Privacy Policy
Last updated: May 9, 2026
This policy explains what information TokenFlow collects, why we collect it,
and what we do with it. We try to keep this short and free of legalese — if
something is unclear, email us at hello@tokenflow.dev.
What we collect
When you create an account:
- Your email address
- A hashed version of your password (we never see the plaintext)
- Billing information you provide for paid plans (handled by our payment processor)
When you use the API:
- Request metadata — token counts, latency, status codes, model used, timestamp, the API key prefix used. We use this for billing, your usage dashboard, and operational monitoring.
- Your IP address — used for rate limiting, fraud prevention, and abuse detection. Stored at most 30 days.
- Errors — if a request fails, we may briefly retain error metadata for debugging. Purged within 24 hours.
What we don't keep
- Prompt content and response content are not retained after a request completes. We don't train on your data, we don't share it with anyone, we don't keep it.
- One exception: temporarily during a request, content passes through our servers in transit. It's not written to long-term storage.
How we use your data
- To run the service and keep your account working
- To bill you accurately for what you use
- To show you your own usage data in the dashboard
- To detect and prevent abuse
- To send you essential service emails (billing, security, important changes)
- If you opt in, to send you product updates and tips
We don't sell your data. We don't share it with advertisers. We don't run ad networks.
Third parties
Some functions require sharing limited data with vendors:
- AI providers — your prompts are forwarded to the model provider that fulfils the request. We don't pick providers that train on your data without your consent.
- Payment processor — handles your card or crypto payment data. We don't store full card numbers.
- Email delivery — handles transactional email (verification, billing notifications).
- Cloud infrastructure — runs the gateway servers. They process data on our behalf and don't access it for their own purposes.
Your rights
You can:
- Export your usage history at any time from the dashboard
- Delete your account, which deletes your usage history and personal data within 30 days
- Correct any inaccurate personal data
- Object to processing for marketing emails (we'll stop)
- Lodge a complaint with your local data protection authority if you believe we've mishandled your data
Email privacy@tokenflow.dev for any of the above and we'll handle it within 30 days.
Cookies
We use cookies to keep you logged in and remember basic preferences. We
don't use third-party tracking cookies, advertising cookies, or
fingerprinting. If you block our cookies, you won't be able to log in.
Security
Passwords are hashed. API keys are hashed at rest. All traffic is over
TLS. We follow industry best practices for secure development. No system
is perfectly secure, but we take this seriously.
If you find a security issue, please report it to security@tokenflow.dev
rather than disclosing publicly.
Data retention
- Account information: while your account is active, plus 30 days after deletion
- Usage metadata: per your plan (7 days free, 30 days Starter, 90 days Pro)
- Billing records: 7 years (legal requirement in most jurisdictions)
- Prompt and response content: not retained (see above)
Changes
We may update this policy. Material changes will be announced by email at
least 14 days before taking effect. The "last updated" date at the top
will always show when this was last changed.
Contact
Questions about privacy? Email privacy@tokenflow.dev.