Privacy Policy

Last updated: June 1, 2025  ·  Effective immediately

1. Introduction

This Privacy Policy explains how ThyraAI ("we," "us," or "our"), the operator of DreamAPI ("the Service"), collects, uses, stores, and protects your information.

We take data privacy seriously — especially because our Service handles sensitive API credentials. This policy is written to be transparent about exactly what we do and don't do with your data.

2. Information We Collect

Account Information

When you create an account through Clerk (our authentication provider), we receive:

  • Email address
  • Display name (if provided)
  • Authentication identifiers (Clerk user ID)

API Keys & Vault Data

When you store third-party API keys in the DreamAPI vault:

  • Keys are encrypted with AES-256-GCM before being stored in our database
  • Each encrypted key includes a unique initialization vector (IV) and authentication tag
  • Encryption uses a server-side master key — we cannot read your raw API keys from the database
  • We store a boolean flag indicating whether a vault key exists, but never log or cache raw keys

Usage Data

  • Project names and descriptions you create
  • Integration configurations (which services are enabled)
  • Activity logs (key generation, rotation, project creation)
  • Monthly cost estimates you enter for tracking

Billing Information

Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription ID but never store credit card numbers, bank account details, or other payment credentials on our servers.

Webhook Data

When third-party services send webhooks through DreamAPI, the event payloads are stored temporarily for debugging purposes. Webhook data is scoped to your project and not shared.

3. How We Use Your Information

We use your information exclusively to:

  • Provide and operate the DreamAPI service
  • Authenticate your identity and authorize access
  • Encrypt, store, and retrieve your API keys when you request them
  • Process subscription payments via Stripe
  • Display your activity history and project statistics
  • Send transactional emails (e.g., billing confirmations)
  • Improve the Service based on aggregate usage patterns

4. What We Do NOT Do

We want to be explicit about what we never do:

  • ❌ We never sell your data to third parties
  • ❌ We never share your API keys with anyone
  • ❌ We never use your credentials for our own purposes
  • ❌ We never access your third-party accounts via stored keys
  • ❌ We never display ads or use data for ad targeting
  • ❌ We never log raw (unencrypted) API keys

5. Data Storage & Security

Encryption

  • All API keys are encrypted using AES-256-GCM before database storage
  • Encryption keys are stored separately from the database in environment variables
  • Dream Key hashes use SHA-256 — raw Dream Keys are never stored

Infrastructure

  • Database: Neon (serverless PostgreSQL) hosted on AWS US-East-1
  • Application: Vercel (edge network with global CDN)
  • Authentication: Clerk (SOC 2 compliant)
  • Payments: Stripe (PCI DSS Level 1 compliant)

Access Controls

  • All data is scoped to your user account — no cross-user data access
  • API routes verify authentication via Clerk on every request
  • Database queries are parameterized to prevent SQL injection

6. Third-Party Services

We use the following third-party services to operate DreamAPI. Each has its own privacy policy:

  • Clerk — Authentication & user management
  • Stripe — Payment processing
  • Neon — Database hosting
  • Vercel — Application hosting & deployment

We only share the minimum data required for each service to function (e.g., email to Clerk, customer ID to Stripe).

7. Data Retention

  • Account data: Retained while your account is active
  • Encrypted vault keys: Retained while your account is active; deleted within 30 days of account termination
  • Activity logs: Retained for 90 days, then automatically purged
  • Webhook events: Retained for 30 days, then automatically purged
  • Revoked Dream Keys: Hash retained for security (to prevent reuse); raw key is never stored

8. Your Rights

You have the right to:

  • Access — Request a copy of all data we store about you
  • Correction — Update your account information at any time
  • Deletion — Request complete deletion of your account and all associated data
  • Export — Download your project configurations and integration settings
  • Revocation — Revoke all Dream Keys and remove all vault data instantly

To exercise any of these rights, contact us at support@thyraai.com.

9. Cookies

We use essential cookies only — specifically those required by Clerk for authentication sessions. We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Children's Privacy

DreamAPI is not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or email. The "last updated" date at the top of this page will be revised.

12. Contact

Questions or concerns about your privacy? Reach us at support@thyraai.com.