fastrepl · yujonglee · Feb 22, 2026 · Feb 22, 2026
diff --git a/apps/web/content/docs/faq/10.ai-models-and-privacy.mdx b/apps/web/content/docs/faq/10.ai-models-and-privacy.mdx
@@ -156,7 +156,7 @@ An analytics event is also fired when auto-enhance runs — it includes only the
 
 **Where it goes depends on your setup:**
 
-- **Pro curated models:** Requests are proxied through `pro.hyprnote.com` and forwarded to a curated LLM provider. Nothing is stored by our proxy.
+- **Pro curated models:** Requests are proxied through `pro.hyprnote.com` and forwarded to a curated LLM provider via [OpenRouter](https://openrouter.ai). Nothing is stored by our proxy. We have [Zero Data Retention (ZDR)](https://openrouter.ai/docs/guides/features/zdr) enabled on our OpenRouter account, so all requests are routed exclusively to endpoints where the provider does not store your data.
 - **BYOK providers:** Requests are sent directly to the provider you selected (OpenAI, Anthropic, Google, or Mistral).
 - **Local LLMs:** Everything stays on your device. See [Local LLM Setup](/docs/faq/local-llm-setup).
 

diff --git a/apps/web/content/docs/faq/3.technical.mdx b/apps/web/content/docs/faq/3.technical.mdx
@@ -22,7 +22,7 @@ Char supports 9 cloud speech-to-text providers: Deepgram, AssemblyAI, Soniox, Fi
 
 ## How does Char route cloud LLM requests?
 
-When using cloud AI (Char Pro), LLM requests are routed through [OpenRouter](https://openrouter.ai). OpenRouter acts as a unified gateway to multiple model providers (OpenAI, Anthropic, Google, and others), so Char can switch between models without requiring separate API keys for each provider. A single `OPENROUTER_API_KEY` is all that's needed for cloud LLM access.
+When using cloud AI (Char Pro), LLM requests are routed through [OpenRouter](https://openrouter.ai). OpenRouter acts as a unified gateway to multiple model providers (OpenAI, Anthropic, Google, and others), so Char can switch between models without requiring separate API keys for each provider. A single `OPENROUTER_API_KEY` is all that's needed for cloud LLM access. We have [Zero Data Retention (ZDR)](https://openrouter.ai/docs/guides/features/zdr) enabled on our OpenRouter account, ensuring all requests only route to endpoints where providers do not retain your data.
 
 ## How does in-app search work?
 

diff --git a/apps/web/content/docs/pro/2.cloud.mdx b/apps/web/content/docs/pro/2.cloud.mdx
@@ -128,9 +128,11 @@ All requests are rate-limited and authenticated using your Pro subscription.
 
 All Pro LLM requests go through [OpenRouter](https://openrouter.ai), which routes to the actual model provider (OpenAI, Anthropic, Moonshot AI).
 
+**We have enabled [Zero Data Retention (ZDR)](https://openrouter.ai/docs/guides/features/zdr) on our OpenRouter account.** This means all Pro requests are routed exclusively to endpoints that have a Zero Data Retention policy — model providers cannot store your prompts or completions, even temporarily.
+
 | Policy | Details |
 |--------|---------|
-| **Data retention** | Zero by default — prompts and completions are not stored unless you opt in on your OpenRouter account |
+| **Data retention** | Zero — ZDR is enforced on our account, so only ZDR-compliant endpoints are used |
 | **Training** | Does not train on API data |
 | **Compliance** | SOC 2 |
 | **Data location** | US (default) |

diff --git a/apps/web/content/legal/dpa.mdx b/apps/web/content/legal/dpa.mdx
@@ -141,7 +141,7 @@ We implement the following technical and organizational measures:
 | [Deepgram](https://deepgram.com)       | For cloud-based speech-to-text transcription             | USA          | SOC 2 Type II, HIPAA compliant, GDPR-aligned DPA, encryption in transit and at rest, no training on customer data, data deletion on request                   |
 | [AssemblyAI](https://assemblyai.com)   | For cloud-based speech-to-text transcription             | USA          | SOC 2 Type II, HIPAA compliant, GDPR-aligned DPA, encryption in transit and at rest, no training on customer data, data deletion on request                   |
 | [Soniox](https://soniox.com)           | For cloud-based speech-to-text transcription             | USA          | Encryption in transit and at rest, GDPR-aligned privacy practices, no training on customer data, data deletion on request                                     |
-| [OpenRouter](https://openrouter.ai)    | For routing requests to AI language models               | USA          | Encryption in transit, no training on customer data, GDPR-aligned privacy practices, data deletion on request                                                  |
+| [OpenRouter](https://openrouter.ai)    | For routing requests to AI language models               | USA          | Encryption in transit, no training on customer data, GDPR-aligned privacy practices, data deletion on request, [Zero Data Retention (ZDR)](https://openrouter.ai/docs/guides/features/zdr) enforced on our account |
 | [Supabase](https://supabase.com)       | For authentication and database services                 | USA          | SOC 2 Type II, HIPAA compliant, GDPR-aligned DPA, encryption in transit and at rest, role-based access controls, audit logging                                 |
 | [Fly.io](https://fly.io)               | For hosting backend API services                         | USA          | SOC 2 Type II, encryption in transit and at rest, isolated compute environments, GDPR-aligned DPA, data residency options                                      |
 | [Netlify](https://netlify.com)         | For hosting web application                              | USA          | SOC 2 Type II, GDPR-aligned DPA, encryption in transit and at rest, access controls, audit logging                                                             |