Privacy Policy

Dreamuna ("we", "us", "our") runs https://dreamuna.com — an AI dream-interpretation subscription operated from the European Union. We are the data controller for the personal data described here. Questions go to hello@dreamuna.com; a human replies within one business day.

1. What we collect

We collect the minimum we need to run the service:

• Account — email, password hash, display name, preferred language, marketing-email preference.
• Payment — subscription status, plan, trial/renewal dates, billing country, partial card metadata (brand + last four digits) returned by our payment processor. We never see or store full card numbers.
• Content — the dream descriptions you submit, quiz answers (mood, life stage, frequency, people, emotions), AI-generated interpretations, chat messages, and the audio/PDF/image artefacts produced from them. Dream content can imply information that GDPR Art. 9 treats as special-category — health, beliefs, sexuality, ethnicity. The service exists specifically to read and reflect on this kind of material; by starting the quiz and submitting a dream after reading this notice, you provide informed consent under Art. 9(2)(a) for the interpretation purposes described in §2. The general processing (running the service, hosting your journal, generating reads) is also necessary to perform the contract you have with us (Art. 6(1)(b)). You can withdraw consent and trigger erasure of your content at any time by deleting your account from the account page — full erasure completes within 30 days.
• Technical — IP address, user-agent, approximate region (derived from IP, not precise location), timestamps, error reports. Used for security, fraud prevention, and debugging.

2. How we use it

We use the data above for the following purposes, each tied to a lawful basis under Art. 6 (and Art. 9 where dream content is involved):

• Provide the service — generate your interpretation, render your journal, run chat, create images and audio. Basis: contract (Art. 6(1)(b)) for the general processing, and your informed consent (Art. 9(2)(a)) for any special-category content you choose to share with the service, given by submitting it after reading §1.
• Process payments — charge your card, manage trials and renewals, prevent chargebacks. Basis: contract.
• Keep the service safe — rate-limit abuse, screen inputs for moderation, monitor for crisis signals. Basis: legitimate interest in protecting users and the service.
• Communicate — transactional emails (receipts, password resets), and marketing emails only if you opted in. Basis: contract / consent.
• Comply with law — respond to lawful requests, defend legal claims. Basis: legal obligation / legitimate interest.

We do not sell your personal data. We do not use your dream content to train AI models — neither ours nor a third party's.

3. Who we share it with

We share only what each service needs to do its job, and we bind each by a data-processing agreement. The categories of recipients are:

• Hosting & database — stores your account, dreams, and journal in an EU region.
• AI inference — generates interpretations, chat replies, dream images, and audio. Configured for non-training use; your content is not retained for model training. Inference servers are US-based.
• Payment processor (merchant of record) — handles card processing, sales tax / VAT, refunds, and the customer billing portal. US-based.
• Email delivery — transactional and (consented) marketing emails.
• Web hosting & error telemetry — serves the site at the edge and collects scrubbed error reports so we can fix bugs.

We may also disclose information where required by law (a valid court order, regulatory request) or to defend our rights, lives, or property.

4. How long we keep it

Account and content stay while your account is active. When you delete your account, personal data is removed within 30 days, except for transaction records we are required to keep for tax and accounting (typically 7 years), security logs (90 days), and any aggregated, anonymised analytics that no longer identify you.

If you don't sign in for 24 months, we email a warning and then delete the account if you don't return.

5. Your rights

If you are in the EU, EEA, UK, or Switzerland, GDPR (or its equivalent) gives you the right to access, rectify, delete, restrict, or export your personal data; to object to processing based on legitimate interest; and to withdraw consent at any time. Exercise any of these by emailing hello@dreamuna.com — we respond within 30 days. You can also export or delete your account directly from your account page.

You also have the right to lodge a complaint with your local data- protection supervisory authority. If you live outside the EU, your country's privacy law gives you similar rights — same email.

6. International transfers

Your data primarily lives in the European Union. Some of our processors operate from the United States; for those transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) and any applicable adequacy decision. You can request the relevant agreements by emailing us.

7. Cookies

We use essential cookies — a session cookie to keep you signed in, an anonymous-session cookie so your journal follows you before signup, a locale cookie, and a consent cookie that records your banner choice. With your consent we may also use analytics and marketing cookies to understand how the product is used and to measure ad performance; those fire only after you accept the consent banner. A specific per-vendor list will be published here once the granular per-category consent UI ships.

8. Security

We use industry-standard measures (TLS in transit, encrypted database storage, restricted service-account access, rate limits, security logging) and review them regularly. No system is impenetrable; if we ever detect a personal-data breach we'll notify affected users and the relevant supervisory authority within 72 hours, as Art. 33-34 require.

9. Children (16+ only)

Dreamuna is intended for users aged 16 and over. Account creation asks you to confirm your date of birth, and we refuse to process content from anyone we discover to be under 16 — under-16 sign-ups are blocked from the quiz, success, journal, and account pages. If you believe a child under 16 has created an account, please email us so we can remove it.

10. Changes to this policy

We may update this policy as the service or the law changes. Material changes (new processor categories, new data uses, retention extensions) are announced by email at least 30 days before they take effect. Continued use after the effective date means you accept the updated policy.

See also our Terms of Service for subscription, content, AI, and accessibility provisions.