Privacy Policy

Last updated: May 25, 2026

Dreamer is a personal command center — tasks, notes, bookmarks, journal, and an AI assistant — that runs as a web app and an optional browser extension ("Dreamer Capture"). This policy explains what data we collect, what we do with it, and what controls you have.

The short version

  • Your data is stored in your own Supabase project (or one we host for you, depending on your install). It is not shared with anyone else.
  • We do not sell your data. We do not run ads. We do not have a marketing-analytics stack.
  • The browser extension only sends data to the dashboard URL you configured — nothing else.
  • Questions you ask through Ask AI are forwarded to OpenRouter (which routes to Anthropic's Claude). They are not used to train models.
  • You can export everything as JSON or delete your account at any time.

What data we collect

You create it

  • Account data: email, display name, timezone.
  • Content you save: tasks, notes, bookmarks, highlights, follow-ups, reminders, calendar events, journal entries, contacts, books/media/travel records, goals, habits, pomodoro logs, and any tags or descriptions you add.
  • Bookmark enrichment: when you bookmark a URL, our server fetches the page once to extract its title, description, thumbnail, favicon, author, and a plain-text excerpt. The fetched page contents are stored alongside the bookmark for your future reading and search.
  • Activity log: a per-user record of which entities you created, edited, or archived, so the Settings → Activity page can show your own history.

The browser extension sends

The extension is opt-in. When it's installed and you trigger a save (popup, right-click menu, or keyboard shortcut), it sends to the dashboard URL you configured:

  • The URL, page title, and (if you selected text) the highlighted text of the current tab.
  • Anything you typed in the popup: title, note, tags, target type (bookmark / note / task).
  • An Authorization: Bearer drm_… header containing your personal API token, which authenticates the request against your account.

The extension does not read or send anything from other tabs, does not log your browsing history, and does not phone home to any third party. The <all_urls> host permission is required only so the right-click context menu works on any site you choose to save from — it is not used for background reading. See "Extension permissions, in detail" for the full per-permission justification.

Server-side, automatically

  • Authentication tokens: stored as opaque session cookies by Supabase Auth. API tokens for the extension are stored as SHA-256 hashes — the plaintext is shown only once at creation time.
  • Server logs: standard request logs (timestamp, path, status code) retained by our hosting provider (Vercel) for up to 30 days. No request bodies are logged.

What we do with it

  • Run the product. Render your dashboard, persist your edits, search your history, generate AI answers when you ask.
  • Bookmark enrichment. The server fetches public pages you save so we can show you a title and summary instead of a bare URL.
  • AI assistant (Ask AI). When you chat with the assistant, we build a snapshot of your relevant data (open tasks, recent notes, etc.) and send it together with your prompt to OpenRouter, which routes the request to Anthropic's Claude 3.5 Haiku model. The response is streamed back to you. Per Anthropic and OpenRouter's policies, requests made via the OpenRouter API are not used to train future models.
  • Optional notifications. If you opt in to browser push notifications, we may send you reminders (e.g. "Task X is due today") at the times you've configured. You can revoke this in your browser at any time.

What we do not do

  • We do not sell, rent, or share your data with advertisers.
  • We do not use your content to train AI models.
  • We do not run third-party trackers (no Google Analytics, no Meta Pixel, no Mixpanel, no Sentry).
  • We do not read your other tabs from the browser extension.

Sub-processors

To run the service we rely on:

Security

  • Every table in our database has row-level security enabled. A user can only read and write rows where user_id = auth.uid(); there is no cross-account access path.
  • The service-role database key lives only on the server, never in any browser bundle, and is used only for narrow paths (extension auth verification, the email-capture webhook, the nudge scheduler) that explicitly scope queries by user_id.
  • API tokens for the extension are stored as SHA-256 hashes. You can revoke any token at any time from Settings → API tokens.
  • Bookmark URL fetching has an SSRF guard that refuses to fetch private/internal hostnames (localhost, RFC1918, link-local, cloud metadata endpoints).
  • Redirects on the auth callback are restricted to the same origin — open-redirect attacks are blocked.
  • All traffic is HTTPS. All cookies are Secure, HttpOnly, and SameSite=Lax.

Your controls

  • Export — Settings → Data → Export all my data as JSON.
  • Archive — most entity types support an archive button so you can hide items without deleting them.
  • Delete — Settings → Danger zone → Delete account. This permanently removes your user row and (by foreign-key cascade) every piece of content you created. Backups roll over within 7 days.
  • Revoke tokens — Settings → API tokens → Revoke. The extension will stop working immediately.
  • Notifications — disable per-channel in Settings → Notifications, or in your browser's site permissions.

Children

Dreamer is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has created an account, email us and we'll delete it.

International

If you use Dreamer from outside the country where the database is provisioned (typically the US or Singapore on Supabase's free tier), you consent to your data being transferred to and stored there. Supabase encrypts data at rest and in transit.

Changes to this policy

If we make material changes, we'll update the "Last updated" date at the top, and (if you have an account) email you before the changes take effect.

Contact

Questions or requests: tusharmali1972@gmail.com.