Privacy Policy

1. At a glance

• We collect the minimum data needed to operate the Service: account, billing, prompts you submit, and basic device/usage information.
• Your prompts are transmitted to the third-party API providers you select. We do not sell prompts and we do not use them to train any machine-learning model.
• You can export and delete your data at any time. You have rights under U.S. state law, the EU GDPR, and similar frameworks.
• We are based in the United States. Some of our subprocessors are outside the U.S. We rely on Standard Contractual Clauses and equivalent mechanisms for international transfers.

2. Who we are (the “data controller”)

The entity responsible for the personal information processed through ToolAudition.com is:

If we appoint a Data Protection Officer or an EU/UK representative under the GDPR, we will update this section accordingly.

3. Scope

This Policy applies to ToolAudition.com and any related software, APIs, or pages we operate under the same brand (the “Service”). It does not apply to the websites, services, or processing activities of the third-party API providers to whom your prompts are routed — those are governed by each provider’s own privacy policy. See the Provider Disclosure.

4. Information we collect

4.1 Account information

When you create an account, we collect your email address, a hashed password (or an OAuth token from a supported identity provider), display name, and a unique account identifier.

4.2 Billing information

When you purchase credits, our payment processor (currently Stripe, Inc.) collects payment-method details. We receive only the last four digits of your card, the card brand, an expiration month/year, the billing country, and a tokenized identifier we can use to reference the payment method. We do not store full card numbers, CVCs, or full bank account numbers on our servers.

4.3 Prompts, inputs, and outputs

When you run a query, we receive and process your prompt text, any attached files or media, the providers and models you selected, the output token cap, and the responses returned by the providers (collectively, “Query Content”). We use Query Content to deliver the comparison, calculate cost, populate your query history, and operate the Service. We do not sell Query Content and we do not use it to train any model we own or control. See Section 6 for additional detail.

4.4 Device and usage information

We automatically collect technical information when you access the Service, including IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and approximate location derived from IP. This information is used for security, abuse prevention, debugging, and aggregated analytics.

4.5 Cookies and similar technologies

We use a small set of strictly necessary cookies (session token, CSRF token, theme preference) and analytics tags. See our Cookie Policy for the full list and your choices.

4.6 Communications with us

If you contact support, legal, or billing, we keep a record of your message and our response so we can help you and improve the Service.

4.7 Information we do not collect

We do not knowingly collect Social Security numbers, government IDs, biometric identifiers, precise (GPS-level) geolocation, or special-category data (such as health, race, religion, or sexual orientation) about you. If you submit such data inside a prompt, please understand the prompt will be transmitted to the third-party providers you chose; we strongly recommend redacting sensitive data before submission.

5. Why we use information (purposes and legal bases)

Purpose	Categories	GDPR legal basis
Provide and operate the Service	Account, prompts, device	Contract (Art. 6(1)(b))
Process payments and credits	Billing, account	Contract; legal obligation
Prevent fraud, abuse, and security incidents	Device, usage	Legitimate interests (Art. 6(1)(f))
Send transactional and service messages	Account, billing	Contract; legitimate interests
Send marketing emails (only with opt-in)	Account	Consent (Art. 6(1)(a))
Analytics and product improvement	Usage, device	Legitimate interests; consent where required
Comply with law, respond to legal requests	Any	Legal obligation (Art. 6(1)(c))

6. Your prompts and outputs (the important section)

ToolAudition is a routing and comparison layer. When you click Run:

1. We transmit your prompt and parameters to each provider you selected, over TLS-encrypted connections.
2. Each provider processes your prompt under its own terms and privacy policy and may log it according to its own retention rules. We have no control over a provider’s internal logging.
3. We store the prompt, the providers used, the output token cap, the responses returned, latency, and actual cost on our own infrastructure, associated with your account, so you can see them in Query History.
4. You can delete an individual query — or your entire history — at any time from your account dashboard. Deletion from our infrastructure happens within seven (7) days of your request.
5. We do not sell Query Content. We do not use it to train, fine-tune, or evaluate any machine-learning model owned by us or by an affiliate.
6. Enterprise customers may purchase a zero-log mode in which we do not persist Query Content beyond the duration of the request.

7. Who we share information with

• Third-party API providers you select. See Provider Disclosure.
• Service providers and subprocessors who operate parts of our infrastructure under written contracts that restrict their use of personal data. These currently include: Stripe (payments), our hosting and edge providers (e.g., Cloudflare, Render or equivalent), our database and cache providers (e.g., Supabase/Neon, Upstash), our email sender (e.g., Resend or Postmark), our error monitoring (Sentry), and our analytics tool (PostHog or Plausible).
• Authentication providers when you choose to sign in with them (e.g., Google).
• Legal and safety recipients when required by law, subpoena, or to protect rights, safety, or property.
• Business transfers. If we are involved in a merger, acquisition, or asset sale, personal information may be transferred. We will notify you of any change in ownership or use of your information.

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California law. If we add ad networks in the future, this section will be updated and you will be given the choice to opt out before any such sharing occurs.

8. International transfers

Our servers are located in the United States. Some of our subprocessors are located outside your country, including in the European Economic Area and the United Kingdom. Where required, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

9. How long we keep information

Category	Retention period
Account record	For the life of the account, plus 30 days after deletion
Query Content (prompts + outputs)	Until you delete it, or until account closure + 30 days
Billing records and invoices	7 years (U.S. tax retention)
Security and audit logs	12 months
Email metadata	24 months

10. Security

We use TLS in transit, AES-256 at rest, hashed passwords (Argon2 or bcrypt), role-scoped database access, and audit logging. No system is perfectly secure; we will notify affected users and applicable regulators of a personal-data breach as required by law.

11. Your rights

Subject to local law, you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete your information.
• Port your information in a structured, machine-readable format.
• Object to or restrict certain processing.
• Withdraw consent at any time, without affecting the lawfulness of prior processing.
• Lodge a complaint with a supervisory authority.

To exercise these rights, email privacy@toolaudition.com from the address associated with your account, or use the self-service tools in your account dashboard. We will respond within thirty (30) days, or longer where law permits.

12. California disclosures (CCPA / CPRA)

In the prior twelve (12) months we have collected the categories of personal information described in Section 4, used for the purposes in Section 5, and disclosed to the categories of recipients in Section 7. We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We do not knowingly process the personal information of consumers under 16. California consumers have the rights to know, delete, correct, opt out of sale/sharing (not applicable here), and limit use of sensitive personal information, and to be free from retaliation for exercising these rights. To submit a request, see Section 11. You may authorize an agent in writing to act on your behalf.

13. Oregon disclosures (Oregon Consumer Privacy Act)

Effective July 1, 2024, Oregon residents have rights similar to those described above, including the right to obtain a list of specific third parties to whom we have disclosed their personal data. Email privacy@toolaudition.com to submit such a request. You may appeal a denial by replying to our response within sixty (60) days; if your appeal is denied, you may contact the Oregon Attorney General at justice.oregon.gov.

14. EEA and UK disclosures (GDPR)

If you are in the EEA, UK, or Switzerland, the legal bases for processing are listed in Section 5. You have the rights listed in Section 11 and may complain to your national supervisory authority. If you would like an EU/UK representative contact, email privacy@toolaudition.com; we will appoint one before any material EU-facing launch.

15. Children

The Service is not directed at children under 13 and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided information to us, contact privacy@toolaudition.com and we will delete it.

16. Changes to this Policy

We will post any material changes at least thirty (30) days before they take effect, including by email or in-app banner. The “Last updated” date at the top reflects the most recent revision.

17. Contact