Privacy Policy

Last updated: 2026-05-25

Zero retention. Neither we nor Anthropic store your prompts or responses.

API traffic is proxied to Anthropic in real time. TypeGPT runs on a Zero Data Retention enterprise workspace upstream, so Anthropic doesn't keep the content either. We keep only metadata about the call (model, token counts, HTTP status, latency) — never the content of your messages or Claude's replies.

What we collect

  • Telegram identity: your numeric Telegram ID, handle (if public), and first name — this is your account identifier.
  • API usage logs: model used, input/output token counts, cache hit counts, plan tokens charged, HTTP status, latency, timestamp.
  • Payment metadata: invoice ID, plan, amount, cryptocurrency used, payment status. We do not see your wallet's private keys or balances.
  • Sessions: a signed HTTP-only cookie when logged in on the dashboard.

We do not collect: email, phone number, real name (unless provided in your Telegram profile), wallet keys, or any government-issued ID.

What we don't store

Prompts and responses are not stored by us. Your API requests are proxied to Anthropic in real time; we record metadata (tokens, model, status) but not the content of your messages or Claude's replies.

Anthropic's own data handling for your prompts is governed by Anthropic's Privacy Policy.

Why we collect what we do

  • Telegram identity — to authenticate you and provide the dashboard / bot UX.
  • Usage logs — to show you your own usage, bill correctly, and detect abuse.
  • Payment metadata — to fulfill orders, handle refunds, and meet basic accounting needs.

Who we share data with

  • Anthropic receives your prompts (since we proxy to their API). They never receive your TypeGPT account info — only the upstream API key the request is sent under.
  • OxaPay processes crypto payments. They receive the invoice amount, your optional email (if you supplied one), and your wallet payment.
  • Neon hosts our Postgres database within the EU.
  • Cloudflare sits in front of our origin and may log IP-level request metadata for DDoS protection.

We do not sell data to advertisers and have no third-party tracking pixels on this site.

Retention

  • Usage logs: retained 90 days, then aggregated and the row deleted.
  • Invoices: retained 2 years for accounting.
  • Account data: retained while your account is active; deleted within 30 days of account deletion.

Your rights

You can export your usage history from the dashboard at any time. You can delete your account permanently by messaging the bot or contacting support; deletion is irreversible and remaining tokens are forfeited.

EU/UK residents: you have the right to access, correct, and erase your data under GDPR. Contact support to exercise these rights.

Security

API keys are stored as SHA-256 hashes — we cannot recover a key after you generate it. Sessions are signed JWTs in HTTP-only cookies. Webhook traffic is verified via HMAC (OxaPay) or shared secret (Telegram). The database connection uses TLS with channel binding.

Contact

Privacy questions: [email protected].

← Back to home