TokenRouter Privacy Policy

Updated January 2025

In addition to this Privacy Policy, we provide data and privacy information embedded in our products and certain features that ask to use your personal data. You will be given an opportunity to review this product-specific information before using these features. You also can view this information at any time in your account settings or online at tokenrouter.io/privacy.

You can familiarize yourself with our privacy practices, accessible via the headings below, and contact us if you have any questions.

What Is Personal Data at TokenRouter?

At TokenRouter, we believe strongly in fundamental privacy rights — and that those fundamental rights should not differ depending on where you live in the world. That's why we treat any data that relates to an identified or identifiable individual or that is linked or linkable to them by TokenRouter as "personal data," no matter where the individual lives. This means that data that directly identifies you — such as your name — is personal data, and also data that does not directly identify you, but that can reasonably be used to identify you — such as your API key or account identifier — is personal data. Aggregated data is considered non‑personal data for the purposes of this Privacy Policy.

This Privacy Policy covers how TokenRouter handles personal data whether you interact with us on our websites, through TokenRouter APIs and SDKs, via our dashboard and management console, or through customer support. TokenRouter may also link to third-party AI providers (such as OpenAI, Anthropic, Google, and others) on our services. TokenRouter's Privacy Policy does not apply to how third parties define personal data or how they use it. We encourage you to read their privacy policies and know your privacy rights before interacting with them.

Your Privacy Rights at TokenRouter

At TokenRouter, we respect your ability to know, access, correct, transfer, restrict the processing of, and delete your personal data. We have provided these rights to our global customer base and if you choose to exercise these privacy rights, you have the right not to be treated in a discriminatory way nor to receive a lesser degree of service from TokenRouter. Where you are requested to consent to the processing of your personal data by TokenRouter, you have the right to withdraw your consent at any time.

To exercise your privacy rights and choices, visit your account settings at tokenrouter.io/dashboard/settings or contact us at privacy@tokenrouter.io. To help protect the security of your personal data, you must sign in to your account and your identity will be verified. You also have the right to lodge a complaint with the applicable regulator.

There may be situations where we cannot grant your request — for example, if you ask us to delete your transaction data and TokenRouter is legally obligated to keep a record of that transaction to comply with law. We may also decline to grant a request where doing so would undermine our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied are if it jeopardizes the privacy of others, is frivolous or vexatious, or would be extremely impractical or unreasonable.

If you live in California and you cannot access TokenRouter's Data and Privacy page, you or your authorized agent can make a request at privacy@tokenrouter.io.

Personal Data TokenRouter Collects from You

At TokenRouter, we believe that you can have great products and great privacy. This means that we strive to collect only the personal data that we need. The personal data TokenRouter collects depends on how you interact with TokenRouter.

When you create a TokenRouter Account, purchase a subscription, generate an API key, configure routing rules, connect to our services, contact us (including by social media), participate in an online survey, or otherwise interact with TokenRouter, we may collect a variety of information, including:

Account Information

Your TokenRouter Account and related account details, including email address, name, organization name, account status, subscription tier, and account creation date.

Device Information

Data from which your device could be identified, such as IP address, user agent, browser type, operating system, and SDK version when using TokenRouter SDKs.

Contact Information

Data such as name, email address, organization name, or other contact information you provide when creating an account or contacting support.

Payment Information

Data about your billing address and method of payment, such as bank details, credit, debit, or other payment card information. Payment information is processed securely through our payment processor (Stripe) and TokenRouter does not store complete payment card numbers.

Transaction Information

Data about purchases of TokenRouter subscriptions and services, including subscription tier, billing history, and payment receipts.

Fraud Prevention Information

Data used to help identify and prevent fraud, including device fingerprints, IP addresses, rate limit violations, and unusual usage patterns.

Usage Data

Data about your activity on and use of our offerings, including:

• API request metadata (timestamps, endpoints accessed, HTTP methods, status codes)
• Model and provider routing information (model requested, provider selected, routing mode)
• Token usage (input tokens, output tokens, total tokens, estimated costs)
• Performance metrics (latency, response time, streaming vs. non-streaming)
• Dashboard usage (pages visited, features accessed, configuration changes)
• Error logs and diagnostic data (API errors, failed requests, debug information)
• SDK usage patterns and integration data

API Keys and Authentication Data

TokenRouter API keys you generate, their permissions, usage patterns, and revocation history. When you provide provider API keys (for OpenAI, Anthropic, Google, etc.) through our inline mode, these keys are encrypted at rest and in transit. TokenRouter uses strong encryption to protect provider API keys and never logs or exposes them in plaintext.

Configuration Data

Your routing rules, firewall rules, provider key configurations, model preferences, and other service configuration settings.

Content Data

"Content" refers to prompts, inputs, messages, files, data, and outputs you submit to or receive from the TokenRouter service. By default, TokenRouter only processes Content to:

• Route requests to the appropriate AI provider based on your configuration
• Transform requests between OpenAI-compatible format and provider-specific formats
• Return responses back to you
• Apply firewall rules and security filters

Unless you opt‑in to features such as request history, debugging assistance, or support requests, we do not retain raw Content beyond what is technically necessary to deliver the Service (typically seconds to minutes for request processing). Usage metadata (token counts, models used, timestamps) is retained separately from Content for billing and analytics purposes.

Support and Communication Data

Details such as the content of your communications with TokenRouter, including interactions with customer support, feature requests, bug reports, and contacts through social media channels or email.

You are not required to provide the personal data that we have requested. However, if you choose not to do so, in many cases we will not be able to provide you with our products or services or respond to requests you may have.

Personal Data TokenRouter Receives from Other Sources

TokenRouter may receive personal data about you from other individuals, from businesses or third parties acting at your direction, from our partners who work with us to provide our services and assist us in security and fraud prevention, and from other lawful sources.

At Your Direction

You may direct other individuals or third parties to share data with TokenRouter. For example, you may authorize a teammate to manage your organization's TokenRouter account, or integrate TokenRouter with third-party development platforms that send requests on your behalf.

OAuth and Authentication Providers

When you choose to sign in to TokenRouter using OAuth providers (such as GitHub or Google), we receive basic profile information from those providers, including your name, email address, and profile photo, as permitted by your OAuth provider settings.

TokenRouter Partners

We may validate the information you provide — for example, when creating a TokenRouter Account or updating payment information — with a third party for security and fraud-prevention purposes.

AI Provider Partners

When you use TokenRouter to route requests to third-party AI providers, we may receive metadata from those providers regarding request processing, errors, or service availability. We do not receive Content from providers except as necessary to return responses to you.

TokenRouter's Use of Personal Data

TokenRouter uses personal data to power our services, to process your transactions, to communicate with you, for security and fraud prevention, and to comply with law. We may also use personal data for other purposes with your consent.

TokenRouter uses your personal data only when we have a valid legal basis to do so. Depending on the circumstance, TokenRouter may rely on your consent or the fact that the processing is necessary to fulfill a contract with you, protect your vital interests or those of other persons, or to comply with law. We may also process your personal data where we believe it is in our or others' legitimate interests, taking into consideration your interests, rights, and expectations. If you have questions about the legal basis, you can contact us at privacy@tokenrouter.io.

Power Our Services

TokenRouter collects personal data necessary to power our services, which may include personal data collected to improve our offerings, for internal purposes such as auditing or data analysis, or for troubleshooting. For example:

• Routing your API requests to the most appropriate AI provider based on your configuration, model requested, and routing mode (fast, balanced, quality)
• Transforming requests and responses between OpenAI-compatible format and provider-specific formats
• Applying firewall rules to protect against abuse and ensure compliance with acceptable use policies
• Monitoring service health, performance, and availability
• Improving routing algorithms and provider selection logic
• Developing new features and capabilities

Process Your Transactions

To process transactions, TokenRouter must collect data such as your name, organization, subscription tier, usage data (token counts, API calls), and payment information. This data is used to:

• Calculate accurate billing based on your token usage and selected pricing tier
• Generate invoices and payment receipts
• Process subscription upgrades, downgrades, and cancellations
• Track usage quotas and rate limits
• Reconcile usage with third-party provider costs

Communicate with You

To respond to communications, reach out to you about your account or transactions, provide service updates, share relevant information about new features, or request feedback. From time to time, we may use your personal data to send important notices, such as communications about:

• Service outages or maintenance windows
• Changes to our terms, conditions, and policies
• Security alerts and account notifications
• Billing issues or payment failures
• Usage approaching quota limits

Because this information is important to your interaction with TokenRouter, you may not opt out of receiving these important notices. You may opt out of marketing communications.

Security and Fraud Prevention

To protect individuals, employees, and TokenRouter and for loss prevention and to prevent fraud, including to protect individuals, employees, and TokenRouter for the benefit of all our users. This includes:

• Detecting and preventing unauthorized access to accounts and API keys
• Identifying and blocking abusive usage patterns, such as excessive rate limit violations or attempts to bypass firewall rules
• Monitoring for security threats, including DDoS attacks and credential stuffing
• Scanning for potentially harmful content or requests that violate acceptable use policies
• Protecting against fraudulent payment methods and chargebacks
• Investigating security incidents and potential violations of our terms of service

Analytics and Service Improvement

TokenRouter uses aggregated, de-identified usage data to understand how customers use our services and to improve service quality, such as:

• Analyzing which AI models and providers are most popular
• Understanding performance characteristics and optimization opportunities
• Identifying common error patterns to improve reliability
• Measuring the effectiveness of routing algorithms
• Planning capacity and infrastructure improvements

Comply with Law

To comply with applicable law — for example, to satisfy tax or reporting obligations, or to comply with a lawful governmental request, subpoena, or court order.

TokenRouter does not use algorithms or profiling to make any decision that would significantly affect you without the opportunity for human review. TokenRouter also does not use or disclose sensitive personal data for any purposes that would require a user to exercise a right to limit processing according to California law.

Data Retention

TokenRouter retains personal data only for so long as necessary to fulfill the purposes for which it was collected, including as described in this Privacy Policy, or as required by law. We will retain your personal data for the period necessary to fulfill the purposes outlined in this Privacy Policy. When assessing retention periods, we first carefully examine whether it is necessary to retain the personal data collected and, if retention is required, work to retain the personal data for the shortest possible period permissible under law.

Specific retention periods:

• Account data: Retained while your account is active and for a reasonable period after closure for legal compliance and fraud prevention
• Content data: Retained only as technically necessary to process requests (typically seconds to minutes), unless you opt-in to history features
• Usage metadata: Retained for billing reconciliation, typically for the current billing period plus 13 months for audit purposes
• Billing records: Retained for 7 years for tax and legal compliance
• Security logs: Retained for 90 days for fraud prevention and security investigations
• Aggregated analytics: May be retained indefinitely as it cannot identify individuals

TokenRouter's Sharing of Personal Data

TokenRouter may share personal data with service providers who act on our behalf, our partners, AI providers, or others at your direction. TokenRouter does not share personal data with third parties for their own marketing purposes.

AI Provider Partners

When you route requests through TokenRouter, Content and necessary metadata are transmitted to the selected third‑party AI model provider (e.g., OpenAI, Anthropic, Google, DeepSeek, Mistral, and others). This is the core function of TokenRouter's service. The specific provider selected depends on:

• The model you specify in your request
• Your routing configuration and rules
• The routing mode selected (fast, balanced, quality, or specific provider)
• Provider availability and service status

Your use of these AI providers through TokenRouter is also subject to their privacy policies and terms of service. We encourage you to review the privacy policies of:

• OpenAI: openai.com/privacy
• Anthropic: anthropic.com/privacy
• Google: policies.google.com/privacy
• Other providers as listed in our documentation

Service Providers

TokenRouter may engage third parties to act as our service providers and perform certain tasks on our behalf, such as processing or storing data, including personal data, in connection with your use of our services. Our service providers include:

• Infrastructure providers: Cloud hosting, database services, and content delivery networks
• Payment processors: Stripe for payment processing and subscription management
• Email services: Transactional email delivery for account notifications and support communications
• Analytics providers: Service monitoring, error tracking, and usage analytics
• Customer support tools: Support ticket management and communication platforms

TokenRouter service providers are obligated to handle personal data consistent with this Privacy Policy and according to our instructions. They cannot use the personal data we share for their own purposes and must delete or return the personal data once they've fulfilled our request.

Business Partners

At times, TokenRouter may partner with third parties to provide services or other offerings. TokenRouter requires its partners to protect your personal data and use it only for the purposes for which it was shared.

At Your Direction

TokenRouter may share personal data with others at your direction or with your consent, such as when:

• You add team members to your organization account
• You integrate TokenRouter with third-party platforms or tools
• You authorize specific individuals to access your usage data or billing information
• You request support and provide us with data to help diagnose issues

Legal and Compliance

We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate. We may also disclose information about you where there is a lawful basis for doing so, if we determine that disclosure is reasonably necessary to enforce our terms and conditions or to protect our operations or users, or in the event of a reorganization, merger, or sale.

TokenRouter does not sell your personal data including as "sale" is defined in Nevada and California. TokenRouter also does not "share" your personal data as that term is defined in California.

Protection of Personal Data at TokenRouter

At TokenRouter, we believe that great privacy rests on great security. We use administrative, technical, and physical safeguards to protect your personal data, taking into account the nature of the personal data and the processing, and the threats posed. We are constantly working to improve on these safeguards to help keep your personal data secure.

Technical Safeguards

• Encryption: All data is encrypted in transit using TLS 1.3 or higher. Sensitive data including provider API keys is encrypted at rest using AES-256 encryption.
• API Key Security: TokenRouter API keys use secure random generation and are hashed before storage. Provider API keys supplied by customers are encrypted using strong encryption with keys managed separately from the data.
• Access Controls: Strict access controls limit who can access personal data, with multi-factor authentication required for administrative access.
• Network Security: Firewalls, intrusion detection systems, and DDoS protection secure our infrastructure.
• Secure Development: Security reviews, code audits, and vulnerability scanning are integrated into our development process.

Administrative Safeguards

• Background checks for employees with access to customer data
• Privacy and security training for all employees
• Incident response procedures and security monitoring
• Regular security audits and compliance reviews
• Data minimization and retention policies

Physical Safeguards

• Our infrastructure providers maintain SOC 2 Type II compliance
• Data centers feature physical access controls, surveillance, and environmental protections
• Redundant systems and backup procedures protect against data loss

Your Security Responsibilities

While we implement strong security measures, security is a shared responsibility. You are responsible for:

• Keeping your API keys secure and not sharing them publicly
• Using strong, unique passwords for your TokenRouter account
• Enabling multi-factor authentication when available
• Rotating API keys if you suspect they may be compromised
• Monitoring your account for unauthorized usage
• Reporting security concerns promptly to security@tokenrouter.io

No system is completely secure, and we cannot guarantee absolute security. If we learn of a security breach that affects your personal data, we will notify you in accordance with applicable law.

Children and Personal Data

TokenRouter understands the importance of safeguarding the personal data of children, which we consider to be an individual under the age of 13, or the equivalent age as specified by law in your jurisdiction. That is why TokenRouter has implemented processes and protections to help keep children's personal data safe.

TokenRouter's services are not directed to children under 13 (or under 16 in the European Economic Area), and we do not knowingly collect personal information from children. If we learn that a child's personal data was collected without appropriate authorization, it will be deleted as soon as possible.

If you believe that a child has provided personal data to TokenRouter, please contact us at privacy@tokenrouter.io so that we can take appropriate action.

Cookies and Other Technologies

TokenRouter's websites, dashboard, and services may use "cookies" and other technologies such as web beacons and local storage. These technologies help us to better understand user behavior including for security and fraud prevention purposes, tell us which parts of our websites people have visited, and facilitate and measure the effectiveness of our services.

Types of Cookies We Use

Communications Cookies

These cookies are used to enable network traffic to and from TokenRouter's systems, including by helping us detect any errors and ensure reliable service delivery.

Strictly Necessary Cookies

These cookies are set as required to provide a specific feature or service that you have accessed or requested. For example, they allow us to:

• Authenticate your account and maintain your login session
• Remember your preferences and settings
• Provide security features and prevent fraud
• Enable core service functionality

Analytics and Performance Cookies

These cookies are used to understand how visitors interact with our websites and services, including by helping us to assess performance and improve user experience. TokenRouter also uses these cookies to remember choices you make while using our services, so we can provide you with a better experience.

Managing Cookies

If you prefer that TokenRouter not use cookies, we provide you with the means to disable their use. If you want to disable cookies and you're using the Safari web browser, choose "Block all cookies" in Safari's privacy settings. If you are using a different browser, check with your provider to find out how to disable cookies. Certain features of the TokenRouter website and dashboard may not be available if all cookies are disabled.

Other Technologies

In addition to cookies, TokenRouter uses other technologies that help us achieve similar objectives:

• Local Storage: We use browser local storage to cache certain data and improve performance
• Web Beacons: Small graphic images that may be included in our email communications to help us understand email engagement
• SDKs: Our client SDKs collect technical data necessary to provide service functionality

TokenRouter generally treats data we collect using these cookies and similar technologies as non-personal data. However, to the extent that Internet Protocol (IP) addresses or similar identifiers are considered personal data by local law, we also treat these identifiers as personal data in those regions. In addition, TokenRouter sometimes combines non-personal data collected from these technologies with other personal data TokenRouter holds. When we combine data in this way, we treat the combined data as personal data for purposes of this Privacy Policy.

Transfer of Personal Data Between Countries

TokenRouter products and services connect you to AI providers around the world. To make that possible, your personal data may be transferred to or accessed by entities around the world to perform processing activities such as those described in this Privacy Policy in connection with your use of our products and services. TokenRouter complies with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be.

TokenRouter is based in the United States. Personal data collected by TokenRouter worldwide is generally stored in the United States and may be processed by TokenRouter and our service providers in the United States or other countries. When you use TokenRouter to route requests to third-party AI providers, your Content may be processed by those providers in their respective locations (which may include the United States, Europe, Asia, and other regions depending on the provider).

European Economic Area, United Kingdom, and Switzerland

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, TokenRouter's international transfer of personal data is governed by Standard Contractual Clauses approved by the European Commission. We implement appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy. If you have questions or would like a copy of TokenRouter's Standard Contractual Clauses, you can contact us at privacy@tokenrouter.io.

Consistent Protection

Regardless of where your personal data is stored or processed, TokenRouter maintains the same high level of protection and safeguarding measures described in this Privacy Policy. We ensure that our service providers and partners comply with appropriate data protection standards.

Our Companywide Commitment to Your Privacy

To make sure your personal data is secure, we communicate our privacy and security guidelines to TokenRouter employees and strictly enforce privacy safeguards within the company. All employees with access to personal data are required to:

• Complete privacy and security training
• Understand and follow our data protection policies
• Access personal data only when necessary for their job functions
• Report any suspected privacy or security incidents immediately
• Handle personal data in accordance with this Privacy Policy and applicable laws

We regularly review our privacy practices and update our policies and procedures to ensure we maintain the highest standards of data protection. Privacy is not an afterthought at TokenRouter — it's built into everything we do.

Privacy Questions

If you have questions about TokenRouter's Privacy Policy or privacy practices, or you would like to contact our Data Protection Officer, you can contact us at:

You can also ask us questions about how to submit a privacy complaint and we will endeavor to help.

TokenRouter takes your privacy questions seriously. A dedicated team reviews your inquiry to determine how best to respond to your question or concern, including those inquiries received in response to an access or download request. In most cases, all substantive contacts receive a response within seven days. In other cases, we may require additional information or let you know that we need more time to respond.

Where your complaint indicates an improvement could be made in our handling of privacy issues, we will take steps to make such an update at the next reasonable opportunity. In the event that a privacy issue has resulted in a negative impact on you or another person, we will take steps to address that with you or that other person.

You may at any time — including if you are not satisfied with TokenRouter's response — refer your complaint to the applicable regulator. If you ask us, we will endeavor to provide you with information about relevant complaint avenues which may be applicable to your circumstances.

Changes to This Privacy Policy

When there is a material change to this Privacy Policy, we'll post a notice on this website at least one week in advance of doing so and contact you directly about the change if we have your contact information on file. We will also update the "Updated" date at the top of this Privacy Policy.

We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your personal data.

© 2025 TokenRouter. All rights reserved.