Privacy Policy

Last updated: February 21, 2026

1. Introduction

TokenBurn ("we", "our", "us") is an AI API cost tracking service. This Privacy Policy describes how we collect, use, and protect your information when you use our service at tokenburn.dev.

2. Information We Collect

Account Information: When you sign up, we collect your name and email address via Google or GitHub OAuth. We do not store passwords.

API Keys: When you connect a provider, we store your API key encrypted with AES-256-GCM. Keys are used solely to pull usage data from provider APIs. We never make API calls (such as completions or generations) on your behalf.

Usage Data: We collect and store AI API usage data (token counts, costs, model names, dates) pulled from your connected providers. This data is used to power your dashboard, alerts, and summaries.

Analytics: We use privacy-friendly analytics (Umami) to understand how our website is used. No personal data is collected by our analytics. We do not use cookies for tracking.

3. How We Use Your Information

We use your information to:
• Provide the TokenBurn dashboard and cost tracking features
• Send alert emails and daily summaries (when enabled)
• Improve our service

We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not use your data to train AI models.

4. API Key Security

Your API keys are encrypted at rest using AES-256-GCM, an industry-standard encryption algorithm. Keys are decrypted only momentarily during usage data sync operations and are never logged or exposed. You can disconnect a provider at any time, which deactivates the stored key.

5. Data Storage

Your data is stored on Supabase (PostgreSQL) with Row Level Security (RLS) enabled, meaning each user can only access their own data. Our database is hosted in the United States.

6. Third-Party Services

We use the following third-party services:
• Supabase — Database and authentication
• Vercel — Application hosting
• Resend — Transactional emails (alerts, summaries)
• Umami — Privacy-friendly analytics
• Dodo Payments — Payment processing (when applicable)

Each service has its own privacy policy. We only share the minimum information necessary for each service to function.

7. Data Retention

We retain your usage data for as long as your account is active. When you delete your account, all associated data (profile, API keys, usage records, alerts) is permanently deleted from our database.

8. Your Rights

You have the right to:
• Access your data (available through the dashboard)
• Delete your account and all associated data (Settings → Delete Account)
• Disconnect providers and remove stored API keys at any time
• Opt out of email notifications (Settings → Notifications)

9. Children's Privacy

TokenBurn is not intended for children under 13. We do not knowingly collect information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice on our website.

11. Contact

If you have questions about this Privacy Policy, contact us at privacy@tokenburn.dev.