Privacy Policy
Effective 2026-05-28 · version 2026-05-28
What we hold, in plain English
We hold the minimum we need to run the product: your email, optional profile fields you give us, a secure copy of the AI provider credentials you connect, the metered usage we pull from those providers (token counts and cost only, never prompts or completions), and the offset estimate selections you make in the app.
We use that data to bill the right amount, calibrate the published estimate bands shown on /docs/methodology, and produce aggregated, de-identified insights that may be shared with research, sustainability, and partner initiatives Token Offset determines align with the platform's mission. We never see your AI prompts, the content of your model responses, or your consumer-app conversations, and we never share directly-identifying data with third parties for their independent marketing.
Who's the controller
The controller of your personal data is Token Offset. For privacy questions, email privacy@tokenoffset.com.
What we collect
We collect:
- Account identifiers. Your email address, and verification timestamps from the magic-link sign-in flow.
- Profile you provide. Your display name and, optionally, your company, role, and how you heard about us (collected during onboarding; all optional except name).
- Connected provider credentials. API keys you connect, encrypted at rest with AES-GCM using a key only Token Offset infrastructure can decrypt. We display only the first six characters of the key in your settings; the plaintext is never returned through any API after submission.
- Provider usage and cost samples. The metered token counts, model / service-tier breakdowns, and cost figures returned by the AI provider APIs you connect, together with the running 90-day projection we derive from them. See "AI provider data we read" below for the specifics, and /docs/connections for refresh cadence.
- Estimate selections and contribution plan. The recurring monthly contribution amount you select, the estimate source you picked (e.g. one of our published tier bands — Casual / Worker / Agentic / Extreme, a custom amount you typed, or the sampled-usage projection from a connected admin key), the token-volume assumption used to size the plan, simulated billing records, and the bookkeeping that supports them.
- Organization and membership. If you belong to a client organization (for example, an integration partner), the membership and role linking you to that org.
- Agent and API metadata. If an AI agent created your account via our public agent API or you authorized one to act on your behalf, we record the agent identifier, status of the authorization (pending, approved, revoked), and approval timestamps. We store a salted SHA-256 hash of any agent API key, never the plaintext.
- Communications. Outbound emails we send to you (sign-in links, transactional notices, partner outreach), plus delivery and engagement events from our email provider (delivered, opened, clicked, bounced). For messages you send to hello@ or partnerships@, we retain the message and the conversation thread for support and partnership history.
- Legal acceptance records. The version of the Terms of Service and Privacy Policy you accepted, the time of acceptance, where in the product you accepted, and (where the request carries it) limited request metadata such as an IP address or user-agent string.
- Operational logs. Standard application-server logs (timestamps, request paths, response codes, error traces) generated by our hosting and database providers, used to operate and secure the service.
AI provider data we read
When you connect an AI platform API key, Token Offset uses that key only to call the vendor's usage and cost reporting endpoints. For Anthropic, that is the Admin API usage and cost reports. For OpenAI, that is the Admin Usage endpoints. For vendors we integrate in the future, the equivalent platform reporting endpoints will be used.
What we read is metered metadata describing usage: token counts (broken out into uncached input, cached input, cache creation, and output tokens), the model and service tier they were used on, the date of the bucket, and the cost figure the provider returns. We may also read introspection data the provider exposes about the connected account (organization name and identifier) so we can label your connection in settings.
We sample the trailing 90 days on first connect and refresh it weekly while the connection is active so that the running monthly estimate stays current. The samples and the derived projection are retained for as long as your connection exists; see "How long we keep it" below.
What we never collect
We do not collect, and we do not have a mechanism to collect, any of the following:
- Your prompts. The text you send to AI models is never returned by the provider usage endpoints we call and is never seen by Token Offset.
- Model responses. The text models return to you is similarly never read by Token Offset.
- Conversation histories. Chats from Claude.ai, ChatGPT, Cursor, IDE plugins, the Claude Code CLI, the Codex CLI, or any consumer surface are not accessible to platform usage reporting APIs and are not seen by Token Offset.
- The plaintext of your provider API keys. After you submit one, we encrypt it immediately and never return the plaintext through any API or to any user interface.
- Payment instruments today. Token Offset does not yet process real payments. When real-money billing is introduced, payment processing will be handled by a regulated third-party processor (such as Stripe); full card numbers and bank credentials will not be stored on Token Offset systems.
- Government identifiers. We do not collect government-issued identifiers (social-security, passport, driver's-license numbers, etc.).
- Sensitive special-category data. We do not collect biometric, genetic, health, racial or ethnic origin, religious belief, political opinion, sexual-orientation, or trade-union-membership data, and ask that you not submit it.
- Third-party advertising or cross-site tracking identifiers. We do not use third-party advertising networks and do not sell personal data.
How we use it
We use the data we hold to:
- operate, secure, and improve Token Offset;
- authenticate you, send magic-link sign-in emails, and protect against abuse;
- compute and display the environmental estimates and contribution amounts described in our methodology;
- record and direct your contributions in accordance with the Terms of Service;
- send transactional and service notices, occasional product updates, and replies to messages you send us;
- Calibrate the published estimate bands and methodology constants. The estimate selections you make (which band you pick, custom amounts you set, and the projected monthly token-volume we derive from any connected admin key) are retained and analyzed in aggregate so that the bands published on /docs/methodology stay grounded in what people actually use. We may publish statistics about distributions, growth rates, and median behavior that do not identify any individual user or organization;
- Produce aggregated, de-identified insights for research, sustainability, and partner programs. Where Token Offset believes doing so advances the platform's environmental mission, we may compile, analyze, and share aggregated and de-identified usage and estimate data with academic researchers, sustainability non-profits, ecosystem partners, foundation-model providers, ESG-data licensees, journalists, and other recipients that Token Offset, in its sole and ongoing discretion, determines are appropriate. Such sharing may be commercial, including for compensation; the data we share for these purposes will not, on its own, identify you;
- meet legal, accounting, audit, and tax obligations, respond to lawful requests, and enforce our Terms.
Legal basis (EEA / UK)
If you are in the European Economic Area or the United Kingdom, we process your personal data on these bases: performance of a contract with you (operating your account and processing contributions); our legitimate interests (operating, improving, and securing the service, responding to you, and developing the business), balanced against your rights and interests; your consent (where we ask for it, for example to accept these documents); and compliance with legal obligations.
How long we keep it
We retain account, contribution, estimate-selection, and legal-acceptance records for as long as your account is active and for a reasonable period after closure to satisfy legal, tax, audit, and dispute-resolution obligations. Provider usage and cost samples are retained for as long as needed to render historical dashboards, support re-sampling, and contribute to the aggregated calibration data described above. Email logs and inbound messages are retained for ordinary support and history. Encrypted provider credentials are deleted promptly when you disconnect the integration; the corresponding sampled usage rows are retained in de-identified, aggregated form and may continue to inform our published methodology after disconnect.
We periodically prune logs and aggregate or delete data we no longer need.
Security
We use industry-standard administrative, technical, and physical safeguards to protect your data, including encryption in transit, encryption at rest for connected provider credentials, hashed agent API keys, principle-of-least-privilege access controls, and audit logging. No system is perfectly secure; if we become aware of a security incident that affects you, we will notify you and applicable authorities as required by law.
Your rights
Depending on where you live, you may have the right to access a copy of your personal data; correct inaccurate data; delete your data; object to or restrict certain processing; port your data to another controller; and withdraw consent where we rely on it. You also have the right to lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@tokenoffset.com. We will respond within the timeframes required by applicable law.
International transfers
Token Offset is operated from the United States, and our service providers may process data in the United States or other jurisdictions. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses or the equivalent UK addendum).
Children
Token Offset is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected such data, contact us and we will delete it.
California residents
If you are a California resident, the California Consumer Privacy Act gives you the right to know what personal information we collect, disclose, and (if applicable) sell; to request deletion or correction; to opt out of the sale or sharing of personal information; and to be free from discrimination for exercising these rights. We do not sell personal information and do not share it for cross-context behavioral advertising.
Agent-assisted sign-ups
If an AI agent (for example, a Claude or Cursor session acting on your behalf) creates a Token Offset account for you, that fact is recorded on your account, and you receive an emailed approval link before the agent is granted ongoing access. You may revoke an agent's authorization at any time from the dashboard.
Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will revise the version number and effective date above and, where appropriate, notify you by email or in-product banner. Continued use of the service after the effective date constitutes acceptance of the updated policy.
Contact
Privacy questions or requests? Email privacy@tokenoffset.com.