Get started

Privacy Policy

Last updated: March 12, 2026

1. Introduction

This Privacy Policy explains how Humanleap Ltd ("we", "us", "our") collects, uses, and protects your information when you use ToolRouter ("the Service").

2. Information We Collect

Account Information

When you create an account, we collect your email address and name through our authentication provider (Clerk). We do not store passwords directly.

API Keys

API key secrets are hashed with SHA-256 before storage. We never store or log plaintext API keys after initial creation.

Usage Data

We record tool calls including: tool name, skill name, timestamp, latency, cost, and status (success/error). This data is used for billing, rate limiting, and service improvement.

Provider Keys (BYOK)

When you provide your own API keys via BYOK headers, these are used for the duration of the request only and are never stored on our servers. CLI-configured provider keys are stored locally on your machine at ~/.toolrouter/config.json.

Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or payment details directly. See Stripe's Privacy Policy for details.

3. How We Use Your Information

  • To provide and maintain the Service
  • To process billing and usage-based charges
  • To enforce rate limits and prevent abuse
  • To send service-related notifications (billing alerts, security notices)
  • To improve the Service based on aggregated, anonymized usage patterns

4. Data Storage and Security

Account data and usage records are stored in Convex (cloud-hosted database). API key secrets are hashed before storage. All data in transit is encrypted via TLS. We implement industry-standard security practices including rate limiting, input validation, and webhook signature verification.

5. Data Sharing

We do not sell your personal information. We share data only with:

  • Stripe — for payment processing
  • Clerk — for authentication
  • Convex — for data storage
  • Third-party tool providers — only the input data you send when calling their tools

We may disclose information if required by law or to protect the rights, safety, or property of our users or the public.

6. Data Retention

Usage records are retained for billing and audit purposes. You may request deletion of your account and associated data at any time by contacting us. API call logs are retained for 90 days after account deletion.

7. Your Rights

Under applicable data protection laws (including GDPR), you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing of your data
  • Withdraw consent at any time

To exercise these rights, contact us at privacy@toolrouter.com.

8. Cookies

We use essential cookies for authentication (via Clerk) and session management. We do not use advertising or tracking cookies.

9. Children's Privacy

The Service is not intended for users under 16. We do not knowingly collect information from children.

10. Changes to This Policy

We may update this policy from time to time. We will notify users of material changes via email or the dashboard. Continued use of the Service after changes constitutes acceptance.

11. Google Workspace APIs (Gmail, Drive, Calendar, Docs, Sheets, Slides)

When you connect a Google Workspace account to ToolRouter, the Service uses the Google Workspace APIs. By connecting your account you also agree to the Google Terms of Service and Google Privacy Policy. ToolRouter's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What Google data we access

With your explicit consent at OAuth time, ToolRouter accesses only the Google data required for the tools you invoke:

  • Gmail — read, send, and organise messages in your own mailbox when a Gmail tool is invoked.
  • Drive — read, create, or modify files and folders you own or have shared with you, when a Drive tool is invoked.
  • Calendar — read or create events on calendars you own or have access to.
  • Docs, Sheets, Slides — read, create, or modify documents you own or have access to.
  • Profile + Email — your email address and display name, used only to label the connection on your dashboard.

How we use it (Limited Use disclosure)

Google user data is used only to fulfil the specific tool invocation that requested it. We do not use Google user data for:

  • Serving advertising.
  • Developing, improving, or training generalised or general-purpose AI or machine-learning models. User-generated content is never fed back into model training pipelines.
  • Selling, renting, or transferring to third parties (except to subprocessors strictly necessary to deliver the service).
  • Profiling the user or their contacts.

Human access to Google user data is restricted to: (a) with your explicit consent; (b) for security purposes (e.g. investigating abuse); (c) to comply with applicable law; or (d) where the data has been aggregated and anonymised.

Storage and retention

OAuth tokens for your Google account are stored encrypted at rest and are used only to authenticate API calls you initiate. API response bodies are held only as long as needed to return a result to the invoking agent (typically seconds); we do not maintain a persistent copy of your Gmail messages, Drive files, or Calendar events. Tool-call metadata (timestamps, scope used, user id) is retained for 30 days for operational and abuse-detection purposes, then aggregated.

Your controls

You can revoke ToolRouter's access at any time from your Google account security settings, or by disconnecting the connector from the ToolRouter dashboard — both actions cause us to delete the stored tokens within 24 hours. To request deletion of any Google-derived data held by ToolRouter, email privacy@toolrouter.com.

12. YouTube API Services

When you connect a YouTube account to ToolRouter, the Service uses YouTube API Services. By connecting your YouTube account you are also agreeing to be bound by the YouTube Terms of Service and the Google Privacy Policy.

What YouTube data we access

With your explicit consent at OAuth time, ToolRouter accesses only the YouTube data required for the tools you invoke: channel metadata (title, description, thumbnails), video metadata for videos on your own channel, and — if you grant the upload scope — the ability to upload videos you submit via the Service to your own channel. We do not access videos, playlists, or channel data belonging to other users.

How we use it

YouTube data is used only to fulfil the specific tool invocation that requested it (for example, publishing a video you supplied, or reading analytics for a channel you own). We do not use YouTube data for advertising, profiling, or training AI models. YouTube data is never sold, rented, or shared with third parties.

Storage and retention

OAuth tokens for your YouTube account are stored encrypted at rest and are used only to authenticate API calls you initiate. We cache short-lived API responses (seconds to minutes) to reduce redundant calls. You can revoke ToolRouter's access at any time from your Google account security settings, or by disconnecting the connector from the ToolRouter dashboard — both actions cause us to delete the stored tokens.

Contact for YouTube-related requests

To request deletion of YouTube data held by ToolRouter, contact privacy@toolrouter.com.

13. Contact

For privacy-related inquiries, contact us at privacy@toolrouter.com.

Humanleap Ltd
United Kingdom