Terms of service
Last updated: 2026-05-26. Plain English. Read it.
1. What we are
Phantom is an anonymous proxy to TEE-attested AI inference. You pay in cryptocurrency. You receive an API key. The key burns down as you spend it. We forward your requests to an upstream TEE provider (Intel TDX + NVIDIA Confidential Computing). We do not store the contents of your prompts or completions.
Phantom is operated by an individual operator, not a registered company. The service is provided as-is, with no contractual relationship beyond these terms.
2. Payment, credit, refunds
- Crypto only. Pay in XMR, BTC, ETH, USDT (TRC20 / ERC20 / BSC), USDC (Ethereum / Solana), LTC, SOL, or DOGE. Payments routed through a third-party payment processor (PSP). They mint a per-invoice address and convert to XMR for the operator's payout.
- Per-coin minimums apply. The PSP enforces minimum-amount thresholds that vary by coin (often $5-$25 USD-equivalent). Phantom's minimum purchase is $10. If your selected coin's minimum is higher, pick a cheaper-network coin.
- Credit is non-refundable. Once your key is issued, the credit balance is locked to that key. We do not store return addresses. We cannot send funds back even if we wanted to.
- Partial payments expire. If you send less than the invoice amount, the PSP marks the order partially paid; phantom treats this as expired and does not issue a key.
- Wrong-asset payments require manual review. If you send the wrong coin or wrong network, the order may not auto-complete. Contact via PGP (see footer) with the payment ID.
- Key recoverable via payment ID. At issuance the plaintext key is AES-256-GCM encrypted under HKDF(payment_id) and stored as ciphertext. Anyone holding the payment ID can re-derive the key and decrypt it, so the payment ID is bearer-equivalent to the key itself: lose it, lose the key. Auth-side, only SHA-256(key) is stored.
- Validity windows. Each key expires after the bundle's validity period (small/medium: 90 days, large: 180, whale: 365, custom: 90). Unspent credit at expiry is forfeit.
3. Acceptable use
You may use Phantom for any purpose lawful in your jurisdiction. You may not use it for:
- Generating, soliciting, or distributing sexual content involving minors (CSAM).
- Targeted harassment, stalking, or doxxing of specific individuals.
- Generating content used to commit financial fraud (phishing kits, impersonation of real persons or businesses for fraud).
- Material designed to plan or facilitate violence against specific persons or groups.
- Activity prohibited by U.S. export controls (e.g., weapons of mass destruction, ITAR-controlled defense articles).
- Automated scraping that violates the target site's terms (the inference layer doesn't see this, but you accept legal responsibility).
We do not read prompts. Enforcement is reactive: if a credible report reaches us, we may revoke the offending key. We have no way to refund the remaining balance on a revoked key.
Some models in our catalog are intentionally uncensored. They do not refuse requests on content-policy grounds. You remain responsible for the lawfulness of your use.
4. Privacy commitments
These are the commitments we make in code, not just policy. Inspect the operator-published source if you want to verify.
- No IP logs. Caddy access logs are discarded. Uvicorn access logs are disabled. Rate-limit buckets key off a SHA-256 hash of the API key or client IP, kept in memory only, never persisted.
- No prompt or completion logs. Our database stores token counts only, never request bodies, never response bodies.
- No account. We collect no email, name, phone, billing address, country, or other personal identifier.
- Encrypted database at rest. SQLCipher (AES-256). Passphrase + API keys live in a mode-0400 env file on the same host. Defense-in-depth against partial-file leaks (swap, coredump, exfiltrated backup), not snapshot-proof. The "we can't read your prompts" guarantee comes from the upstream TEE, not from this DB layer.
- Hashed keys. Plaintext API keys leave our server exactly once at issuance. We store only SHA-256(key).
- Body whitelist. Only a strict set of fields is forwarded to the upstream TEE provider. Identifying fields (user, metadata, etc.) are dropped before forwarding.
- Payment routing. Payments flow through a third-party payment processor (PSP). They mint a per-invoice deposit address, collect funds, and forward XMR to the operator's cold wallet. The PSP KYCs the operator, not the buyer. Buyer-side chain privacy depends on the pay coin: XMR is opaque both ways; BTC/ETH/USDT/USDC are publicly traceable on their own ledgers regardless of phantom's posture.
Things we do not control:
- The upstream TEE receives the cleaned prompt body. Its attested binary is open and can be verified per request via
/v1/inference-attest. - The PSP logs your pay tx + IP at checkout (per their privacy policy). They do not share buyer identity with phantom; phantom receives only order-id + payment-status via webhook.
- Your network path to
phantom.codesis visible to your ISP unless you use Tor or a trusted VPN.
5. Trust boundaries
Phantom's privacy posture has four tiers. Things hardware + code can prove. Things our code refuses to do. Code-level commitments that depend on the source. And real trade-offs we can't fully control. Honesty on all four.
Backed by hardware + code, not promises.
- TEE inference. Upstream TEE (Intel TDX + NVIDIA CC). Verify per-request via
/v1/inference-attest. - Per-invoice payment address. The PSP mints a fresh address per order. XMR payers stay opaque on-chain. Transparent chains (BTC/ETH/USDT) are traceable on their own ledger.
- SHA-256 key storage. Auth gate stores only the hash. Plaintext recoverable only via customer-held payment_id (decrypts the ciphertext blob).
- SQLCipher AES-256. DB encrypted at rest. Passphrase on the same host. Defense-in-depth, not snapshot-proof.
- Tor hidden service. Same API, no exit node required.
verifiable in the published source, not externally enforced
- No prompt, completion, or token-content logging.
- No IP, user-agent, or request-header logging.
- No PII. No emails. No identifiers.
- Rate-limit keys hashed; never persisted.
things phantom will never become
- Custodial wallet. Keys are bearer.
- Identity provider. No accounts, no email support.
- Refund desk. Start with the $10 bundle.
- Logging service. No data to help debug.
limits of running on the public web
- Proxy is a VPS. Prompts pass through RAM plaintext between you and the upstream TEE provider. Host could in principle dump memory.
- Provider could MITM TLS. Verify cert via CT logs.
- Operator identifiable via VPS contract. Customers stay anonymous.
- Payment routed via a third-party payment processor (PSP). They see your pay tx + IP. They do NOT share buyer identity with phantom. Phantom only receives order-id + payment-status webhooks. The PSP KYCs the operator.
6. No warranty, limited liability
Service is provided as-is. No uptime guarantee. No availability SLA. No guarantee that any specific model remains in the catalog. Operator may discontinue the service at any time. Any unspent credit at discontinuation is forfeit.
To the extent permitted by law, operator's total liability to you under these terms is capped at the unspent credit balance on your API key at the time of the claim.
7. Changes
These terms may change. Existing keys continue under the terms in effect at issuance for the duration of the validity period. Material changes will be noted on this page with an updated date at the top.
8. Contact
Encrypted contact only. PGP public key published at /pgp.txt (fingerprint 09654A79076956E6042D11946296DEC4E954FC76). Send abuse reports or operational issues encrypted to this key. We don't maintain plaintext support channels because they would create customer-identifying logs.
<< back to home