AI Nexus Privacy Policy

Last updated: June 2026

AI Nexus (hereinafter "we," "us," or "our") — operated by Hainan Tongcheng Technology Co., Ltd. — provides a unified AI model gateway platform at www.tokencnn.com. We are committed to protecting your personal information and respecting your privacy rights.

This Privacy Policy explains what personal information we collect, how we use, store, protect, share, and process it, and what rights you have with respect to your data. It applies to all users of the AI Nexus platform worldwide.

Please read this policy carefully before using our services. By accessing or using AI Nexus, you acknowledge that you have read and understood this Privacy Policy.

I. Information Collection

1.1 Information You Provide to Us

We collect the following information that you voluntarily provide when registering, using, or communicating with us about our services:

• Registration Information: Email address, username, and password (stored using salted bcrypt hashing);
• Account Preferences: Default model selection, display language (one of: English, Chinese, Japanese, Vietnamese, French, Russian), notification preferences, time zone;
• User Profile: Avatar, display name, and biography you voluntarily provide;
• Billing and Payment Data: Invoice billing address, tax ID (if provided),.top-up amount preferences;
• User Input Content: Prompts, messages, files, images, and any other content you submit to our API endpoints for processing by AI models. This includes both text inputs and any attached media;
• Customer Support Communications: Information you share when contacting our support team via email (cnn@tokencnn.com) or other channels;
• Feedback and Surveys: Product feedback, feature requests, and survey responses you voluntarily submit.

1.2 Information Collected Automatically

When you use our platform, we automatically collect certain technical and usage information:

• API Usage Logs: Timestamp of each API call, model called, request parameters (metadata only, not the content of prompts/responses unless you opt in to logging — see Section 1.5), response status code, latency, error messages, number of tokens consumed;
• Device and Network Information: IP address, browser type and version, operating system, device type, referrer URL;
• Access Records: Pages you visit on our website, links you click, time spent on each page, and navigation patterns;
• Search Queries: Search terms you enter on our documentation, model catalog, or support portal;
• Session Information: Session tokens, authentication cookies, and CSRF tokens needed to maintain your logged-in state.

1.3 Information from Third-Party Sources

We may receive information about you from the following third parties:

• Payment Processors: Stripe, Creem, and ZPAY provide us with transaction confirmations, payment method type (e.g., "Visa," "Alipay"), last four digits of the card or masked account identifier, and billing status. We do not receive or store full payment credentials;
• OAuth/SSO Providers: If you choose to sign in via Google OAuth or GitHub OAuth, we receive your email address and public profile information from those providers;
• AI Model Providers: Upstream model providers (including DeepSeek, Alibaba Cloud/Qwen, Zhipu AI/GLM, ByteDance/Doubao, MiniMax, and others) return status information about the API calls we forward on your behalf;
• Analytics Services: Aggregated, de-identified usage data from analytics tools we employ (e.g., privacy-friendly self-hosted analytics).

1.4 Payment Information

All payment processing is handled directly by our PCI-DSS-compliant payment partners (Stripe, Creem, and ZPAY). We do not collect, store, or process full credit/debit card numbers, CVV codes, or bank account details. Our systems only receive confirmation of payment success, a transaction reference ID, and the amount. For wallet-based top-ups via ZPAY (WeChat Pay / Alipay), the transaction flow occurs entirely within the ZPAY environment.

1.5 Opt-In Content Logging

By default, we do not log the actual content (prompts and responses) of your API calls beyond transient processing needed to deliver results. If you opt in to content logging (which you may enable or disable at any time via your Console settings), we will store your prompts and model responses to improve service quality, troubleshoot issues, and train internal models. Opt-in content logs are retained for a maximum of 30 days unless otherwise agreed. You may revoke consent and request deletion at any time.

II. Use of Information

We use the information we collect for the following purposes:

1. Service Provision: To provide, operate, and maintain the AI model gateway services you request, including routing API calls to the appropriate upstream model providers;
2. Request Processing: To process and respond to your API requests, including forwarding prompts to AI models and returning generated content to you;
3. Account Management: To create and manage your account, verify your identity, and authenticate your API tokens;
4. Payment Processing: To facilitate top-ups, billing, invoicing, and usage-based fee calculation;
5. Usage Monitoring: To track your token consumption, rate limits, and account balance for billing purposes;
6. Customer Support: To respond to your inquiries, troubleshoot technical issues, and provide user support;
7. Service Improvement: To analyze aggregated usage patterns, identify bugs, and improve platform performance and reliability;
8. Fraud Prevention: To detect, prevent, and mitigate fraudulent, abusive, or unauthorized use of our platform;
9. Security: To maintain the security and integrity of our systems, including monitoring for unauthorized access, DDoS attacks, and other threats;
10. Abuse Detection: To detect and prevent violation of our User Agreement, including misuse of AI models for prohibited purposes;
11. Communication — Service Notices: To send you service-related communications such as account changes, security alerts, payment confirmations, and policy updates;
12. Communication — Marketing: To send you product updates, new feature announcements, and promotional materials (only with your consent, which you may withdraw at any time);
13. Legal Compliance: To comply with applicable legal obligations, court orders, and regulatory requirements;
14. Dispute Resolution: To investigate and resolve disputes, enforce our agreements, and establish, exercise, or defend legal claims;
15. Data Aggregation: To create anonymized, aggregated statistical data for benchmarking, reporting, and product roadmap planning;
16. Model Selection Optimization: To analyze API call patterns and suggest optimal model routing for cost and performance;
17. Localization: To tailor the platform interface and documentation to your selected language preference (English, Chinese, Japanese, Vietnamese, French, or Russian);
18. Audit and Compliance: To conduct internal audits and compliance reviews related to data processing activities;
19. Training and Quality Assurance: With your opt-in consent only, to use de-identified content for training internal quality-assurance models;
20. Beta Features: To provide access to experimental features and collect feedback for iterative improvement;
21. Red Teaming: To conduct authorized security testing and red-teaming exercises that may involve analyzing usage patterns at an aggregated level.

Where we process your information based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

III. Storage and Protection

3.1 Data Storage Location

Your personal information is primarily stored on servers located in Singapore. Where required for service delivery or legal compliance, data may be processed in additional jurisdictions.

3.2 Cross-Border Data Transfers

As a global platform serving users worldwide, we may transfer your personal information across international borders. When we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission under Article 45 of the GDPR, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission under Article 46(2)(c) and (d) of the GDPR, or other appropriate transfer mechanisms, to ensure your data receives an adequate level of protection.

For transfers from other jurisdictions, we implement equivalent safeguards, including contractual commitments, binding corporate rules, or reliance on adequacy determinations where applicable. You may request a copy of the relevant SCCs or other transfer safeguards by contacting us at cnn@tokencnn.com.

3.3 Security Measures

We implement industry-standard technical and organizational security measures to protect your personal information, including:

• Encryption in Transit: TLS 1.2+ for all API and website communications;
• Encryption at Rest: AES-256 encryption for stored data;
• Password Protection: All passwords are hashed using bcrypt with a cost factor of 12 or higher;
• Access Controls: Role-based access control (RBAC) and strict least-privilege policies for internal personnel;
• Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning;
• Audit Logging: Comprehensive audit trails of all administrative access to production systems;
• Incident Response: A documented incident response plan with mandatory breach notification procedures.

3.4 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with applicable law (including Article 33-34 of the GDPR).

IV. Sharing and Disclosure

4.1 No Sale of Personal Information

We do not sell, rent, or trade your personal information to any third party. This includes any activity that would constitute a "sale" under the California Consumer Privacy Act (CCPA).

4.2 Circumstances Under Which We May Share Information

We may share your personal information only under the following circumstances:

• AI Model Providers: When you make an API call to a specific model, we transmit your prompt (input) to the corresponding upstream provider (e.g., DeepSeek, Alibaba Cloud/Qwen, Zhipu AI/GLM, ByteDance/Doubao, MiniMax) solely for the purpose of generating a response. Each provider processes data according to its own privacy policy, which we encourage you to review;
• Payment Processors: We share transaction-related information (amount, currency, user ID, timestamp) with Stripe, Creem, and/or ZPAY as necessary to process payments;
• Service Providers: We engage trusted third-party service providers (e.g., cloud hosting, CDN infrastructure, email delivery services, analytics) who process data on our behalf under written data processing agreements that prohibit them from using your data for any purpose other than the specific service they provide;
• Corporate Transactions: In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you via email and a prominent notice on our website before any such transfer takes effect, and your data will continue to be protected under this Privacy Policy unless and until you consent otherwise;
• Affiliated Companies: We may share information with subsidiaries and affiliates of Hainan Tongcheng Technology for purposes consistent with this policy, provided such entities maintain equivalent data protection standards;
• Legal Requirements: We will disclose information where required by applicable law, regulation, legal process, or governmental request (including but not limited to responding to subpoenas, court orders, or law enforcement requests);
• Protection of Rights: We may disclose information where we believe in good faith that it is necessary to protect the rights, property, or safety of AI Nexus, our users, or the public;
• With Your Consent: We may share your information for any other purpose with your explicit consent.

4.3 Third-Party Links

Our platform may contain links to external websites or services (e.g., model provider documentation pages). This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices.

V. International User Rights — GDPR / CCPA

5.1 Legal Bases for Processing (EEA / UK / Switzerland Users)

Under the General Data Protection Regulation (GDPR), we process your personal information only when we have a valid legal basis. These include:

• Performance of a Contract (Article 6(1)(b)): Processing necessary to provide our AI gateway services to you under our User Agreement — including account management, API request routing, billing, and customer support;
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, such as fraud prevention, platform security, service improvement, and aggregated analytics, provided these interests are not overridden by your fundamental rights and interests;
• Consent (Article 6(1)(a)): Processing based on your freely given consent — such as for marketing communications, optional content logging, and the use of non-essential cookies. You may withdraw consent at any time;
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable legal or regulatory obligations.

5.2 Standard Contractual Clauses (SCCs)

For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision (including Singapore, where our servers are located), we have entered into the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor, and Module 3: Controller-to-Controller, as applicable) with all relevant data importers. These SCCs ensure that transferred data receives an equivalent level of protection under GDPR standards. You may request a copy of our executed SCCs by contacting cnn@tokencnn.com.

5.3 Your Rights Under the GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal information:

• Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data and information about how it is processed;
• Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data;
• Right to Erasure ("Right to Be Forgotten") (Article 17): You have the right to request deletion of your personal data under certain circumstances, including when the data is no longer necessary for the purpose for which it was collected;
• Right to Restriction of Processing (Article 18): You have the right to restrict our processing of your data under certain circumstances, such as when you contest its accuracy;
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON) and to transmit it to another controller without hindrance;
• Right to Object (Article 21): You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interests, including profiling. Where we process data for direct marketing, you have an absolute right to object at any time;
• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
• Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing violates the GDPR.

5.4 Your Rights Under the CCPA (California Residents)

If you are a resident of California, the California Consumer Privacy Act (CCPA) grants you the following additional rights:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose for collection, and the categories of third parties with whom we share it;
• Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., to complete a transaction, detect security incidents, or comply with legal obligations);
• Right to Opt Out of Sale/Sharing: We do not sell your personal information. However, you have the right to opt out of any future sale or sharing of your personal information for cross-context behavioral advertising;
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights, including by denying services, charging different prices, or providing a different level of service;
• Right to Correct: You have the right to request correction of inaccurate personal information;
• Right to Limit Use of Sensitive Information: You have the right to limit our use of sensitive personal information (such as account credentials) to purposes essential for service delivery.

To exercise your CCPA rights, please submit a verifiable consumer request to cnn@tokencnn.com. We will confirm receipt within 10 business days and respond substantively within 45 days (extendable by an additional 45 days with notice).

5.5 Exercising Your Rights

To exercise any of the rights described in this Section V, please contact us at cnn@tokencnn.com. We will respond to your request without undue delay and in any event within one month of receipt (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

VI. Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies for the purposes described below. You can manage your cookie preferences through your browser settings or via our cookie consent banner (available upon first visit).

6.1 Strictly Necessary Cookies

These cookies are essential for the platform to function correctly and cannot be disabled. They include:

• Session cookies to maintain your logged-in state;
• CSRF (Cross-Site Request Forgery) prevention tokens;
• Security cookies to detect authentication abuse;
• Load-balancing session affinity cookies.

Legal basis: Legitimate interest (essential for service delivery). No consent required.

6.2 Functional Cookies

These cookies enhance your experience by remembering your preferences:

• Language preference selection (English, Chinese, Japanese, Vietnamese, French, Russian);
• Theme preference (light/dark mode if available);
• Saved default model selection;
• Documentation sidebar state (collapsed/expanded).

Legal basis: Consent (GDPR); Legitimate interest (other jurisdictions).

6.3 Analytics Cookies

These cookies help us understand how users interact with our platform so we can improve it:

• Page views, click patterns, and navigation flow;
• Feature usage frequency and drop-off points;
• Aggregated, non-identifiable performance metrics.

We use privacy-respecting, self-hosted analytics tools where possible. Legal basis: Consent.

6.4 Managing Cookies

You can manage or disable cookies through your browser settings. Most browsers allow you to block or delete all cookies. However, please note that disabling strictly necessary cookies may prevent you from logging in or using core platform features. For more detailed guidance, please refer to your browser's help documentation.

VII. Data Retention

7.1 Retention Periods

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law. Specific retention periods include:

• Account Information: Retained for the duration of your account's active status plus 12 months after account closure, unless a longer retention period is required by law;
• API Usage Logs (metadata only): Retained for 90 days, after which they are automatically and permanently deleted;
• Opt-In Content Logs: Retained for a maximum of 30 days, unless you explicitly withdraw consent earlier;
• Payment Records: Retained for the duration required by applicable tax and financial regulations (typically 5-7 years);
• Customer Support Communications: Retained for 3 years from the date of last contact;
• Marketing Communications Preferences: Retained until you withdraw consent or unsubscribe;
• Session Cookies: Retained for the duration of your browser session or up to 30 days for "remember me" preferences.

7.2 Deletion and Anonymization

After the applicable retention period expires, we will securely delete or irreversibly anonymize your personal information such that it can no longer be associated with you. Anonymized data may be retained indefinitely for statistical and analytical purposes.

VIII. Minor Protection

8.1 Age Restriction

Our services are not intended for and may not be used by individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal information from minors. If we become aware that a minor has registered an account or provided personal information, we will promptly delete that information and terminate the account.

8.2 Reporting

If you are a parent or guardian and believe that a minor under your care has provided us with personal information, please contact us immediately at cnn@tokencnn.com so that we can take appropriate action.

IX. Policy Updates

9.1 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will:

• Notify you by email (sent to the email address associated with your account) at least 30 days before the changes take effect;
• Post a prominent notice on our website and on the Console dashboard;
• Update the "Last updated" date at the top of this policy.

9.2 What Constitutes a Material Change

Material changes include, but are not limited to:

• Significant changes in the categories of personal information we collect;
• New purposes for using your personal information;
• New third parties with whom we share personal information;
• Changes in cross-border transfer mechanisms;
• Changes in data retention practices that may affect your rights;
• Changes in your rights under applicable data protection law.

9.3 Continued Use

Your continued use of the platform after the effective date of any material change constitutes your acceptance of the updated policy. If you do not agree with the changes, you may close your account before the effective date.

X. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us through the following channels:

• Customer Service Email: cnn@tokencnn.com — primary contact for privacy inquiries, rights requests, and data breach notifications;
• Data Protection Officer: cnn@tokencnn.com — for dedicated data protection matters (if designated);
• Official Website: https://www.tokencnn.com;
• Mailing Address: Hainan Tongcheng Technology Co., Ltd. (海南通骋科技投资有限公司).

We will acknowledge your inquiry within 48 hours and respond substantively within 30 days unless a longer period is required or permitted by applicable law.

Operating Entity: Hainan Tongcheng Technology Co., Ltd. (海南通骋科技投资有限公司)

Platform: AI Nexus (tokencnn.com) — China's AI, the World's Tool