Dreamuna

Privacy Policy

Last updated: April 17, 2026

Dreamuna ("we", "us", "our") runs dreamuna.com, an AI dream-interpretation subscription service. This Privacy Policy explains what information we collect about you, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It is written in plain English. Where the law requires specific language, we use it; elsewhere we try to be readable. It should be read alongside our Terms of Service.

§ 1. Who we are

Dreamuna is an independent digital product operated from Cyprus, European Union. We act as the data controller for the personal data described in this policy. We do not maintain a public registered office; all correspondence goes to hello@dreamuna.com, where a human replies within one business day.

This policy covers the Dreamuna web application, marketing site, transactional emails, and the public share pages under /d/[slug]. Third-party services we use each have their own privacy notices; we link to them in § 4.

§ 2. Information we collect

We collect the minimum we need to run the service, grouped into four categories:

§ 2.1 Account information

Email address, password hash, display name, optional avatar URL, preferred language, and marketing-email preference. If you sign in with an OAuth provider (Google, Apple), we also receive the provider ID and the basic profile fields that provider shares.

§ 2.2 Payment information

Subscription status, plan, trial/renewal dates, billing country, partial card metadata (brand + last four), and Lemon Squeezy customer/order IDs. Full card numbers and CVV never touch our servers — they go directly to Lemon Squeezy, our merchant of record. See Lemon Squeezy's privacy policy for how they handle payment data.

§ 2.3 Content you create

Dream descriptions you submit, quiz responses (mood, life stage, frequency, people, emotions), generated interpretations, AI-generated dream images, follow-up chat messages with Dreamuna, synthesised audio narrations, and any tags or notes you add. This content is encrypted in transit and stored in an EU-region database.

§ 2.4 Technical and device information

IP address, user-agent string, device type, approximate geolocation (country/region derived from IP), timestamps of logins and significant actions, and an anonymous session identifier (a UUID we generate so your journal follows you across devices before you sign in). We also log standard server telemetry (request paths, status codes, latency) for a short window for operational and security purposes.

§ 3. How we use your information

We use the data collected above for the following purposes, each tied to a lawful basis under Article 6 GDPR where applicable:

  • To provide the service — generate your interpretation, render your journal, run the chat, deliver reveal-series emails, and preserve your dreams across devices. Lawful basis: performance of a contract (Art. 6(1)(b)).
  • To process payments — charge your card via Lemon Squeezy, manage trials and renewals, and issue receipts. Lawful basis: performance of a contract (Art. 6(1)(b)) and, for tax-record retention, compliance with a legal obligation (Art. 6(1)(c)).
  • To keep the service safe — prevent fraud, abuse, and unauthorized access; rate-limit API calls; detect anomalies. Lawful basis: our legitimate interest in a secure product (Art. 6(1)(f)), balanced against your rights.
  • To improve the product — read aggregated, non-identifying usage trends (e.g. how many people finish the quiz on mobile). Lawful basis: legitimate interest (Art. 6(1)(f)).
  • To communicate with you — transactional emails (receipts, password resets, security alerts) based on contractual necessity; marketing emails only with your consent (Art. 6(1)(a)), which you can withdraw from your Account page or via the unsubscribe link in every marketing email.
  • To comply with law and enforce our rights — respond to lawful requests, prevent fraud, defend claims. Lawful basis: legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)).

We do not sell your personal data. We do not train third-party AI models on your dream content. We do not use your dreams for advertising.

§ 4. Who we share information with

We share only what a given sub-processor needs to do its job, and we bind each of them by a data-processing agreement. Our current sub-processors are:

  • Supabase (EU region) — database + authentication hosting. Stores your account, dreams, chat messages, and subscription metadata. Data resides on EU-based infrastructure. Supabase privacy notice.
  • OpenAI (United States) — AI inference for interpretations, chat replies, and dream imagery. API calls run under a zero-retention agreement: OpenAI does not store prompts or responses and does not train its models on API data. OpenAI privacy notice.
  • Lemon Squeezy (United States) — merchant of record for payments, sales tax, and the billing portal. Handles your card data end-to-end; we only see tokens and metadata. Lemon Squeezy privacy policy.
  • Resend (United States) — transactional and reveal-series email delivery. Receives your email address and email contents. Resend privacy policy.
  • Vercel (United States, EU edge regions) — web-application hosting and edge delivery. Processes request metadata (IP, user-agent, path) for routing, caching, and DDoS protection. Vercel privacy policy.
  • Cloudflare (global) — if used for DNS and DDoS protection in front of our domain. Processes request metadata in transit. Cloudflare privacy policy.

We may also disclose information when legally required (a valid court order, regulatory request, or to protect life or property). When we do, we tell you unless the request forbids notice.

§ 5. Your rights

Depending on where you live, you have the rights below. You can exercise any of them for free by emailing hello@dreamuna.com or using the tools on your Account page. We respond within 30 days (most replies come within one business day).

§ 5.1 EU / EEA / UK residents — GDPR Articles 12–23

  • Access (Art. 15) — request a copy of the personal data we hold about you. Tap "Export my data" on your Account page for an instant JSON download.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure / right to be forgotten (Art. 17) — delete your account and associated data. Use the type-to-confirm flow under Account → Danger zone, or email us.
  • Restriction (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Portability (Art. 20) — receive your data in a structured, machine-readable JSON format; the export tool provides this.
  • Object (Art. 21) — object to processing based on legitimate interests, including any profiling. Email us and we stop unless overriding legitimate grounds apply.
  • Withdraw consent (Art. 7(3)) — withdraw consent for marketing emails or non-essential cookies at any time; this does not affect lawfulness of prior processing.
  • Complain to a supervisory authority (Art. 77) — lodge a complaint with your local data-protection authority. If you are in Cyprus, that is the Office of the Commissioner for Personal Data Protection. A full list is on the EDPB website.

§ 5.2 California residents — CCPA / CPRA

You have the right to know, delete, correct, and limit the use of your personal information, and to opt out of the "sale" or "sharing" of personal information as defined by the CPRA. We do not sell your personal information and we do not share it for cross-context behavioural advertising. We verify requests by matching the requesting email to the one on the account. You may also appoint an authorised agent to act on your behalf.

§ 5.3 Other jurisdictions

If you live in Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), the UK (UK GDPR), Switzerland (FADP), or another jurisdiction with comparable data-protection law, you have substantially similar rights. Contact us and we will honour them.

§ 6. Data retention

We keep data only as long as needed for the purpose it was collected, then we delete or anonymise it.

  • Account + content — kept while your account is active. On deletion, personal data is purged from the application layer immediately and from encrypted backups within 30 days.
  • Inactive accounts — if you have not signed in for 24 months, we send a warning email and, without response, delete the account after 30 more days.
  • Transaction records — retained for the period mandated by tax and accounting law (typically 6 to 10 years depending on jurisdiction, e.g. 6 years in Cyprus).
  • Security logs — 90 days, then aggregated or deleted.
  • Aggregated analytics — anonymised numbers (daily active users, funnel rates) may be kept indefinitely because they no longer identify anyone.

§ 7. International data transfers

Your primary data lives in the European Union (Supabase EU region). Some sub-processors are US-based (OpenAI, Lemon Squeezy, Resend, Vercel). Transfers to them rely on the EU–US Data Privacy Framework where the processor is certified, and on Standard Contractual Clauses (SCCs) approved by the European Commission in all other cases, as permitted by Chapter V GDPR. You can request a copy of the transfer safeguards by emailing hello@dreamuna.com.

§ 8. Cookies and local storage

We use a small number of cookies. You see a consent banner on first visit; we only set non-essential cookies after you accept.

  • Session cookie (essential) — keeps you signed in. Expires with the session or after 30 days.
  • Anonymous session cookie (essential) — an opaque UUID so your journal follows you before you sign in. Cleared when you sign in and we merge the data onto your account.
  • Locale cookie (essential) — remembers your preferred language so pages load in the right locale on return.
  • Consent + age-gate cookies (essential) — record that you accepted the banner and the 16+ self-declaration so we don't ask again.
  • Non-essential cookies — if we ever add analytics or marketing cookies, they fire only after affirmative consent. You can change your choice by clearing cookies and reloading the site.

§ 9. Children and teens (16+ only)

Dreamuna is intended for users aged 16 and over. Before the dream quiz we require a 16+ self-declaration. We do not knowingly collect data from children under 16. If you are a parent or guardian and believe a child has given us their data, email hello@dreamuna.com and we will delete it promptly.

§ 10. Security

We take security seriously. Technical and organisational measures include: TLS 1.2+ encryption in transit, encryption at rest for the primary database and backups, Argon2-hashed passwords, least-privilege access for team members, short-lived access tokens, HTTP security headers (CSP, HSTS, X-Content-Type-Options), automated dependency scanning, and incident-response procedures. No system is perfectly secure; if we detect a data breach that is likely to harm you, we notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Articles 33–34 GDPR.

§ 11. Automated decision-making and AI

Your dream interpretation is generated by an AI system (OpenAI's API). It is not a legally significant automated decision in the sense of Article 22 GDPR — it does not affect your rights, legal status, or access to goods or services. You always have the option not to use it. Per Article 50 of the EU AI Act, we disclose clearly that interpretations, chat replies, reveal-series emails, and dream images are AI-generated.

§ 12. Changes to this policy

We may update this policy as the service evolves or the law changes. Material changes — for example, a new sub-processor category or a new purpose of processing — are announced by email and by a site-wide banner at least 14 days before they take effect. Non-material edits (clarifications, typos) are made silently; the "Last updated" date at the top always reflects the most recent change.

§ 13. Contact us

Questions, requests, or concerns? Email hello@dreamuna.com — a human replies within one business day. For formal GDPR requests please include the email on your account so we can verify your identity.