Tokenmaxx is operated by Gfeller Web Solutions, Luzern, Switzerland. Contact: mail@maxgfeller.com. This policy explains what Tokenmaxx collects, why it is used, what is public, and how to exercise privacy rights.
Tokenmaxx collects GitHub OAuth profile data needed for login: GitHub ID, username, display name, avatar URL, session timestamps, and session token hashes. Tokenmaxx does not request GitHub repository access. Tokenmaxx sets an authentication cookie for web sessions and stores desktop session tokens locally on your device.
The desktop app processes supported local AI coding assistant usage records to calculate token usage. The normal sync uploads device ID, device name, platform, project display name, hashed project/path identifiers, hashed session identifiers, tool, provider, model, token counts, estimated list-price cost, event/session counts, rollup dates, and first/last seen timestamps. The normal sync does not upload prompts, responses, source code, raw file paths, raw session IDs, or raw local usage files.
Some data is public by default: GitHub username, display name, avatar, aggregate weekly/all-time token and estimated-cost stats, contribution graph data, leaderboard placement, public profile data, and badge image output. Tokenmaxx does not publicly expose device names, project names, project counts, raw paths, raw session IDs, prompts, responses, or code.
Tokenmaxx uses personal data to authenticate users, operate dashboards, sync desktop usage, show public aggregate stats, generate badges, estimate costs, prevent abuse, debug and secure the service, improve product functionality, honor legal requests, process privacy requests, and record acceptance of the Terms and Privacy Policy. Legal acceptance records may include accepted document versions, timestamp, source, user agent, and a hashed IP-derived audit value.
Tokenmaxx may use product analytics, diagnostics, and session replay tools, including PostHog or similar services. If enabled, these tools may collect page views, feature interactions, button clicks, navigation paths, browser/device metadata, approximate location derived from IP address, referrer, session identifiers, web app screen recordings, and error/debug events. Session replay applies to the Tokenmaxx web app, not local AI coding assistant usage records, prompts, responses, source code, or raw local usage files. Tokenmaxx will not use product analytics for advertising, cross-context behavioral advertising, or sale of personal data.
Tokenmaxx uses service providers for hosting, authentication, release delivery, analytics, diagnostics, security, and related operations. These providers, including GitHub and analytics providers such as PostHog, may process data as service providers or processors.
Tokenmaxx does not sell personal data and does not share personal data for cross-context behavioral advertising. Tokenmaxx does not use advertising cookies. Non-essential analytics cookies or similar browser storage will only be used where allowed by law.
Web and desktop sessions expire automatically unless renewed. Account, usage, analytics, and acceptance records are kept while your account is active and then deleted or anonymized when no longer needed, unless retention is required for security, dispute, backup, or legal reasons. Local source usage files remain on your device unless you separately share them.
You may request access, correction, deletion, portability, objection, or restriction by emailing mail@maxgfeller.com. Tokenmaxx will verify the request against your GitHub identity or another reasonable method. You may also complain to a competent data protection authority. Tokenmaxx is not directed to children under 13 and should not be used by anyone who cannot consent to this policy.
Tokenmaxx protects data with reasonable technical and organizational measures, including HTTPS transport, HttpOnly web session cookies, hashed server-side session tokens, scoped GitHub OAuth, and data minimization. No system is perfectly secure.