Legal

Privacy Policy

Effective date: March 10, 2026

Overview

Token Limits (“we,” “us,” “our”) is a SaaS tool that compresses tool responses in AI coding sessions to reduce token usage. It works with Claude Code, Claude Desktop, Cursor, Windsurf, VS Code, JetBrains, and other MCP-compatible tools. We are committed to protecting your privacy. This policy explains what data we collect, what we do not collect, and how your information is handled.

What Data We Collect

We collect the minimum amount of data necessary to operate the service:

Account information: your email address and hashed password, collected when you create an account

License key verification: when Token Limits starts, it sends your license key to tokenlimits.app/api/verify to confirm your subscription status. The result is cached locally so subsequent startups do not require a network call

Usage count: the number of compressed requests, used for subscription verification

Session tokens: hashed session tokens for website authentication

What Data We Do NOT Collect

We want to be explicit about what we never collect, transmit, or store:

File contents: your source code, documents, and file contents pass through our servers in memory for compression and are never stored or logged.

Conversations: your Claude conversations, prompts, and responses are never captured or logged

API keys: authorization headers pass through our server to reach the Anthropic API but are never stored or logged.

Usage analytics: we do not run any analytics, telemetry, or behavioral tracking

Device fingerprinting: we do not fingerprint your device or browser

Third-party tracking: we do not use Google Analytics, Mixpanel, Segment, or any other tracking service

How Compression Works

Both the Claude Code proxy and all MCP tools route requests through tokenlimits.app for compression. Data passes through our servers in memory, is compressed, and is forwarded to its destination (Anthropic or your local filesystem tool). Nothing is written to disk or retained after the request completes.

Claude Code (proxy): API requests from Claude Code are routed through tokenlimits.app/api/proxy, compressed, then forwarded to the Anthropic API. Your API key and conversation content pass through in memory only and are never stored or logged. Dashboard statistics are generated locally and served at localhost:4800 -- this data never leaves your machine. If AI summaries are enabled, large tool outputs may be sent directly to Anthropic's Haiku model using your API key -- this goes to Anthropic, not to our servers.

MCP tools (Claude Desktop, Cursor, Windsurf, VS Code, JetBrains, Codex): The binary runs locally to perform filesystem operations and shell commands. Raw output is sent to tokenlimits.app/api/compress with your license key for compression, and the compressed result is returned. Nothing is written to disk or retained after the request completes. Sensitive paths (.ssh, .env, .aws, etc.) are blocked locally and never transmitted.

Third-Party Data Sharing

We do not sell, rent, trade, or share your data with any third parties. The only external service involved is Stripe, which processes payments. We do not store your credit card information. Stripe handles all payment data according to their privacy policy.

Cookies

We use a single session cookie (tl_session) to keep you logged in on the website. No tracking cookies, no analytics cookies, no third-party cookies.

Data Retention

Account data (email, hashed password, license key, usage count) is retained for as long as your account is active. When you delete your account, all associated data is permanently removed from our servers.

Local data (cached license verification, dashboard stats, configuration) is stored on your machine and can be removed at any time by running token-limits uninstall.

Data Deletion

To remove all local files, run token-limits uninstall. This removes the binary, configuration, cached license data, and dashboard files from your machine.

To delete your account and all server-side data, email us at [email protected] and we will permanently remove your account within 30 days.

Platform Support

Token Limits runs on macOS, Linux, and Windows (via WSL for Claude Code, native for Claude Desktop). The same privacy guarantees apply across all platforms. Compression is local by default regardless of operating system.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you

Rectification: request correction of inaccurate data

Erasure: request deletion of your personal data

Portability: request your data in a machine-readable format

Objection: object to processing of your personal data

To exercise any of these rights, email [email protected]. We will respond within 30 days.

California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information. We do not sell personal information.

Security and Breach Notification

We use industry-standard security measures to protect your data, including encrypted connections (TLS), hashed passwords, and secure payment processing via Stripe. If we become aware of a data breach affecting your personal information, we will notify affected users by email within 72 hours and take steps to mitigate the impact.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by email or by posting a notice on the service at least 14 days before the changes take effect. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

Contact

Questions or concerns about this privacy policy? Email us at [email protected].