Privacy Policy

What we collect

• Your email address and a password hash (PBKDF2-SHA256, 100 000 iterations, per-user salt) — we never store or log the plaintext password.
• Your timezone and personality mode preferences, saved as user-profile fields.
• The provider API keys you paste in (OpenAI, Anthropic, OpenRouter, etc.), stored AES-256-GCM encrypted at rest with a per-row initialisation vector.
• Usage data we sync from each provider on your behalf — model names, token counts, dollar amounts, and dates. Scoped to your account.
• Session tokens in Cloudflare KV with a 30-day TTL for keeping you logged in.

We do not collect analytics cookies, track you across sites, or sell any data.

Where it lives

Application data (accounts, connections, usage records, alerts) lives in Cloudflare D1 (SQLite at the edge), replicated across Cloudflare's global network. Session tokens and rate-limit counters live in Cloudflare KV.

When you use the LLM Proxy, per-request metadata (model, token counts, cost, latency, status code) is sent to Keplor, a self-hosted log aggregator running on a private VM. Keplor stores this metadata for real-time dashboards and quota enforcement. It never receives prompt content, completion text, or provider API keys.

There are no third-party analytics cookies, no tracking scripts, and no data brokers in the pipeline.

Encryption

Provider API keys are encrypted with AES-256-GCM using the Web Crypto API before being written to the database. Each key has its own random IV and auth tag. The master encryption key is stored as a Cloudflare Pages secret and is never written to the database or log output.

Passwords are hashed with PBKDF2-SHA256 at 100 000 iterations (the Cloudflare Workers cap) with a 16-byte per-user salt. We use a constant-time comparison on verify to prevent timing attacks.

Third parties

Three data processors handle your data outside Cloudflare:

• Razorpay — billing processor for all payments. Handles subscription management, card/UPI/PayPal/netbanking processing, and tax collection. They receive your email and payment details directly when you upgrade; Obol never sees card numbers.
• Keplor (self-hosted) — our log aggregator for the LLM Proxy. Receives per-request metadata: model name, token counts, cost, latency, HTTP status, and your user/session tags if you set them. Does not receive prompt content, completion text, provider API keys, or your email address. Data is stored with zstd compression on a private VM we control.
• Gmail SMTP (Google) — alert emails, budget notifications, and password reset links are delivered from useoboltrack@gmail.com via Gmail's SMTP service. Google sees the recipient address and message content at delivery time.

Retention

Usage records are retained for the length of your plan's history window: 7 days on Free, 90 days on Pro. Older records are automatically purged by our daily cleanup cron. Sync logs (records of each provider fetch) are kept for 7 days regardless of plan.

When you delete your account, every related row is cascaded via database foreign keys: connections, usage records, daily rollups, alerts, alert history, anomaly logs, and sync logs. Session tokens in KV are explicitly destroyed. Deletion is immediate and irreversible.

Your rights

• Export — download your usage history as CSV or JSON via Settings → Export (Pro plan).
• Delete — remove your account and all associated data via Settings → Danger Zone. The delete happens immediately and cannot be undone.
• Change password — rotate your credentials via Settings → Security. All other sessions are invalidated automatically.

Cookies

Obol uses exactly one cookie: session, an httpOnly + secure + sameSite=lax token that keeps you logged in across page loads. There are no analytics cookies, tracking pixels, or third-party embeds.

Contact

Questions or requests about your data: useoboltrack@gmail.com

Changes to this policy

If we change this policy in a way that affects how your data is handled, we'll bump the "last updated" date above and — if the change is material — email you before it takes effect.