Privacy Policy
Last updated: June 2025
Plain English Summary
- We collect your email address and the spend/usage data we fetch from your connected AI providers.
- Your API keys are encrypted with AES-256-GCM before storage. We cannot read them.
- We never sell your data. We never show you ads.
- You can delete your account and all data at any time.
- We use Supabase (database), Vercel (hosting), Stripe/Razorpay (payments), Resend (email).
- We do not track you across the web.
- We do not share your data with third parties except as described below.
1. Who We Are
TryTokka is an AI spend monitoring tool operated as an independent product. We help software builders track and manage their AI API costs across multiple providers. For privacy inquiries, contact us at privacy@trytokka.com.
2. Data We Collect
2.1 Account Data
When you sign up: your email address and a hashed password (managed by Supabase Auth).
2.2 Provider API Keys
When you connect an AI provider, we receive your API key. We immediately encrypt it using AES-256-GCM before storing it in our database. The encryption key is stored separately in our server environment and is never written to the database. We cannot read your plaintext API keys.
Your keys are decrypted only in server memory during scheduled sync operations (every 6 hours), used to make one HTTPS API call to your AI provider, then discarded. They are never logged, never returned in API responses, and never stored anywhere except the database in encrypted form.
2.3 Usage Data
We fetch your AI API spend data from your connected providers and store it as daily cost totals per model. This includes: provider name, model name, date, token counts, and cost in USD. We keep 90 days of history.
2.4 Payment Data
We use Stripe (international) and Razorpay (India) for billing. We never see or store your card number. Payment processors handle all card data under PCI-DSS compliance. We store only a customer ID and subscription status.
2.5 Technical Data
Standard server logs, including IP addresses and request timestamps, used for security monitoring and debugging. Retained for 30 days.
2.6 Key Access Audit Log
We log every time your API keys are accessed (sync events): timestamp, provider, success/failure. This log is visible to you in your account settings and is used for security monitoring.
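The key-handling design described in 2.2 and the access log in 2.6, as an added Go example that is not TryTokka's own code: the AES-256-GCM key is supplied from the server environment and never stored beside the ciphertext, decryption happens only inside the sync callback and the plaintext is wiped afterwards, and every access is recorded with timestamp, provider and success/failure. The type and function names, and the choice to bind the provider name as associated data, are this example's assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)
// AuditEntry is one row of the key-access log the policy describes (section 2.6).
type AuditEntry struct{ At time.Time; Provider string; Success bool }
// KeyStore wraps the AES-256 key loaded from the server environment; that key
// is never written to the database row that holds the ciphertext.
type KeyStore struct{ aead cipher.AEAD; Audit []AuditEntry }
// NewKeyStore builds the AES-256-GCM AEAD from a 32-byte key (16/24 bytes would silently give AES-128/192).
func NewKeyStore(key []byte) (*KeyStore, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256-GCM needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KeyStore{aead: aead}, err
}
// Encrypt seals a provider API key for storage as nonce || ciphertext || tag.
// Binding the provider name as associated data is this example's own choice:
// a ciphertext copied into another provider's row then fails to open.
func (ks *KeyStore) Encrypt(apiKey []byte, provider string) ([]byte, error) {
	nonce := make([]byte, ks.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return ks.aead.Seal(nonce, nonce, apiKey, []byte(provider)), nil
}
// UseForSync decrypts only for the duration of the sync callback, wipes the
// plaintext when it returns, and logs the access whether or not it succeeded.
func (ks *KeyStore) UseForSync(stored []byte, provider string, sync func([]byte) error) (err error) {
	defer func() { ks.Audit = append(ks.Audit, AuditEntry{time.Now(), provider, err == nil}) }()
	ns := ks.aead.NonceSize()
	if len(stored) < ns {
		return fmt.Errorf("stored record too short")
	}
	plain, err := ks.aead.Open(nil, stored[:ns], stored[ns:], []byte(provider))
	if err != nil {
		return err
	}
	defer func() { for i := range plain { plain[i] = 0 } }() // never leave the key in memory
	return sync(plain)
}
```

In production the callback is the single HTTPS call to the provider; here it is whatever the caller passes in.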
3. How We Use Your Data
- To display your AI spend dashboard
- To send you spend-threshold alert emails (only if you configure an alert)
- To send you account and billing emails
- To sync your usage data from AI providers on a schedule
- To manage your subscription (trial expiry, Pro status)
We do not use your data to train AI models, run analytics, or sell to third parties.
4. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & Auth | Email, encrypted keys, usage data |
| Vercel | Hosting & Cron | Server logs, environment variables |
| Stripe | Payments (international) | Email, payment info |
| Razorpay | Payments (India) | Email, payment info |
| Resend | Transactional email | Email address, alert content |
| Sentry | Error monitoring | Anonymous user id, stack traces, request path (no API keys; PII scrubbed) |
5. Your Rights
You have the right to:
- Access — request a copy of all data we hold about you
- Deletion — delete your account and all associated data from your settings page
- Correction — update your email in account settings
- Portability — export your usage data as CSV from the dashboard
- Objection — contact us at privacy@trytokka.com to object to any processing
Indian users have rights under the Digital Personal Data Protection Act 2023 (DPDP Act). EU/UK users have rights under GDPR/UK GDPR. To exercise any right, email privacy@trytokka.com.
6. Data Retention
- Account data: until you delete your account
- API keys (encrypted): until you disconnect a provider or delete your account
- Usage snapshots: 90 days rolling
- Server logs: 30 days
- Payment records: 7 years (legal requirement)
7. Security
See our Security page for a detailed description of how we protect your API keys. In summary: AES-256-GCM encryption, keys decrypted only in memory at sync time, full audit log of every key access, HTTPS everywhere.
8. Cookies
We use essential session cookies (Supabase) and optional error-reporting beacons via Sentry when enabled — no advertising, analytics, or session-replay cookies.
9. Changes to This Policy
We will notify active users by email if we make material changes to this policy. The “Last updated” date at the top reflects the most recent revision.
10. Contact
Email: privacy@trytokka.com