Privacy Policy

Last updated: February 2026

1. What We Collect

Tokengrip collects the minimum data necessary to provide AI cost tracking and optimization:

  • Account information — email address, name, and hashed password when you register.
  • Usage records — provider, model name, token counts, latency, cost, and timestamps sent via the SDK or API.
  • Content samples (opt-in only) — if you enable captureContent, truncated prompt and response text (max 500 characters each) is stored to power AI-driven optimization recommendations.

2. How We Use Your Data

  • Display dashboards, charts, and usage analytics to you.
  • Generate cost optimization recommendations (rule-based and, if you have opted in, AI-powered via Anthropic's Claude API).
  • Enforce budget limits and trigger alerts.
  • Calculate accurate cost attribution using model pricing data.

3. AI-Powered Analysis

When you run AI analysis, anonymized usage statistics and content samples (if captured) are sent to Anthropic's API for processing. This data is not retained by Anthropic beyond the API call. AI analysis is entirely opt-in and only runs when you explicitly request it.

4. Self-Hosted Deployments

When you self-host Tokengrip, all data stays on your infrastructure. No data is sent to Tokengrip's servers. The only external requests are the pricing sync from LiteLLM's open-source database (GitHub) and AI analysis calls to Anthropic (if configured). Both are optional and can be disabled for fully air-gapped deployments.

5. Data Retention

Usage data is retained based on your plan (7 days for Free, 90 days for Pro, custom for Enterprise). You can export your data at any time in CSV or JSON format. You can delete your account and all associated data at any time via the API.

6. Data Sharing

We do not sell, rent, or share your data with third parties. Usage data is only accessible to you (and your team members, if you use organization features). The only third-party data processing is Anthropic's API for AI analysis, which is opt-in.

7. Security

  • Passwords are hashed with bcrypt (12 rounds).
  • Sessions use signed JWTs with HttpOnly, Secure cookies.
  • API keys are stored as SHA-256 hashes; the full key is shown only once at creation.
  • Auth endpoints are rate-limited to prevent brute-force attacks.

8. Contact

For privacy questions, contact us at privacy@tokengrip.com.