A transparent, technical breakdown of what happens when you make an API call to JuiceFactory — from the moment your request arrives to the moment it is discarded.
JuiceFactory AB is a Swedish company (EU jurisdiction). All processing occurs within the EU/EEA.
Every API request follows the same five-step pipeline. No step persists your prompt or completion to disk.
Your HTTPS request arrives at our API gateway in Stockholm, Sweden. TLS 1.3 terminates at the edge — your payload is encrypted in transit.
We validate your API key and check rate limits. No request body content is logged during authentication.
Your prompt is forwarded to the inference engine and held exclusively in volatile memory (RAM). It is never written to disk, object storage, or any persistent logging system.
The model completion is streamed back to you over the same TLS connection. For streaming requests, tokens are delivered as server-sent events.
Once the response is fully delivered, the prompt and completion are purged from memory. The only record created is a billing metadata entry (see below).
We retain only the minimum billing metadata required to invoice you accurately and meet our accounting obligations under Swedish law (Bokforingslagen). None of these fields contain your prompt or response content.
| Field | Purpose |
|---|---|
| Timestamp | UTC time the request was processed — required for billing and usage reporting. |
| Token count | Input and output token counts — used to calculate usage-based billing. |
| Model identifier | Which model was invoked (e.g. claude-sonnet, llama-3) — needed for per-model pricing. |
| Request ID | A random UUID for idempotency and support troubleshooting. Contains no payload data. |
| HTTP status code | Whether the request succeeded or failed — used for uptime monitoring and SLA reporting. |
The following data categories are never written to disk, logged, cached, or retained in any form after your API response is delivered. This is guaranteed by our zero-retention architecture and codified in the DPA.
Under GDPR Article 28, any entity that processes personal data on behalf of a controller must have a Data Processing Agreement in place. Our DPA covers:
The DPA is available for download and electronic signature at portal.juicefactory.ai.
As the data controller (GDPR Article 4(7)), you determine the purposes and means of processing personal data sent through our API. Here is how our stateless architecture intersects with data subject rights under GDPR Articles 15–21.
No prompt or completion data exists in our systems to disclose. Billing metadata (token counts, timestamps) is available in the portal and does not contain personal data from your requests.
Since inference data is not retained, there is nothing to rectify on our side. Billing metadata can be corrected upon request.
Zero-retention means erasure is automatic — data is purged from memory after each response. For billing metadata deletion, contact support or use the portal.
You can stop sending data at any time by revoking your API key. No historical inference data needs to be restricted because none is stored.
Billing metadata and usage reports are exportable from the portal in standard formats. No inference content is available because it is never persisted.
We process data only to deliver the service you requested — there is no profiling, automated decision-making, or secondary processing to object to.
Our stateless architecture simplifies DSAR responses: because no personal data from inference requests is retained, the primary obligation shifts to confirming this fact to the data subject.
Per GDPR Article 28(2), we disclose all sub-processors involved in delivering the inference service. Changes to this list require prior written notification to customers with DPAs in place.
| Entity | Role | Location | Legal basis |
|---|---|---|---|
| JuiceFactory AB | Inference processing, API gateway, billing | Stockholm, Sweden (EU) | Data processor under GDPR Article 28 DPA |
| Hetzner Online GmbH | Compute infrastructure (dedicated GPU servers) | Helsinki, Finland (EU) | Sub-processor under GDPR Article 28(2) with prior authorization |
All sub-processors are EU/EEA-incorporated entities. No data transfers to third countries occur. Last updated May 2026.
No. Your prompts and completions are never used for model training, fine-tuning, RLHF, or any form of model improvement. This is contractually guaranteed in our Data Processing Agreement (DPA) under GDPR Article 28. We process your data solely to deliver the inference response you requested.
All inference runs on dedicated GPU servers located in EU datacenters — specifically in Stockholm (Sweden) and Helsinki (Finland). Data never leaves EU/EEA jurisdiction. There are no US-based sub-processors in our chain, which means CLOUD Act and FISA 702 do not apply to your data.
As the data controller (GDPR Article 4(7)), you decide what data to send. Our zero-retention architecture means personal data included in prompts is processed in volatile memory and discarded immediately after the response is delivered. It is never persisted, which significantly reduces risk. However, we recommend you minimize personal data in prompts per GDPR Article 5(1)(c) — the data minimization principle.
Because we operate a stateless inference pipeline with zero retention, there is no stored prompt or completion data to retrieve, rectify, or erase. For a DSAR under GDPR Articles 15-21, we confirm that no personal data from inference requests exists in our systems. Billing metadata (token counts, timestamps) does not contain personal data from your prompts.
Yes. A GDPR Article 28-compliant DPA is available for download and electronic signature in the JuiceFactory portal at portal.juicefactory.ai. The DPA covers all processing obligations including sub-processor disclosure, breach notification timelines (Article 33), data deletion, and audit rights.
Zero retention. EU-only infrastructure. GDPR Article 28 DPA included. Start building with confidence.