Moxus AI is a model gateway. Request content is forwarded to the upstream model provider you choose. Each provider may have its own data retention, training, and compliance-region rules. Review the selected provider’s policy before sending sensitive production data.
Data Moxus AI handles
| Data type | Examples | Purpose |
|---|---|---|
| Account data | Username, email, account status, created time, last login time | Login, account identification, security notices, and recovery |
| Login credentials | Password hash, passkey binding data, login sessions | Identity verification and account protection |
| Third-party login IDs | Google account ID | Account binding when you use Google sign-in |
| API key settings | Key name, status, quota, expiration, model limits, IP limits, group limits | Authentication, quota control, permission isolation, and abuse prevention |
| Usage and billing data | Request count, input tokens, output tokens, consumed quota, top-ups, refunds | Billing, balance display, usage analysis, and reconciliation |
| API activity records | Time, key name, model, token counts, cost, request ID, IP, latency, stream status | Troubleshooting, cost attribution, abuse prevention, and reports |
| Request metadata | Request parameters, error messages, upstream request ID, system state | Debugging failed requests and improving stability |
| Conversation and file input | Text, images, PDFs, Markdown files, and other content you send through Conversation or APIs | Forwarded to models so they can process and answer |
Information Moxus AI does not ask for
Moxus AI support and docs do not ask you to provide:- Plaintext API keys.
- Login passwords.
- Payment passwords, card passwords, or verification codes.
- Private repository access tokens.
- Identity documents, contacts, or local files unrelated to model calls.
How request content flows
- Your client sends a request to Moxus AI with an API key.
- Moxus AI authenticates the key, checks limits, reserves balance, and processes parameters.
- The request content is forwarded to the upstream provider for the selected model.
- After the upstream response returns, Moxus AI settles usage and records necessary activity logs.
- You can view request activity and cost in Usage.
Retention and visibility
| Data | Visibility | Notes |
|---|---|---|
| Account profile | Current user | Used for profile, security settings, and recovery |
| API key list | Current user | Full keys are shown only once at creation; lists usually show masked keys |
| API activity | Current user | Shows request time, model, token counts, and cost summaries |
| System and error logs | User-visible summary; more diagnostic fields for administrators | Admin-only fields are stripped from normal user views |
| Upstream-processed content | Depends on provider | Request content is sent to the selected model provider; provider policy controls its retention |
Platform protections
- Passwords are stored as hashes, not plaintext.
- API keys are shown in full only once after creation and are masked in lists.
- API keys can have quota, expiration, model, and source IP limits.
- Passkeys are supported for stronger login security.
- Admin-only diagnostic fields are hidden from normal user log views.
- Some privacy-sensitive request fields are filtered or controlled by platform settings, such as
safety_identifier.
What you can do
- Create separate API keys for development, production, and external tools.
- Set low quotas for browser extensions, desktop tools, and test scripts.
- Use source IP limits for server-side projects with fixed outbound IPs.
- Delete keys that are no longer used.
- Never expose keys in frontend code, public repositories, screenshots, or chat messages.
- Review the target provider’s data policy before sending sensitive business data.
If something looks wrong
Balance decreased unexpectedly
Balance decreased unexpectedly
An API key may be leaked
An API key may be leaked
Delete or disable the key immediately, create a new key, and update your app configuration. Then review recent API activity for unusual calls.
The account may be compromised
The account may be compromised
Change the login password, review passkeys and API keys, and delete unknown keys. If the issue continues, contact support with the time range, account email, and request IDs.
