Legal
Privacy Policy
Effective date: 2026-04-28
1. Introduction
This Privacy Policy describes how Virev AI ("we", "us", "our") collects, uses, and shares information when you
or an end-user of your application interacts with the Virev API at api.virev.ai ("API" or "Service").
By creating an account or calling the API you agree to the practices described here.
2. Information We Collect
2.1 Developer Account Information
When you sign in to the developer portal through Clerk, we collect:
- Email address
- Name and profile photo (if provided)
- Account identifiers (user ID)
2.2 API Keys
For each developer account we store:
- A SHA-256 hash of the API key (used for authorization on every request)
- The key prefix (first 16 characters) to help you identify it in dashboards
- An AES-256-GCM-encrypted copy of the raw key, used only when you click "Reveal" in the portal
- The key's status (active / revoked), creation time, and last-used timestamp
Each developer has a single active key; creating a new key auto-revokes the old one. Raw API keys are never logged, never written to error reports, and never shared with third parties.
2.3 Request Metadata
For every API call we record:
- The API key ID, endpoint path, response status, and duration
- The Instagram identifier you queried (username or shortcode), used to fulfill the request
- The cost charged and your remaining balance
- An internal request ID (for support and debugging)
We do not log full request bodies for the public Instagram-data endpoints, and we do not retain end-user IP addresses beyond what is required for security and abuse prevention.
2.4 Billing Information
Payments are processed by Stripe. We do not store full card numbers — Stripe holds them under PCI-DSS compliance. We retain billing identifiers (Stripe customer ID, payment intent IDs, saved-card metadata such as brand and last four digits), top-up history, and balance state.
2.5 Public Instagram Data Returned by the API
The API returns publicly available Instagram data (profiles, posts, timelines, public contact info from bios) that we collect via our crawler-v2 backend. We do not access private accounts, direct messages, or any data requiring login authentication on third-party platforms.
3. How We Use Information
- Authenticate API requests — match the bearer token to an active key and authorize the call
- Charge usage — deduct per-request cost from your dollar balance and write usage logs
- Provide the developer portal — show your key, balance, usage history, and top-up history
- Operate auto top-up — charge your saved card off-session when balance falls below a threshold you set
- Prevent abuse — detect and block credential-stuffing, scraping at suspicious rates, and other abuse
- Improve the Service — analyze aggregated request patterns to tune performance, caching, and pricing
- Communication — send service notices, billing receipts, and security alerts
- Compliance — meet legal, tax, and accounting obligations
4. Third-Party Processors
The following providers process data on our behalf:
4.1 Infrastructure & Authentication
- Clerk — developer-portal authentication and session management. Subject to Clerk's Privacy Policy.
- Convex — application database (API keys, balances, usage logs, top-up history). Servers in the United States.
- Vercel — hosting for the API gateway and developer portal.
- Railway — hosting for our backend Instagram-data service (crawler-v2).
- PlanetScale — PostgreSQL storage for the Instagram-data cache (read-only from the gateway).
- Backblaze B2 — media cache and CDN for cached Instagram media.
4.2 Payments
- Stripe — payments, saved cards, auto top-up. Subject to Stripe's Privacy Policy.
4.3 AI Providers
- OpenAI — content classification and enrichment for the
/v1/intelligence/profileendpoint. - Google (Gemini) — embedding and content classification fallback.
4.4 Observability
- Sentry — error monitoring (we redact API keys before sending events).
- PostHog — product analytics for the developer portal only (not for API requests).
We do not sell your data to advertisers, and we do not run advertising trackers on the developer portal or API endpoints.
5. End-User Data (Your API Consumers)
When your application makes calls to the API on behalf of your end-users, we treat you as the controller of any end-user data you submit and we act as a processor under your instructions. You are responsible for:
- Obtaining the legal basis (consent or other) to query and store the public Instagram data you receive
- Honoring access, correction, and deletion requests from your end-users
- Providing your own privacy policy that describes your use of the API
- Complying with applicable data-protection laws (GDPR, CCPA, PIPA, and similar)
6. Data Storage & Security
Your data is stored on servers located in the United States. We apply:
- HTTPS/TLS encryption for all API traffic and portal access
- API keys stored as SHA-256 hashes; raw keys are AES-256-GCM-encrypted and decrypted only on explicit reveal
- Stripe handles all card data under PCI-DSS Level 1; we never see the card number
- Access controls scoped by user identity; admin access is logged
- Webhook signatures verified for Stripe and Convex callbacks
No system is 100% secure. While we apply industry-standard protections, we cannot guarantee absolute security of your data.
7. Data Retention
- Developer account — retained until you delete the account, plus periods required by law.
- API keys (revoked) — hash + prefix retained indefinitely for usage-log integrity; encrypted raw key purged on revocation.
- Usage logs — retained for 12 months for billing dispute resolution and abuse investigation.
- Top-up and billing records — retained for at least 7 years to satisfy tax and accounting obligations.
- Cached Instagram data — refreshed periodically; stale cache purged within 12 months.
- Error logs and traces — retained up to 90 days.
8. Your Rights
Depending on your location, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your developer account
- Portability — receive your data in a portable format
- Objection / Restriction — object to or restrict certain processing
To exercise these rights, email privacy@virev.ai. We respond within 30 days. Where you act on behalf of an end-user, please direct your end-users to your own controller-level privacy contact.
9. Cookies & Tracking
The developer portal uses essential cookies for authentication and session management (Clerk) and PostHog cookies for product analytics. The API itself does not set cookies on your end-users. We do not run advertising cookies or third-party ad networks.
10. International Data Transfers
Data is processed and stored in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses and processor agreements to safeguard transfers from the EU/UK and other regions with cross-border restrictions.
11. Children's Privacy
The Service is intended for businesses and developers and is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we hold data from a minor, contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date and, where required, communicated to active developer accounts by email. Continued use of the Service after changes constitutes acceptance.
13. Contact
For privacy-related inquiries, email privacy@virev.ai.
© 2026 Virev AI. All rights reserved.