Privacy Policy
Last updated: March 9, 2026
This Privacy Policy describes how OLIVIAJ LLC ("Company", "we", "us"), operating TokenCost at gettokencost.com, collects, uses, and protects your information.
1. Information We Collect
Information you provide:
- Account information: Email address and name (via email signup or Google OAuth).
- API Keys: Admin API Keys from AI providers (OpenAI, Anthropic). These are encrypted at rest using AES-256-GCM encryption and are never stored in plaintext.
- Organization settings: Organization name, monthly budget, alert preferences.
- Fixed cost entries: Subscription names, amounts, and provider names you manually enter.
- Payment information: Processed by Stripe. We do not store credit card numbers.
Information collected automatically:
- Usage data: Token counts, costs, and model usage retrieved from your connected AI provider accounts via their billing APIs.
- Authentication data: Session cookies managed by Supabase for maintaining your login state.
- Basic analytics: Page views and feature usage to improve the Service.
Information we do NOT collect:
- Your AI prompts, conversations, or model outputs.
- Your AI provider account passwords.
- Data from AI models (we only access billing/usage endpoints).
2. How We Use Your Information
We use your information to:
- Provide the Service: connect to AI providers, retrieve usage data, display dashboards.
- Send alert notifications via email or Slack when triggered by your alert rules.
- Process payments through Stripe.
- Communicate with you about your account and the Service.
- Improve and maintain the Service.
We do NOT:
- Sell your personal information to third parties.
- Use your data for advertising.
- Share your AI usage data with other users or organizations.
- Access or use your API Keys for any purpose other than reading billing and usage data.
3. Data Storage and Security
- Hosting: The Service is hosted on Vercel (United States).
- Database: Data is stored in Supabase (PostgreSQL) in the United States.
- Encryption: API Keys are encrypted at rest using AES-256-GCM. The encryption key is stored separately from the encrypted data.
- Row Level Security: Database access is enforced at the database level, ensuring users can only access data belonging to their own organization.
- Data isolation: Each organization's data is completely isolated from other organizations.
4. Third-Party Services
We use the following third-party services to operate TokenCost:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication | Email, account data, usage records |
| Vercel | Hosting | Request data, logs |
| Stripe | Payment processing | Email, payment method |
| Resend | Email notifications | Email address, alert messages |
| Inngest | Job orchestration | Connection IDs, processing metadata |
| OpenAI API | Usage data retrieval | Admin API Key (encrypted in transit) |
| Anthropic API | Usage data retrieval | Admin API Key (encrypted in transit) |
Each third-party service has its own privacy policy governing their handling of data.
5. Data Retention
- Free plan: Usage data is retained for 7 days.
- Pro plan: Usage data is retained for the duration of your subscription.
- After account deletion: All data, including encrypted API Keys and usage records, is deleted within 30 days.
- Stripe: Payment records are retained by Stripe per their own retention policy.
6. Your Rights
You have the right to:
- Access: View all data we hold about you through the Service dashboard.
- Export: Download your usage data as CSV (Pro plan).
- Delete: Request deletion of your account and all associated data by contacting us.
- Disconnect: Revoke API Key access at any time through your AI provider's dashboard.
- Cancel: Cancel your subscription at any time.
7. Cookies
We use minimal cookies:
- Authentication session: A session cookie managed by Supabase to keep you logged in. This is essential for the Service to function and cannot be disabled.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
8. Children
TokenCost is not intended for use by anyone under the age of 18. We do not knowingly collect information from children.
9. International Users
The Service is hosted in the United States. By using the Service, you consent to the transfer of your data to the United States. If you are located in the European Economic Area (EEA), please be aware that your data is processed in the US.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at lucas.piresnabais@gmail.com.