Privacy Policy

Effective Date: April 12, 2026 · Last Updated: April 12, 2026

1. Who We Are

Carrot Labs AI, Inc. (“Carrot Labs,” “we,” “us,” or “our”) operates SuperPenguin, an AI cost management platform that helps teams track, attribute, and optimize LLM spend across providers like OpenAI and Anthropic.

This Privacy Policy explains how Carrot Labs collects, uses, stores, and shares your personal information when you use SuperPenguin, our website, SDK, and any related services (collectively, the “Services”).

If you have questions about this policy or your data, contact us at [email protected].

2. Information We Collect

2.1 Information You Provide

  • Account Information: When you create an account, we collect your name, email address, and authentication credentials.
  • Provider API Keys: If you connect an OpenAI or Anthropic admin key for billing sync, we store those keys encrypted at rest.
  • Communications: When you contact us for support or inquiries, we collect the content of your messages and contact details.

2.2 SDK Telemetry Data

When you use the SuperPenguin SDK, the following cost metadata is collected for each LLM request:

  • AI provider and model name
  • Input and output token counts
  • Estimated cost in USD
  • Request latency
  • Attribution metadata you attach (such as customer_id, feature, team, environment, prompt_key, prompt_version)

The SDK does NOT collect, transmit, or store prompt content, response content, images, tool arguments, or your provider API keys.

2.3 Automatically Collected Information

  • Usage Data: Pages visited, features used, interactions with our Services, timestamps, and referring URLs.
  • Device Information: Browser type, operating system, device identifiers, and IP address.
  • Cookies & Analytics: We may use analytics tools to understand how our Services are used and to improve the user experience.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve SuperPenguin and our Services.
  • Authenticate your identity and manage your account.
  • Display cost analytics, attribution data, and spend dashboards.
  • Sync billing data from connected AI providers.
  • Respond to your support requests and inquiries.
  • Analyze usage patterns to improve product functionality and user experience.
  • Comply with legal obligations and enforce our Terms of Service.

4. How We Share Your Information

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service Providers: With trusted third-party vendors who perform services on our behalf (e.g., hosting, analytics, payment processing), bound by contractual obligations to protect your data.
  • Legal Requirements: When required by law, legal process, or to protect the rights, property, or safety of Carrot Labs, our users, or others.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.

We do not share your data with third parties for advertising, market research, or with data brokers.

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Specifically:

  • Account Data: Retained for the duration of your account. When you delete your account, we will delete or anonymize your data within 30 days, unless retention is required for legal or compliance reasons.
  • SDK Telemetry Data: Cost metadata from SDK requests is retained for the duration of your account to power analytics and dashboards.
  • Provider API Keys: Deleted immediately when you disconnect a provider or delete your account.
  • Usage Analytics: Aggregated, anonymized usage data may be retained indefinitely for product improvement purposes.

6. Data Deletion & Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your personal data.
  • Export your data in a portable format.
  • Disconnect provider integrations at any time through the Settings page.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

7. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. Provider API keys are stored encrypted at rest. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Third-Party Services

Our Services may connect to third-party AI providers (such as OpenAI and Anthropic) to retrieve billing data. This Privacy Policy does not apply to those providers. We encourage you to review the privacy policies of any third-party service you interact with.

9. Children’s Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this page. For material changes, we will provide notice through our Services or by email. Your continued use of the Services after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: