Privacy Policy for toolstream.dev

Your trust is the most important asset to us. This policy outlines our commitment to protecting your data, especially the sensitive API credentials you entrust to our service. We've designed our system from the ground up with your security and privacy as our top priority.

The Core Promise: A Zero-Human-Access Architecture

Your trust is our most critical asset. Our entire security model is built on one fundamental principle: **to ensure that no human at toolstream.dev can ever view your raw, unencrypted secrets.** While our automated system must handle your credentials in memory to function, we have architected our platform to make direct human access to these secrets technically infeasible and have implemented strict policies against ever logging or persisting them.

Here is the exact lifecycle of your credential when you add a connection:

1. Your browser sends your API key directly to our server over a secure TLS (HTTPS) connection.
2. Our application server immediately encrypts your credential in memory using strong, industry-standard **AES-256-GCM authenticated encryption**.
3. The unique master encryption key used for this process is stored securely in AWS Secrets Manager and is injected into our application at runtime. It is never stored in our code or database.
4. Only this resulting encrypted, unreadable text blob is ever written to our database.

When you execute a tool call, our server performs the reverse process in memory: it fetches your encrypted credential and the master key, decrypts the credential just long enough to make the outbound API call to the target service (e.g., Jira, GitHub), and then immediately discards the decrypted key from memory. **Your raw secrets are never written to logs or any other persistent storage.**

This means that even in the highly unlikely event of a database breach, your credentials would remain secure and unusable. While any service provider theoretically *could* change their code to expose customer data, our promise and our architecture are designed to make your secrets inaccessible to our team and to minimize their exposure time in our system to the absolute minimum required for functionality.

Data We Collect

To provide our service, we collect and store the following information:

• Account Information: Your email address, which is used for login, authentication, and service notifications.
• Connection Configuration: Non-sensitive metadata about your connections, such as the connection name you provide, the type of service (e.g., "Jira"), and public details like a Jira URL or a GitHub repository name (`owner/repo`).
• Usage Data: We log metadata about API calls, such as which user called which tool (e.g., jira.search_issues) and the timestamp of the call. We do this for billing (credit decrements), troubleshooting, and service improvement. **We do not log the arguments or results of your tool calls.**

How We Use Your Data

• To provide, maintain, and improve the toolstream.dev service.
• To authenticate you and manage your account.
• To manage your credit balance and billing.
• To communicate with you about service updates, security alerts, or support inquiries.

Data Security

We implement a variety of security measures to maintain the safety of your personal information and credentials. Our infrastructure runs on Amazon Web Services (AWS), leveraging their robust security features. Access to our production environment and data is strictly limited to authorized personnel.

Data Deletion

You have full control over your data. When you delete a connection through the dashboard, all associated data, including the encrypted credential, is permanently and irrecoverably removed from our database. You can request the deletion of your entire account by contacting us at support@toolstream.dev.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes by posting the new policy on this page and, if applicable, through an email notification.

Last Updated: June 23, 2025