AICostPass
Privacy Policy
Last updated: July 2026
Your AI API keys never touch our servers
This is the most important thing to understand about AICostPass: we do not store your provider API keys (Anthropic, OpenAI, etc.) in our database — ever.
When you connect a provider key, it is stored locally in your browser's storage (localStorage), scoped to your account on your device. The key is sent directly from your browser to the provider's API when syncing usage. It is never transmitted to, stored on, or readable by our servers.
Key point: If you clear your browser storage or switch devices, your keys are gone — you'll re-enter them. That's by design. Your keys never leave your browser.
What we do store
- Account data: email, name (optional), and a scrypt hash of your password. We never store plaintext passwords.
- Subscription data: your plan (free/solo/agency) and your Paddle customer ID for billing.
- 2FA secret: if you enable two-factor auth, an encrypted TOTP secret is stored with your account.
- Email verification & password reset tokens: time-limited tokens used only for account setup and recovery.
- Usage records: when you use our API proxy for real-time tracking, we store the provider name, model name, token counts, and computed cost so your dashboard can display it. We do NOT store your prompts, completions, or API keys.
- CLI tokens: hashed tokens (sha256) used to authenticate proxy requests. The raw token is shown once at creation and never stored.
What we don't store
- Your provider API keys
- Your AI prompts or completions
- Your client list or project details (stored in your browser only)
- Payment card details (processed entirely by Paddle, our payment processor)
How we use your data
- To provide and maintain the service (authentication, billing, usage tracking)
- To send you transactional emails (email verification, password resets, spend alerts, weekly summaries)
- To prevent abuse and fraud
- To comply with legal obligations
We do NOT sell your data. We do NOT use your data for advertising. We do NOT share your data with third parties except as required for the service (Paddle for payments, Resend for email delivery) or as required by law.
Cookies
We use one strictly-necessary cookie: a session cookie (so you stay logged in). We do not use tracking, advertising, or analytics cookies.
Data retention
- Account data: retained until you delete your account.
- Usage records: retained until you delete your account or delete individual records.
- Tokens (verification, password reset): deleted after use or after 24 hours / 1 hour respectively.
- CLI tokens: retained until you revoke them.
Your rights
You can export or delete your account data at any time. Because your usage data and API keys live in your browser, clearing your browser storage removes them immediately — no request to us required. To delete your account, email [email protected].
Third-party services
Security
Passwords are hashed with scrypt. Sessions use signed JWTs in httpOnly cookies. 2FA via TOTP is available. See our Terms of Service for full details on acceptable use.
Children's privacy
AICostPass is not intended for users under 13. We do not knowingly collect data from children.
Changes to this policy
We may update this privacy policy. Material changes will be announced via email to active accounts.
Contact
Questions about privacy? Email [email protected].
© 2026 AICostPass. All rights reserved.