Your data stays
on your Mac.
- TokenWatch does not collect, transmit, or share any personal data with the developer or any third party.
- All data stays on your device: in the macOS Keychain and local app storage.
- Network requests go directly from your device to Anthropic, using your own credentials.
- There are no analytics, trackers, advertising SDKs, or crash reporters in the app.
01Who We Are
TokenWatch is an independent macOS application developed by Gökhan Gökova ("developer", "we", "us"). The app is a menu bar utility that helps you monitor your Claude.ai subscription usage, optional API costs, and Claude Code activity from your local machine. TokenWatch is not affiliated with or endorsed by Anthropic, PBC.
02Data Collected and Stored
TokenWatch stores the following data locally on your device only. None of this data is accessible to the developer.
| What | Where stored | Why | Shared? |
|---|---|---|---|
| Claude.ai organization ID | macOS Keychain | To fetch your usage data without re-login on every launch | No |
| Anthropic Admin API key (optional) | macOS Keychain | To retrieve cost reports when you enable cost tracking | No |
| Trial install date and last-seen date | macOS Keychain | To track the 7-day free trial period and detect clock manipulation | No |
| Claude.ai session cookies | WebKit data store (system) | To maintain your login session across app launches (managed by macOS, same as Safari) | No |
| App preferences (refresh interval, menu bar mode, alert thresholds) | UserDefaults (local) | To restore your settings between sessions | No |
| 24-hour usage history snapshots | UserDefaults (local) | To render the sparkline usage chart in the menu bar popover | No |
| Claude Code session log cache | App memory and a security-scoped bookmark to ~/.claude |
To compute Claude Code analytics by reading your local session JSONL files. Files are read, never copied, never uploaded. | No |
03Data We Do Not Collect Important
TokenWatch does not collect or have access to:
- Your name, email address, or any account credentials
- The content of your Claude.ai conversations or prompts
- The content of your Claude Code session messages or code
- Your IP address or location data
- Device identifiers or hardware information
- Crash logs or diagnostic reports
- Usage analytics or behavioral data
There is no developer-operated backend server. No data is ever sent to a server controlled by the developer.
04Network Requests
The app makes outbound HTTPS requests directly from your device to the following Anthropic-operated services, using your own credentials:
- claude.ai : to read your subscription usage data (session percentage, weekly model limits) via the embedded browser session you establish. All requests are authenticated with your own session cookies.
- api.anthropic.com : only if you choose to enable optional cost tracking by providing an Anthropic Admin API key. Requests are read-only (billing cost reports). The key is used solely for this purpose.
Claude Code analytics never make a network request. They are computed entirely by reading session JSONL files on your local machine. No request content, response data, or metadata is routed through or logged by any server operated by the developer.
05In-App Purchases
TokenWatch offers a one-time in-app purchase ("TokenWatch Pro") through Apple's StoreKit. Purchase processing, receipt validation, and refunds are handled entirely by the App Store. The developer never sees your payment information. The only purchase-related data the app reads is the StoreKit transaction receipt (whether you have purchased Pro), which Apple delivers to the app on your device.
06Third-Party Services and SDKs
TokenWatch has zero external dependencies. It is built entirely using Apple-provided frameworks: SwiftUI, WebKit, Foundation, Security, StoreKit, WidgetKit, and ServiceManagement. No third-party SDKs, analytics libraries, advertising networks, or crash reporting services are included.
07Data Retention and Deletion
All locally stored data is deleted when you:
- Use the "Log out" option in Settings, which removes session data and organization ID from the Keychain
- Use the "Remove" option in API Cost Tracking settings, which deletes the Admin API key from the Keychain
- Revoke Claude Code folder access in Settings, which clears the security-scoped bookmark to
~/.claude - Uninstall the app, which removes all UserDefaults data and the app sandbox container
Keychain items associated with the app can also be removed manually via
Keychain Access.app by searching for
"com.gokhangokova.TokenWatch".
08App Sandbox and Security
TokenWatch runs inside the macOS App Sandbox. The only
entitlements requested beyond the default sandbox are outbound network access
(com.apple.security.network.client) and an optional user-selected
read-only access to ~/.claude for Claude Code analytics
(granted via a system file picker). The app does not access your file system
beyond that, the microphone, camera, contacts, or any other sensitive resources.
09Children's Privacy
TokenWatch is not directed at children under 13 and does not knowingly collect information from children. Use of the app requires an active Claude.ai subscription, which itself requires users to comply with Anthropic's Terms of Service.
10Changes to This Policy
If this Privacy Policy is updated in a material way, the "Last updated" date above will be changed and, where appropriate, users will be notified via the app's release notes.
11Contact
If you have questions or concerns about this Privacy Policy, please contact:
Gökhan Gökova
gokhan@gokhangokova.com
TokenWatch is an independent utility and is not affiliated with, sponsored by, or endorsed by Anthropic, PBC. "Claude" and "Claude.ai" are trademarks of Anthropic, PBC. This app is provided "as is" without warranty of any kind.