Last updated 2026-06-12 · This page is the policy. There is no longer version in legalese that says something different.
The short version: the meter collects counters, never content. It cannot read your prompts, your code, your file paths or your repo names, because its schema has no field for them. You see every byte before anything is sent. You can leave with one command.
Backpay is operated from Belgium by its founding member (the same person whose usage data is on the homepage). Data controller contact: [contact address — enable JavaScript]. We answer privacy mail ourselves, fast — there is no support queue to hide behind.
When you run the open-source meter and consent, it submits day-level usage counters read from log files your AI tools already write to your own disk. One day's payload, in full:
{ "schema_version": 0,
"panelist": "<random uuid — not your name, not your email>",
"date": "2026-06-12",
"entries": [ {
"tool": "claude-code", // fixed vocabulary
"model": "claude-opus-4-8", // fixed vocabulary
"input_tokens": 18093021,
"output_tokens": 842117,
"cache_read_tokens": 114230998,
"cache_creation_tokens": 1082211,
"cost_usd_est": 23.91,
"sessions": 4
} ] }
That is the entire schema. Tool and model names are mapped to a fixed list — strings from
your logs are never copied into payloads. The preview command prints exactly
what would be sent, any time, without sending it.
| Data | Status |
|---|---|
| Prompts, completions, code | no field exists — cannot be sent |
| File paths, repo or project names | no field exists — cannot be sent |
| Your name, email, employer (as a member) | no field exists — your id is a random UUID |
| Machine identifiers, hostnames, IP-derived profiles | no field exists |
| Timestamps finer than the calendar day | no field exists |
There is no signup form, no waitlist, no newsletter. Joining is npx backpay —
the union doesn't know your email because it never asks for it.
Our web server keeps standard access logs (IP address, user agent, requested URL) for security and debugging, retained for at most 30 days, then deleted. No analytics scripts, no trackers, no advertising pixels, no cookies. Fonts are self-hosted, so your browser makes no third-party requests when loading this site.
y at the
preview. Schema changes void consent — the meter re-asks.stop. It removes the cron line and local config.
Server-side erasure: mail your member UUID to the contact address above and we delete your rows.export command writes your complete data to a
file — you hold the originals anyway, on your own disk.Aggregates only, and only cells covering five or more members (k≥5). Individual rows are never sold, licensed, shown or "shared with select partners" — at any price. If a buyer wants raw rows, the answer is no, and the conversation is over.
50% of every revenue contract accrues to members, pro-rata by days contributed, in a ledger you can query. If you opt into payouts you may give us a Lightning address; it is stored only for paying you and deleted with the rest on erasure.
Your day-rows are kept while you are a member, to compute your ledger share. On erasure request: raw rows deleted; already-published k≥5 aggregates (which contain no individual data) remain.
This page is versioned in the open-source repo. Material changes to collection require a schema version bump, which makes every meter re-ask for consent. That is enforced by code, not by promise.