Privacy Policy
Last updated: June 14, 2026
1. Who we are
TokenShield AI, LLC ("TokenShield", "we", "us") is a Delaware limited liability company. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our website, bot, dashboards, APIs, and related services (the "Service"). Capitalized terms not defined here have the meanings in our Terms of Service.
2. Categories of personal data we collect
- Account data — email address, authentication-provider identifier, display name, role.
- Billing data — handled by Stripe; we store only customer identifiers, plan, and subscription status. We never store card numbers.
- Telegram-derived data — chat IDs, user IDs, usernames, message metadata, join / leave / rejoin events, and admin-status signals, collected only from groups that Owners have explicitly connected.
- Reports and feedback — content you submit through /report, the Trust Page reporting form, or the Feedback page.
- AI prompt inputs — questions and content sent to /ask and to trust-summary generation.
- Technical signals — a salted SHA-256 hash derived from your IP address (used for rate-limiting and abuse prevention), user agent, timestamps, and request paths. We do not store raw IP addresses.
- Strictly necessary cookies / local storage — session and security tokens.
3. Sources of data
We collect data: (a) directly from you when you create an account, submit Content, or contact us; (b) automatically from your use of the Service; and (c) from Telegram via the Bot API when an Owner connects a community.
4. Purposes of processing
- Provide and operate the Service, including computing community Scores and generating trust summaries.
- Process payments and manage subscriptions.
- Prevent abuse, fraud, and security incidents (including rate-limiting).
- Respond to support, legal, or privacy requests.
- Improve and develop the Service, including aggregated product analytics.
- Comply with legal obligations.
5. Legal bases (GDPR / UK GDPR)
For users in the EU/EEA and the UK, we process personal data on the following legal bases:
- Performance of a contract — to provide the Service you requested.
- Legitimate interests — security, fraud prevention, product improvement, and reasonable business operations, balanced against your rights.
- Consent — where required (you may withdraw consent at any time).
- Legal obligation — to comply with applicable law.
6. What is public vs. private
Public Trust Pages display only aggregate, public-safe outputs and confidence-gated scores. We never publish raw member identities or raw messages. Internal diagnostics, low-confidence scores, and per-member activity remain private to the Owner and to the platform.
7. Third-party processors
We share data with vetted sub-processors strictly to operate the Service:
- Lovable Cloud — hosting, database, authentication, edge functions, storage.
- Stripe — payment processing and subscription billing.
- Telegram — Bot API integration for connected groups.
- AI model providers (via the Lovable AI Gateway) — generating AI summaries and /ask responses.
We do not sell personal data and do not share personal data with advertisers.
8. International transfers
TokenShield operates from the United States. Personal data may be processed in the United States and in other countries where our sub-processors operate. Where required, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses.
9. Retention
- Telegram activity used for scoring — retained for the active scoring windows plus a short audit buffer, then aggregated or deleted.
- Reports — retained until resolved plus a reasonable audit period, then deleted or anonymized.
- Billing records — retained as required by U.S. tax and accounting law.
- Rate-limit events — retained for less than 30 days.
- Account data — retained while your account is active, then deleted or anonymized within a reasonable period after closure, subject to legal obligations.
10. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data ("right to erasure").
- Portability — receive your data in a structured, machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
California residents (CCPA/CPRA) additionally have the right to know what personal information we collect, to request deletion, to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising), to limit use of sensitive personal information, and to non-discrimination for exercising these rights.
To exercise any right, submit a request via the Feedback page. We may need to verify your identity before responding.
11. Cookies & local storage
We use only strictly necessary cookies and local-storage entries (authentication session, CSRF protection, and basic preferences). We do not use third-party advertising trackers.
12. Children
The Service is not directed to children under 13 (or under 16 in the EU/EEA and the UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us via the Feedback page and we will delete it.
13. Security
We use industry-standard safeguards including row-level security in our database, salted IP hashes (raw IP addresses are not stored), TLS encryption in transit, and least-privilege access controls. No security control is absolute. You are responsible for keeping your account credentials secure.
14. Data breach
If we become aware of a personal data breach that affects you, we will notify you and any applicable regulator as required by law.
15. Project Owner responsibilities
When a project Owner connects a Telegram community, the Owner is responsible for informing their community members that TokenShield processes data about that community for the purposes described in this Policy. As between TokenShield and the Owner, the Owner is the controller of member personal data within their community for purposes of providing notice to members; TokenShield processes that data on the documented basis described in our Terms of Service and this Policy.
16. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated in the product or on the Service. The "Last updated" date at the top reflects the latest revision.
17. Contact
For any privacy matter — including data-subject requests, questions, or complaints — use the Feedback page. It is the official and sole contact channel.
