1. What we collect
We only collect what we need to bill you and route your requests:
- Email address — for account login and transactional email (receipts, password reset, security notices).
- Hashed Mintoken API keys — we store a one-way hash of your mt_live_... keys so we can authenticate proxy requests. The plaintext is shown to you exactly once at creation.
- Usage records — for every proxied request: timestamp, model name, provider, input/output token counts, status code, and which Mintoken key was used. We do not store the request body or the response body.
- Billing metadata — plan tier, Razorpay subscription/payment IDs, invoice history. We do not store full card numbers; Razorpay handles that.
2. What we never store
The most sensitive thing flowing through Mintoken is your upstream provider key (OpenAI, Anthropic, Google, etc.). We designed the proxy so we never need to keep it.
- Your X-Provider-Key header is read in memory, forwarded to the upstream provider, and dropped at the end of the request. It is never written to disk, never logged, never put in a database.
- Request prompts and model responses are never persisted. We only count tokens.
- We do not sell, rent, or share your data with advertisers. No third-party tracking pixels run on the dashboard.
3. Retention
- Usage records: kept for 90 days, then deleted or aggregated to monthly totals.
- Account data (email, hashed keys, billing): kept while your account is active. Deleted within 30 days of account deletion, except where we are legally required to keep invoices for tax purposes (up to 7 years under Indian law).
- Backups: rolling 14-day encrypted snapshots, then overwritten.
4. Subprocessors
We rely on a small set of vendors to run the service. Each is under their own data-processing terms:
- Supabase — Postgres database and authentication.
- Hetzner — server hosting (EU region).
- Vercel — frontend hosting and CDN.
- Razorpay — payment processing (India).
- Upstream LLM providers — only the data you send through the proxy reaches them, scoped to that single request.
5. Your rights
You can export your usage history, change your email, or permanently delete your account from the settings page in the dashboard. For anything that page does not cover — including requests under Indian data-protection law — email hello.mintoken@gmail.com and we will respond within 30 days.
6. Security
All traffic is HTTPS only. API keys are hashed with a strong one-way function before storage. Database access is restricted via row-level security so one user cannot read another's rows. We do not store provider keys at all, which is the strongest possible mitigation against a key leak.
7. Children
Mintoken is a developer tool and is not directed at anyone under 18. We do not knowingly collect data from minors.
8. Changes to this policy
If we make a material change we will email all active users at least 14 days before it takes effect. Minor edits (typos, clarifications) are reflected by updating the date at the top of this page.
9. Governing law
This policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts of Bengaluru, Karnataka.
10. Contact
Questions about privacy, data export, or deletion: hello.mintoken@gmail.com.