Privacy Policy
Last Updated: May 2026

1. Overview

This Privacy Policy explains what information AI Mocker ("we", "us", the "Service") collects when you use the Mock Record Generator, why we collect it, how it is processed, and the choices you have. By using the Service you consent to the practices described here. If you do not agree, please do not use the Service.

2. Information We Collect

2.1. Account information. If you sign in with GitHub or Google (NextAuth.js), we receive the basic profile fields the provider returns — typically your name, email address, avatar URL, and provider account ID. We use this only to identify your account and associate your saved schemas, generation history, and API keys with you.

2.2. Schemas, examples and generation history. When you save a schema or run a generation while signed in, we store the schema text, optional examples, output format and record count, plus a timestamp and a success/error flag. These are stored in our hosted Redis database (Upstash on Vercel) so you can review them on your dashboard. We do not sell or share this data.

2.3. API keys you create on AI Mocker. If you generate an AI Mocker API key (for use against /api/v1/generate) we store a salted PBKDF2 hash of the key — never the plaintext — along with a label, creation date, expiry date, last-used timestamp, and usage counter. Once you copy the plaintext key during creation, we cannot retrieve it again. You can revoke a key at any time from the API Keys page.

2.4. Anonymous usage. You can generate records without an account. For anonymous traffic we use the request IP address (read from x-forwarded-for / x-real-ip) only as a daily-rate-limit identifier (5 generations per IP per day). The IP is not stored against any user profile and is not used for tracking, profiling, or marketing.

2.5. Operational logs. We keep short-retention server logs of generation events — user or anonymous identifier, schema name, record count, output format, success/error flag, and timestamp — capped at 1000 entries (trimmed to 500). These let you see your own generation history and let us debug failures. We do not log the full prompt content of normal traffic.

2.6. Cookies. NextAuth.js sets a session cookie when you sign in. We do not use third-party advertising or analytics cookies on this Service.

3. Third-Party AI Provider Keys (Bring-Your-Own-Key)

The Service can call external AI providers (OpenAI, Anthropic, Google Gemini, Cohere, Mistral, Azure OpenAI). Two key paths are supported:

3.1. Server-provided key (free tier). We use a single OpenAI API key configured server-side to process requests for the free tier. Your prompt content is sent to the provider; their privacy policy applies to that data once it leaves our servers.

3.2. Bring-your-own (BYO) key. If you save your own provider API key in Settings:

  • The plaintext key is stored only in your browser's localStorage. It is not persisted in our database.
  • The key is transmitted to our server only when you trigger a generation, attached to that single request, and used in-memory to authenticate the outbound call to the AI provider.
  • We do not log the key, do not write it to any persistent store on our servers, and do not associate it with your account or your generation history.
  • You are responsible for any usage charges that the AI provider bills against your key.
  • Clearing your browser storage, signing out, or using the "delete my data" option in Settings will remove the key from localStorage.

3.3. Why we transmit your BYO key. The AI provider's API endpoint requires authentication on the request itself, and CORS rules prevent the browser from calling many of these endpoints directly. The key must therefore travel through our server to reach the provider. We have minimised the surface area of that transmission: it occurs only during an active generation request, the key is not echoed back, and a server-side guard refuses to forward your key to any caller-chosen URL or with caller-chosen headers unless you explicitly opt-in by also supplying that override on the same request.

4. Prompt Content and Generated Output

The schema, examples, and output you generate are sent to the chosen AI provider for processing. Generated output is returned to you in the response and, for signed-in users, stored in your generation history. Prompts are not logged in full as part of normal traffic; we only retain the metadata described in section 2.5.

For abuse prevention, requests that trigger our pre-flight intent checks (jailbreak phrases or clearly off-topic wording) are rejected before reaching the AI provider. We may, in future, retain short-retention copies of rejected prompts to tune the abuse filters — if and when that is implemented, this policy will be updated.

5. How We Use Information

  • Authenticate you and personalise your dashboard, saved schemas, and API keys.
  • Process generation requests and return results to you.
  • Enforce per-user / per-IP rate limits and concurrency caps.
  • Detect, investigate and prevent abuse (prompt injection, off-topic abuse, quota drain).
  • Maintain the Service, debug failures and improve reliability.

We do not use your prompts, schemas, or generated output to train any machine-learning model.

6. Sharing and Disclosure

We share information only with:

  • AI providers you choose to use (OpenAI, Anthropic, Google, Cohere, Mistral, Azure) — their handling is governed by their own privacy policies.
  • Hosting and infrastructure providers — Vercel (hosting and edge), Upstash Redis (storage of your account data, schemas, history, and hashed API keys).
  • Authentication providers — GitHub or Google when you choose to sign in with them.
  • Legal authorities where required by law.

We do not sell your information to advertisers and we do not use it for marketing.

7. Data Retention

  • Generation event logs are capped at 1000 entries and trimmed to 500.
  • Saved schemas and per-user history persist until you delete them or delete your account.
  • API key records persist until you revoke them or until they expire (90 days).
  • BYO provider keys live in your browser only; we never persist them.
  • Anonymous-use IP rate-limit counters reset daily at 00:00 UTC.

8. Your Choices and Rights

  • Delete saved data. Use the option in Settings to remove your saved schemas, history and locally-stored BYO keys.
  • Revoke API keys. Manage and revoke AI Mocker API keys from the API Keys page.
  • Request account deletion. Contact us via our GitHub repository to delete your account record.
  • Use the Service anonymously. You can generate records without signing in, subject to the daily IP rate limit.

9. Security

We use TLS for all traffic, store AI Mocker API keys only as PBKDF2 hashes with a unique salt per key, and apply per-user / per-IP rate limits, concurrency caps and prompt-injection defences on the generation endpoints. No system is perfectly secure, however; we cannot guarantee that information transmitted over the Internet is immune to interception.

10. Children

The Service is not directed at children under 13 (or under 16 in jurisdictions that apply that threshold). We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us so we can remove it.

11. International Use

The Service is hosted on infrastructure that may store and process data in multiple regions. By using the Service you consent to your information being processed in those regions, which may have different data-protection laws than your own.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of the page reflects the most recent revision. Material changes will be highlighted on this page; your continued use of the Service after a revision constitutes acceptance of the updated policy.

13. Contact

For privacy questions or requests, please contact us through our GitHub repository.