Privacy & compliance

Your data stays where the law says it should.

LeemerLabs is built for organisations that need serious privacy answers, not bullet points. European compute, no training on your data, and an architecture that treats GDPR as a primitive — not a policy PDF taped to a US API.

  • Prompts logged by default: 0
  • EU-hosted compute: 100%
  • Models trained on your data: 0
  • GDPR response window: ≤30d

Four principles

How we handle your data.

No prompt or response logging

On the free tier and the default paid tier, prompt content and model output are not written to disk. Metered usage records only count tokens and model aliases — the text itself is processed in memory and discarded.

EU-only compute

Every inference request is served from GPUs physically located inside the European Union. Ireland (Waterford, Dublin) with failover in Frankfurt. No request is ever routed through a non-EU region.

No training on your data

We do not use any prompt, response, embedding, or artifact produced through the LeemerLabs gateway to train, fine-tune, evaluate, or distil any model. Ever. Your traffic is not a product.

Sub-processors list

We publish a complete list of sub-processors we rely on for hosting, payments, and email. We notify customers in advance of any addition to that list.

What we guarantee

  • Physical compute in the EU (Ireland primary · Frankfurt failover)
  • No prompt content written to persistent storage (default)
  • No model training on customer traffic
  • TLS 1.3 in transit · AES-256 at rest
  • Signed Data Processing Agreement available on request
  • GDPR Article 15–22 request channel (erasure, portability, access)
  • Data residency attestations for regulated customers
  • Optional zero-retention mode on every endpoint

What we don't do

  • Route your requests through US clouds
  • Log prompt or response bodies by default
  • Sell or share any data, for advertising or otherwise
  • Train on customer traffic
  • Require a DPA to deliver basic privacy guarantees
  • Ask for data we don't need

Request lifecycle

From your client to our GPU and back.

  1. TLS 1.3 terminates in Dublin

    Your request arrives at the Irish gateway and is decrypted inside the EU boundary. Nothing is cached here.

  2. Auth + rate limit

    Your API key is verified. A metered record is opened (timestamp, token counts — never body).

  3. Dispatched to H200 inference

    Prompt is forwarded in-memory to an H200 worker in Waterford or Dublin. Never written to disk.

  4. Response streamed back

    Model output streams straight to your client. Worker memory is freed at end of request.

  5. Metered record finalised

    Token counts and latency are written. Under zero-retention mode, even this is purged after reconciliation.

Sub-processors

The full list.

We publish every company that touches customer data. If this list changes, customers are notified at least 30 days in advance.

| Sub-processor | Purpose | Location | Data scope |
|---|---|---|---|
| Equinix DB1 / DB4 | Colocation | Dublin, IE | Compute (encrypted) |
| Digital Realty DUB9 | Colocation (failover) | Dublin, IE | Compute (encrypted) |
| Stripe Payments Europe | Payments | Dublin, IE | Billing only |
| Fastmail | Transactional email | Sydney → EU | Email addresses |
| Cloudflare EU | DDoS + TLS | EU PoPs | Request metadata |

FAQ

The honest answers.

Where exactly is my data processed?

Requests hit our gateway in Dublin, Ireland. Inference is served from H200 GPUs in Waterford and Dublin. Failover, when triggered, routes to Frankfurt, Germany. Nothing leaves the EU.

What is retained about my requests?

By default: a metered record of (timestamp, API key prefix, model alias, input tokens, output tokens, latency, status code). That's it. No prompt body, no response body.

What is zero-retention mode?

Available on every endpoint. When enabled, even the metered record is purged after invoicing reconciliation. The only thing that survives is the aggregate monthly total.

Do you train on my data?

No. We do not use prompts, completions, embeddings, or fine-tuning artifacts produced through LeemerLabs to train or improve any model.

How do I exercise a GDPR request?

Email privacy@leemerlabs.ie with the nature of the request (access, erasure, portability, rectification, objection). We respond within 30 days per Article 12(3).

Can I get a Data Processing Agreement?

Yes. Standard DPA at /legal/dpa. Custom DPAs for regulated industries (health, finance, public sector) on request.

What sub-processors do you use?

Hosting: Equinix DB1/DB4 and Digital Realty DUB9 (Ireland). Email: Fastmail (Australia → EU mail). Payments: Stripe Payments Europe (Ireland). That is the full list today.

Is the AI Act relevant to me as a LeemerLabs customer?

We operate as an infrastructure provider. Depending on your use case you may be a deployer or provider of a GPAI or high-risk system — in which case we provide the technical documentation and transparency artifacts required to support your compliance.

Questions about privacy

Email our privacy lead directly.

Regulated industry? Public sector? Running a GPAI deployment? We handle DPAs, sub-processor attestations, and data residency documentation for teams that have real compliance obligations.