What this covers
This policy applies to everything you do on tokenroute.io and api.tokenroute.io — the dashboard, the REST API, and the admin console. TokenRoute is operated by alayion.
What we collect
•
Account data. Your email (from the identity provider you signed in with), display name, and the timestamp of your first and most recent sign-in.
•
Request metadata. For every API call: timestamp, model used, token counts (input / output), cost in USD, HTTP status, and which of your API keys was used. We do NOT persist prompt content or completion text by default.
•
Payment data. Stripe handles card collection end-to-end — we never see your card number. We store the Stripe session id of each top-up for bookkeeping.
•
Diagnostic logs. Server access logs (IP, URL, status, user-agent) are kept for 30 days for security and debugging.
What we don't collect
•
We do not log the bodies of your prompts or completions unless you explicitly enable request debugging for a specific key (and even then, retention is capped at 7 days and the debug log is deleted when the key is revoked).
•
We do not use third-party analytics or advertising trackers on the dashboard.
•
We do not sell, rent, or trade your data to any third party.
What we share, and with whom
•
Upstream LLM providers. Your prompts are forwarded (over TLS) to whichever model you selected — OpenAI, Anthropic, Google, etc. They see the content; they keep it under their own policies. Smart routing (tokenroute-auto) picks one of these providers deterministically per request.
•
Stripe. Top-up flow redirects you to Stripe Checkout. Stripe handles card data directly. We receive back a payment confirmation with the session id and the amount.
•
Logto. Your authentication (email verification code, session cookie) is handled by Logto at auth.tokenroute.io. Logto stores your email and sign-in history.
•
Infrastructure providers. Our servers are hosted with Alibaba Cloud. TLS certificates come from Let's Encrypt. These providers see network traffic but not application data in plaintext beyond what TLS exposes.
Where data lives
Customer accounts, API keys (as hashes — never in plaintext after the moment of creation), usage logs, and the credit ledger live in a Postgres database hosted in Alibaba Cloud Singapore. Backups run nightly and are retained for 14 days.
How long we keep it
•
Account records: until you delete your account, plus 30 days.
•
Usage metadata and ledger entries: 7 years (required for tax records in most jurisdictions).
•
Server access logs: 30 days.
•
Revoked API keys: hash only is retained indefinitely to prevent reuse.
Cookies
We set one authentication cookie when you sign in. It's HTTP-only, SameSite=Lax, and expires after 14 days or when you sign out. No analytics or marketing cookies.
Your rights
Contact
service@tokenroute.io to export all data we hold about you, delete your account, or correct inaccurate data. We respond within 30 days.
Children
TokenRoute is not directed at children under 16. If you believe a minor has signed up, contact us and we'll delete the account.
Changes
Material changes to this policy will be announced by email or dashboard banner at least 14 days before taking effect.
This privacy notice describes what the service actually does today. Policies and implementation can drift; if something here doesn't match what you observe, tell us and we'll reconcile the two.