Privacy Policy
Working draft · limitlesstokens.com · last edited by product, pending legal
This policy describes what limitlesstokens collects, why, and what we deliberately do not collect. The
guiding principle: we run on anonymized survey/task data and sponsor content, not on surveilling your code
or your conversations with Claude.
1. What We Collect
- Wallet id. A locally generated random wallet identifier (adt_…) that ties your earnings and
spends together. For anonymous wallets, this is the only identifier and it is not linked to you personally.
- Account credentials (accounts only). If you create an account, your email address and a
one-way hash of your passcode (via scrypt). We never store the passcode itself.
- Ledger of credits and spends. An append-only record of Tokens earned (source and amount) and spent
(model and measured token counts). This is the financial record of your balance.
- Survey and task answers. The responses you submit to in-terminal or in-browser surveys and tasks.
- Fraud signals on surveys/tasks. Your IP address and user-agent at the time you submit a survey or
task, used to detect velocity abuse, multiple accounts, and automation.
- Tracked pane-minutes. The amount of time the sponsor ad pane is visible, which determines passive
earnings. We track duration, not the contents of your terminal.
2. What We Explicitly Do NOT Collect
We do not collect the prompt or completion content of your Claude turns. This is a hard line in how the
product is built.
- BYO-key turns are forwarded under your key and never logged, parsed, or stored. When you bring your own
Anthropic key, the request is forwarded to Anthropic under your key. It transits our proxy on the way (so the
server momentarily handles the request in memory), but we do not meter, parse, store, or log the key, your
prompt, or the completion.
- Wallet-funded turns stream through unlogged. Wallet-path turns are proxied to Anthropic to fund them with
our key, but the proxy pipes the request and response through byte-for-byte and reads only the token-usage
counts needed to bill you — it does not parse, store, or log your prompt or the model’s completion text.
(This matches our proxy implementation, which tees out only the usage block — input/output token
counts and model name — from the stream and discards the rest.)
- Local tag derivation. Where the CLI derives context tags from a local log tail (e.g. to choose relevant
sponsor content), that derivation happens locally on your machine and only short category names —
not your code or prompts — are sent to us.
3. How We Use Data
- Operate the wallet: issue credits, settle spends, show your balance and history.
- Fraud prevention: use IP/user-agent and velocity signals to detect and stop abuse, multiple accounts,
and automation, and to void fraudulent credits.
- Anonymized research resale: aggregate and anonymize survey/task responses and sell the resulting
anonymized aggregates to third parties. This funds the service. Buyers do not receive data that
identifies you.
4. Data Retention & Redaction
The financial ledger is append-only and retained for accounting, audit, and fraud-prevention integrity; we
do not delete ledger entries. Personally identifying information (such as your email) is redactable on request
— a redaction path exists that scrubs PII while preserving the integrity of the append-only financial record. Survey
and task content is retained in anonymized form for research.
5. Sharing & Processors
- Data buyers receive only anonymized aggregates — never raw, identifiable responses.
- Fly.io — application hosting and database infrastructure.
- Anthropic — processes wallet-path inference requests (the AI turn itself). Your prompt content goes to
Anthropic to generate the response, governed by Anthropic’s terms; we do not retain it.
- Resend — transactional email delivery (account passcodes and recovery).
6. Your Rights
- Access: view your balance, earn history, and spend history on your wallet page at any time.
- Redaction: request redaction of your PII; we redact while preserving the append-only ledger.
- EU/UK users: PLACEHOLDER — attorney: GDPR/UK-GDPR lawful basis (consent vs. legitimate
interest) for each processing purpose, data-subject request handling, international-transfer mechanism (SCCs),
and whether a representative/DPO is required.
7. Security
Passcodes are stored only as one-way scrypt hashes. Wallet ids are treated like API keys: they key your wallet,
ledger, and account records (and are additionally captured in an internal, access-controlled administrative audit
trail used for fraud investigation and abuse response), but they are never echoed to other users or shared
externally. Traffic to the proxy is over TLS. Local credential files are written with restrictive permissions. For
account-holding wallets, short-lived session tokens mean that possessing a bare wallet id alone no longer gives full
account control; note that a session token, if leaked, remains replayable until it expires. Database backups are
configured for point-in-time recovery.
8. Contact
Questions or requests (including redaction): privacy@limitlesstokens.com
PLACEHOLDER — attorney: confirm contact address, mailing address if required, and any
jurisdiction-specific notice requirements.