Privacy Policy
Effective May 24, 2026. Written in plain English. If anything here is unclear, mail [email protected] and we'll fix the wording.
TL;DR
- We collect the minimum data needed to show you cost / latency / errors of your LLM calls.
- Request and response payloads are encrypted at rest and you can disable payload storage per workspace.
- We do not sell your data. We never train models on it.
- Sub-processors: Cloudflare (edge proxy + CDN), Hetzner (DB + app), Polar (payments), Resend (email), PostHog (product analytics).
- Export or delete your data any time from Settings or by emailing [email protected].
1. Who we are
Tokenwise (“we”, “us”) is operated from France. Contact: [email protected]. For privacy-specific requests: [email protected].
2. What we collect
Account data
Email, name, hashed password (via Better-Auth), workspace memberships, billing plan, timezone. Required to run the product.
Proxy traffic metadata
For every LLM call routed through Tokenwise: timestamp, provider, model, input/output token counts, latency, cost estimate, status code, cache-hit flag. Always stored.
Proxy traffic payloads
Request body and provider response body. Encrypted at rest before being written to Postgres. Opt-out: toggle Payload storage off in workspace settings; we then drop payloads at ingest and only keep metadata.
Provider API keys
Stored encrypted at rest with per-workspace keys, separate from payload encryption. Only the first 6 + last 4 characters are ever shown back to you in the UI.
Cookies + analytics
A first-party session cookie for auth. Product analytics via PostHog (events tied to your user id; you can opt out by emailing us). No third-party trackers, no ads.
3. How we use it
- To run the product (showing your dashboard, sending alerts).
- To bill you (via Polar, our merchant of record).
- To send the weekly insights email and product updates.
- To investigate abuse / debug platform issues.
We do not use your payloads to train models, sell your data, or share it with third parties beyond the sub-processors listed below.
4. Sub-processors
| Vendor | Purpose | Region |
|---|---|---|
| Cloudflare | Edge proxy, CDN, KV cache, Vectorize | Global (edge) |
| Hetzner | App server + Postgres database | Germany (Falkenstein) |
| Polar | Payments + invoicing (merchant of record) | EU / US |
| Resend | Transactional + insights emails | US |
| PostHog | Product analytics | EU |
5. Retention
- Request log: 60 days on Indie, 180 days on Pro (plan-driven; we delete rows older than the limit nightly).
- Account data: until you delete your account, then 30 days for billing reconciliation, then full purge.
- Backups: daily snapshots, encrypted, retained 14 days.
6. Your rights (GDPR / CCPA)
You can: access, export, correct, or delete your data. Most of this is self-service in Settings. For anything else, email [email protected] — we respond within 30 days.
7. Security
See our security page for the full breakdown: encryption at rest and in transit, hashed access keys, hardened response headers, rate limiting, and a strict allowlist for outbound webhooks.
8. Changes
We’ll email logged-in users 30 days before any material change. The current effective date is at the top of this page.