01 Introduction
This Privacy Policy explains how MAGE BROS LIMITED, the company behind AllToken, collects, uses, and protects information when you use our APIs, dashboard, website, billing features, and support channels.
AllToken is a multi-model AI gateway. When you use the service, your inputs are routed to one or more third-party AI model providers for processing. This policy explains what we collect, what we share with those providers, and the choices you have.
By using AllToken, you acknowledge the practices described in this Privacy Policy.
02 Third-Party Model Providers and Data Flows
When you use AllToken, your prompts, inputs (including any text, images, audio, or documents you submit), and the resulting model outputs are transmitted to one or more third-party AI model providers for processing. The selection of provider depends on the model you choose or on our routing logic based on your configured priorities (cost, speed, reliability, provider preference).
Third-party providers that may receive your data include, without limitation:
- Anthropic (including via AWS Bedrock)
- OpenAI
- Google (Google AI / Vertex AI / Gemini)
- Amazon Web Services (Bedrock)
- Meta (Llama models)
- Mistral AI
- DeepSeek
- Other providers listed on our Providers page
2.1 Provider Responsibility and User Obligations
Each provider processes your data under its own privacy policy and data handling terms. We recommend reviewing the policies of any provider whose models you use. AllToken does not control the data handling practices of third-party providers.
You should not submit personal data, confidential information, or regulated data (such as protected health information, payment card data, or information of minors) unless:
- (a) you have the legal right to do so;
- (b) you have obtained any required consents from the data subjects; and
- (c) the selected provider supports such processing under its terms.
2.2 Zero Data Retention
Where a provider offers Zero Data Retention (ZDR) or enterprise data protection options, we will indicate this on our Models or Providers pages where applicable. Selecting ZDR-capable providers does not guarantee ZDR unless explicitly configured and confirmed for your account.
03 Data We Collect
We collect the following categories of information when you use AllToken:
- Account data: your name, email address, authentication credentials, company or organization name (if provided), and verification metadata.
- Billing data: wallet balances, invoices, transaction history, and payment events. Payments are processed by our payment processors; we do not store raw card numbers.
- Usage metadata: timestamps, model selected, provider routed to, token counts, latency, HTTP status or error codes, and approximate request size.
- Security and abuse logs: IP address, user agent, API key identifiers, and operational events used for authentication, rate-limit enforcement, fraud detection, and abuse investigation.
- Support and communications data: information you send us when you contact support or participate in our community channels.
3.1 Prompt and Output Logging
AllToken does not retain the full content of your prompts or model outputs by default. We may temporarily capture request or response content in limited circumstances, including when you explicitly enable request logging for debugging, when required to investigate a suspected policy violation or security incident, or when required to resolve a billing dispute. Any content captured in this way is access-controlled, kept for no longer than needed for the specific purpose, and ordinarily deleted within 30 days.
Some third-party model providers may retain prompt and output data under their own terms. See Section 2 for details.
3.2 Image Generation Logs
When you submit an image generation request through AllToken (e.g., to gpt-image-2), we record the following metadata about the request, separate from the content of the prompt and the generated image:
- Your account identifier;
- The selected moderation level (auto, low, etc.);
- The task identifier and timestamps;
- Aggregate counts of the model, image size, and quality parameters used, for billing reconciliation.
3.3 Image-to-Image Upload Logs
When you upload a source image or mask image to AllToken’s image-to-image features (edit, mask edit, or variation modes), we record the following metadata about the upload, separate from the uploaded image bytes themselves:
- Your account identifier;
- The selected mode (i_edit, mask_edit, or variation) and moderation level (auto, low, etc.);
- The uploaded image’s file size, MIME type, and pixel dimensions;
- The task identifier and timestamps;
- Aggregate counts for billing reconciliation.
04 How We Use Your Information
We use the information described above for the following purposes:
- Service delivery: routing your requests, returning model responses, operating API key management, and providing the dashboard.
- Billing: processing charges, credits, top-ups, invoices, and usage reconciliation.
- Security and abuse prevention: detecting policy violations, enforcing rate limits, preventing fraud, and protecting the service from attacks.
- Analytics and service improvement: aggregated and anonymized analysis of usage patterns and performance to improve reliability, developer experience, and support.
- Legal compliance: responding to lawful requests from authorities, meeting tax and accounting obligations, and enforcing our Terms.
- Communications: service updates, billing notices, security alerts, and responses to your support inquiries.
4.1 AI Model Training
We do not use your prompts or model outputs to train, fine-tune, or otherwise improve AllToken’s own AI models. Whether a third-party provider uses data for its own training depends on that provider’s terms and any data-handling options selected for your requests. See Section 2.
05 Data Sharing and Disclosure
We do not sell your personal information. We share information only in the following circumstances:
- With third-party model providers, as necessary to fulfill your requests (see Section 2).
- With service providers and infrastructure vendors who support the operation of AllToken, including cloud hosting, observability, authentication, email delivery, and payment processing. These providers act on our behalf under contractual obligations.
- With payment processors, who receive the billing details required to complete transactions.
- With professional advisors, auditors, regulators, or legal authorities, when required by law, legal process, or to establish, exercise, or defend legal claims, or to protect the safety and rights of users, the public, or AllToken.
- In connection with a corporate transaction (merger, acquisition, reorganization, or sale of assets), subject to appropriate confidentiality safeguards.
06 Data Retention
We retain information for as long as needed to provide the service, meet legal and regulatory obligations, resolve disputes, and enforce our agreements. Typical retention periods:
- Account data: for the duration of your account, plus a reasonable period after closure for legal, security, and dispute-resolution purposes.
- Billing records: typically retained for up to 7 years to meet tax, accounting, and audit obligations.
- Usage metadata (token counts, model, latency, etc.): retained for operational, billing, and reporting purposes, generally for up to 24 months.
- Security and abuse logs: generally retained for 30 to 90 days, with extended retention for active investigations.
- Prompt and output content (if captured under Section 3.1): ordinarily deleted within 30 days, unless required for a longer period for an ongoing investigation, dispute, or legal hold.
- Support communications: retained for as long as needed to handle your request and for a reasonable period afterward.
07 Data Security
We use technical and organizational measures designed to protect your information. These include:
- TLS encryption for data in transit between your applications, AllToken, and third-party providers.
- Encryption at rest for sensitive stored data where technically appropriate.
- Role-based access controls and least-privilege policies for internal systems.
- Authentication controls, API key hashing, and support for key rotation.
- Monitoring, logging, and alerting for security-relevant events.
7.1 Limitations
No method of storage or transmission is completely secure. While we work to protect your information, we cannot guarantee absolute security and encourage you to follow good security practices, including protecting your credentials and API keys.
09 Your Rights
Depending on your jurisdiction, you may have rights under data protection laws such as the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Hong Kong Personal Data (Privacy) Ordinance (PDPO). These may include:
- Access to the personal data we hold about you.
- Correction of inaccurate or incomplete personal data.
- Deletion of personal data, subject to legal and operational retention requirements.
- Restriction of, or objection to, certain processing activities.
- Data portability, where applicable.
- Withdrawal of consent, where processing is based on consent.
- The right to lodge a complaint with a supervisory authority.
9.1 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@alltoken.ai. We may need to verify your identity before acting on a request. Some requests may be limited by legal retention requirements or by constraints of the third-party model providers involved in processing your data. We will respond within the timeframes required by applicable law.
10 International Data Transfers
AllToken is operated from Hong Kong by MAGE BROS LIMITED. Because we rely on global cloud infrastructure and third-party model providers, your data may be transferred to and processed in jurisdictions outside your country of residence, most commonly the United States and the European Union.
Where personal data is transferred from the EU/UK, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs), provider-specific transfer mechanisms, or other lawful transfer frameworks. You may request a summary of the safeguards that apply to your data by contacting privacy@alltoken.ai.
11 Children’s Privacy
AllToken is intended for developers and businesses, not for children. The service is not directed to children under 13 (or under 16 in the European Union / United Kingdom, or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from children. If you believe that a child has provided personal information to us, please contact privacy@alltoken.ai and we will take appropriate steps to delete it.
12 Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the revised version on this page and update the effective date above. Where required by law, we will provide additional notice (for example, by email or in-product notification).
13 Contact Us
- General support: support@alltoken.ai
- Privacy questions and data subject requests: privacy@alltoken.ai
- Postal address: MAGE BROS LIMITED, Hong Kong SAR (full registered address available on request).
Questions about this policy? Email support@alltoken.ai or privacy@alltoken.ai.