This Privacy Policy informs you under Art. 13/14 GDPR what personal data we process when you use GetMoreToken (getmorecredits.com), for what purposes, on which legal basis, and for how long.
1. Controller
The controller within the meaning of the GDPR is the operator named in the imprint. Please address privacy enquiries to privacy@getmorecredits.com.
2. What data we process
- Account data: email address, name (optional), password as bcrypt hash, selected tier, language preference.
- Usage data: model slug, input/output tokens, latency, HTTP status, timestamp, IP address at the time of the call (for rate-limiting and abuse detection).
- Payment data: Stripe customer ID, invoice amounts, billing address. Card data is processed exclusively by Stripe and never transmitted to us (PCI-DSS Level 1).
- Content (prompts/outputs): Prompts and model outputs are not persistently stored. For the duration of an API call they are buffered to forward to the selected model provider. In the optional chat history conversations can be stored in your account at your request; you can delete them at any time.
3. Purposes and legal bases
- Service provision — authentication, request forwarding, billing. Legal basis: Art. 6(1)(b) GDPR (contract performance).
- Abuse detection — rate-limits, anomaly detection. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service integrity).
- Compliance with legal obligations — retention of invoices under §§ 147 AO, 257 HGB. Legal basis: Art. 6(1)(c) GDPR.
4. Recipients and processors
We share data only with the following processors: Vercel Inc. (hosting, EU region Frankfurt), Neon Inc. (PostgreSQL database, EU region), Stripe Payments Europe Ltd. (payments, Ireland), Resend (transactional emails, EU). Model calls are forwarded to the selected AI provider (OpenAI, Anthropic, Google, …) — details and third-country safeguards in the DPA (/dpa).
5. Retention
- Account data: until you delete the account.
- Usage and billing logs: 90 days rolling, then aggregated for anonymous statistics.
- Invoices: 10 years (commercial and tax retention obligation).
6. Your rights
You have the right at any time to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21) regarding the processing. You may lodge a complaint with a supervisory authority. Requests to privacy@getmorecredits.com.
7. International data transfers
Where data is transferred to third countries (e.g. the United States) — such as when calling US-based model providers — this happens on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where applicable, the EU Commission adequacy decision under the EU-US Data Privacy Framework.
8. Cookies and tracking
We use only strictly necessary cookies (session cookie for authentication, locale preference). No tracking, no profiling, no advertising cookies.
9. Security
We apply industry-standard technical and organisational measures: TLS encryption in transit, AES-256 at rest in the database, bcrypt password hashing, separated test and production environments, regular backups, access control on a need-to-know basis. Details in the DPA (/dpa).