Privacy
Last updated: 2026-04-23 (draft).
What runs where
TokenPak is a local proxy. Every compression, routing, caching, and telemetry decision happens on your machine. Your prompts, completions, code, and business data are not sent to TokenPak infrastructure by default, at any point, for any reason.
What we collect by default
Nothing. Zero opt-in-required telemetry. No usage pings. No install counters.
What TokenPak stores locally on your machine
- A SQLite ledger at ~/.tokenpak/monitor.db (or ~/.tpk/monitor.db on fresh installs) with per-request metadata (model, token counts, latency, cost, cache-origin). Default retention: 90 days of rolling history.
- Configuration at ~/.tokenpak/config.yaml (or ~/.tpk/config.yaml on fresh installs). Contains profile selection, port, compression knobs. Never contains API keys or prompts.
Optional debug/logging escape hatches — full disclosure
Several opt-in controls will expand what is stored locally if you turn them on. They are off by default. We disclose them here so you know exactly what each knob does before enabling it.
- TOKENPAK_DEBUG=1 (env var): Enables verbose debug output on stdout/stderr and debug-level entries in local logs. Debug output may include request headers (never credential values — those are redacted at the logging boundary). Off by default.
- TOKENPAK_LOG_ENABLED=1 + TOKENPAK_LOG_DESTINATION (env vars): Enables the structured request logger. Destinations: file (default path), stdout, syslog. Logger records request metadata — not prompt/response bodies unless store_prompts is also enabled. See TOKENPAK_LOG_LEVEL and TOKENPAK_LOG_RETENTION_DAYS for tuning.
- telemetry.store_prompts = true (config flag): This flag stores prompt and response bodies to local disk. Off by default. Exists for debugging and benchmarking. When enabled, prompt/response content is written to the same retention store as metadata. Clients with regulated data should leave this off.
What leaves your machine
Only what you ask TokenPak to proxy:
- LLM requests — forwarded to the provider you configured (Anthropic, OpenAI, etc.), using your credentials on the way out. TokenPak does not intercept, log to our infrastructure, or mirror the payload.
Third parties
TokenPak OSS has no sub-processors. Your prompts, completions, and credentials never cross any TokenPak-operated boundary — only the upstream LLM provider you configure (Anthropic, OpenAI, Google, etc.).
Your controls
- rm -rf ~/.tokenpak ~/.tpk removes every local artifact TokenPak has ever created (legacy + canonical paths).
- Unset any optional escape-hatch env var to disable that source of data collection.
- Uninstalling the package (pip uninstall tokenpak) stops all TokenPak execution on your machine.
Contact
Questions: hello@tokenpak.ai.