Legal

Privacy Policy

Last updated: June 10, 2026

KillToken™ is operated as a DBA of LenderFuel.Media, LLC, based in Tucson, Arizona, USA. This policy describes what we collect when you use the KillToken™ optimization gateway, dashboard, and website at killtoken.io, and how we handle it. Questions any time: support@killtoken.io.

What we collect

Account and contact information — the email address and name you (or your administrator) provide for dashboard access and support.
Tenant, user, and admin information — tenant identifiers, dashboard user accounts, roles, and the configuration of your workspace.
API usage metrics — request counts, token estimates, latency, cache status, cost and savings figures, provider and model names, and similar operational telemetry, scoped per tenant.
Billing and subscription metadata from Stripe — plan, subscription status, and billing period references. Card numbers are handled by Stripe and never touch KillToken™ servers.
Provider credential metadata — which providers a tenant has connected, labels, non-secret configuration, and timestamps. The credential secrets themselves are encrypted (see below).
Prompt content, only if you turn it on — by default KillToken™ does not store raw prompt content; we keep fingerprints and metrics instead. Storing raw prompt content is an explicit, off-by-default configuration choice.

Strict BYOK: your provider keys stay yours

KillToken™ is strict bring-your-own-key. Provider API keys (OpenAI, Anthropic, and the other supported providers) are tenant-owned. They are encrypted at rest with AES-256-GCM, shown in full exactly once at creation or rotation, and never intentionally exposed afterward — not in dashboards, logs, exports, errors, or support channels. We never sell provider keys or any other customer data, and we never use your keys for anything other than the requests you send through the gateway.

Your model usage is billed by your provider on your own account. KillToken™ bills only the gateway subscription — we never resell or mark up provider usage.

Cookies and sessions

The dashboard uses a signed, HttpOnly session cookie to keep you logged in. We do not use advertising cookies or cross-site tracking on killtoken.io. Public pages work without accepting anything.

Subprocessors

We use a small set of infrastructure providers to run the service, limited to these categories: hosting (application servers), database (managed MongoDB), cache (managed Redis-compatible storage), payments (Stripe), monitoring (uptime and operational alerting), and email/support (support correspondence). Each receives only what its function requires; none receive decrypted provider credentials.

Your choices and contact

You can revoke API keys and provider credentials at any time from the dashboard, manage your subscription through the billing portal, and request account or data deletion by emailing support@killtoken.io. We will update this page when our practices change and revise the date above.