Privacy Policy

Last updated: March 12, 2026

1. Introduction

This Privacy Policy explains how Humanleap Ltd ("we", "us", "our") collects, uses, and protects your information when you use ToolRouter ("the Service").

2. Information We Collect

Account Information

When you create an account, we collect your email address and name through our authentication provider (Clerk). We do not store passwords directly.

API Keys

API key secrets are hashed with SHA-256 before storage. We never store or log plaintext API keys after initial creation.

Usage Data

We record tool calls, including tool name, skill name, timestamp, latency, cost, and status (success/error). This data is used for billing, rate limiting, and service improvement.

Provider Keys (BYOK)

When you provide your own API keys via BYOK headers, these are used for the duration of the request only and are never stored on our servers. CLI-configured provider keys are stored locally on your machine at ~/.toolrouter/config.json.

Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or payment details directly. See Stripe's Privacy Policy for details.

3. How We Use Your Information

  • To provide and maintain the Service
  • To process billing and usage-based charges
  • To enforce rate limits and prevent abuse
  • To send service-related notifications (billing alerts, security notices)
  • To improve the Service based on aggregated, anonymized usage patterns

4. Data Storage and Security

Account data and usage records are stored in Convex (a cloud-hosted database). API key secrets are hashed before storage. All data in transit is encrypted via TLS. We implement industry-standard security practices, including rate limiting, input validation, and webhook signature verification.

5. Data Sharing

We do not sell your personal information. We share data only with:

  • Stripe — for payment processing
  • Clerk — for authentication
  • Convex — for data storage
  • Third-party tool providers — only the input data you send when calling their tools

We may disclose information if required by law or to protect the rights, safety, or property of our users or the public.

6. Data Retention

Usage records are retained for billing and audit purposes. You may request deletion of your account and associated data at any time by contacting us. API call logs are retained for 90 days after account deletion.

7. Your Rights

Under applicable data protection laws (including GDPR), you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing of your data
  • Withdraw consent at any time

To exercise these rights, contact us at privacy@toolrouter.com.

8. Cookies

We use essential cookies for authentication (via Clerk) and session management. We do not use advertising or tracking cookies.

9. Children's Privacy

The Service is not intended for users under 16. We do not knowingly collect information from children.

10. Changes to This Policy

We may update this policy from time to time. We will notify users of material changes via email or the dashboard. Continued use of the Service after changes constitutes acceptance.

11. Contact

For privacy-related inquiries, contact us at privacy@toolrouter.com.

Humanleap Ltd
United Kingdom