Privacy Policy

Last updated: May 15, 2026 · Effective: May 15, 2026

We collect the minimum we need to run tooled.dev. Anonymous use of the tools isn’t tied to you. Signed-in accounts and Pro subscribers get standard product analytics on what they click and run — never the content of what they type into a tool.

The short version

• Anonymous tool use: rate-limited by IP, logged for the rate limiter only, never tied to identity.
• Signed-in users: we store email, name (optional), and a hashed session token. We log usage events (tool name, model tier) but not the input or output of any tool run.
• Pro subscribers: Stripe holds your payment details — we never see your card number. We store the Stripe customer ID and subscription status only.
• Saved patterns / history (Pro): we store the regex pattern, flags, and any label you give it. You can delete any saved item from your account page; we delete it immediately and permanently.
• We do NOT train AI on your inputs. Inputs go to the upstream model provider (Google or Anthropic) for inference only and are not retained for training per their respective terms.

1. Who we are

tooled.dev is operated by Keller Concepts (418 S Chisholm St, Caldwell, KS 67022, USA). For privacy questions, email privacy@tooled.dev.

2. Information we collect

2.1 You give us directly

• Account: email address (required), display name (optional), profile image (only if you sign in with an OAuth provider that returns one).
• Payment: processed by Stripe. We receive a customer ID, plan, and subscription status — never the card number, CVV, or full billing address.
• Saved content: patterns, labels, and notes you explicitly save (Pro only). You control deletion.
• Support communication: if you email us, we retain the thread until the issue is resolved, then archive for one year.

2.2 We collect automatically

• Rate-limiter counters: a counter keyed by your IP (anonymous) or user ID (signed-in), incremented on each AI tool call. No content stored.
• Usage events: when you run an AI tool, we log the event name (e.g. regex.generate), the tier (free/pro), the model used, and the timestamp. We never log the prompt text, generated output, or test input.
• Product analytics:page views and click events via Vercel Analytics (cookie-free, IP-anonymized). We may add PostHog later for funnel analysis — when we do, you’ll be able to opt out.
• Server logs: request method, path, status code, response time, and truncated user-agent. Retained 14 days.

2.3 We do NOT collect

• The text content of patterns, prompts, test strings, or AI outputs (beyond the ephemeral processing required to run the tool).
• Cookies for tracking across other websites.
• Device fingerprints.
• Precise location data.
• Anything from anonymous users beyond a rate-limit counter.

3. How we use information

• Provide the tools you ask for.
• Authenticate your account (via Better Auth — magic-link email, optionally GitHub/Google OAuth).
• Bill Pro subscriptions through Stripe.
• Send transactional emails (sign-in links, receipts, security alerts). We do not send marketing email without explicit opt-in.
• Enforce rate limits and prevent abuse.
• Improve the product based on aggregate usage trends (never on individual content).
• Comply with legal obligations.

4. AI inference and your inputs

When you run an AI-powered tool, your input (e.g. a natural-language regex description) is sent to the upstream model provider over an encrypted connection:

• Free tier: Google Gemini 3.1 Flash-Lite via the Gemini API. Google’s Gemini API terms state that paid-tier traffic is not used to train models; tooled.dev uses paid-tier API access for all production calls.
• Pro tier: Anthropic Claude Sonnet 4.6 via the Claude API. Anthropic does not use API inputs or outputs to train models.

Neither provider stores your inputs beyond a short operational window required for abuse detection. We do not store inputs ourselves.

5. Who we share with

We share data only with subprocessors strictly necessary to run the service:

We do not sell your data. We do not share it with advertisers. We will disclose data only if compelled by valid legal process; we will challenge overbroad requests.

6. Your rights

You can, at any time:

• Access the data we hold on you — visit /account for the live view, or email us for a complete export.
• Delete your account. This permanently removes your user record, sessions, saved patterns, API keys, and usage events. Subscription records are retained per accounting/tax requirements; we anonymize them.
• Cancel your subscription at any time from the billing portal. Access continues through the end of the paid period.
• Object to processing — email privacy@tooled.dev.
• Lodge a complaint with your local data-protection authority.

EU/UK users: we process data under legitimate interest (running the service you requested) and contract (paid subscriptions). California users: we don’t sell personal information.

7. Data retention

• Anonymous rate-limit counters: rolling 24-hour window.
• Usage events for signed-in accounts: 12 months, then aggregated and the per-user record deleted.
• Account data: until you delete the account.
• Subscription records: 7 years (US accounting standards).
• Server logs: 14 days.
• Backup snapshots: 30 days, encrypted.

8. Security

See our security page for details. In short: data at rest is encrypted, data in transit uses TLS 1.3, secrets are rotated when staff leave, and we publish a vulnerability disclosure policy.

9. Children

tooled.dev isn’t directed at children under 13. If we learn we’ve collected data from a child, we will delete it. If you believe we have, email privacy@tooled.dev.

10. Changes to this policy

We’ll post material changes here and notify signed-in users by email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

11. Contact

Keller Concepts — 418 S Chisholm St, Caldwell, KS 67022, USA
Privacy: privacy@tooled.dev
General: hello@tooled.dev