typed

typed Privacy Policy

Effective date: 2026-05-11

Tier-aware sections: Several sections below distinguish between the solo tiers (Starter, Pro, Max -- single-user subscriptions, local-only codebase context) and the team tiers (Team, Team Max -- multi-user accounts with opt-in server-side hosted codebase indexing). The data we collect, process, store, and share is materially different between the two; the sections labeled "Team / Team Max only" apply only to customers who have explicitly subscribed to those tiers and uploaded codebases for indexing.

1. Who We Are

typed is a coding-assistant SaaS operated by Yaw Labs LLC (a Delaware limited liability company, "Yaw Labs," "we," "us," "our"). typed lives at typed.cloud, app.typed.cloud, api.typed.cloud, and status.typed.cloud. This Privacy Policy explains how we collect, use, share, and protect personal data when you use the typed service.

If you have questions, contact us at privacy@typed.cloud.

2. What This Policy Covers

This Privacy Policy covers:

  • The typed marketing site (typed.cloud and subdomains).
  • The typed dashboard (app.typed.cloud).
  • The typed API endpoint (api.typed.cloud).
  • The typed status page (status.typed.cloud).
  • Email and customer-support communications with typed.

It does NOT cover third-party services that you may use alongside typed (e.g., Claude Code itself, your IDE, your git host). Those services have their own privacy policies.

3. What Data We Collect

3.1 Account data

When you sign up, we collect:

  • Email address (required for magic-link authentication and account recovery).
  • Billing information (processed by our payment processor, Lemonsqueezy -- we do not store card details).
  • API keys you generate (we store a salted hash, not the raw key).

3.2 Usage data

When you use the typed API, we record:

  • Timestamp of each request.
  • Internal model identifier used (typed-max, typed-xhigh, typed-high, typed-medium, typed-low, typed-minimal). Legacy aliases (typed-pro, typed-fast, typed-long-context) still resolve for backward compatibility and are recorded under their canonical identifier.
  • Input token count, output token count, cached token count.
  • Internal routing identifier (which upstream model destination served the request -- for our ops visibility, never returned to you).
  • Request latency.
  • API key used (by hash reference).
  • HTTP status code returned.

We do NOT store the content of your prompts or responses by default. See §3.4 for the limited exceptions.

3.3 Source code (solo tiers -- Starter / Pro / Max)

We do not store your source code. On the solo tiers, typed is pure routing; local context (file content, codebase indexing, retrieval) is handled by the client you use (the typed CLI, Claude Code, Cursor, Continue, Aider, or any other Anthropic-API-compatible client) on your machine. Whatever your client decides to include in a prompt does flow through us at request time (see §3.4), but we do not persistently store source code or build a server-side index of your repository on the solo tiers.

3.3a Source code (Team / Team Max only -- opt-in via subscription)

If you subscribe to a Team or Team Max tier and use the hosted codebase-indexing feature, the following applies. Subscribing to a Team-class tier IS the consent: by checking out a Team / Team Max plan you affirmatively authorize the processing described in this section. Customers on the solo tiers never trigger this surface.

When you upload a codebase via the dashboard or POST /v1/codebases/{id}/files:

  • The uploaded files are stored at rest in our database (AWS RDS, US-region). Storage is encrypted at rest (AES-256) per §9.
  • The files are chunked (function / class boundaries via tree-sitter) and embedded via Voyage AI (voyage-code-3 model, see §5.1) into a vector index in our database.
  • At request time, when your client sends x-typed-codebase: <id> on a /v1/messages call, we run server-side retrieval against the indexed codebase, select the most relevant chunks for your request, and inject those chunks into the inference request alongside your prompt.

What flows where:

  • Codebase content at rest stays in our database (AWS RDS, US-region). It is not forwarded verbatim to OpenRouter or to upstream model providers.
  • Retrieved chunks (the small subset of codebase content that is most relevant to a given request) flow through the standard inference path described in §5.1, exactly like the rest of your prompt content. They are subject to the same ZDR + no-training routing constraints (§5.3).
  • Embeddings are computed by Voyage AI (see §5.1); the embedding request sends the chunk text to Voyage for embedding generation. Voyage's terms govern that processor relationship.

Retention: codebase content is retained for the duration of your active Team / Team Max subscription, plus a 30-day post-cancellation grace period to allow for resubscription without re-upload. After the grace period, codebase content is hard-deleted from our database and backups within 14 days. You can purge any codebase immediately at any time by emailing privacy@typed.cloud from the address on your account; we will hard-delete the named codebase from our live database and rolling backups within 14 days.

3.4 Prompt and response content (default OFF; opt-in only for support)

By default, we do not retain the content of your prompts or model responses. The internal proxy reads them in-memory to perform routing and translation, but discards them after the request completes.

Exceptions (opt-in only):

  • If you explicitly request support for a specific request, we may retain that request's content for up to 30 days for debugging purposes. You opt in per-request when contacting support.
  • Aggregate usage statistics (request counts, token counts, latency) are retained per §3.2 and do not contain content.

4. How We Use Your Data

We use the data described in §3 to:

  • Provide the typed service (route your requests, enforce quotas, bill correctly, surface usage metrics in your dashboard).
  • Improve the service (debug failures, plan capacity, evaluate routing decisions). For this use, we use the metadata in §3.2, NOT the content in §3.4.
  • Communicate with you (account notifications, billing notifications, security advisories).
  • Comply with legal obligations (tax reporting, response to lawful process).

We do NOT:

  • Train AI models on your prompts, responses, or code.
  • Sell your data to third parties.
  • Share your data with advertisers.

5. Third-Party Services in Our Data Flow

To deliver the typed service, we send your requests through a chain of third-party processors. This section is the data-flow chain disclosure required by GDPR Article 13.1.f and FTC material-disclosure principles. Read carefully.

5.1 The data-flow chain

When you make a request to api.typed.cloud:

  1. typed (Yaw Labs LLC) -- US-based. Authenticates your request, enforces your quota, applies our coding-tuned system prompt, performs prompt-cache lookup. Servers are operated in AWS (us-west region by default).

  2. Voyage AI -- US-based. Voyage is used for two distinct embedding flows:

    • Knowledge layer (every paid tier, always on). The latest user-text turn of your prompt is embedded by Voyage at request time to retrieve relevant snippets from a knowledge corpus typed authors and maintains. The matched snippets are prepended to your prompt before inference.
    • Hosted codebase indexing (Team / Team Max only, opt-in via subscription). Source-code chunks you upload are embedded by Voyage at upload time into a vector index in our database; per-request queries are embedded at request time to retrieve the most relevant chunks for injection. See §3.3a for the codebase-storage details and retention semantics.

    Voyage's privacy policy lives at https://www.voyageai.com/legal/privacy-policy. Embedding requests are stateless; Voyage does not retain or train on the inputs per its standard terms.

  3. OpenRouter Inc. -- US-based (Delaware). Receives the request from typed via https://openrouter.ai/api/v1. OpenRouter forwards the request to the appropriate underlying model provider based on typed's per-request routing. OpenRouter's privacy policy lives at https://openrouter.ai/privacy.

  4. Underlying model providers:

    • MiniMax (Shanghai Xiyu Information Technology Co. Ltd.) -- a Chinese AI company providing inference for typed's text traffic at effort tiers high and above (max / xhigh / high). Their published terms live at https://intl.minimaxi.com/protocol/terms-of-service. Data sent to MiniMax may be processed on infrastructure located in mainland China.
    • DeepSeek -- a Chinese AI company providing inference for typed's lower-effort text traffic (medium / low / minimal tiers). Their published terms live at https://chat.deepseek.com/downloads/DeepSeek%20Terms%20of%20Use.html. Data sent to DeepSeek may be processed on infrastructure located in mainland China.
    • Moonshot AI PTE. LTD. -- a Singapore-registered AI company providing inference for typed's multimodal traffic (any request containing image or video content). Their published terms live at https://platform.kimi.ai/docs/agreement/modeluse. Data sent to Moonshot may be processed on infrastructure that includes mainland China routing.

5.2 Cross-border data transfer

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your request data is transferred outside the EEA to:

  • The United States (typed's servers, OpenRouter's servers, Voyage AI's servers).
  • China (MiniMax's and DeepSeek's infrastructure, when your request routes to those providers).
  • Singapore and potentially China (Moonshot's infrastructure, when your request routes to Moonshot).

Tier-aware addendum (Team / Team Max). If you subscribe to a Team or Team Max tier and upload codebases for hosted indexing (per §3.3a), your codebase content at rest is stored only in our US-region AWS infrastructure. It is not transferred to MiniMax, DeepSeek, Moonshot, or any non-US processor in its full form. The only codebase content that crosses borders is the small subset of chunks that retrieval selects for a given inference request -- those chunks travel through the same inference path as the rest of your prompt (US-based typed.cloud -> US-based OpenRouter -> the routed model provider). Voyage AI (US-based, see §5.4) processes embedding requests for the chunks at indexing time and at request time, which is a US-to-US transfer.

We rely on the following lawful bases for these transfers under GDPR Article 49:

  • Performance of a contract (Article 49.1.b) -- the transfer is necessary to provide the service you have purchased.
  • Explicit consent (Article 49.1.a) -- by accepting this Privacy Policy at signup, you explicitly consent to the cross-border transfer described in this section.

We do NOT currently rely on Standard Contractual Clauses (SCCs) or adequacy decisions with respect to the China leg of the transfer. The China data flow happens via OpenRouter's contractual relationship with the underlying providers. If transfer to China is unacceptable for your use case, do not use typed for that work. We are working on offering an EU-routing-only tier in a future release; until then, our service should not be used for data that cannot lawfully be transferred to China.

5.3 OpenRouter privacy configuration (key fact)

Our OpenRouter account is configured for:

  • Zero Data Retention (ZDR): OpenRouter does not retain the content of your prompts or responses beyond the duration of the request. OpenRouter's ZDR feature is documented at https://openrouter.ai/docs/guides/features/zdr.
  • No-training routing: OpenRouter is configured to route only via underlying providers that have contractually agreed to not train their models on customer prompts. OpenRouter's provider routing policy is documented at https://openrouter.ai/docs/guides/privacy/logging.

In plain English: even though your request transits OpenRouter and an underlying model provider, neither of them retains your prompts beyond the moment of inference, and neither of them uses your prompts to train future models.

If at any time the routing constraint above cannot be satisfied for a specific request (e.g., the no-training-compliant providers are all unavailable), our system will return an error rather than fall back to a non-compliant provider.

5.4 Other third-party processors

In addition to the inference data flow, we use:

  • Lemonsqueezy -- US-based. Processes billing. Lemonsqueezy's privacy policy lives at https://www.lemonsqueezy.com/privacy. Data sent: billing information, subscription state.
  • AWS -- US-based. Hosts typed's servers, database, and cache. Data: all customer data typed itself stores.
  • AWS SES -- US-based. Sends transactional email (magic-link sign-in, billing notices). Data sent: your email address + the email body.

6. Who We Share Your Data With

Beyond the third-party processors in §5, we share your data only:

  • With your explicit consent (case-by-case).
  • To comply with legal process (subpoena, court order, etc.).
  • To protect our rights and safety (fraud prevention, abuse response).
  • In connection with a merger, acquisition, or sale of business assets (we will notify you before such a transfer occurs).

We do not sell personal data.

7. Data Retention

Data type Retention
Account email + auth metadata Until account deletion + 90 days
API keys (hashed) Until you revoke; revoked keys retained for 90 days for audit
Usage records (timestamps, token counts, no content) 24 months
Prompt / response content Not retained, except per §3.4 opt-in for support (30 days max)
Uploaded codebases (Team / Team Max only) Active subscription + 30-day post-cancellation grace, then hard-deleted within 14 days
Codebase embeddings (Team / Team Max only) Same as the codebase content -- deleted with the codebase
Billing records 7 years (US tax law minimum)
Server logs (request metadata, no content) 30 days

You can request deletion of your account at any time. We will delete account data within 30 days of your request, subject to legal-retention requirements (e.g., billing records). For uploaded codebases (Team / Team Max only), you can additionally trigger immediate deletion of a specific codebase by emailing privacy@typed.cloud from the address on your account without affecting the rest of your account.

8. Your Rights

If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your personal data.
  • Restriction: ask us to limit how we process your data.
  • Portability: receive a copy of your data in a portable format.
  • Objection: object to certain types of processing (we honor opt-outs).
  • Withdraw consent: if our processing relies on consent, withdraw it at any time (this does not affect processing before withdrawal).

If you are in California, you have analogous rights under the CCPA:

  • Right to know what personal data we collect.
  • Right to delete personal data.
  • Right to opt out of "sale" of personal data (we do not sell).
  • Right to non-discrimination for exercising these rights.

To exercise any of these rights, email privacy@typed.cloud from the email address on your typed account. We respond within 30 days for GDPR and 45 days for CCPA.

Team / Team Max codebase erasure. If you are a Team or Team Max subscriber and want to delete a specific uploaded codebase without affecting your account or other codebases, email privacy@typed.cloud from the address on your account and name the codebase to be removed. Embeddings and chunks are removed from our live database and from rolling backups within 14 days.

9. Security

We protect your data with the following technical and organizational measures:

  • TLS 1.3 in transit (enforced by Caddy at the ingress).
  • AES-256 encryption at rest for database and cache (AWS RDS + ElastiCache encryption-at-rest).
  • API keys stored as salted hashes, never in plaintext.
  • AWS IAM role separation between typed application and infrastructure.
  • AWS Secrets Manager for third-party credentials.
  • ZDR + no-training routing on the OpenRouter account (§5.3); enforced per-request via the data_collection: 'deny' flag (defense in depth).
  • Network policy isolation between typed and other namespaces in our Kubernetes cluster.
  • Codebase content (Team / Team Max) is stored only in our US-region AWS infrastructure; access is gated by your tier subscription and your account credentials.

No system is perfectly secure. If you suspect unauthorized access to your account, contact security@typed.cloud immediately.

10. Cookies and Tracking

We use:

  • Essential cookies -- session authentication on app.typed.cloud. Cannot be disabled.
  • Functional cookies -- remembering UI preferences. Can be disabled in browser settings.

We do NOT use:

  • Marketing cookies.
  • Advertising tracking pixels.
  • Third-party analytics that share data with advertisers.

For server-side analytics (request counts, page views, anonymized), we use our own infrastructure (Prometheus + internal aggregation). No third-party analytics provider sees identifiable data.

11. Children's Privacy

typed is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided data to us, contact privacy@typed.cloud for deletion.

12. Changes to This Policy

We may update this Privacy Policy. When we do:

  • Material changes (new data-sharing categories, changes to retention, changes to the data-flow chain in §5) will trigger an email notification to active customers at least 30 days before the change takes effect.
  • Non-material changes (clarifications, formatting, contact info updates) will be reflected in this document with an updated effective date.

The current version is always available at typed.cloud/privacy. Past versions are kept on request; email privacy@typed.cloud.

13. Contact

  • General privacy questions: privacy@typed.cloud
  • Security incidents: security@typed.cloud
  • GDPR Data Protection Officer: Not currently appointed. Yaw Labs LLC does not meet the GDPR Article 37 mandatory-DPO thresholds (250+ employees, public-authority status, or large-scale systematic monitoring of data subjects). We will appoint a DPO if processing volume crosses those thresholds; the appointment will be reflected here.