SYSTEM · ONLINE// PRIVACYBUILD · 2.1.β--:--:-- UTC

// PRIVACY

Privacy policy.

Last updated: May 6, 2026

What we collect

Creative content you submit — TikTok URLs, uploaded video keyframes, uploaded images, scripts, planned captions.

Account info if you sign in — your email address (or, if you sign in with TikTok, a stable per-app TikTok user ID). Display name and avatar if you sign in with Google or TikTok.

Usage signals — your IP address (used only for rate limiting), the timestamps of your analyses, and the share-link IDs you created.

Email opt-ins — if you give us your email via a waitlist form, we save it to our Mailchimp audience tagged by source so we can email you when the relevant feature opens.

What we don’t collect

  • — No passwords (we use email magic-links and OAuth only).
  • — No fingerprinting beyond IP-for-rate-limit.
  • — No third-party analytics or trackers (no GA, no Mixpanel, no FB Pixel).
  • — No advertising cookies.

Where your data goes

Video uploads: the original file never leaves your browser. Frames are extracted client-side; only the JPEG keyframes upload to Vercel Blob storage at unguessable URLs. Audio is extracted client-side, sent to OpenAI Whisper for transcription, then dropped.

Analysis content:sent to Anthropic (Claude API) for the actual review. Anthropic's commercial API terms forbid training on submitted data.

Saved reports: stored in Vercel Marketplace Redis, keyed by your account email or by an unguessable share-link ID. Share-link payloads expire after 1 year.

Sub-processors: Vercel (hosting, edge, storage), Upstash (Redis via Vercel Marketplace), Anthropic (Claude analysis), OpenAI (voiceover transcription), Resend (sign-in emails), Mailchimp (waitlist / account email lists), Stripe (only when paid plans launch).

How long we keep it

  • Anonymous analyses: uploaded keyframes auto-purge after 24 hours.
  • Share links: 1 year from creation, then deleted.
  • Saved reports: kept until you delete them or your account.
  • Account email: kept until you ask us to delete it.
  • Rate-limit counters: auto-expire within 24 hours.

How to delete your data

Email legal@tokbench.ai with your account email or a specific share-link ID. We action deletions within 7 days and confirm by email when complete.

You can also remove your saved reports yourself from /account/reports if you're signed in.

Security

Sessions are signed JWTs (HS256) in httpOnly cookies with a 30-day expiry. Magic-link tokens are 32 bytes of randomness, single-use, expire in 15 minutes. We use HSTS preload, CSP, X-Frame-Options DENY, and the rest of the security-header set. Storage is encrypted at rest by our sub-processors; transport is TLS 1.2+.

Children

TokBench is not directed at children under 13. If you believe we have data on a child under 13, email legal@tokbench.ai and we'll delete it.

Changes to this policy

We'll update the "last updated" date and, for any change that materially affects user rights, email everyone on our account / Mailchimp lists before the change takes effect.

Contact

Privacy / data deletion: legal@tokbench.ai
Operator: Bloody Fingers Software (Oakland, CA).