Privacy Policy
Last updated March 2026
1. Who we are
Token ("we", "us", or "our") operates the website at token.fyi and related services. We provide secure document sharing rooms with end-to-end encryption. We act as the data controller for all personal data processed in connection with our service.
2. What data we collect
We collect the following categories of personal data:
- Account data — your email address, provided when you create an account via magic-link login.
- Workspace data — the name and company name of your workspace, and any logo you upload.
- Shared document metadata — file names, file sizes, MIME types, and room settings (expiry, access controls) you configure.
- Acceptance records — when a recipient signs an NDA to access your room, we record their name, email, company, address, and signature.
- Access logs — timestamps and IP addresses of recipients who view or download documents from your rooms.
- Cookie data — a signed session cookie to keep you logged in, and an access token cookie when you open a shared room.
Important: Files you upload are encrypted client-side (AES-256-GCM) before they reach our servers. We never have access to the plaintext of your files or the passwords used to protect them.
3. How we use your data
- To create and manage your account and workspace
- To deliver shared documents to recipients you invite
- To record NDA acceptances and access logs you request
- To notify you about document activity via email (when you opt in)
- To operate, secure, and improve our service
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
4. Encryption
All files uploaded to Token are encrypted client-side using AES-256-GCM with a key derived from your chosen password (PBKDF2, 250,000 iterations). This means:
- The server stores only the encrypted blob and key-derivation parameters.
- We cannot decrypt your files without your password.
- If you lose your password, encrypted files cannot be recovered.
5. Data retention
We retain your personal data for as long as your account is active. You may delete your account and all associated data at any time from your workspace settings. Upon deletion, we remove:
- Your user account and workspace
- All rooms, files, and access logs in your workspace
- All NDA acceptance records associated with your workspace
Deletion is permanent and cannot be undone. Data removed from our active systems may persist in backups for up to 30 days before being overwritten.
6. Your rights
You have the following rights over your personal data:
- Access — request a copy of all personal data we hold about you.
- Deletion — delete your account and all associated data at any time from your workspace settings page.
- Portability — export your workspace data as a JSON file before deleting your account.
- Correction — update your email, workspace name, or company name at any time.
To exercise any of these rights, log in to your account and visit your workspace settings, or contact us at privacy@token.fyi.
7. Cookies
We use only functional, necessary cookies:
- Session cookie — keeps you logged in. HttpOnly, signed with HMAC-SHA256. Automatically removed when you log out.
- Access token cookie — set when you open a shared room using an owner link. HttpOnly. Used to manage room access.
We do not use advertising cookies, analytics cookies, or any tracking pixels. We do not honor "Do Not Track" signals as we do not track across sites.
8. Third-party processors
We use the following third-party services to operate Token. Each is a data processor acting only on our instructions:
- Vercel — hosting and server infrastructure.
- Vercel Blob — encrypted file storage (when configured).
- SendGrid — transactional email delivery (OTP codes).
We may update this list if we change service providers. Updates will be posted on this page.
9. Data security
We implement industry-standard technical and organisational measures to protect your personal data, including:
- TLS encryption in transit (HTTPS everywhere)
- AES-256-GCM encryption at rest for all uploaded files
- HMAC-SHA256 signed session cookies
- Access logging and anomaly detection
- Least-privilege access controls for our own team
10. Children
Token is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@token.fyi and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on this page with a revised "Last updated" date. For material changes, we will notify you by email if you have an active account.
12. Contact
For any questions about this Privacy Policy or to exercise your rights, contact us at:
privacy@token.fyi