What leaves your machine
The TokenMoth CLI parses your Claude Code session transcripts locally and sends one aggregated usage summary per session. The transcript itself never leaves your machine. This page lists every field — it's the dev-readable version of the privacy policy.
| session id | random id of the Claude Code session — used to de-duplicate |
| repo name | basename only, e.g. "tokenmoth" — never the absolute path |
| model names | which Claude models the session used |
| token counts | input, output, cache read, cache creation — plain integers |
| hook overhead | total + per-hook token cost; includes hook/plugin names |
| MCP servers | server names + call counts; no arguments, no results |
| turn series | token counts per turn (downsampled) — powers the session chart |
| end time | when the session ended |
Don't take our word for it — print the exact payload for your most recent session. No key needed, nothing is sent:
$ npx tokenmoth report --dry-run- transcript content — prompts, completions, thinking
- your code, diffs or file contents
- file paths, directory names, usernames
- git remotes, branches, commit messages
- environment variables or credentials
Enforced in code, not just promised: the payload is built by a single whitelist function, and a unit test (telemetry_body_only_whitelisted_fields_no_absolute_path) fails the build if a field is added or an absolute path slips through.
A repo basename, hook or MCP server name can itself be sensitive — for example when a folder is named after a client. If that applies to you, rename the folder, or skip our servers entirely:
The whole stack (API + Postgres) runs locally with docker compose up, and the CLI points anywhere:
$ tokenmoth setup --key <key> --api-url http://localhost:8080Nothing reaches tokenmoth.com. Remove the hook anytime with tokenmoth uninstall.
Settings → danger zone deletes your account and all usage data permanently (GDPR Art. 17). No soft delete, no retention window.