Your numbers, not your prompts.
BurnCap is built to monitor AI spend without ever reading what your AI does. This policy explains exactly what we collect, why, and the choices you have.
Last updated June 25, 2026
Who we are
BurnCap (“BurnCap”, “we”, “us”) is an AI cost monitoring and budget-guardrail service for small teams, operated by Eastbase Studio. You can reach us about privacy at support@eastbase.studio.
What we collect
- Account details. Your email address, an optional display name, and a securely hashed password. If you sign in with Google or GitHub, we receive the basic profile your provider shares (name, email, avatar) instead of a password.
- Usage metadata. Token counts, computed or provider-billed costs, model names, timestamps, and the identifiers you choose to attach to each event — feature, customer_id, environment, request_id, and session_id. These power your dashboards, forecasts, budgets, and unit economics.
- Provider credentials. If you connect OpenAI or Anthropic, the admin API key you paste is encrypted at rest (AES-256-GCM) and used only to pull your daily usage totals.
- Revenue you record. If you use unit economics, the per-customer revenue figures you enter or import — used only to compute margins for your own workspace.
- Billing details. Subscription plan and status. Payments are processed by Lemon Squeezy as merchant of record — we never see or store your card number.
We never receive or store your prompts or model completions. BurnCap sits out-of-band: it is not a proxy and your model traffic never passes through it.
How we use your data
- To run the product — show cost breakdowns, forecasts, alerts, budgets, and reports.
- To send the emails you ask for — account, security, alert, and digest emails.
- To enforce plan limits and process your subscription.
- To keep the service secure, debug failures, and prevent abuse.
We do not sell your data, and we do not use your usage data to train models.
Service providers
We rely on a small set of subprocessors, each handling only what their function requires:
- Lemon Squeezy — subscription billing and payments (merchant of record).
- Resend — transactional and alert email delivery.
- Vercel — application hosting, plus aggregate Analytics and Speed Insights.
- PostHog and Sentry — optional, privacy-preserving product analytics and error monitoring (see Cookies & tracking above).
- Upstash — optional rate limiting and short-lived caching for our public API.
- Neon — our managed Postgres database; stores your account and usage metadata.
- OpenAI and Anthropic — contacted only with the admin API key you connect, to read your usage totals.
Data retention & deletion
We keep your usage history for as long as your plan allows (7 days on Free, 90 days on Starter, 365 days on Growth) and your account data for as long as your account is active.
- You can delete all usage data for your workspace at any time from Settings — this is immediate and irreversible.
- To delete your account entirely, contact us and we will remove your personal data, subject to any records we must keep for legal or accounting reasons.
Security
Provider credentials are encrypted at rest with AES-256-GCM, API keys are stored only as SHA-256 hashes (we can never show a key again after it’s created), and passwords are hashed. Most importantly, the data we never collect — your prompts and completions — can’t leak from us, because we don’t hold it. No system is perfectly secure, but we minimize what we store precisely to reduce that risk.
Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to certain processing. Email support@eastbase.studio and we’ll help.
Changes to this policy
We’ll update this page when our practices change and revise the date above. For material changes we’ll give notice in-app or by email. Questions? See our Terms of Service or reach out any time.