Legal

Terms of Service

Last updated: March 2026

1. Agreement to Terms

By accessing or using ekuri.ai ("Service"), operated by EKURI ("Company", "we", "us", "our"), you agree to be bound by these Terms of Service. If you disagree with any part of these terms, you do not have permission to access the Service.

2. Description of Service

ekuri.ai provides managed infrastructure for running AI assistants. The Service includes:

Managed Plans (Starter, Pro, Max): Dedicated servers on Hetzner with AI model access included via a credit-based usage system. AI credits are included in your subscription.

Bring Your Own Plan ($15/mo): Dedicated server infrastructure only. AI model access is not included. You must provide your own API keys or AI provider subscriptions (e.g. Anthropic Claude, OpenAI ChatGPT) to use AI features. Ekuri provides the server, networking, security, and maintenance — you provide the AI access. Without connected API keys or subscriptions, the server cannot process AI requests.

3. Account Registration

To use the Service, you must:

  • Be at least 18 years old
  • Provide accurate and complete registration information
  • Maintain the security of your account credentials
  • Accept responsibility for all activities under your account

4. Subscription and Billing

The Service offers the following plan structures:

Monthly subscriptions: Starter ($39/mo), Pro ($79/mo), Max ($149/mo) with monthly credit allowances for multi-model AI usage; and Bring Your Own ($15/mo) for infrastructure-only access where you supply your own AI provider credentials.

Payments are processed through Polar. By subscribing, you agree to:

  • Pay all fees associated with your selected plan
  • Automatic renewal unless cancelled before the billing date
  • Provide valid payment information
  • Understand that the Bring Your Own plan provides infrastructure only — AI model access requires your own API keys or provider subscriptions and is billed separately by those providers

5. Cancellation

You may cancel your subscription at any time through your account settings. Cancellation takes effect at the end of your current billing period. You will retain access until then.

6. Acceptable Use

You agree not to use the Service to:

  • Violate any applicable laws or regulations
  • Generate harmful, illegal, or abusive content
  • Attempt to circumvent usage limits or security measures
  • Register with false, disposable, temporary, or deceptive email addresses to evade verification, billing, or abuse controls
  • Resell or redistribute the Service without authorization
  • Interfere with the Service's operation or other users' access

We may suspend or permanently ban accounts that use disposable email services, abuse trials, evade enforcement, or otherwise violate these Terms. We may also terminate and reclaim associated VPS resources immediately in those cases.

7. Service Availability

We strive for 99.9% uptime but do not guarantee uninterrupted service. We may modify, suspend, or discontinue features with reasonable notice when possible.

8. Limitation of Liability

To the maximum extent permitted by law, ekuri.ai shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, or business opportunities.

9. Changes to Terms

We may update these Terms at any time. Continued use of the Service after changes constitutes acceptance. Material changes will be communicated via email or Service notification.

Privacy Policy

10. Information We Collect

Account Information: Email address, name, and payment details when you register. We may also process email-domain and mail-routing metadata, such as MX records, to detect disposable email services and prevent abuse.

Usage Data: Conversation history with your AI assistant, preferences, and reminders. API usage metrics (model, token counts, credits charged) for billing and abuse prevention.

Technical Data: IP address, browser type, device information, and access logs.

Audit Logs: Administrative access events such as SSH break-glass sessions are logged with timestamps and reason codes for accountability.

Bring Your Own Plan — API Keys and Tokens: If you use the Bring Your Own plan, any API keys, OAuth tokens, or provider credentials you supply are written to your dedicated VPS for runtime use and also retained in encrypted form in Ekuri's control plane database for connection management, masked status display, and disconnect/account-deletion workflows. These credentials are never stored in plaintext in D1 or KV.

11. How We Use Your Information

  • Provide and maintain the AI assistant service
  • Process payments and manage subscriptions
  • Enable AI memory features that personalize your experience
  • Send service-related communications
  • Ensure security and prevent abuse

12. Data Storage

Your data is stored on dedicated Hetzner servers located in EU data centres. Traffic is routed through Cloudflare Tunnel with no publicly exposed ports. SSH access is disabled by default and can only be temporarily enabled through an audited break-glass process with automatic 1-hour revocation. Account and billing data is stored on Cloudflare's global infrastructure (Workers, KV, D1). Cloudflare maintains SOC 2 Type II, ISO 27001, and other security certifications.

All user data at rest — including conversations, workspace files, and VPS backups — is encrypted using AES-256-GCM with per-user keys derived via HKDF-SHA256. Encryption keys are never stored alongside the data they protect.

13. AI and Conversation Data

Managed Plans: Your conversations are encrypted at rest and stored to provide memory features. We do not use your conversations to train AI models or share content with third parties. Conversation data is forwarded to your selected AI provider through our credit-metered proxy solely to generate responses and is subject to that provider's data handling policies.

Bring Your Own Plan: Your conversations flow directly from your VPS to the AI provider(s) you have connected using your own credentials. This traffic does not pass through Ekuri's proxy and we do not meter, inspect, or log the content of these requests. You are solely responsible for compliance with your AI provider's terms of service and data handling policies. We have no visibility into the data exchanged between your VPS and your connected providers.

14. Third-Party Services

We integrate with the following third-party services, each with their own privacy policies:

  • AI providers (Managed Plans): Anthropic, OpenAI, Google, Mistral, DeepSeek, Groq — requests are proxied and metered by Ekuri
  • AI providers (Bring Your Own Plan): Any provider you connect via API key or OAuth subscription — requests go directly from your VPS to the provider without Ekuri involvement
  • Messaging: Telegram
  • Infrastructure: Cloudflare (hosting, networking, storage), Hetzner (VPS servers)
  • Payments: Polar
  • Authentication: Google OAuth, Apple Sign-In

15. Data Security

We implement the following security measures:

  • Encryption in transit (TLS/HTTPS everywhere) and at rest (AES-256-GCM with per-user derived keys via HKDF-SHA256)
  • Isolated per-user VPS instances with no shared state between users
  • Zero publicly exposed ports on VPS servers — all traffic routed through Cloudflare Tunnel
  • Cloudflare Access (Zero Trust) with email-based verification for VPS web access
  • SSH disabled by default with audited break-glass access and automatic 1-hour revocation
  • OAuth CSRF protection with KV-stored nonces and Origin header validation on all state-changing requests
  • Constant-time token and signature comparison across all authentication and webhook endpoints
  • Rate limiting on login and signup endpoints to prevent brute-force attacks
  • Webhook replay protection via deduplication with 24-hour TTL
  • Atomic credit reservation to prevent concurrent usage abuse — credits are pre-reserved before API calls and adjusted to actual usage after completion
  • Content Security Policy, HSTS, and Permissions-Policy headers on all responses
  • UFW firewall, fail2ban, and automatic unattended security updates on all VPS servers
  • All secrets stored as encrypted environment variables — never in code, URLs, or command-line arguments

Security reports can be submitted via our security disclosure policy. We target acknowledgment within 48 hours and, if we confirm a material customer-data incident, notification to affected customers within 72 hours of confirmation.

Bring Your Own Plan — credential storage: API keys and OAuth tokens you provide are written to your dedicated VPS and also retained in encrypted form in Ekuri-managed storage. These credentials are protected by the same infrastructure security (Cloudflare Tunnel, firewall, no SSH by default) as all VPS instances. When you remove a provider connection or delete your account, credentials are erased from the VPS and deleted from Ekuri-managed storage.

16. Your Rights (GDPR)

If you are in the EEA, you have rights to access, rectify, erase, port, object to, and restrict processing of your data. Contact [email protected] to exercise these rights.

17. Data Retention and Account Deletion

You can configure your data retention period from the dashboard privacy settings. Available options are 30 days, 90 days, 365 days, or indefinite retention. Data older than your chosen retention period is automatically purged by our enforcement system.

You can delete your account at any time from the dashboard settings (requires email confirmation). Upon deletion:

  • Account data is removed immediately
  • All encrypted conversations and workspace files are erased from storage
  • Active subscriptions are cancelled
  • VPS instances are terminated and server data is destroyed
  • Encrypted backups are purged from object storage
  • Session and file sync tracking records are deleted

You can also request a full export of your data from the dashboard privacy settings before deletion.

18. Cookies

We use essential cookies for authentication and session management only. Session cookies are HttpOnly, Secure, and SameSite=Lax. No tracking, analytics, or advertising cookies are used.

Refund Policy

19. Refund Policy

All refund requests are evaluated on a case-by-case basis. Due to the nature of our service — which provisions dedicated infrastructure and consumes third-party API resources upon activation — we are unable to offer automatic or unconditional refunds.

We may, at our sole discretion, issue a full or partial refund based on factors including but not limited to: the duration of service usage, the extent of resources consumed, the reason for the request, and the timing relative to your billing cycle.

Bring Your Own Plan: The Bring Your Own plan provides server infrastructure only. AI model access is not included, and this is clearly stated at the time of purchase. Refund requests based on the expectation that AI access was included will not be approved. You are responsible for providing your own API keys or AI provider subscriptions.

Credit Pack Purchases: All credit pack purchases are final and non-refundable.

20. How to Request a Refund

To submit a refund request, contact our billing team with the following information:

  • Email [email protected]
  • Include your account email address and the date of the charge
  • Provide a brief explanation of the reason for your request

We aim to respond to all refund requests within 3 business days. If approved, refunds are processed within 5-10 business days to the original payment method.

22. Contact

For questions about these terms, contact us at [email protected] or visit our contact page.