Privacy policy
Last updated: 2026-06-10
1. Controller
Controller for data processing on tokenmoth.com within the meaning of the GDPR:
[TODO_AUSFÜLLEN], [TODO_AUSFÜLLEN], [TODO_AUSFÜLLEN], Germany
Email: legal@tokenmoth.com
Full details in the legal notice.
2. What data we process
a) Account & authentication
When you sign in (OAuth login via Supabase) we process your email address and a user ID. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
b) Usage / telemetry data
TokenMoth records metrics about your Claude Code usage: token counts, estimated cost, model names, repository names, session metadata and plugin/hook overhead. The locally installed hook sends these via an API key to our API. Transcripts/source code are not transmitted. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
c) Server logs
When you access the website, technically necessary data (e.g. IP address, timestamp, user agent) is processed by our hosting provider. Legal basis: legitimate interest in operation and security (Art. 6(1)(f) GDPR).
d) Product analytics (consent only)
With your consent we use PostHog to analyse usage and improve TokenMoth. Without consent no analytics take place. Legal basis: consent (Art. 6(1)(a) GDPR, § 25(1) TDDDG). You can withdraw consent at any time via Cookie settings in the footer.
e) Payment data
For paid plans, payment data is processed by a payment provider. We do not store full payment instrument data ourselves. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
3. Cookies & local storage
Technically necessary cookies (e.g. to keep your Supabase login session) are set on the basis of § 25(2) TDDDG without consent. Your cookie/analytics choice is stored locally in your browser. Optional analytics cookies are only set after your consent.
4. Recipients / processors
To provide the service we use the following providers. Data processing agreements under Art. 28 GDPR are in place (or will be concluded before go-live):
| Service | Purpose | Region | Transfer |
|---|---|---|---|
| Supabase | Authentication & database (account, usage data) | EU/USA (hosting region to be verified) | Select EU region; otherwise SCC / EU-US DPF |
| Vercel | Hosting & delivery of the web app, server logs | USA | SCC / EU-US Data Privacy Framework |
| PostHog | Product analytics (only after consent) | EU (eu.i.posthog.com) | EU region; no third-country transfer planned |
| Anthropic | Claude Code generates the usage data locally; TokenMoth sends no transcripts/PII to Anthropic | USA (client-side only, by the user themselves) | Not by TokenMoth; to be clarified |
| Payment provider (e.g. Stripe) | Processing of paid plans | USA/EU | SCC / EU-US DPF |
Note: verify regions, third-country transfer mechanisms (SCC / EU-US DPF) and DPAs before go-live (see docs/legal/subprozessoren.md).
5. Retention
We store account and usage data for as long as your account exists. After account deletion the associated data is deleted; statutory retention obligations (e.g. tax law for invoices) remain unaffected. Specific retention periods: [TODO_AUSFÜLLEN].
6. Your rights
Under the GDPR you have in particular the following rights:
- access to the data stored about you (Art. 15)
- rectification of inaccurate data (Art. 16)
- erasure (Art. 17) — directly via “Delete account” in settings
- restriction of processing (Art. 18)
- data portability / export (Art. 20) — via the export function in the dashboard
- objection to processing based on legitimate interests (Art. 21)
- withdrawal of consent with effect for the future (Art. 7(3))
An email to legal@tokenmoth.com is sufficient to exercise these. You also have the right to lodge a complaint with a supervisory authority.
7. Changes
We adapt this privacy policy when processing changes. The version published on this page applies.