privacy policy

buymetokens.ai (“we”, “us”, “our”) operates the buymetokens.ai website and platform. This privacy policy explains how we collect, use, and protect your personal information when you use our service.

By creating an account or using our platform, you agree to the collection and use of information in accordance with this policy.

account information

When you sign up via OAuth, we receive and store:

• Email address
• Display name and avatar URL (as provided by the OAuth provider)
• OAuth provider account ID (used to link your login)

You may connect multiple login providers (GitHub, Google, Microsoft) to a single account. Each linked provider shares the above information with us.

profile information

When you create a profile, you provide:

• Username (publicly visible, unique identifier)
• Display name, role, and bio
• Social links (Twitter/X, Bluesky, Instagram, YouTube, Facebook, LinkedIn, Discord, website)

content you create

• Blog posts (title, content, slug, excerpt, meta description, OG image URL)
• Uploaded images (profile pictures, blog images — processed and stored as WebP)
• GitHub projects you choose to showcase (repo URL, description, stars, language, verification status)

payment information

All payment processing is handled by Stripe. We never store credit card numbers, bank account details, or other sensitive financial data on our servers. We store only:

• Your Stripe account ID (to route payouts)
• Whether your Stripe account has completed onboarding
• Transaction records (amount, tier, status, timestamp, buyer name, optional message)

automatically collected data

• IP address (used for rate limiting only — not stored persistently)
• Pages visited and features used

• Provide and operate the buymetokens.ai platform
• Display your public profile, blog posts, and GitHub projects
• Process token purchases and route payouts via Stripe Connect
• Verify GitHub project ownership and contributor status
• Enforce rate limits and prevent abuse
• Allocate 20% of platform revenue to carbon removal via Stripe Climate
• Communicate critical service updates (we do not send marketing emails)

We do not sell your personal information. We share data only with the following third parties:

The following information is publicly visible to anyone who visits your profile:

• Username, display name, role, and bio
• Social links you have added
• GitHub projects you have showcased (including verification badges)
• Published blog posts
• Supporter count and recent supporter names/messages (as provided by supporters)

Draft blog posts, onboarding progress, and your email address are never publicly visible.

When you upload an image, it is validated by file type (magic byte detection — not file extension), re-processed and converted to WebP format using Sharp, and stripped of EXIF metadata. Uploaded images are stored on the server in a directory scoped to your profile ID.

We enforce a 5 MB file size limit and accept only JPEG, PNG, GIF, and WebP formats. Images are resized to a maximum width of 1200px.

We implement the following security measures:

• All traffic encrypted via HTTPS
• Authentication handled via JWT sessions with OAuth providers
• Stripe webhook signatures cryptographically verified
• File uploads validated by magic bytes, re-encoded, and path-traversal protected
• Rate limiting on all sensitive endpoints (account creation, payments, uploads, API access)
• Input validation and sanitization on all user-submitted data

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

We retain your account data for as long as your account is active. Transaction records are kept for accounting and legal compliance purposes.

You can delete your account from your dashboard settings at any time. When you delete your account:

• Your account is soft-deleted immediately — your profile becomes invisible and cannot receive tips
• You have a 30-day grace period to reactivate by logging back in
• After 30 days, your account and all associated data (profile, blog posts, GitHub projects, uploaded images) are permanently purged
• Transaction records are anonymized but retained for legal compliance

You can disconnect your Stripe account or individual OAuth providers at any time from your dashboard settings, provided at least one login method remains active.

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate profile information (via your dashboard)
• Delete your account and all associated data
• Disconnect OAuth providers and your Stripe account
• Export your data upon request

To exercise any of these rights, use the controls in your dashboard or contact us at the address below.

We use only essential cookies required for the platform to function:

• Session cookie — maintains your authenticated session (JWT)
• CSRF cookie — prevents cross-site request forgery
• Provider linking cookie — short-lived (5 minutes), used only when connecting an additional OAuth provider
• Reactivation cookie — short-lived, used only during account reactivation within the grace period

We do not use third-party tracking cookies, advertising cookies, or analytics services.

buymetokens.ai is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this privacy policy from time to time. We will notify registered users of significant changes via a prominent notice on the platform. The “last updated” date at the top of this page indicates when the policy was last revised.

If you have questions about this privacy policy or your data, contact us at [email protected].