Privacy Policy

A2 Labs Inc. (d/b/a Makora Inc.) (“Company,” “we,” “us,” or “our”) operates an inference platform that hosts and serves open-source machine-learning models via API and related interfaces (the “Service”). This Privacy Policy explains what information we collect, how we use and share it, how long we keep it, and the choices and rights you have.

Effective date: June 11, 2026 Last updated: June 11, 2026

This policy is published at https://makora.com/privacy, and prior versions are archived for audit purposes.

  1. Scope and How to Read This Policy

This Policy applies to all visitors, account holders, and end users who access the Service, regardless of subscription tier. It covers:

  • Information about you as our customer (the person or entity that holds an account and pays for the Service); and

  • Inputs and Outputs (the prompts, files, context, and other content you submit to a model, and the content the model returns).

Where you use the Service to process personal data belonging to your own end users, you are typically the controller of that personal data and we act as your processor (or “service provider”). In those cases, the data-processing terms in our Data Processing Agreement (“DPA”) govern, and they control over this Policy to the extent of any conflict. See Section 11.

The Company acts as the data controller for account and billing data, and as a processor for customer Inputs and Outputs.

  1. The Information We Collect

2.1 Information you provide to us

  • Account and identity data: name, business email, company name, job title, and login credentials.

  • Billing data: billing address, tax identifiers (e.g., VAT ID), and payment-method metadata. Card numbers are collected and stored solely by our third-party payment processor and never touch our servers.

  • Support and communications data: messages you send to support, survey responses, and similar correspondence.

  • Inputs and Outputs: the content you submit to models and the content models generate in response. Inputs may contain personal data if you choose to include it.

2.2 Information we collect automatically

  • Usage and telemetry data: API request metadata such as timestamps, model name, endpoint, token counts (input/output), latency, HTTP status, request ID, and error logs.

  • Device and connection data: IP address, user-agent, and approximate location derived from IP.

  • Cookies and similar technologies: used on our website and dashboard for authentication, security, and analytics. See Section 9.

2.3 Information from third parties

  • Identity/authentication providers (e.g., Google, GitHub) if you sign in via SSO.

  • Payment processor for transaction status and fraud signals.

  • Security and anti-abuse vendors for bot/fraud detection.

We do not purchase or enrich personal data from data brokers, and we do not intentionally collect special-category (sensitive) data. If you may submit sensitive data via Inputs, see Section 8.

  1. Tiers, Data Retention, and Zero Data Retention (ZDR)

A core part of this Policy is how we handle the Inputs and Outputs you send to and receive from models. Handling depends on your subscription tier.

Tier Inputs/Outputs Retained? Used to Train or Improve Models? Default Retention Window
Starter Yes — retained No (not used for training) 30 days
Developer Yes — retained No (not used for training) 30 days
Developer Pro No — Zero Data Retention (ZDR) No Not durably retained; transient processing only (on-host cache evicted on a rolling, space-available basis — see §3.1)
Pay-as-you-go No — Zero Data Retention (ZDR) No Not durably retained; transient processing only (on-host cache evicted on a rolling, space-available basis — see §3.1)

3.1 What ZDR means

For Developer Pro and Pay-as-you-go, the Service operates in Zero Data Retention mode. This means:

  • Inputs and Outputs are processed transiently — primarily in volatile memory — only for as long as needed to generate and return a response, and are not written to our durable application storage (such as our databases, long-term object storage, or backups).

  • To improve performance, an inference cache (for example, a prefix/context cache) may hold Inputs, Outputs, or values derived from them in volatile memory. In some configurations this cache may also write content to local solid-state (SSD) storage attached to the inference host; any such on-disk cache content is encrypted at rest through full-disk encryption and is not part of our durable retained-content stores or backups.

  • Cached content is evicted on a rolling, space-available basis. We do not currently guarantee deletion of cached content within a fixed time window; cached content may remain on the inference host until it is evicted to make room for new data. Once an entry is evicted or the cache process terminates, the content is no longer retained by us and is not recoverable.

  • Inputs and Outputs are never used to train, fine-tune, evaluate, or otherwise improve any model, ours or a third party’s.

“Zero Data Retention” means we do not durably retain Input/Output content in our databases, object storage, or backups, while still allowing transient in-memory and short-lived on-host cache processing and the retention of non-content operational metadata (see 3.3).

3.2 What retention means for Starter and Developer

For Starter and Developer, Inputs and Outputs are retained for the window above to support features such as debugging, abuse prevention, usage history, and customer support. We do not use this content to train or improve models. After the retention window, content is deleted or irreversibly anonymized on a rolling basis.

Access to retained content is restricted to authorized personnel on a need-to-know basis. Starter and Developer customers cannot opt out of retention except by upgrading to a ZDR tier. Retained content is encrypted at rest using AES-256.

3.3 Operational metadata applies to all tiers (including ZDR)

Regardless of tier — including ZDR tiers — we retain limited operational metadata that does not include the substance of your Inputs/Outputs: timestamps, token counts, model and endpoint used, latency, status codes, request IDs, and account identifiers. We use this for billing, security, capacity planning, and legal compliance. Operational metadata is retained for 12 months and then deleted or aggregated.

3.4 Abuse detection and ZDR

Even on ZDR tiers, automated safety and abuse classifiers may inspect Inputs and Outputs in memory at request time. No content is persisted as a result of this inspection unless a request is flagged, in which case the flagged content may be retained for the limited period necessary to investigate the issue and to comply with a legal or safety hold.

  1. How We Use Information

We use the information described above to:

  • Provide and operate the Service, including routing requests to models and returning Outputs.

  • Authenticate users and secure accounts.

  • Bill and collect payment, including metering token usage.

  • Provide support and respond to your requests.

  • Maintain security, prevent fraud and abuse, and enforce our terms and acceptable-use policy.

  • Monitor, debug, and improve the reliability and performance of the platform (using telemetry/metadata, and — only for non-ZDR tiers and only as permitted — retained content).

  • Comply with legal obligations and respond to lawful requests.

  • Communicate with you about service, security, and (where permitted) product updates.

We do not use customer Inputs/Outputs from any tier to train or improve models.

5.Legal Bases for Processing (EEA/UK)

Where the GDPR or UK GDPR applies and we act as a controller, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you have signed up for and to bill you.

  • Legitimate interests — to secure the Service, prevent abuse and fraud, and improve reliability (balanced against your rights).

  • Legal obligation — to meet tax, accounting, and other statutory duties.

  • Consent — for optional analytics/marketing cookies and marketing emails, where required.

Where we act as a processor for customer Inputs/Outputs, our customer is responsible for establishing a legal basis for that processing.

  1. How We Share Information

We share information only as described here:

  • Subprocessors / service providers who process data on our behalf under contract (see Section 7).

  • Payment processor to complete transactions.

  • Professional advisors (lawyers, auditors, accountants) under confidentiality.

  • Legal, safety, and compliance — to comply with law, enforce terms, or protect the rights, property, or safety of the Company, our users, or the public.

  • Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

We do not sell personal data, and we do not share personal data for cross-context behavioral advertising. The Company does not engage in any “sale” or “sharing” of personal data as those terms are defined under the CCPA/CPRA.

  1. Subprocessors

We use the following categories of subprocessors. The current list is maintained at https://makora.com/subprocessors and customers may subscribe to update notifications.

Subprocessor Purpose Processing Location Applies to ZDR Content?
Amazon Web Services, Inc. (AWS) Compute / inference hosting infrastructure United States Transient processing only; no durable storage of ZDR content
TensorWave, Inc. GPU compute / inference hosting infrastructure United States Transient processing only; no durable storage of ZDR content
Stripe, Inc. Payment processing US / EU No
Microsoft Azure (Azure Database for PostgreSQL — flexible server) Storage of account + (non-ZDR) retained content United States (East 2) No — ZDR content is not stored here
Microsoft Azure (CDN / WAF / DDoS protection) Edge delivery, web-application firewall, DDoS protection United States (East 2) Transient only
Microsoft Azure (logging / metrics) Logging, metrics, telemetry (metadata only) United States (East 2) Metadata only, no Input/Output content
Microsoft Azure (transactional email) Account & security emails United States No
PostHog, Inc. Website / product analytics United States No

All subprocessor rows reflect the infrastructure team’s confirmed answers (AWS and TensorWave for inference compute; Stripe for payments; Microsoft Azure for storage, CDN/WAF, logging, and transactional email; PostHog for analytics). If you want the specific Azure service names itemized publicly (e.g., Azure Front Door, Azure Monitor, Azure Communication Services), confirm and I will expand those rows.

  1. Sensitive Data and Children

The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from anyone under 16.
You should not submit special-category/sensitive personal data (e.g., health, biometric, or government-ID data) as model Inputs unless you have a lawful basis and appropriate safeguards in place; you remain responsible for any such data you choose to submit. The Service is not certified for PCI cardholder data in prompts, and you should not submit it. As with all content, any data you submit is never used to train or improve models on any tier.

  1. Cookies and Analytics

On our website and dashboard we use:

  • Strictly necessary cookies for authentication and security (cannot be disabled).

  • Analytics cookies to understand usage and improve the product (used with consent where required).

You can manage non-essential cookies via our cookie banner or your browser settings. The API endpoints do not set cookies; cookies are limited to the web dashboard and marketing site.

  1. International Data Transfers

We may process and store information in the United States and other countries. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by technical and organizational measures. The Company is not certified under the EU–US Data Privacy Framework and relies on the SCCs for transfers. The Company’s primary processing region is the United States.

  1. Data Processing Agreement

If you are a business customer subject to the GDPR or UK GDPR and we process personal data on your behalf, our Data Processing Agreement (DPA) applies and is incorporated by reference. The DPA includes the SCCs and our subprocessor commitments. To request a countersigned DPA, contact privacy@makora.com.

  1. Your Rights and Choices

Depending on where you live, you may have rights to:

  • Access the personal data we hold about you;

  • Correct inaccurate data;

  • Delete your data;

  • Port your data to another provider;

  • Object to or restrict certain processing;

  • Withdraw consent at any time; and

Lodge a complaint with a supervisory authority (EEA/UK) or your local regulator.

To exercise rights regarding your account data, email privacy@makora.com. For rights requests concerning Inputs/Outputs you processed on behalf of your own end users, the request should be directed to you as controller; we will assist you as your processor under the DPA.

We will respond within the timeframe required by applicable law (generally 30 days under the GDPR/CPRA, extendable where permitted). We will not discriminate against you for exercising your rights.

We maintain an authorized-agent process and an identity-verification process for CPRA requests.

13. Data Security

We maintain technical and organizational measures designed to protect personal data, including encryption in transit (TLS 1.3 for external connections, with encrypted internal transport) and at rest (AES-256), access controls, least-privilege permissions, audit logging, and regular security reviews. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Makora maintains a SOC 2 Type II report and a documented incident-response plan, and notifies affected controllers of a personal data breach without undue delay after becoming aware of it.

14. Data Retention Summary

  • ZDR-tier Inputs/Outputs (Developer Pro, Pay-as-you-go): not durably retained in our databases, object storage, or backups; transiently held on-host inference-cache content is evicted on a rolling, space-available basis with no guaranteed fixed deletion window (see Section 3.1).

  • Non-ZDR Inputs/Outputs (Starter, Developer): 30 days, then deleted/anonymized.

  • Operational metadata (all tiers): 12 months.

  • Account and billing records: retained for the life of the account and thereafter as required for tax/legal purposes (typically 7 years for financial records).

  • Support communications: 24 months.

15. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by posting the updated Policy with a new “Last updated” date and, where appropriate, by email or in-product notice. Your continued use of the Service after an update constitutes acceptance of the revised Policy.

16. Contact Us

Privacy / Data Protection: privacy@makora.com Mailing address: A2 Labs Inc. (d/b/a Makora Inc.), 11 E Loop Rd, Suite #381, New York, NY 10044 EU / UK representatives: We are in the process of appointing representatives in the European Union and the United Kingdom under Article 27 of the GDPR and UK GDPR. Their contact details will be published here once the appointments are complete. In the meantime, individuals in the EU and UK may contact us at privacy@makora.com.

No Data Protection Officer is appointed, as the Company’s processing does not require one under Article 37 GDPR.