Calculate Tokens

Privacy Policy

Effective date: 6 June 2026. Last updated: 6 June 2026.

Calculate Tokens (“we”, “us”) operates calculatetokens.com. This policy explains exactly what data we collect, what we do not collect, and your rights as a visitor.

What is collected

We collect limited, anonymised usage data to understand how the calculator is used and to detect errors. We do not collect personal identifiers.

Cloudflare Web Analytics (page-level)

  • Page URL visited
  • Referrer URL (if provided by your browser)
  • Browser and operating system (aggregated)
  • Country (derived from IP at the edge; IP is not stored)
  • Core Web Vitals: LCP, CLS, FID/INP, TTFB

Umami (custom events)

When you interact with the calculator, Umami records the following eight events. No event ever encodes prompt text — the only numeric payload is a quantised character count (rounded to the nearest 100, per GDPR data minimisation obligations).

Event name | Payload
tokenize | tokenizer_type, char_count (quantised to nearest 100)
preset_selected | preset_name
share_url_copied | mode
output_slider_adjusted | value (0–8000)
thinking_toggle_enabled | model
scaling_simulator_used | (no payload)
compare_tab_switched | tab_name
token_highlighter_toggled | (no payload)

What is not collected

Core privacy guarantee: The text you paste into the calculator is processed entirely inside your browser using WebAssembly. It is never transmitted to any server — not to us, not to analytics services, not encoded in URLs. Shareable URLs encode only configuration (slider values, model selection, toggle states).

  • Prompt text or any portion of textarea contents
  • Name, email address, or any personal identifier
  • IP addresses (Cloudflare and Umami both operate without storing raw IPs)
  • Cookies (we set none)
  • Cross-site tracking identifiers
  • Payment or financial information
  • Device fingerprints

Third-party scripts

Cloudflare Web Analytics

Provided by Cloudflare, Inc. (US). Privacy-first analytics with no cross-site tracking. See Cloudflare's privacy policy.

Umami Analytics (self-hosted)

We self-host an Umami instance on Railway (US region). Umami is open-source and collects no personally identifiable information. Event payloads are limited to the eight events listed above.

Google AdSense (pending approval)

We have applied for Google AdSense. If approved, Google's advertising scripts will be loaded on the site. Google may use cookies and similar technologies for personalised advertising. See Google's privacy policy and the opt-out instructions in the Opt-out section below. Tokenization accuracy is unaffected by AdSense — all tokenizers continue to run via WebAssembly regardless of ad configuration.

Data residency

  • Umami custom events — stored on Railway (US East region, AWS us-east-1).
  • Cloudflare Web Analytics — processed at Cloudflare's distributed global edge network. Aggregate data is stored in Cloudflare's US data centres.
  • Static site assets — served from Cloudflare Pages edge nodes globally.

EU users — important notice: Umami custom event tracking is disabled for EU users in v1. No Data Processing Agreement (DPA) is in place with Railway free tier as required under GDPR for EU data subjects. Until a DPA is established, EU visitors will not have Umami events recorded. Cloudflare Web Analytics (page-level only) continues to apply under Cloudflare's EU SCCs.

Data retention

  • Umami — event data retained for a maximum of 90 days, then purged automatically.
  • Cloudflare Web Analytics — retained per Cloudflare's own data retention policy (currently up to 6 months for analytics data). Consult Cloudflare's privacy policy for the current schedule.
  • We hold no database of our own. There is no user account system.

Your rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR / UK GDPR:

  • Right of access — request a copy of data we hold about you.
  • Right to erasure (“right to be forgotten”) — request deletion of your data. Because we collect no personal identifiers, we cannot guarantee we can isolate your records; we will delete all anonymised session data from the relevant date range on request.
  • Right to restriction — request that we restrict processing pending resolution of a dispute.
  • Right to data portability — request your data in a machine-readable format.
  • Right to object — object to processing based on legitimate interests.

To exercise any right, email privacy@calculatetokens.com. We will respond within 30 days.

Opt-out options

  • Umami — Umami respects the browser Do Not Track (DNT) header. Enabling DNT in your browser settings will prevent Umami from recording events for your session.
  • Cloudflare Web Analytics — Cloudflare does not currently offer a visitor-level opt-out mechanism. You may use a content blocker that blocks static.cloudflareinsights.com.
  • Google AdSense (when active) — opt out of personalised advertising via My Ad Center or the NAI opt-out tool.

Breach notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay (GDPR Article 34).

Given that we do not store personal identifiers, the risk surface is limited to aggregated analytics data. Nonetheless, we treat any suspected breach with the same urgency.

Contact

For privacy enquiries, data subject rights requests, or concerns about this policy:

We are not required to appoint a Data Protection Officer under current processing volumes, but we take privacy obligations seriously and respond to all enquiries within 30 days.

Security policy

We take security vulnerabilities seriously. If you discover a security issue in calculatetokens.com, please report it responsibly.

How to report

Email security@calculatetokens.com with a description of the issue, steps to reproduce, and the potential impact. We do not currently operate a bug bounty programme, but we will acknowledge responsible disclosures publicly if you wish.

Response commitments

  • 7-day acknowledgement SLA: We will acknowledge receipt of your report within 7 days and confirm whether we consider it a valid security issue.
  • 90-day resolution SLA: We aim to remediate confirmed vulnerabilities within 90 days. Critical vulnerabilities affecting user data will be prioritised for immediate resolution.

Scope

In-scope: the calculatetokens.com domain, JavaScript and WebAssembly code delivered to browsers, and the Cloudflare Pages deployment configuration.

Out-of-scope: third-party services (Google, Cloudflare, Railway, Umami) — report those directly to the respective vendors.

Coordinated disclosure

We ask that you give us the 90-day resolution window before public disclosure. We will coordinate a disclosure timeline with you if the issue requires more time.

Machine-readable policy

See /.well-known/security.txt for our machine-readable security disclosure policy.

This policy may be updated to reflect changes in our data practices or applicable law. Material changes will be reflected in the “Last updated” date at the top of this page.