Privacy Policy
Last updated: May 29, 2026
1. Overview
Reckon ("Reckon," "we," "us") provides read-only observability and anomaly detection for AI/LLM spend. This policy explains what we collect, how we use it, who we share it with, and the choices you have. It applies to getreckon.dev and the Reckon application.
The most important thing to know: Reckon is a passive observer. We poll the usage APIs that AI providers already expose and read the numbers they report. We never sit in your request path to those providers, and we never see, receive, or store the content of your AI prompts or responses.
2. Information we collect
Account & organization data. When you sign up, our authentication provider (Clerk) collects your name, email address, and authentication identifiers (including data from Google or GitHub if you use social sign-in). We store your organization name, role, and the developers you choose to track.
AI usage data. For each provider API key you connect, we poll the provider's usage API and store aggregate usage records: date, model, token counts (input, output, cached), and computed cost. This data is reported at the API key level and attributed to the developer you associate with the key.
Provider API keys. The keys you add are encrypted at rest (see Section 4).
Billing data. Payments are processed by Stripe. We store a Stripe customer/subscription identifier and plan status; we do not store your card number.
Operational data. We log errors and performance data (tagged with organization and user identifiers) to operate and secure the service, and we may set cookies required for authentication and session management.
3. What we explicitly do NOT collect
We do not collect or store the content of your AI requests — no prompts, no completions, no embeddings, no file contents. We are not in your request path to any AI provider and have no access to that traffic. We only read the aggregate usage figures the provider publishes through its own admin/usage API.
4. Provider API keys & encryption
Provider keys are protected with envelope encryption: each key is encrypted with AES-256-GCM using a unique data key, which is itself encrypted by a master key held in AWS Key Management Service (KMS). Keys are decrypted only inside our ingestion workers at poll time — never in the web application. Only the last four characters of a key are ever displayed or logged. Keys are used solely to retrieve usage data from the corresponding provider and for no other purpose.
5. How we use information
We use the information we collect to:
- provide per-developer spend reporting, trends, and anomaly detection;
- send Slack digests, anomaly alerts, and (where connected) file Linear issues;
- send transactional email such as developer invitations;
- process subscriptions and enforce plan limits;
- secure, monitor, debug, and improve the service.
We do not use your data to train machine-learning models, and we do not sell your data.
6. Sub-processors
We share data only with the service providers required to operate Reckon. Each is contractually bound to protect it:
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting & CDN | United States |
| Supabase (Postgres) | Primary database | United States |
| Clerk | Authentication & user management | United States |
| Stripe | Payments & subscription billing | United States |
| AWS KMS | Encryption key management | United States |
| Inngest | Background job processing | United States |
| Resend | Transactional email | United States |
| Sentry | Error monitoring | United States |
| Anthropic / OpenAI / GitHub | AI usage data you connect | United States |
7. Data retention
Usage records are retained according to your plan: 30 days on Free and 365 days on Pro. Older records are deleted automatically. Account and organization records are retained while your account is active. On account deletion, we delete or anonymize your data within 30 days, except where retention is required by law (e.g., tax/billing records).
8. Your rights
Depending on where you live (e.g., the EEA/UK under GDPR, or California under the CCPA/CPRA), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can exercise these rights — or ask us to delete your organization's data at any time — by emailing brianmello96@gmail.com. We do not sell personal information.
9. International transfers
Reckon and its sub-processors operate in the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. We rely on appropriate safeguards (such as Standard Contractual Clauses) where required.
10. Security
We use structural tenant isolation (every record is scoped to an organization, enforced by database row-level security), envelope encryption for secrets, encryption in transit (TLS 1.2+), and least-privilege access. No system is perfectly secure, but security is the single largest responsibility we carry — see our security overview.
11. Cookies
We use only the cookies necessary for authentication, session management, and security. We do not use third-party advertising cookies.
12. Children
Reckon is a business tool not directed to children and is not intended for anyone under 16. We do not knowingly collect data from children.
13. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above and, where appropriate, communicated by email or in-app notice.
14. Contact
Questions or requests? Email brianmello96@gmail.com.