Privacy Policy
Last updated: February 19, 2026
1. Overview
TokenShrink (“we”, “us”, “our”) respects your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.
2. What We Collect
Account Information
- Email address — from your OAuth provider (GitHub or Google), used for account identification and billing communications
- Display name — from your OAuth provider, shown in your dashboard
- Profile image URL — from your OAuth provider, displayed in the navbar
Usage Statistics
- Word counts (original and compressed)
- Compression ratios and strategy used
- Token savings and estimated dollar savings
- Number of compressions per billing period
Payment Information
Payment processing is handled entirely by Stripe. We store only your Stripe customer ID — we never see or store your credit card number, expiration date, or CVC.
3. What We Do NOT Collect
- Prompt text — your original text is never stored, logged, or transmitted to third parties
- Compressed output — the compressed result is never stored on our servers
- Third-party API keys — we do not accept or store API keys from OpenAI, Anthropic, Google, or any other AI provider
- Browsing history — we do not track pages you visit outside of TokenShrink
4. How We Use Your Data
- To provide and operate the compression service
- To track your usage against your plan’s word quota
- To display your savings history in the dashboard
- To process payments and manage subscriptions via Stripe
- To send transactional emails (billing confirmations, quota warnings)
We do not sell your data. We do not use your data for advertising. We do not share your data with AI model providers.
5. Cookies
We use only essential cookies required for authentication (session cookies via NextAuth.js). We do not use tracking cookies, analytics pixels, or advertising identifiers. No third-party cookies are set.
6. Third-Party Services
- Stripe — payment processing. See Stripe’s Privacy Policy.
- Neon — database hosting (PostgreSQL). Stores account info and usage statistics only.
- Vercel — application hosting. See Vercel’s Privacy Policy.
- GitHub / Google — OAuth authentication only. We receive your public profile information during sign-in.
7. Data Retention
- Usage statistics — retained for the duration of your account
- Account data — retained until you request deletion
- API key hashes — retained until revoked; revoked keys are soft-deleted
- Prompt text — never stored (processed in-memory only)
8. Your Rights (GDPR / CCPA)
You have the right to:
- Access — request a copy of all data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and all associated data
- Export — request a machine-readable export of your data
- Objection — object to processing of your data
To exercise any of these rights, contact us at privacy@tokenshrink.com. We will respond within 30 days.
9. Security
We protect your data using industry-standard measures: encrypted connections (TLS), hashed API keys (SHA-256), OAuth authentication (no passwords stored), and access controls on our database. No system is 100% secure, and we cannot guarantee absolute security.
10. Children
TokenShrink is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, contact us immediately.
11. Changes
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Material changes will be communicated via email.
12. Contact
Questions about privacy? Contact us at privacy@tokenshrink.com.