Privacy policy

What Costr collects, how it's stored, and how to remove your data.

Last updated: May 21, 2026

01

What we collect

  • Account info — email address, name (if provided), password (hashed by Supabase Auth; Costr never sees the plaintext).
  • Provider keys — encrypted in transit and held in Supabase with row-level security so only your account can read them.
  • API call metadata — timestamp, provider, model, token counts, computed cost, end-user identifier (when you include the x-costr-user header), and feature tag (when you include the x-costr-feature header).
  • Payment info — handled entirely by Stripe. Costr stores only the Stripe customer ID and subscription ID. Card numbers and bank details are never transmitted to or stored by Costr.

02

What we do not collect

  • Prompt text or AI request bodies
  • AI response bodies
  • Any conversation content

Costr observes only the metadata envelope of each call — not the content flowing through the proxy.

03

How we use it

  • Display your usage in your dashboard
  • Bill you according to your tier via Stripe
  • Send transactional email (account confirmation, billing notifications)

Costr does not sell, share, or use your data for advertising.

04

Data retention

  • API call logs — retained per your tier: 7 days (Free), 90 days (Pro), 365 days (Team), custom (Enterprise).
  • Account data — retained while your account exists.
  • Account deletion — permanent and immediate. All data is removed within 7 days of deletion.

05

Third parties

06

Your rights

  • Export your data — CSV export is available on Pro and Team tiers from the dashboard.
  • Delete your account — Settings → Delete account. Permanent and immediate.
  • Data requests — email support@costr.dev for any access, correction, or deletion requests not handled by the dashboard.

07

Data Architecture and Tenant Isolation

Costr is built so customers cannot see each other's data, and so we collect the minimum information needed to compute cost.

What we store per API call: token counts, model name, provider, computed cost, the customer ID and feature tag you send via headers, and a timestamp.

What we never store: prompts, completions, system messages, function call payloads, or any other user-generated content. Costr proxies requests to the AI provider but does not inspect or persist their bodies.

Cross-tenant isolation: every database query is filtered by your account at the database layer using Postgres Row Level Security (RLS). You cannot read another Costr account's data, and they cannot read yours. This is enforced by the database itself, not by application code, so isolation holds even in the event of an application bug.

Customer IDs are opaque strings: the values you send in the x-costr-user and x-costr-feature headers are stored as-is and are meaningful only to you. We recommend using opaque identifiers (e.g., customer_12345) rather than personally identifiable information like email addresses in these headers, since you are the data controller for whatever you tag.

08

Contact

Privacy questions: support@costr.dev. Replies within 24 hours.
