Skip to main content
← Back to Home

Privacy Policy

Last updated: May 4, 2026

This Privacy Policy describes how Why We Dream LLC ("Company," "we," "us," or "our") collects, uses, and protects your information when you use DreamCreator ("Service"), a content production platform available at dreamcreator.whywedream.com. By using the Service you consent to the practices described here. Plain English first: we collect only what we need, we use it to run the product, and we never sell it.

1. Information We Collect

We collect information you give us directly, information created when you use the Service, and limited information pulled from the social platforms you connect.

1.1 Account Information

  • Basic account data: Name, email address, company or agency name, and password when you sign up.
  • Profile details: Profile photo, timezone, role, and notification preferences you choose to add.
  • Support messages: Emails and attachments you send to our support team.

1.2 Social Media OAuth Tokens

  • When you connect a social account (Instagram, Facebook, TikTok, YouTube, LinkedIn, or Google Business Profile), we store the OAuth access and refresh tokens issued by that platform.
  • Tokens are encrypted at rest using AES-256-GCM and stored in our database. We never log or expose raw tokens.
  • We request only the permission scopes needed to perform the actions you initiate inside DreamCreator (publishing, scheduling, reading analytics). See Section 3 for platform-by-platform details.

1.3 Content You Create or Upload

  • Media files: Videos, images, and audio clips you upload for posts or short-form content.
  • Post copy: Captions, hashtags, alt text, and link data you write or generate via AI.
  • Scheduling data: Publish dates, times, target platforms, and queue configurations.
  • Campaign and brand assets: Logos, brand color palettes, font files, and templates you store in your workspace.

1.4 Analytics Data

  • Engagement metrics (likes, shares, comments, saves, views, follower growth) pulled from each connected platform on your behalf via their official APIs.
  • Audience demographic data provided by the platforms (age range, location, gender breakdown) where their APIs expose it to content creators.
  • Post-level performance data tied to content you published through or synced into DreamCreator.

1.5 AI Prompts and Generated Content

  • Text prompts you type into our AI assistant (Sally) and the content it generates in response.
  • Audio or video you submit for AI transcription or voice generation features.
  • AI-generated scripts, captions, hooks, and post ideas stored in your workspace.

1.6 Payment Information

  • Billing details (card number, expiry, billing address) are entered directly into Stripe's secure payment form. We never receive or store full card numbers on our servers.
  • We store your Stripe Customer ID and subscription status to manage your plan and billing history inside the app.

1.7 Communications Data

  • Email: Transactional email logs (delivery status, open events) for notifications we send you via Resend.
  • SMS: Phone number and message delivery status for account alerts sent via Twilio, where you have opted in.

1.8 Automatically Collected Information

  • Usage data: Pages and features you use, clicks, session duration, and navigation patterns.
  • Device and browser: Browser type, OS, screen size, and language settings.
  • Network: IP address, approximate city-level location, and referring URL.
  • Log data: Server request timestamps, error logs, and performance traces for debugging and security.

2. How We Use Your Information

2.1 Deliver and Run the Service

  • Publish and schedule content to your connected social accounts on your behalf.
  • Sync analytics data from each platform so your dashboard stays current.
  • Store, organize, and serve your media files and workspace assets.
  • Manage your account, subscription, and team permissions.

2.2 AI Features

  • Route your prompts and relevant context to Anthropic's Claude API to generate captions, scripts, hooks, and content ideas.
  • Process audio or video you submit to Deepgram for transcription (captions, repurposing workflows).
  • Generate AI voiceovers via ElevenLabs when you use voice clone or text-to-speech features.

2.3 Billing and Notifications

  • Process subscription payments and send billing receipts and renewal reminders.
  • Send transactional notifications: publishing confirmations, failed-post alerts, security notices, and usage warnings.
  • Provide customer support and respond to your requests.

2.4 Security and Improvement

  • Detect and prevent fraud, abuse, and unauthorized access.
  • Monitor system health and fix technical issues.
  • Analyze aggregated, anonymized usage patterns to improve features (never your individual content or social data).

Our commitments:

  • We do not sell your personal information or social data to any third party.
  • We do not use your content to train AI models.
  • We do not share your data with third parties for their marketing purposes.
  • We do not post, delete, or modify content on your social accounts except when you explicitly initiate an action in DreamCreator.

3. Social Platform Data

DreamCreator connects to social platforms through their official APIs using OAuth 2.0. Here is exactly what we access on each platform, and what we do not.

PlatformWhat we accessWhat we do not do
Instagram / MetaPublish feed posts, Reels, and Stories you schedule. Read post-level analytics (reach, impressions, engagement). Read basic profile info (username, follower count).We do not read your DMs or inbox. We do not access other users' data. We do not run paid ads.
FacebookPublish posts and videos to Pages you manage. Read Page insights and post analytics. Read Page name and profile.We do not access your personal profile or friend list. We do not manage Groups or Marketplace. We do not run ads.
TikTokPublish videos you create or upload. Read video analytics (views, likes, shares, comments count). Read basic account info.We do not read your messages. We do not access your contacts or following list beyond public counts.
YouTubeUpload videos and Shorts. Set titles, descriptions, tags, and thumbnails. Read channel and video analytics. Read channel name and subscriber count.We do not read your private playlists or watch history. We do not access your YouTube inbox. We do not purchase or manage ads.
LinkedInPublish posts and articles to your profile or Company Pages you admin. Read post-level analytics. Read your display name and profile URL.We do not read your connections or messages. We do not access your job applications or private activity.
Google Business ProfilePublish posts and updates to your Business Profile. Read post performance metrics. Read your business name and profile status.We do not access or respond to customer reviews. We do not modify your business listing details (address, hours, categories).

How we handle your social tokens:

  • OAuth tokens are encrypted with AES-256-GCM before being written to the database. The encryption key is never stored alongside the data.
  • Tokens are never logged, exposed in API responses, or shared with any third party.
  • We only call platform APIs when you trigger an action (schedule a post, refresh analytics, connect an account). We do not poll your accounts in the background beyond scheduled sync jobs you have configured.
  • When you disconnect a social account, we immediately stop using its token and delete it from our database within 30 days. Cached analytics tied to that account are retained for the life of your workspace unless you request deletion.
  • You can revoke our access at any time from each platform's own permissions settings page, in addition to disconnecting inside DreamCreator.

4. AI-Powered Features

DreamCreator includes AI features powered by three providers. Here is what gets sent where and how long it is retained.

4.1 Anthropic Claude (Sally assistant)

  • When you use Sally to write captions, generate hooks, ideate content, or get strategic suggestions, your prompt and any context you provide (platform, brand voice, recent posts) are sent to Anthropic's Claude API over an encrypted connection.
  • Under our data processing agreement with Anthropic, they do not use API inputs or outputs to train their models.
  • Anthropic retains API inputs and outputs for up to 30 days for trust and safety purposes, after which they are deleted.
  • AI-generated content you save in your workspace is stored in our database and follows the retention schedule in Section 7.

4.2 Deepgram (Transcription)

  • When you use auto-captioning or audio transcription, your audio or video file is sent to Deepgram's API for speech-to-text conversion.
  • Under our agreement with Deepgram, they process audio solely to return a transcript and do not use your audio to train their models.
  • Audio data sent to Deepgram is not stored by Deepgram beyond the time needed to process the request (typically seconds).

4.3 ElevenLabs (Voice Generation)

  • When you use voice-over or text-to-speech features, your script text (and, for voice cloning, short audio samples you explicitly upload) are sent to ElevenLabs to generate audio.
  • You retain full ownership of any voice you clone. DreamCreator does not share your voice model with other users.
  • ElevenLabs' data handling is governed by their Privacy Policy. We recommend reviewing it before using voice-cloning features.

You can disable AI features at any time from your account settings. Turning off AI features does not affect scheduling, publishing, or analytics.

5. Third-Party Services

We rely on the following providers to operate DreamCreator. Each processes data under contractual obligations consistent with this policy.

ProviderPurposePrivacy Policy
SupabaseDatabase, authentication, row-level securitysupabase.com/privacy
Cloudflare R2Media and asset file storagecloudflare.com/privacypolicy
VercelApplication hosting and edge deliveryvercel.com/legal/privacy-policy
StripePayment processing and subscription billingstripe.com/privacy
AnthropicAI content generation (Claude / Sally)anthropic.com/privacy
DeepgramAudio transcription and auto-captionsdeepgram.com/privacy
ElevenLabsAI voice generation and voice cloningelevenlabs.io/privacy
ResendTransactional email deliveryresend.com/privacy
TwilioSMS account notificationstwilio.com/legal/privacy

We may also share information when required by law, to protect our rights, or in connection with a merger or acquisition (in which case we will notify you before your data is subject to a different privacy policy).

6. Data Storage and Security

Your account and workspace data is stored in Supabase (backed by AWS infrastructure in the us-east-1 region, United States). Media files and uploaded assets are stored in Cloudflare R2 with global CDN delivery.

  • Encryption at rest: All database data is encrypted at rest by Supabase using AES-256. R2 storage objects are encrypted at rest by Cloudflare.
  • Encryption in transit: All traffic between your browser and our servers uses TLS 1.2 or higher. API calls to third-party providers are made over HTTPS.
  • Social token encryption: OAuth tokens are additionally encrypted using AES-256-GCM at the application layer before being written to the database. Encryption keys are stored separately from the data they protect.
  • Access controls: Row-level security (RLS) ensures users can only access data within their own workspace. Admin access to the database requires multi-factor authentication.
  • Payment security: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We never see or store full card numbers.
  • Security monitoring: We run automated monitoring for anomalous activity and apply security patches on a routine schedule.

No method of electronic storage or internet transmission is 100% secure. While we implement commercially reasonable measures, we cannot guarantee absolute security. If you discover a security issue, please report it to jaiden@whywedream.com.

7. Data Retention

  • Active accounts: We retain all workspace data for as long as your subscription is active.
  • Cancelled accounts: Your data is soft-deleted for 30 days after cancellation. During that window you can request a data export or reactivate your account. After 30 days data is permanently deleted.
  • Expired trials: Trial accounts not converted to a paid plan are retained for 30 days after trial expiry, then permanently deleted.
  • Disconnected social accounts: OAuth tokens are deleted within 30 days of disconnection. Cached analytics data remains in your workspace until you delete it or close your account.
  • Database backups: Rolling backups are kept for 30 days, then automatically destroyed.
  • AI session data: Prompts and outputs saved to your workspace follow the same retention schedule as other workspace data. Unsaved AI sessions are discarded at the end of each browser session.
  • Audit logs: System access logs are retained for 12 months for security and compliance purposes.
  • Deletion requests: We process verified deletion requests within 30 days. Some data may persist in encrypted backups for up to 30 additional days before being overwritten. We may retain minimal records where required by law (for example, billing records for tax compliance).

8. Cookies and Tracking

We keep tracking minimal. Here is what we use and why:

  • Session cookies (Supabase auth): These keep you logged in. They are essential and cannot be disabled without breaking the app.
  • Vercel Analytics: Anonymous performance metrics (page load times, web vitals). No personally identifiable information is collected.
  • Stripe: Stripe sets cookies during payment flows for fraud prevention. These are limited to checkout pages.

What we do not do:

  • We do not run ad-tracking pixels (no Meta Pixel, no Google Ads tag) on app pages.
  • We do not sell cookie or tracking data to data brokers or advertisers.
  • We do not use cross-site tracking technologies.

You can manage or clear cookies via your browser settings at any time. Clearing session cookies will log you out.

9. Your Rights

These rights apply to all DreamCreator users regardless of location:

  • Access: Request a copy of the personal data we hold about you. Most of your data is already visible and exportable from your account Settings.
  • Correction: Update or correct inaccurate information through account Settings or by contacting us.
  • Deletion: Request deletion of your account and all associated personal data. We process deletion requests within 30 days.
  • Portability: Export your workspace data (posts, analytics, content library) from Settings in standard formats (CSV, JSON).
  • Restrict processing: Request that we limit how we process your data in specific circumstances.
  • Object: Opt out of marketing communications at any time using the unsubscribe link in any email or by updating notification settings.
  • Withdraw consent: Where processing is based on your consent (for example, optional AI features), you may withdraw that consent at any time.

To exercise any right, email jaiden@whywedream.com. We will respond to verified requests within 30 days and will not discriminate against you for exercising your privacy rights.

10. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties we share with.
  • Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to Limit Sensitive Information: We use sensitive personal information (such as login credentials and payment data) only as necessary to provide the Service.
  • Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right.

To submit a California privacy request, email jaiden@whywedream.com with the subject line "CCPA Request." We may verify your identity before processing. You may designate an authorized agent to submit requests on your behalf. In the preceding 12 months we have collected the categories of personal information described in Section 1. We have not sold personal information.

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) gives you additional protections:

  • Lawful basis for processing: We process your data on the basis of (a) contract performance (delivering the Service you subscribed to), (b) legitimate interests (security, service improvement), and (c) consent (where you have opted in, for example, to AI features or marketing emails).
  • Data Controller vs. Processor: Why We Dream LLC acts as the data controller for your account and usage data. For content, analytics, and social data you store in your workspace, we act as data processor on your behalf.
  • Data Protection contact: For GDPR inquiries, email jaiden@whywedream.com.
  • Right to Lodge a Complaint: You may lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

On a verified request we will erase your personal data within 30 days (GDPR Article 17), except where we have a legal obligation to retain it.

12. International Data Transfers

DreamCreator is operated from the United States. Data is stored on servers located in the United States (Supabase on AWS us-east-1, Cloudflare R2 with US primary). If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. Where required by applicable law (such as for EEA transfers), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide appropriate safeguards for international data transfers.

13. Children's Privacy

DreamCreator is a professional content production tool intended for adults and businesses. The Service is not directed at individuals under 13 years of age, and we do not knowingly collect personal information from anyone under 13. If we discover that a child under 13 has provided us personal information, we will delete it promptly. If you believe a child under 13 has created an account, contact us at jaiden@whywedream.com.

14. Do Not Track Signals

Some browsers send a "Do Not Track" (DNT) signal to websites. Because DreamCreator does not use cross-site tracking technologies or third-party ad-tracking scripts on app pages, our default practices already align with DNT preferences. We do not alter our behavior in response to DNT signals because we do not engage in the tracking those signals are designed to prevent.

15. Changes to This Policy

We may update this Privacy Policy when our practices change, new features launch, or legal requirements evolve. When we make material changes, we will notify you by email at least 30 days before the changes take effect and update the "Last updated" date at the top of this page. The current version is always available at dreamcreator.whywedream.com/privacy. Your continued use of the Service after changes take effect means you accept the updated policy.

16. Contact Us

Questions about this policy, your data, or how to exercise your rights? Reach us here:

Why We Dream LLC

1254 W Union Bench Dr, Mapleton, UT 84664

Email: jaiden@whywedream.com

Website: dreamcreator.whywedream.com

© 2026 Why We Dream LLC. All rights reserved.

Terms of ServicePrivacy Policy