Privacy

Last updated: May 2026. Effective for the Cost product at cost.botzone.ai.

Don't take our word for it. Read the SDK.

The Cost SDKs are MIT-licensed and public. Every field described below is generated by the wrap() function you can audit at github.com/botzone-ai/cost-sdk-ts (TypeScript) and cost-sdk-py (Python). If our description below contradicts the source, the source is the truth.

1. Who we are

Botzone Ltd (Botzone, we, us) is registered in Ireland. We operate the botzone.ai platform and the Cost product at cost.botzone.ai. For data protection enquiries, contact privacy@botzone.ai.

2. Information we collect

Account data

When you sign in with Google we receive your name, email address, profile picture, and the OAuth refresh token needed to keep your session active. We do not request access to Gmail, Drive, Calendar, or any other Google service.

LLM call metadata (the core of the product)

The Cost SDK transmits the following fields for each LLM call you choose to wrap:

  • Provider name (anthropic, openai, gemini)
  • Model identifier (e.g. claude-sonnet-4-6, gpt-4o-mini)
  • Token counts: prompt, completion, cached, cache-creation
  • Computed USD cost based on our published pricing tables
  • Latency in milliseconds
  • Route name and feature tag you supplied via wrap() options
  • SHA-256 hash of the prompt text (used to detect missing cache_control)
  • SHA-256 hash of the end-user identifier you supplied (if any). We never receive the raw identifier.

Optional: raw prompt and response bodies

By default, the SDK ships metadata only. Raw request and response JSON are sent only when you explicitly pass captureBodies: true to wrap() for a given route. This opt-in is what powers the verify-downgrade feature, which replays a sample of your real traffic on a cheaper model and judges whether the swap preserves quality. Stored raw bodies are purged automatically after the retention window in section 5.

Billing data

Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers.

3. How we use your information

  • Providing the service: rendering your spend dashboard, computing cost attribution by route, generating recommendations.
  • Verify-downgrade: replaying a sample (up to 50 events) of your captured calls on a proposed cheaper model and judging output quality with Claude Haiku, so we only surface model-swap recommendations that pass an eval. For each judged sample we record a content-free audit log row (prompt hash, baseline model, replay model, judge model, dimension scores, verdict, timestamp). The audit log is what we point external reviewers at; the underlying prompt and response samples are stored only when you opt in with captureBodies: true and are visible only to the project owner.
  • Billing: managing subscriptions and enforcing plan limits.
  • Communication: spend alerts (if you connect Slack), occasional service updates.

We do not use your captured data to train AI models. Our sub-processor agreements (Anthropic, OpenAI, Google) prohibit the use of customer data for model training. We do not sell your data and we do not share it with third parties beyond the sub-processors listed below.

4. Sub-processors

We use the following third-party services to operate the platform:

  • Amazon Web Services (AWS): infrastructure hosting, container runtime, secrets storage. EU region (eu-west-1, Ireland).
  • Lightsail PostgreSQL: primary database, also in eu-west-1.
  • Stripe: payment processing and subscription management.
  • Anthropic (Claude API): the Claude Haiku judge for the verify-downgrade feature, plus customer-facing replays of Claude traffic.
  • OpenAI (Chat Completions API): customer-facing replays of OpenAI traffic during verification.
  • Google (Gemini API): customer-facing replays of Gemini traffic during verification.
  • Frankfurter.app: daily EUR/USD exchange rate for dashboard display only. No customer data sent.
  • Google Identity (OAuth): account sign-in only. We do not call other Google APIs.

5. Data retention

  • LLM call metadata: retained as long as your project exists. You can delete a project from the dashboard at any time, which cascade-deletes all associated events and recommendations.
  • Raw prompt and response bodies (only present when you opt in with captureBodies: true): retained for 30 days on the free tier and 90 days on paid plans, then automatically purged by a daily worker. Verify-downgrade only samples from the last 7 days. To request immediate deletion ahead of the retention window, email privacy@botzone.ai.
  • Account data: retained until you delete your account. Email privacy@botzone.ai to request deletion.

6. Your rights (GDPR)

If you are in the EU, EEA, or UK you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and all associated data
  • Export your data in a portable format (JSON)
  • Object to processing or restrict it to certain purposes

Send all data subject requests to privacy@botzone.ai. We respond within 30 days.

7. Security

All data is transmitted over TLS 1.3 and stored encrypted at rest. API keys are hashed with SHA-256 before being persisted; we never store the plaintext. End-user identifiers you supply are hashed in your SDK before transmission, so we never see the raw values.

8. Contact

Privacy enquiries: privacy@botzone.ai.

General contact: hello@botzone.ai.
