tou.tools is a developer API for U.S. Time-of-Use (TOU) electricity schedule data, accessible over REST and the Model Context Protocol (MCP). This Privacy Policy explains what we collect, why, who we share it with, and what control you have over it.
The Service has two kinds of human users: developers, who register a dashboard account and call the API with API keys or OAuth tokens; and visitors, who browse the marketing site and coverage pages without an account. We collect different data for each. Calls made by an AI agent on a developer's behalf are treated as that developer's calls.
When you register a developer account we collect and store:
free, builder, growth, business, enterprise).
One-time tokens for email verification, password reset, and email-change confirmation are stored as SHA-256 hashes with short TTLs (24 hours for verification and email-change, 1 hour for password reset) and are purged after they expire or are used.
API keys are generated client-side at the moment of creation. We store only the SHA-256 hash plus a short non-secret prefix — the raw tou_… string is shown to you exactly once and is unrecoverable thereafter. Each call stamps a last_used_at timestamp on the key row.
If you connect Claude Web or another OAuth 2.1 MCP client, we additionally store: a generated client_id and registered redirect_uris for the client; short-lived authorization codes (10-minute TTL, SHA-256 hashed, single-use); and refresh tokens (30-day TTL, hashed, rotated on every use). Access tokens are stateless JWTs and are not stored server-side.
When you call the API we receive and process:
ZIP and customer class are commonly tied to an end customer's premises. You are responsible for any consent or notice your end users are entitled to before you transmit their address or ZIP to the Service.
For every billable call we record an event row containing: your API key (by hash), the queried ZIP code, the endpoint, the request source (REST or MCP), the HTTP status code, the response duration in milliseconds, and a UTC timestamp. We use this data to enforce plan quotas, render the meters and request log in your dashboard, debug operational issues, and detect abuse.
Blocked-quota responses (429) are logged in the request log but are not metered against your billable usage.
Mail sent to hello@tou.tools is delivered to us via Resend and stored so we can read and reply. To filter spam, the body and headers of inbound messages are sent to Google's Gemma model via the Google AI API for a ham/spam classification (mail from verified developer accounts and from our admin address skips the classifier). The model returns a label, not generated content, and we do not retrain models on your message contents.
Every public page on the marketing site loads a small /track.js beacon that, on first user input, posts the page path and the referrer hostname to the Service. The Service resolves your IP address to a U.S. state using a locally hosted GeoIP database (db-ip.com), increments per-state and per-referrer counters, and discards the IP. We do not store the IP address, do not set a cookie, do not assign a visitor ID, and do not record anything that allows us to link page views to a person or session. Non-US and unrecognized IPs are dropped without insert. Bot user-agents and requests missing an Accept-Language header are rejected before any work happens.
Like every web service, our servers automatically write request logs (IP address, user-agent, request line, response code, timing) that are used for security monitoring, fail2ban, and operational debugging. These logs rotate and are not used to build profiles of individual visitors or developers.
Account credentials authenticate you; API keys and OAuth tokens authorize calls; query inputs resolve to a TOU answer; usage events enforce quotas and render your dashboard.
If you subscribe to a paid plan we open a Stripe Checkout session referencing your account. Stripe collects payment information directly; we receive only the customer ID, the subscription's plan metadata, and Stripe webhook events (checkout.session.completed, customer.subscription.*, invoice.payment_failed). Those events are the source of truth for your billing plan.
We use your email address for transactional messages (verification, password reset, email change confirmation, billing receipts via Stripe, and operational notices such as planned maintenance or material policy changes) and to reply to support inquiries you initiate. We do not currently send marketing email; if that changes, we will give existing accounts a clearly labeled, single-click opt-out at first send.
Per-state pageview counts and per-referrer counts are aggregated nightly and surfaced only to our internal admin dashboard.
We use technical logs, request patterns, and usage events to detect credential stuffing, key sharing across organizations, scraping attempts, and other abuse described in the Terms of Service.
We do not sell personal information. We do share specific data with the following subprocessors strictly to operate the Service:
hello@tou.tools.
hello@tou.tools for spam classification, subject to Google's API terms.
We may also disclose information when required by law, court order, or other valid legal process; to enforce our Terms; or to protect the rights, property, or safety of the Service, our users, or the public. If we are acquired or merged, your information may be transferred as part of that transaction; we will notify account holders in advance.
hello@tou.tools are retained until manually deleted from our admin inbox.
When you delete your account, we remove your account row, API keys, usage events, OAuth client registrations, and OAuth tokens. Stripe customer records persist with Stripe under their own retention rules so that prior invoices remain auditable; you can request closure of the Stripe customer separately.
Passwords are stored as bcrypt hashes; API keys are stored as SHA-256 hashes and shown to you in plaintext exactly once; OAuth refresh tokens are stored hashed and rotate on every use, with full-family revocation if a rotated token is replayed. JWTs are signed with a server-side secret. All traffic is served over HTTPS with certificates issued by Let's Encrypt. Database connections are pooled through PgBouncer; production hosts use SSH key authentication only and are firewalled.
No system is completely secure. If we discover a breach affecting your personal data, we will notify affected account holders by email without unreasonable delay, and in any case as required by applicable law.
tou.tools does not use third-party advertising or analytics cookies. We do not set tracking pixels. The dashboard uses your browser's localStorage to hold your JWT session token, your email, a cached theme preference, and a couple of housekeeping keys used by the verification flow. These values are visible only to your browser and to the tou.tools origin; they are not transmitted to anyone else.
California residents may request to know the categories and specific pieces of personal information collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom information is shared; to delete personal information; to correct inaccurate personal information; and to opt out of any sale or sharing of personal information for cross-context behavioral advertising. We do not sell personal information and we do not share it for cross-context behavioral advertising. To exercise these rights, email hello@tou.tools; we will verify your request by sending a confirmation to the email on file.
Because pageview analytics are stored only as aggregate counters with no per-visitor identifier or stored IP, we are unable to look up or delete a specific visitor's contribution to those counters — there is no record tied to you to look up.
The Service is operated from the United States and the data it returns is U.S.-scoped. You may call the API from anywhere, but by submitting personal data (your developer account email, or an end user's address for geocoding) you understand that the data will be processed and stored in the United States, which may have different data-protection laws than your country of residence.
The Service is intended for software developers and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has registered an account or otherwise provided us with personal information, contact us at hello@tou.tools and we will delete it.
We may update this Privacy Policy from time to time. When we do, we will update the date at the top of this page. Material changes affecting how we collect or share your personal information will be communicated to account holders by email at least 14 days before they take effect.
Privacy questions, access or deletion requests, and breach reports may be directed to hello@tou.tools.