Privacy Policy
Last updated: March 24, 2026
Quick Summary
- ✓ We do NOT store your prompts or messages
- ✓ We do NOT store your credit card details
- ✓ We store only usage metadata (token counts, costs, timestamps)
- ✓ Your prompts are forwarded to AI providers for processing (that's the service)
- ✓ Cached responses auto-delete within 24 hours
- ✓ You can request deletion of your data at any time
1. Who We Are
Thermly ("we", "us", "our") operates an AI request routing service that helps businesses optimize their AI API costs. This Privacy Policy explains how we collect, use, and protect your information when you use our website, dashboard, and API (collectively, the "Service").
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address - for account identification and communication
- Name - for display in the dashboard
- Password - stored as a secure hash by Supabase Auth (we never see your plaintext password)
2.2 API Usage Data
When you make API requests, we collect:
- Token counts - number of input and output tokens per request
- Model used - which AI model handled the request
- Complexity level - our classifier's assessment (simple/moderate/complex)
- Cost - what the request cost us and what we charged you
- Timestamps - when each request was made
- Latency - response time in milliseconds
- Cache status - whether the response was served from cache
2.3 What We Do NOT Collect
- Prompts and messages: We do NOT store the content of your API requests. We only store cryptographic hashes (one-way, irreversible) for caching purposes.
- AI responses: We do NOT permanently store AI-generated responses. Cached responses are temporary (1-24 hours) and automatically deleted.
- Credit card details: We NEVER see, process, or store your payment card information. All payments are handled directly by Stripe.
2.4 Payment Information
Payments are processed by Stripe. When you purchase credits, you interact directly with Stripe's payment system. We only receive:
- A Stripe customer reference ID (not your card number)
- Payment status (paid/failed)
- Transaction amount
3. How We Use Your Information
| Data | Purpose |
|---|---|
| Email, name | Account management, dashboard display, support communication |
| Usage metadata | Billing calculation, dashboard analytics, cost savings display |
| Prompt hashes | Cache matching only (to serve faster, cheaper responses) |
| Stripe customer ID | Process payments and manage billing |
We do NOT use your data to train AI models. We do NOT sell your data to third parties.
4. Third-Party Data Sharing
Your data is shared with these third parties only as necessary to provide the Service:
| Third Party | Data Shared | Purpose |
|---|---|---|
| OpenAI | Your prompt/message content | AI response generation |
| Anthropic (Claude) | Your prompt/message content | AI response generation |
| Google (Gemini) | Your prompt/message content | AI response generation |
| Stripe | Payment information, transaction amounts | Payment processing |
| Supabase | Account data, usage metadata | Database hosting |
| Railway | Application logs (no prompt content) | Server hosting |
Each provider has its own privacy policy governing how it handles data. We encourage you to review their policies.
5. Caching
To reduce costs and improve response times, we cache AI responses temporarily in Redis (an in-memory database):
- Cache keys are SHA-256 hashes of your request parameters. The hash is irreversible - the original prompt cannot be reconstructed from it.
- Cached responses (the AI's answer) are stored for 1-24 hours depending on query type, then automatically deleted.
- You can bypass caching by including the header `x-no-cache: true` in your request.
- High-temperature requests (temperature > 0.5) and requests with tools/function calling are never cached.
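As an added illustration (not Thermly's own code) of the caching rules described above, the following Python derives a SHA-256 cache key from request parameters and applies the eligibility checks; the exact set of request fields that form the key, the canonical JSON serialisation, the `functions` field and the header parsing are assumptions, not details from the policy.

```python
import hashlib
import json

# Assumed (not stated in the policy): which request fields feed the cache key.
KEY_FIELDS = ("model", "messages", "temperature", "max_tokens")
CACHE_BYPASS_HEADER = "x-no-cache"       # from the policy: x-no-cache: true
MAX_CACHEABLE_TEMPERATURE = 0.5          # from the policy: > 0.5 is never cached


def cache_key(request: dict) -> str:
    """Return the SHA-256 hex digest used as the cache key.

    The key is one-way: identical requests map to the same entry, but the
    prompt text cannot be recovered from the stored digest. Canonical JSON
    (sorted keys, no whitespace) is assumed so that two equivalent requests
    serialise to the same bytes regardless of field order.
    """
    subset = {k: request[k] for k in KEY_FIELDS if k in request}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def is_cacheable(request: dict, headers: dict) -> bool:
    """Apply the policy's eligibility rules before consulting the cache."""
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): str(v).strip().lower() for k, v in headers.items()}
    if hdrs.get(CACHE_BYPASS_HEADER) == "true":
        return False  # client explicitly opted out of caching
    if float(request.get("temperature", 0.0)) > MAX_CACHEABLE_TEMPERATURE:
        return False  # high-temperature output is non-deterministic
    if request.get("tools") or request.get("functions"):
        return False  # tool / function-calling requests are never cached
    return True


if __name__ == "__main__":
    # Constructed sample request, not real traffic.
    req = {"model": "example-model", "temperature": 0.2,
           "messages": [{"role": "user", "content": "Summarise this ticket."}]}
    print(cache_key(req), is_cacheable(req, {}))
```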
6. Data Security
- API keys: Stored as SHA-256 hashes (one-way). We cannot retrieve your key after creation - only you have it.
- Encryption in transit: All connections use HTTPS/TLS encryption.
- Database: Hosted on Supabase with Row Level Security policies.
- Payment processing: Stripe is PCI DSS Level 1 certified. We never handle raw card data.
- Admin access: Protected by separate admin keys. Dashboard API routes use server-side authentication.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account info (email, name) | Until you delete your account |
| Usage logs (token counts, costs) | Indefinite (required for billing audits) |
| Credit transactions | Indefinite (required for financial records) |
| Cached responses | 1-24 hours (automatically deleted) |
| Application logs | 30 days (Railway log retention) |
8. Your Rights
You have the right to:
- Access your data: View your usage data anytime via the dashboard.
- Delete your account: Contact us to delete your account and associated data within 30 days.
- Export your data: Contact us for a copy of your usage data.
- Disable caching: Use the `x-no-cache: true` header to prevent response caching.
- Object to processing: Contact us if you have concerns about how we process your data.
If you are in the European Economic Area (EEA), you have additional rights under GDPR, including the right to data portability and the right to lodge a complaint with your local data protection authority.
9. Cookies
The Thermly dashboard uses essential cookies for authentication (Supabase session tokens). We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
10. Children
The Service is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the dashboard. Your continued use of the Service after changes take effect constitutes acceptance.
12. Contact
For privacy-related questions or to exercise your data rights, contact us at support@thermly.net