Privacy Policy
What we collect, why, how long we keep it, and your rights.
Draft. Engineering draft pending counsel review prior to GA launch. Questions: privacy@tokenone.io.
Last updated: 21 April 2026
1. Controller
One Group Inc. (trading as TokenOne®) is the data controller for personal data we hold about you. Contact: privacy@tokenone.io.
2. What we collect
- Account data: email, name, password hash, tenant memberships, role, MFA enrollment state.
- Usage data: LLM calls (provider, model, token counts, timestamps, tenant + project + user context), API key activity, session logins (IP + user-agent + country code).
- Content you submit: prompts, uploads (audio/image/video/text), project configuration, support messages, bug reports.
- Connector data: credentials for Git / DB / Issue / Docs providers (stored AES-256-GCM encrypted) + whatever we sync on your instruction (commits, rows, tickets, docs).
- Billing data: top-ups, balances, invoices, payment metadata (card last-4 via Stripe; we never store full card numbers).
- Cookies: a minimum set of functional + preference cookies. Analytics + marketing cookies are opt-in; see the Cookie Policy.
3. Why we process it
- To provide the service (lawful basis: contract). Authentication, routing AI calls, billing you.
- Legitimate interests in running + securing the business: fraud detection, abuse prevention, capacity planning, aggregated analytics.
- Legal obligations: retaining billing and audit records required by tax and financial-services regulation.
- Consent for marketing comms, optional cookies, and model-training (we do not train on your content without explicit written consent).
4. Who we share it with
Full list with purpose + region + DPA link at /sub-processors. Headline categories: cloud infrastructure, LLM providers we route to (Anthropic, OpenAI, Google, OpenRouter, Fireworks, and similar), payment processor (Stripe), email provider, error monitoring, analytics (opt-in only).
5. International transfers
Where data leaves the UK or EEA, transfers are governed by the UK International Data Transfer Addendum and/or EU Standard Contractual Clauses with each sub-processor.
6. Retention
- Account data: for the life of your account + 30 days after closure.
- Usage / LLM call logs: 24 months (hot tier 90 days, cold tier 22 months).
- Billing records: 7 years (tax requirement).
- Audit logs: 5 years.
- Connector credentials: deleted on disconnect.
- Failed bug reports / abandoned sessions: 30 days.
7. Your rights
Under UK GDPR / EU GDPR / CCPA you have the right to access, rectify, delete, restrict, port, and object. Exercise any of these from your in-app Privacy dashboard or email privacy@tokenone.io. We respond within 30 days.
One-click export (Article 20): JSON bundle delivered by email. One-click deletion (Article 17): 7-day grace period so you can cancel; after that, permanent.
8. Security
Details on the Security page. Summary: AES-256-GCM at rest, TLS 1.3 in transit, row-level DB tenant isolation, audit trail on every access, annual pen-test, SOC 2-track.
9. Children
TokenOne® is not intended for under-16s. If you believe a child created an account, email privacy@tokenone.io and we will delete it.
10. Complaints
You can complain to your local data-protection authority. In the UK, that’s the ICO (ico.org.uk). We would prefer you email us first so we can put things right quickly.