Privacy Policy

Calcis is a prompt cost estimator for large language model APIs. You paste a prompt, pick a target model, and we return an estimate of input tokens, predicted output tokens, and dollar cost before you make the real API call.

Who we are.Calcis is operated by a sole trader based in New South Wales, Australia. The service is available globally via calcis.dev. References to “we,” “us,” or “Calcis” in this policy mean the Calcis operator; references to “you” mean you, the user of the service.

Scope. This policy covers personal information handled through calcis.dev, the public API at /api/v1, the Calcis VS Code extension, the Calcis browser extension, the Calcis GitHub Action, and any direct email correspondence with us. It does not cover third-party sites we link to; those have their own policies.

Controller. For EU/UK GDPR purposes, Calcis is the data controller for the information described in this policy. Contact details are in section 12.

We collect the minimum needed to run the service. In concrete terms:

• Account information. When you sign up, our authentication provider (Clerk) captures your email address, a name if you provide one, and a password hash (Clerk never reveals the plaintext to us). If you sign in with Google or GitHub, Clerk also stores the OAuth profile identifier.
• Subscription information. If you buy a paid tier, Stripe processes payment and returns to us a customer ID, subscription ID, tier name, billing interval, and status. We do not see or store your full card number.
• Prompt text submitted to the estimator. When you use the web estimator, your prompt is sent to our server for tokenization and output prediction. The raw text is discarded as soon as the response is computed. A SHA-512 hash of the prompt is written to our analytics log so we can later measure how well predictions matched user feedback without retaining any recoverable copy of what you wrote.
• Prompt text submitted to the public API. Calls to /api/v1/estimate (used by the VS Code extension, the browser extension, the GitHub Action, and any direct API integration) do not hash or persist the prompt text. We discard the prompt after computing the response.
• Usage counters. We store per-user weekly and per-session request counts in Upstash Redis to enforce tier quotas. Counts are keyed by your account identifier and reset on a schedule. No prompt content is stored with the counter.
• Prediction feedback. If you click thumbs-up or thumbs-down on a prediction, we store the signal (up or down), the predicted output tokens, the model ID, the prompt hash, and a truncated hash of your IP address. The IP hash prevents one address from stuffing the ballot; we never store the raw IP with the feedback.
• API keys. If you generate a Calcis API key, we store only a salted hash of the key along with a label, a short non-secret prefix for identification, the creation timestamp, and the last-used timestamp. The plaintext key is shown once at creation and never again.
• Support correspondence.Email you send us at calcis.dev@gmail.com is retained in the mailbox according to Google's retention settings.
• Server logs. Vercel (our hosting provider) records standard HTTP access logs including IP address, user-agent, request path, status code, and timestamp. We do not add extra personal data to these logs.
• Analytics. Vercel Analytics collects aggregated traffic numbers (page views, country-level geography, referrer) without setting cookies or fingerprinting individual visitors.

We do not buy data about you from third parties, and we do not enrich what you give us with data from external sources.

Prompt text is the most sensitive thing you give us, so it gets its own section. Two paths exist, and they behave differently.

Web estimator (/estimator).Your prompt is sent over HTTPS to our server, tokenized locally using the target provider's tokenizer, scored by an output-length predictor, and returned as a cost estimate. The raw prompt string is held in memory only for the duration of the request. When the response returns, a SHA-512 hash of the prompt is written to an Upstash Redis list keyed by the current calendar month. The entry also contains the input token count, predicted output token count, model ID, estimator source, and timestamp. The raw prompt text is not written anywhere. List entries are deleted automatically after 90 days.

Public API (/api/v1/estimate). Calls made by the VS Code extension, the browser extension, the Calcis GitHub Action, or any client using a Calcis API key do not go through the hashing log. The prompt is tokenized, scored, and discarded. Nothing about its content is persisted.

We do not send your prompt to any LLM provider to compute the estimate. Tokenization runs locally against our own tokenizer implementations. Output length prediction runs against a regression model on our server and, optionally on paid tiers, a short call to Anthropic's Haiku model which receives only a summarized fingerprint of the prompt (length and structural signals), not the text itself.

We rely on a short list of vendors to run Calcis. Each is bound by a data-processing agreement (DPA) where one is available from the vendor. The current list is mirrored at /sub-processors and reflects the vendors currently in production:

• Vercel Inc. (United States). Hosting and edge delivery. Processes access logs and serves every request.
• Clerk Inc. (United States). Authentication and user profile management.
• Stripe, Inc. (United States). Payment processing and subscription billing. Stripe is a PCI DSS Level 1 service provider.
• Upstash Inc. (United States). Redis for rate limits, weekly quota counters, prompt-hash log, and prediction feedback storage.
• Neon Inc. (United States). Managed Postgres storing API key hashes and subscription records.
• Resend, Inc. (United States). Transactional email (receipts, password reset links).
• Anthropic, PBC (United States).The paid LLM predictor calls Anthropic's API with a prompt fingerprint, not the prompt text, to refine output-length predictions.
• Google LLC (United States). Our support mailbox is hosted on Google Workspace.

If we add, remove, or replace a sub-processor we will update the /sub-processors page and adjust this list on the next edit of this policy.

We process personal information for a fixed set of purposes:

• Service delivery. Compute token counts, run output predictions, meter usage against tier quotas, and return cost estimates.
• Account management. Authenticate sign-in, associate subscriptions with accounts, issue and rotate API keys.
• Billing. Charge, refund, and dunning workflows through Stripe, and keep records required by Australian tax law.
• Abuse prevention. Enforce rate limits, detect credential stuffing, identify and block abusive clients.
• Service improvement. Aggregate the prompt-hash log with thumbs-up/thumbs-down feedback to measure prediction accuracy and retrain the output estimator. We cannot recover the original prompt from the hash.
• Transactional email. Send sign-up confirmations, receipts, security notices, and service announcements directly related to your account.
• Legal compliance. Respond to lawful requests, meet statutory record-keeping obligations, and honour your rights under the laws named below.

Lawful bases (GDPR / UK GDPR). We rely on performance of a contract (Art. 6(1)(b)) for account and billing data; legitimate interests (Art. 6(1)(f)) for rate limiting, abuse prevention, and aggregate prediction-quality measurement; consent (Art. 6(1)(a)) where specifically asked; and legal obligation (Art. 6(1)(c)) for retained financial records.

We do not keep data longer than we need it. Current retention rules:

• Account record: kept for the life of the account, deleted within 30 days of account closure except where a longer period is required by law.
• Prompt-hash log: 90 days, auto-expired by Redis TTL.
• Prediction feedback: 90 days, auto-expired by Redis TTL.
• API key hash: while the key is active and for 30 days after revocation for audit.
• Subscription and invoice records: seven years, to meet Australian tax record-keeping obligations (s. 262A, Income Tax Assessment Act 1936).
• Consent records (terms of service): three years after account closure, to meet California clickwrap-enforceability standards.
• Server access logs: 30 days at Vercel.
• Support email: two years, then archived or deleted.

When a retention period ends, data is either deleted or, if deletion is not technically possible (for example, in encrypted backups), put out of use until the backup cycle rolls it over.

You have rights over the information we hold about you. The exact list depends on where you live; everyone gets at least the baseline set we apply globally.

Global baseline (everyone)

• Access a copy of what we hold about you.
• Correct information that is inaccurate.
• Delete your account and associated data.
• Object to specific processing activities.
• Withdraw consent where consent is the lawful basis.

Australia (APP / Privacy Act 1988)

The Australian Privacy Principles give you the right to access and correct personal information we hold about you (APP 12 and APP 13). If you are unhappy with how we handle your request, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

United States: California (CCPA / CPRA)

Californian residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, to opt out of “sale” or “sharing” of personal information, to limit use of sensitive personal information, and to be free from retaliation for exercising these rights. We do not sell or share personal information as those terms are defined by the CCPA. To make a request, email us at the address in section 12. A state-specific disclosure follows in section 16.

United States: Connecticut (CTDPA) and Texas (TDPSA)

Connecticut and Texas residents have rights analogous to California: access, correction, deletion, portability, and opt-out of targeted advertising and profiling that produces legal or similarly significant effects. We do not engage in targeted advertising or legal-effect profiling. Appeals of refused requests are available; email us and we will respond within the statutory window.

Canada (PIPEDA) and Quebec (Law 25)

Canadian residents may access, correct, and request deletion of personal information under the Personal Information Protection and Electronic Documents Act. Quebec residents have additional rights under Law 25 including portability in a structured technical format, and may complain to the Commission d'accès à l'information.

India (DPDP Act 2023)

Indian residents (Data Principals under the Digital Personal Data Protection Act) have the right to access, correct, and erase personal data, and to nominate another person to exercise these rights on their behalf. You may complain to the Data Protection Board of India if unsatisfied.

European Economic Area and United Kingdom (GDPR / UK GDPR)

Under the GDPR and UK GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and to withdraw consent at any time (Art. 7). You may lodge a complaint with the data protection authority in your country of residence; in the UK this is the Information Commissioner's Office (ico.org.uk).

How to exercise any of the above. Email the address in section 12 from the account associated with the data. We aim to respond within 30 days, extended to 45 or 60 days where statute permits for complex requests. There is no fee for a first request. Repeated or manifestly unfounded requests may carry a reasonable charge.

We take security seriously because a breach of an LLM cost estimator could still leak the one thing users care about most: the prompts they were about to run in production.

• Every request is served over HTTPS (TLS 1.2 or newer).
• Passwords are handled only by Clerk; we never see plaintext.
• API keys are stored as salted hashes. The plaintext is shown once at creation and never again.
• Prompt text is held in memory only for the duration of a single request and is never written to durable storage. The SHA-512 hash we do write is not reversible.
• Rate limits sit at the edge and in the application, with a distributed tier at Upstash Redis so limits hold across serverless instances.
• Access to production dashboards (Vercel, Clerk, Stripe, Upstash, Neon, Resend) is protected by multi-factor authentication.
• All dependencies are scanned automatically for known vulnerabilities.

No system is ever perfectly secure. If we discover a breach affecting your personal information, we will notify you without undue delay and in any case within the period required by the laws listed in this policy. Our full response plan is documented internally at BREACH_RESPONSE.md in the Calcis repository.

Calcis is operated from Australia and hosted on infrastructure in the United States. If you are outside the United States, your information will be transferred to and processed in the United States. We rely on:

• Standard Contractual Clauses (and the UK International Data Transfer Addendum) with each of our sub-processors where those clauses apply.
• The EU-U.S. Data Privacy Framework and its UK Extension, for sub-processors who have certified.
• Additional safeguards such as encryption in transit and at rest, and strict access controls.

By using Calcis you consent to the transfer of your personal information to the United States for processing.

Calcis is not directed at children under 16 and we do not knowingly collect personal information from anyone under that age. If you are a parent or guardian and believe your child has given us information, contact us and we will delete it.

We may update this policy from time to time. When we do, we will change the “Last updated” date at the top of the page. Material changes will be notified by email to the address on your account and, where required by law, require your active acceptance before continuing to use the service.

Previous versions are available on request by emailing the address in section 12.

For privacy questions, rights requests, or any complaint about how we handle your information:

• Email: calcis.dev@gmail.com
• Postal address: available on request to the email above.

If you are in the EEA or UK and prefer to contact a local data protection authority, you have the right to do so at any time; you do not need to try us first.

Calcis uses the smallest cookie set it can get away with:

• Strictly necessary session cookies set by Clerk to keep you signed in. These cannot be disabled without breaking authentication. They are first-party, HTTP-only, and marked Secure and SameSite=Lax.
• Strictly necessary billing cookies set by Stripe on checkout pages we redirect to. These are required to complete a subscription purchase.
• No advertising cookies. We do not run ads and we do not embed ad tracking.
• No analytics cookies. We use Vercel Analytics and Vercel Speed Insights, which operate without third-party cookies. Speed Insights uses a short-lived anonymous identifier in sessionStorage that rotates automatically; neither product stores a persistent device fingerprint or cross-site tracker.

The estimator also writes a small number of functional preferences to your browser's localStorage (“calcis_llm_prediction”, “calcis_agentic”, and “calcis_effort_*” keys) so your toggle choices persist between visits. These are stored only in your browser, never sent to our server, and contain no personal information.

Because our only cookies are strictly necessary, we do not show a cookie banner. EU/UK visitors can read this section as our “strictly necessary” disclosure under ePrivacy / PECR.

We do not make decisions that produce legal effects or similarly significant effects about you based solely on automated processing. The output-token predictor and tier quotas are calculations, not decisions about you; they influence the estimate you see, not your rights or access.

Calcis is not targeted at users in mainland China and does not comply with the cross-border transfer requirements of the Personal Information Protection Law (PIPL). If you access the service from mainland China, you do so on your own initiative and are responsible for compliance with applicable local law.

California

In the last 12 months we have collected the following categories of personal information as defined by the CCPA: identifiers (email, account ID), commercial information (subscription tier, purchase history), internet or network activity (server access logs, usage counters), and inferences drawn from that information (only for prediction quality measurement). We have not sold or shared personal information for cross-context behavioural advertising and we do not have “actual knowledge” of selling or sharing the personal information of anyone under 16. You have the right to know, delete, correct, and limit use of sensitive personal information, and to be free from retaliation for exercising these rights.

Connecticut

Under the Connecticut Data Privacy Act you have the right to access, correct, delete, and port your personal data, to opt out of targeted advertising, sale, and profiling with legal effects, and to appeal any refusal.

Texas

Under the Texas Data Privacy and Security Act you have the right to access, correct, delete, and port your personal data, to opt out of targeted advertising, sale, and profiling with legal effects, and to appeal any refusal.