GDPR Notice

Last updated · May 13, 2026

This page summarises your rights under the EU General Data Protection Regulation (GDPR) when you use Token Harbor. It complements our Privacy Policy, which covers the full lifecycle of personal data handled by the service.

Data controller

Token Harbor Ltd. acts as the data controller for personal data collected through tokenharbor.ai. You can reach our privacy team at legal@tokenharbor.ai.

What we process

  • Account data — email address, authentication tokens, and account metadata (created-at, last sign-in).
  • Billing data — top-up amounts, currency, payment processor reference IDs. Card numbers never touch our servers; we pass them through to PayPal Hong Kong (SVF0008).
  • Usage data — API requests, model identifiers, token counts, and the resulting cost / cashback ledger entries.
  • Content data — prompts you send to models, the responses they return, and any files you upload. Retention is described in our Privacy Policy.

Legal basis

We process personal data on three legal bases under GDPR Article 6: contract (running the gateway you signed up for), legitimate interest (fraud prevention, abuse detection, system health), and consent (any optional analytics or marketing emails — withdrawable at any time from your profile page).

Your rights

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete personal data.
  • Right to erasure — request deletion of your account and the personal data tied to it. Some records (anonymised billing ledger entries, abuse audit logs) are retained as legally required.
  • Right to restriction — pause processing while a dispute is investigated.
  • Right to data portability — export your account, billing, and conversation history in a structured machine-readable format.
  • Right to object — opt out of processing based on legitimate interest, including profiling.
  • Right to withdraw consent — for anything you opted into; doesn't affect prior lawful processing.

How to exercise your rights

Email legal@tokenharbor.ai from the address tied to your account. We respond within 30 days (extendable by 60 days for complex requests, with notice). There is no fee unless requests are manifestly unfounded or excessive.

International transfers

Token Harbor's infrastructure runs on cloud providers based in the United States. Where personal data leaves the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021 modules) with our vendors and apply supplementary measures such as encryption in transit and at rest. Vendor list available on request.

Retention

Account data is retained for the lifetime of your account plus 30 days after deletion (to handle reversal requests). Conversation history is retained until you delete it or close your account; anonymised billing ledger entries are retained for seven years to meet accounting obligations.

Automated decision-making

We do not subject users to solely automated decisions producing legal or similarly significant effects. The smart-routing layer chooses upstream providers based on availability and cost, but does not change the model you requested — see our Safety policy for the “we won't swap your model” commitment.

Right to lodge a complaint

You can complain to your local data protection authority. A directory is published by the European Data Protection Board at edpb.europa.eu.

Changes

We will publish material changes to this notice on this page and, for signed-in users, in-app. The “Last updated” date at the top of the page reflects the most recent revision.