Fenra Data Processing Addendum
Last updated: 17.12.2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service between O.D. Hechim ("Provider," "Fenra," "Processor," "we," "us") and the customer entity entering into the Terms ("Customer," "Controller," "you").
This DPA applies only to the extent Provider processes Customer Personal Data on behalf of Customer in connection with the Service.
If there is a conflict between this DPA and the Terms regarding processing of Customer Personal Data, this DPA controls. All other terms remain unchanged.
1. Definitions
Capitalized terms not defined in this DPA have the meanings in the Terms.
- "Applicable Data Protection Laws" means laws and regulations applicable to the processing of Customer Personal Data under the Terms, including where applicable the EU General Data Protection Regulation ("GDPR") and any local implementing laws.
- "Customer Data" has the meaning in the Terms.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Customer Personal Data" means Personal Data included in Customer Data that Provider processes on behalf of Customer.
- "Processing" has the meaning given in GDPR Article 4.
- "Subprocessor" means a third party engaged by Provider to process Customer Personal Data.
- "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
2. Roles and Scope
2.1 Customer as Controller
Customer determines the purposes and means of processing Customer Personal Data. Customer is responsible for ensuring it has a lawful basis to collect and provide Customer Personal Data to Provider, including providing required notices and obtaining required consents.
2.2 Provider as Processor
Provider will process Customer Personal Data only on documented instructions from Customer, as set out in the Terms, this DPA, and Customer’s configuration and use of the Service, unless Provider is required to do otherwise by applicable law.
If Provider is required by law to process Customer Personal Data other than as instructed, Provider will inform Customer of that requirement unless prohibited by law.
2.3 Provider as Controller for Provider Controlled Data
This DPA does not apply to personal information that Provider processes as an independent controller, such as account administration, billing, fraud prevention, and communications with Customer. Those activities are covered by the Privacy Policy.
2.4 Excluded Data
The Service is not designed to process special categories of personal data (sensitive data) such as health data, biometric data, precise location data, political opinions, religious beliefs, or information about children.
Customer must not submit such data to the Service unless the parties expressly agree in writing.
3. Details of Processing
The subject matter, duration, nature, and purpose of processing, and the categories of data and data subjects are described in Annex 1.
4. Customer Instructions
Customer instructs Provider to process Customer Personal Data to provide the Service, including authentication, organization and user management, transaction ingestion and analytics, alerts and notifications, billing administration related to the Service, and support.
Customer’s documented instructions include:
- The Terms, this DPA, and Customer’s use of Service features and configurations.
- Support requests submitted by Customer or its authorized Users.
Provider may refuse to comply with instructions that are unlawful, outside the scope of the Service, inconsistent with this DPA, or not technically feasible.
4.1 Customer Controls
Customer is responsible for configuring the Service, including roles, permissions, invitations, API Keys, and metadata fields.
Customer is responsible for determining whether and how to include Personal Data in transaction payloads, custom metadata, notification content, dashboards, or reports.
4.2 Prompts and Model Outputs
The Service does not require and does not collect prompt text or model output content as a product feature.
However, Customer may choose to include prompt text, model outputs, or other content within metadata fields or payloads. If Customer does, that content is Customer Data, and Customer is responsible for ensuring it is lawful and appropriate to submit.
4.3 High Risk Use
Customer must not use the Service for decisions producing legal or similarly significant effects about individuals where the underlying inputs include Customer Personal Data, unless Customer has implemented appropriate safeguards and has all required lawful bases.
4.4 Cost, Usage, and Estimation Outputs
Provider may generate estimates and analytics based on Customer provided data, public pricing information, and internal configurations. Customer remains responsible for verifying outputs and for any actions taken based on them.
5. Confidentiality
Provider will ensure persons authorized to process Customer Personal Data are subject to confidentiality obligations.
6. Security Measures
Provider will implement appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents, taking into account the nature of processing and risks.
Measures may include:
- Logical access controls and role based authorization within the Service.
- Encryption in transit using HTTPS.
- Segregation of Customer data using organization scoped access controls.
- Secure secret handling through managed secret storage.
- Monitoring and logging for security and reliability.
- Backup and recovery practices.
Customer acknowledges that no system is completely secure. Provider’s obligation is to implement reasonable and appropriate measures, not to guarantee absolute security.
7. Subprocessors
7.1 Authorized Subprocessors
Customer authorizes Provider to use Subprocessors to provide the Service.
Provider currently uses Subprocessors such as:
- Supabase for authentication and related services.
- SendGrid for email delivery.
- AWS for hosting, compute, storage, database, and messaging.
- A payment provider for subscription payments.
7.2 Subprocessor Obligations
Provider will impose data protection obligations on Subprocessors that are consistent with Provider’s obligations under this DPA.
7.3 Subprocessor Changes
Provider may add, replace, or remove Subprocessors.
Where required by Applicable Data Protection Laws, Provider will provide a mechanism to notify Customer of material Subprocessor changes.
Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice to support@fenra.io within fifteen (15) days of notice. If the parties cannot resolve the objection within a reasonable period, Provider may, at its discretion, not use the Subprocessor for Customer Personal Data, provide a commercially reasonable alternative, or allow Customer to terminate the affected Services.
To the extent permitted by law, such termination is Customer’s sole and exclusive remedy for Subprocessor changes.
8. International Transfers
Customer acknowledges that Customer Personal Data may be processed in countries other than Customer’s country, depending on Provider’s infrastructure and Subprocessors.
Where GDPR applies and Customer Personal Data is transferred to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, such as the EU Standard Contractual Clauses ("SCCs"). If needed, Provider will make available SCCs or an equivalent transfer mechanism.
9. Assistance
9.1 Data Subject Requests
Considering the nature of processing, Provider will provide reasonable assistance to Customer to help Customer respond to data subject requests, to the extent Customer cannot do so through the Service.
Customer is responsible for responding to data subject requests. Provider may require verification of the request and Customer’s authority.
9.2 DPIAs and Prior Consultation
Where required and appropriate, Provider will provide reasonable assistance with data protection impact assessments and prior consultations, taking into account the information available to Provider and the nature of processing.
Provider may charge reasonable fees for assistance under this Section 9, unless prohibited by law.
10. Security Incidents
Provider will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data.
Provider’s notification will be sent to Customer using the contact details associated with the Customer account, or to another address designated by Customer in writing.
Provider’s notification will include, to the extent known:
- A description of the Security Incident.
- The categories of Customer Personal Data affected.
- Steps Provider has taken or plans to take to mitigate.
- Information reasonably necessary for Customer to comply with its notification obligations.
Customer is responsible for notifications to regulators and individuals unless Provider is required by law to make them.
11. Deletion and Return
Upon termination or expiration of the Services, Provider will delete Customer Personal Data in accordance with the Terms, Customer’s configurations, and applicable law.
Customer acknowledges that deletion may not immediately remove data from backups. Backups are retained for limited periods and protected, and will be deleted in the ordinary course.
If Customer requests a return of Customer Personal Data in a commonly used format, Provider may provide export functionality available within the Service or may provide a reasonable export upon request, subject to technical feasibility and reasonable fees.
12. Audits
12.1 Audit Information
Provider will make available information reasonably necessary to demonstrate compliance with this DPA.
12.2 Audit Requests
Where GDPR applies, Customer may audit Provider’s compliance with this DPA no more than once per year and only with at least thirty (30) days’ prior written notice.
Audits must:
- Be limited to data protection controls relevant to Customer Personal Data.
- Be conducted during normal business hours.
- Not unreasonably interfere with Provider’s operations.
- Be subject to confidentiality.
Provider may satisfy audit obligations by providing third party reports, summaries, or evidence that reasonably demonstrates compliance.
Customer will bear its audit costs and reimburse Provider for reasonable time and expenses associated with supporting an audit.
13. Customer Obligations
Customer will:
- Ensure lawful collection and provision of Customer Personal Data.
- Avoid submitting sensitive data unless expressly agreed.
- Configure access controls and roles responsibly.
- Secure API Keys and credentials.
- Use the Service in compliance with Applicable Data Protection Laws.
14. Limitation of Liability
The limitation of liability in the Terms applies to this DPA to the maximum extent permitted by law.
15. Order of Precedence
If there is a conflict between this DPA and the Terms relating to processing of Customer Personal Data, this DPA controls.
16. Signatures
This DPA is effective when Customer accepts the Terms and uses the Service, or when otherwise executed by the parties.
Annex 1. Processing Details
A. Subject Matter
Provision of the Service, including account and organization management within the Service, API key management, ingestion of LLM transaction records, analytics and reporting, alerts and notifications, and support.
B. Duration
For the term of the Services, plus any retention period described in the Terms, plan limits, the Privacy Policy, and as required by applicable law.
C. Nature and Purpose
- Authenticate users and manage sessions.
- Manage organizations, team members, and invitations.
- Store API key records as hashed values and related metadata.
- Ingest and process LLM transaction records and related metadata.
- Compute analytics, dashboards, reports, and notifications.
- Provide customer support and incident response.
- Maintain security, operational monitoring, and audit logs.
D. Categories of Data Subjects
- Customer’s authorized users.
- Customer’s personnel whose details appear in invitations, alerts, or billing contacts.
- Individuals whose identifiers or information may be included by Customer in transaction payloads or metadata.
E. Categories of Personal Data
- Contact information such as name and email.
- Organization membership and role.
- Authentication identifiers and session related information.
- Invitation and notification recipient data.
- Billing contact data.
- Technical data such as IP address and user agent.
- Any Personal Data Customer chooses to include in transaction payloads or metadata.
F. Special Categories of Data
Not intended. Customer must not submit special categories unless expressly agreed in writing.
Annex 2. EU SCCs. Optional Module
If GDPR applies and SCCs are required for an international transfer, the parties will incorporate the applicable SCC module(s) by reference and complete the relevant annexes.
Provider can provide a completed SCC package for signature on request.