Privacy Policy

Effective date: January 1, 2025

OneForAll (“we,” “us,” or “our”) operates the OneForAll API proxy service and VS Code extension. This policy explains what data we collect, how we use it, and your rights. By using our service you agree to this policy.

1. What we collect

Account data

When you register we collect your email address and a hashed password (managed by Supabase Auth). We never store your password in plain text.

API keys

We store a SHA-256 hash of your API keys — never the raw key. The first 12 characters (prefix) are stored in plain text for display purposes only.

Usage data

For billing and service operation we log: the model used, input and output token counts, credits deducted, your user ID, and the API key ID. We do not log the content of your messages.

Payment data

Payments are processed by Stripe. We store only the credit pack purchased, amount paid, and Stripe session ID. We never see or store your card number, CVV, or full billing address.

Technical data

Standard server logs may include IP address, browser/client type, and timestamps for security and debugging purposes. Logs are retained for 30 days.

2. How we use your data

  • Authenticate your account and validate API keys
  • Route your API requests to the appropriate AI provider
  • Deduct credits and display your usage history
  • Process payments and issue refunds
  • Send transactional emails (low-balance warnings, receipts)
  • Detect abuse and enforce rate limits
  • Comply with legal obligations

We do not sell your data, use it for advertising, or train AI models on your usage.

3. Third-party services

Your API requests are routed to the following providers. Each receives your prompt content as required to generate a response. Their privacy policies govern their data handling.

Provider    Purpose
Anthropic   Claude AI models
OpenAI      GPT models
Google      Gemini models
Stripe      Payment processing
Supabase    Database and authentication

4. Data retention

  • Account data: Until you delete your account
  • Usage logs: 12 months rolling
  • Payment records: 7 years (legal requirement)
  • Server logs: 30 days
  • API key hashes: Deleted immediately on key revocation

5. Security

We use industry-standard protections: TLS encryption in transit, hashed API keys, AES-256-GCM encryption for OAuth tokens, row-level security on all database tables, and least-privilege service accounts. No system is perfectly secure — if you discover a vulnerability please contact us at privacy@oneforall.dev.

6. Your rights

Depending on your location you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data (except payment records required by law)
  • Export your usage history in JSON format
  • Opt out of transactional emails (except critical security notices)

To exercise any of these rights email privacy@oneforall.dev. We respond within 30 days.

7. GDPR (EU/UK users)

Our lawful basis for processing your data is contract performance (providing the service you signed up for) and legitimate interests (security, fraud prevention). You may lodge a complaint with your local data protection authority if you believe we have mishandled your data.

8. CCPA (California users)

We do not sell personal information. California residents may request disclosure of categories of data collected and may request deletion. Contact us at the email below.

9. Children

The service is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us immediately.

10. Changes to this policy

We may update this policy. If changes are material we will notify you by email at least 14 days before they take effect. Continued use after that date constitutes acceptance.

11. Contact

Questions or requests: privacy@oneforall.dev

© 2026 OneForAll