Privacy Policy
Your dreams are personal. We treat them with care.
Version 2.2 — July 10, 2026
1. Who we are
Dreamalizing is a service of Elk River Holding B.V., registered in the Netherlands (Chamber of Commerce 78040787). We are the data controller for your personal data under the General Data Protection Regulation (GDPR).
Email: privacy@dreamalizing.com
2. What is Dreamalizing
Dreamalizing is a dream exploration app inspired by Jungian depth psychology. You type your dream or use device dictation, answer personal questions, and receive a reflection. Dreamalizing is not therapy and does not provide medical or psychiatric advice.
3. What data we collect
Data you provide
- Email address — when registering
- Dream texts — typed or entered with device dictation; Dreamalizing does not store an audio recording
- Session responses — your answers to exploration questions
- Profile data (optional) — first name, date of birth, gender, country, timezone
- Feedback — session ratings and comments
Data collected automatically
- IP address — during login and error reporting
- User agent — browser type and device (during error reporting and session registration)
- Usage events — e.g. "session started", "export requested" (no content data)
- Technical errors — error codes and stack traces, never dream content
Data we do NOT collect
- Location data (GPS)
- Contact lists or address book
- Photos, files or camera access
- Advertising IDs
- Financial or payment data
4. How and why we process your data
a) Performance of the contract (Art. 6(1)(b) GDPR)
- Creating and managing your account
- Processing dream texts for analysis
- Generating session questions and summaries
- Data export upon your request
b) Consent (Art. 6(1)(a) GDPR)
- Tracking recurring motifs (pattern recognition across dreams)
- Marketing communication via email
- Sharing with a human coach (future feature)
You can withdraw consent at any time via your profile settings. Withdrawal does not have retroactive effect on previously performed processing.
c) Legitimate interest (Art. 6(1)(f) GDPR)
- Security monitoring and fraud prevention (IP logging, account lockout after failed attempts)
- Bug fixing and service improvement
- Anonymous usage statistics
5. Special categories of personal data
Dream content may contain information about your health, emotions or psychological state. This may be considered special categories of personal data under Art. 9 GDPR. The legal basis for this processing is your explicit consent (Art. 9(2)(a) GDPR), which you provide when creating an account and recording dreams.
6. AI processing of your dream data
Your dream text is processed by our own language model on servers within the European Union. Your data is stored encrypted and your dream text is not sent to external AI services.
Safeguards
- Dream content is not sent to external AI providers for AI processing
- Text correction, questions, and analysis use our own language model on servers within the European Union.
- Dream content is not used to train third-party models
- If the local model is unavailable, there is no cloud fallback for dream content
7. Sharing with third parties
We never sell your data. Your data is only shared with:
| Party | Purpose | Data |
|---|---|---|
| Google Analytics | Website visitor statistics (marketing site only) | Anonymized visit data, cookies |
| SMTP mail server (self-hosted) | Email delivery | Email address, verification links |
We do not share dream content with advertisers, marketers, or other commercial parties.
8. Security
We take the security of your dream data extremely seriously.
Encryption
- Dream texts, session responses, quotes and notes are stored encrypted with AES-256-GCM (Galois/Counter Mode)
- Each user has their own encryption key (envelope encryption with HKDF-SHA256)
- Passwords are hashed with Argon2id (memory-hard, 64 MB)
Authentication
- JWT tokens signed with RS256 (RSA-SHA256), valid for 15 minutes
- Refresh tokens with rotation detection: reuse of a used token invalidates all tokens in that session
- Account lockout after 5 failed login attempts (15 minutes)
Infrastructure
- The production API, database, and our own language model run on servers within the European Union.
- Self-hosted PostgreSQL database (no third-party cloud database service)
- Technical logs are automatically sanitized: dream content, email addresses and tokens are removed from log messages
9. Retention periods
| Data | Retention period |
|---|---|
| Dream content | Unlimited — kept while the account exists |
| Account data | Until deletion request |
| Soft-deleted data | No automatic purge period is currently demonstrated for individually soft-deleted dreams |
| Encryption keys after expunge | Immediately deleted |
| Access logs | 30 days |
| Authentication events | 90 days |
| AI usage metrics (token counts) | 90 days |
| Error reports | 30 days |
| Audit trail | 1 year |
| Backups after deletion | No working production backup is currently demonstrated; we therefore promise no backup retention or restore window |
10. Your rights under the GDPR
Right of access (Art. 15)
Request what data we have about you. This is available via the export function in the app.
Right to rectification (Art. 16)
Correct inaccurate data via your profile in the app.
Right to erasure (Art. 17)
- Delete an individual dream: removes it from your visible archive; no automatic purge period is currently demonstrated for this soft-delete route
- Delete account: after confirmation the account is immediately hard-deleted; profile, dreams, sessions, other personal data, and encryption keys are removed
- No recovery period: confirmed account deletion is irreversible. The current backup status is stated in the retention table above
Right to data portability (Art. 20)
Download all your data as a ZIP file (JSON format) via the export function. This includes: dream texts (decrypted), session questions and answers, motifs, profile data, and consent history.
Right to restriction of processing (Art. 18)
Contact us at privacy@dreamalizing.com.
Right to object (Art. 21)
You can object to processing based on legitimate interest. Contact us at privacy@dreamalizing.com.
Withdraw consent (Art. 7)
You can withdraw consent at any time via your profile settings (audio storage, motif tracking, marketing emails). Withdrawal does not have retroactive effect.
11. Cookies and local storage
Cookies
The Dreamalizing app sets no HTTP cookies. The marketing website (dreamalizing.com) uses Google Analytics, which sets standard Google cookies. You can decline these via your browser settings.
Local storage on your device
- Authentication tokens — in SecureStore (iOS/Android) or localStorage (web)
- User profile cache — for faster display
- Marketing source (UTM parameters) — to know which channel you came from
12. Children
Dreamalizing is intended for users 13 years and older. We do not knowingly collect data from children under 13. If you discover that a child under 13 has created an account, please contact us at privacy@dreamalizing.com so we can delete the account.
For users between 13 and 16, parental or guardian consent may be required depending on the country of residence (Art. 8 GDPR).
13. Incognito mode
Dreamalizing offers an incognito mode. When you record a dream in incognito mode:
- The dream is not linked to the motif system
- The dream is not included in pattern recognition
The dream text itself is stored encrypted so you can find it again, but you can delete it at any time.
14. International data transfer
Account and dream data are stored on servers within the European Union. AI processing of dream content also takes place on servers within the European Union; between these servers, dream content travels over a private connection.
The marketing website uses Google Analytics (USA). EU Standard Contractual Clauses (SCCs) apply. This concerns only anonymized visit statistics, never dream content or personal data.
15. Changes to this policy
We may update this privacy policy. For substantial changes we will notify you via email or an in-app notification. The current version is always available at dreamalizing.com/en/privacy.
16. Data breaches
In the event of a data breach posing a risk to your rights and freedoms, we will report it within 72 hours to the Dutch Data Protection Authority. If the breach poses a high risk to you personally, we will also notify you directly.
17. Contact and complaints
Privacy questions, requests or complaints:
- Email: privacy@dreamalizing.com
- Controller: Elk River Holding B.V., Chamber of Commerce 78040787
You have the right to file a complaint with the Autoriteit Persoonsgegevens or with the supervisory authority in your EU member state.