Privacy Policy

Token Harbor PTE. LTD. (“Token Harbor”, “we”, “us”, “our”) operates tokenharbor.ai and its related web, mobile applications, and API services. As a foundational economic and routing infrastructure for AI models, privacy and data control are central to our platform.

This policy explains what information we collect, how it is routed, and your rights regarding your data. By using Token Harbor, you agree to the collection and use of information as described below.

1. How We Process AI Data (Model Routing)

Because Token Harbor acts as a universal router to various AI models, how we treat your API request (prompts) and response content (completions) depends strictly on the model tier you choose.

Paid Models & Zero Data Retention (ZDR)

For all paid models, Token Harbor enforces a Zero Data Retention policy. We do not use your request or response content to train any machine-learning models, nor do we allow our downstream Model Providers (e.g., OpenAI, Anthropic) to use it for training. Your prompts are routed securely, processed for the completion, and immediately discarded by the provider. Only required billing metadata (token counts, timestamps) is retained.

Free Models & Data Sharing

Certain models (such as DeepSeek) are offered entirely for free. These models are free because the underlying provider may retain requests and responses to improve their service. Free models are disabled by default. You must explicitly opt-in via your dashboard to use them, serving as your consent to this data use. Enabling free models does not affect your paid model routing, which remains strictly confidential.

Observability & Conversation History

If you use our web or mobile chat interfaces, Token Harbor retains your conversation history on our secure servers purely so you can resume previous chats across sessions. You may delete this history or export it at any time.

2. Information We Collect

To operate our services and maintain a secure payment ecosystem, we collect the following:

• Account & Identity Information: Your email address and password (passwords are securely hashed by Supabase Auth; we never see them). If you use Single Sign-On (SSO), we receive basic profile details.
• Wallet and Transaction Data: Your credit balance, top-up history, token consumption, cashback, and referral rewards. This is maintained as an append-only ledger on our servers.
• Telemetry & Metadata: We log routing metadata—such as the number of prompt/completion tokens, latency, and model selection—to power billing, rate-limiting, and model performance rankings. This metadata never contains the actual content of your messages.
• Device & Security Information: A persistent device identifier generated in your browser's local storage and your IP address at signup to prevent coordinated fraud and duplicate account abuse.

3. Google User Data Policy

If you choose to sign in with Google (“Sign in with Google”), Token Harbor accesses Google user data through Google's OAuth 2.0 flow. In accordance with the Google API Services User Data Policy, we adhere to the following strict guidelines:

• What we access: We request only the minimum OAuth scopes: openid (unique identifier), email (login identifier), and profile (name and avatar for UI personalization). We cannot and do not access Gmail, Drive, Calendar, Contacts, or any other Google data.
• How we use it: We use this data exclusively to authenticate your session, link existing accounts, send transactional emails, and prevent abuse. We do not use Google user data to train AI models, nor do we sell, trade, or use it for advertising.
• How it is protected: Your Google data is encrypted in transit (TLS 1.2+) and at rest (AES-256) in our Supabase-hosted Postgres database. Row-Level Security ensures only you can access your data. Service keys are stored in Vercel encrypted environment variables.
• Retention and Deletion: Google user data is retained only while your account exists. You can revoke access anytime via your Google Account Permissions or email us for complete account deletion.

4. Third Parties & Data Sharing

Token Harbor does not sell your personal data. To provide borderless AI access, we share necessary data strictly with trusted infrastructure vendors:

• AI Model Providers: Your message content is securely routed to the provider that powers your selected model. For paid tiers, we mandate enterprise terms prohibiting data retention for training.
• Supabase: Manages our authentication and database hosting securely.
• Vercel & Cloudflare: Provides web hosting, edge infrastructure, DNS, edge caching, and bot mitigation.
• PayPal Hong Kong (Licence SVF0008): Processes payments for credit top-ups. We do not store your card number or PayPal credentials; we only store order and capture identifiers for reconciliation.

5. Data Retention & Security

We retain your account data for as long as your account is active. Financial transaction records and anonymized telemetry data may be retained for up to seven (7) years to comply with international accounting, tax, and anti-money laundering (AML) laws, even after an account is deleted.

All user data is protected by industry-standard administrative, technical, and physical safeguards. However, no internet transmission is universally secure; you are responsible for maintaining the confidentiality of your account credentials.

6. Your Rights & Controls

You maintain total control over your data. At any time, you can:

• Access & Export: View your data in the in-app Activity view, or email us to export your complete conversation history.
• Correct: Update the email or profile details associated with your account.
• Delete: Request full account deletion. We will purge your personal and conversational data within 30 days, exempting legally required financial records.
• Opt-Out: Unsubscribe from non-transactional or product-update emails at any time.

7. Cookies & Tracking

We use a minimal footprint of essential cookies required for site functionality: an authenticated session cookie, a temporary preview-access gate cookie, and a CDN routing cookie. We do not use third-party advertising cookies.

We utilize first-party analytics to understand site usage. These analytics are entirely optional. We record no tracking data until you explicitly accept our consent banner. You can revoke this choice at any time by clearing your th_cookie_consent cookie.

8. International Data Transfers & Children

Global Transfers: Our core servers are located in the United States. By using Token Harbor from outside the US, you acknowledge that your data will be transferred to, and processed in, the United States.

Age Requirements: Token Harbor is not intended for children under 13. If you believe a minor has provided us with personal information without parental consent, please contact us immediately for deletion.

9. Changes to this Policy

We may update this Privacy Policy as regulatory landscapes and AI industry standards evolve. Material changes will be communicated via email to your registered address and updated on this page.

10. Contact Us

For questions regarding your data, privacy, or this policy, please reach out to our legal team:

Email: legal@tokenharbor.ai