Quick summary
CostPilot never captures, stores, or transmits your AI prompt content, response content, or documents. This is enforced at the interceptor layer by a whitelist-based sanitizer with no public override. It is not a setting — it is an architectural constraint baked into the SDK.
| Data type | Collected? | Notes |
|---|---|---|
| Prompt / message content | Never | Dropped at interceptor layer |
| Response / completion content | Never | Dropped at interceptor layer |
| Documents / RAG context | Never | Dropped at interceptor layer |
| Token counts (input / output / cache) | Yes | Required for cost calculation |
| Model name | Yes | Required for cost calculation |
| Cost (USD) | Yes | Computed locally, never prompt-derived |
| Latency (ms) | Yes | Wall-clock time of API call |
| User ID | Hash only | One-way SHA-256 with per-account salt |
| Session ID | Hash only | Same hashing treatment as user ID |
| Project / feature label | Yes | You define these in your config |
| Account email | Yes | Required for account management |
1. What we collect
We collect data in two categories: account data (from thecostpilot.dev) and usage telemetry (from the SDK).
1.1 Account data
When you create a thecostpilot.dev account:
- Email address (required — used for authentication and billing)
- Name (optional — display purposes only)
- Stripe customer ID (if you subscribe to a paid plan)
- Timestamps: account created, last login, deletion requested
We do not collect phone numbers, physical addresses, or payment card details. Payment is processed entirely by Stripe; we store only the Stripe customer reference.
1.2 SDK telemetry — what is stored
The SDK intercepts your LLM API calls and stores the following fields to local SQLite and (in CLOUD mode) to your thecostpilot.dev account:
- `provider` — e.g. `anthropic`, `openai`
- `model` — e.g. `claude-sonnet-4-5`
- `input_tokens`, `output_tokens`, `cache_read_tokens`, `cache_write_tokens`
- `system_prompt_tokens` — token count only, never the text
- `cost_usd` — calculated from token counts and pricing registry
- `latency_ms` — wall-clock duration of the API call
- `project`, `feature` — labels you define in `.costpilot.yaml`
- `user_id_hash`, `session_id_hash` — one-way SHA-256 hashes with your local salt
- `timestamp` — UTC datetime of the call
This whitelist is enforced by the `DataSanitizer` class in `costpilot/privacy/sanitizer.py`. Any field not in this list is silently dropped before any write or transmission.
1.3 Infrastructure usage
If you instrument Redis, Qdrant, or Appwrite operations using the service trackers, we store: service name, operation type, unit count, and estimated cost. No keys, query content, stored documents, or operation payloads are captured.
2. What we never collect
The following data is structurally excluded from collection. This is not controlled by a feature flag, environment variable, or API parameter — the code physically cannot store these fields.
- Prompt text — the `messages[].content` field in your API call
- System prompt text — only the token count is recorded, never the content
- Response / completion text — the `content` field in the API response
- RAG documents — documents injected as context in your messages
- Raw user IDs or session IDs — only the SHA-256 hash with your local salt is stored; the original is never written anywhere
- Redis keys or values
- Qdrant vector data or payloads
- Appwrite document data
- API keys or secrets — your LLM provider keys are passed through to the provider unchanged and never intercepted
3. How we use your data
We use the data we collect solely to provide and improve the CostPilot service:
- Cost calculation and display — token counts and model names are used to calculate and display per-query costs in your dashboard
- Scenario projections — your real measured averages power the scenario engine's projections
- Pre-migration reports — your measured local usage is used to project cloud costs
- Account management — your email is used for authentication, billing communications, and GDPR-required notifications
- Product improvement — aggregate, anonymised usage patterns (e.g. "most common model type") help us prioritise features. This never includes prompt content or individual query details.
We do not sell your data. We do not use your data for advertising. We do not share your individual query data with third parties except as described in Section 6.
4. Data storage and security
4.1 Local storage
All SDK telemetry is written first to a local SQLite database at `.costpilot/data.db` in your project directory. This file is under your control at all times. We recommend adding it to `.gitignore` (the `costpilot init` command does this automatically).
4.2 Cloud storage
In CLOUD mode, telemetry is synced to your thecostpilot.dev account hosted on Appwrite Cloud / Azure. Data is:
- Encrypted at rest (AES-256)
- Transmitted over TLS 1.3
- Stored in your chosen geographic region (US East, EU West, or AP South)
- Isolated per account — other customers cannot access your data
4.3 Self-hosted mode
Enterprise customers with a self-hosted license key operate entirely within their own infrastructure. No telemetry data is transmitted to thecostpilot.dev. The license key validation is the only outbound network call, and it transmits only a machine ID hash and the key prefix — never any query data.
4.4 Identifier hashing
User IDs and session IDs are hashed using SHA-256 with a per-account salt. The salt is generated during `costpilot init`, stored in your local `.costpilot.yaml` or `trial.json`, and never transmitted to our servers. Even if our cloud database were breached, the hashed identifiers cannot be reversed.
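The two mechanisms described in sections 1.2, 2 and 4.4 (a field whitelist applied before any write, plus salted one-way hashing of identifiers) are small enough to show end to end. The following is an added illustration, not the SDK's own `DataSanitizer` code; the field list mirrors section 1.2, but the function names, the salt-concatenation layout and the sample event are assumptions constructed for the example.

```python
import hashlib

# Fields permitted to reach local storage or cloud sync (mirrors section 1.2).
ALLOWED_FIELDS = frozenset({
    "provider", "model",
    "input_tokens", "output_tokens", "cache_read_tokens", "cache_write_tokens",
    "system_prompt_tokens", "cost_usd", "latency_ms",
    "project", "feature", "user_id_hash", "session_id_hash", "timestamp",
})

# Raw identifiers that may only ever be stored in hashed form.
HASHED_SOURCES = {"user_id": "user_id_hash", "session_id": "session_id_hash"}


def hash_identifier(value: str, salt: bytes) -> str:
    """One-way SHA-256 of a raw identifier, prefixed with the per-account salt.

    Assumed layout (salt || id); the page only states 'SHA-256 with a per-account salt'.
    """
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def sanitize(event: dict, salt: bytes) -> dict:
    """Return a record containing only whitelisted fields.

    Everything not on the whitelist (messages, response content, documents,
    API keys, raw ids) is dropped without being inspected. Raw user_id and
    session_id are replaced by their salted hashes.
    """
    record = {key: value for key, value in event.items() if key in ALLOWED_FIELDS}
    for raw_key, hashed_key in HASHED_SOURCES.items():
        if event.get(raw_key) is not None:
            record[hashed_key] = hash_identifier(str(event[raw_key]), salt)
    return record


def check_record(record: dict) -> list:
    """Invariant check for a write/transmit path: names any key outside the whitelist."""
    return sorted(key for key in record if key not in ALLOWED_FIELDS)


# Constructed sample of what an interceptor might see for one API call.
SAMPLE_EVENT = {
    "provider": "anthropic",
    "model": "claude-sonnet-4-5",
    "messages": [{"role": "user", "content": "Summarise this contract ..."}],
    "response": {"content": "The contract grants ..."},
    "api_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "user_id": "alice@example.com",
    "session_id": "sess-42",
    "input_tokens": 812,
    "output_tokens": 150,
    "cache_read_tokens": 0,
    "cache_write_tokens": 0,
    "system_prompt_tokens": 120,
    "cost_usd": 0.0048,
    "latency_ms": 1432,
    "project": "contracts",
    "feature": "summarise",
    "timestamp": "2025-01-01T00:00:00+00:00",
}

# Constructed salt; in practice this is the value generated by `costpilot init`.
SAMPLE_SALT = b"per-account-salt-example"


if __name__ == "__main__":
    clean = sanitize(SAMPLE_EVENT, SAMPLE_SALT)
    print(sorted(clean))               # no messages/response/api_key/user_id
    print(check_record(clean))         # [] when the whitelist held
```

`check_record` is the kind of assertion worth running in the SDK's own tests on every record that reaches a write or sync call, so that a new field added upstream cannot silently widen the whitelist. The hash itself is only as strong as the secrecy of the salt: a party holding the stored records alone cannot invert it, but anyone who also holds the salt can confirm a guessed identifier by recomputing the hash, which is why the salt staying in the local config file and off the server matters.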
5. Cloud mode vs. local mode
| Aspect | CLOUD mode | SELF-HOST mode |
|---|---|---|
| Query telemetry | Local SQLite + cloud sync | Local SQLite only |
| Data leaves your machine | Token counts + metadata only | Never (except license ping) |
| License validation | API key — cached 6h / 7-day offline grace | License key — cached 30 days |
| Dashboard | Local + cloud web dashboard | Local only |
| Data deletion | GDPR endpoint + local file deletion | Local file deletion |
6. Third parties
We use a small number of third-party services to operate thecostpilot.dev:
- Stripe — payment processing. Stripe receives your billing information; we receive only a customer reference ID. Stripe's privacy policy applies to data they hold.
- Appwrite Cloud / Azure — cloud database and hosting for your account and synced telemetry.
- Postmark — transactional email (account confirmation, GDPR deletion confirmation).
We do not use third-party analytics services (e.g. Google Analytics) on the thecostpilot.dev website or in the SDK. We do not use advertising networks.
7. Your rights under GDPR
If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data:
- Right to access — request a copy of all data we hold about you via `GET /v1/account/export` (API) or by emailing privacy@thecostpilot.dev.
- Right to rectification — update your name or email from your account settings at any time.
- Right to erasure — request deletion of your account and all associated data via `DELETE /v1/account/data` (API) or by emailing us. Deletion is completed within 30 days. All API keys are revoked immediately upon request.
- Right to data portability — export your data in JSON format at any time from the dashboard or via the API.
- Right to restrict processing — contact us if you believe we are processing your data unlawfully.
- Right to object — you may object to processing of your data at any time; we will stop unless we have compelling legitimate grounds.
Because user IDs and session IDs are one-way hashed with a salt that we never hold, we are technically unable to identify which hash corresponds to a given original ID. Your data export will include the hashed values with this note.
Our legal basis for processing telemetry data is contract performance (you signed up to receive cost tracking). Our legal basis for account data is contract performance and legitimate interest (billing, security).
The data controller is: CostPilot, contact privacy@thecostpilot.dev. We do not have a formal DPO at Phase 1; the founder handles all privacy requests directly.
8. Cookies and tracking
The thecostpilot.dev website uses strictly necessary cookies only:
- Session cookie — keeps you authenticated. HTTP-only, Secure, SameSite=Strict. Expires when you close the browser or after 7 days.
- Theme preference — stores your light/dark mode preference in localStorage. Contains no personal data.
We do not use tracking cookies, advertising cookies, or analytics cookies. We do not use any third-party pixel trackers. There is no cookie consent banner because we do not use non-essential cookies.
9. Children's privacy
CostPilot is a developer tool intended for adults and professional teams. We do not knowingly collect data from individuals under 16. If we become aware that we have inadvertently done so, we will delete the account promptly. Contact privacy@thecostpilot.dev if you have concerns.
10. Changes to this policy
We will notify you of material changes to this privacy policy by email (to the address on your account) at least 14 days before the changes take effect. The effective date at the top of this page reflects the current version.
Non-material changes (e.g. typo corrections, clarifications that don't affect your rights) may be made without advance notice. The full history of this policy is available on GitHub.
11. Contact us
For privacy questions, data requests, or to report a concern:
Privacy enquiries
Email: privacy@thecostpilot.dev
Security issues: security@thecostpilot.dev
We respond to all privacy requests within 5 business days.