legitimate interest in keeping the Service safe).
• To improve the Service — analyze anonymized telemetry to refine our cost models (your consent when you opt in, and our legitimate interest in product improvement).
• To communicate with you — service and account messages (contract); marketing only with your consent, which you can withdraw at any time.
• To comply with law — meet legal obligations and respond to lawful requests.

3. How we share information

We do not sell your personal data, and we do not "share" it for cross-context behavioural advertising. We disclose data only to the service providers (subprocessors) that help us run squiz, under contracts that require them to protect it:

• Paddle — payment processing and Merchant of Record (billing, tax, receipts, refunds).
• Cloud hosting provider — to host the Service and its database.
• Content-delivery / security network (Cloudflare) — TLS termination, content delivery, and protection against attacks.
• Email delivery provider — to send verification, password-reset, and account emails.
• Error monitoring (optional) — if enabled, to capture diagnostic error reports; it is configured to exclude personal data, request bodies, and IP addresses.

We may also disclose data where required by law, to enforce our agreements, or in connection with a business transfer — always subject to this Policy.

4. Payments and Merchant of Record

Paddle.com is the Merchant of Record for purchases of paid plans. When you pay, your card and billing details are collected and processed by Paddle under Paddle's privacy policy; we receive only the limited billing identifiers needed to manage your subscription. See our Refund & Cancellation Policy for how billing and refunds work.

5. International data transfers

We and our subprocessors may process your data in countries other than your own, including outside the EEA, the UK, and Israel. Where we transfer personal data internationally, we rely on an adequacy decision where one is available, or on appropriate safeguards such as the European Commission's Standard Contractual Clauses (with the UK Addendum where relevant). You can request a copy of these safeguards by emailing us.

6. Data retention

We keep your account data for as long as your account is active and as needed to provide the Service. You can delete your account at any time from your settings; doing so permanently erases your account, deployments, API keys, reports, subscription records, and audit entries from our database. We retain limited records where the law requires (for example, tax and billing records held by Paddle), and security logs for the limited period needed to detect and investigate abuse.

7. Your rights

EU/EEA and UK (GDPR / UK GDPR). You have the right to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time. You also have the right to lodge a complaint with your data-protection supervisory authority (in the UK, the Information Commissioner's Office; in the EEA, your national authority).

California (CCPA/CPRA). You have the right to know what personal information we collect and how we use it, to access and delete it, to correct it, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information — and not to be discriminated against for exercising these rights. We do not sell or share personal information, and we do not use sensitive personal information to infer characteristics. We aim to acknowledge requests within 10 business days and respond within 45 days.

Israel. Under Israel's Protection of Privacy Law you may review and request correction of personal data we hold about you, and may complain to the Israeli Privacy Protection Authority.

To exercise any right, email [email protected]. Many requests can also be self-served: you can export your data and delete your account directly from your settings.

8. Automated decision-making

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Our cost models analyze hardware and engine telemetry, not individuals.

9. How we protect your data

We use industry-standard safeguards, including encryption in transit (TLS/HSTS), salted scrypt password hashing, signed HttpOnly session cookies, CSRF protection, hashed API keys, parameterized database queries, protection against server-side request forgery, rate-limiting, and strict per-account isolation so that one customer cannot access another's data.

10. Children

The Service is a business tool not directed to children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

11. Changes to this Policy

We may update this Policy from time to time. We will post the new version here and update the "Last updated" date, and will provide additional notice for material changes.

12. Contact

Data controller: squiz — [email protected].