Informativa sulla privacy

1. Who we are

Dreamalizing is a service of Elk River Holding B.V., registered in the Netherlands (Chamber of Commerce 78040787). We are the data controller for your personal data under the General Data Protection Regulation (GDPR).

Email: privacy@dreamalizing.com

2. What is Dreamalizing

Dreamalizing is a dream exploration app inspired by Jungian depth psychology. You record dreams (text or audio), answer guided questions, and receive a personal analysis. Dreamalizing is not therapy and does not provide medical or psychiatric advice.

3. What data we collect

Data you provide

• Email address — when registering
• Dream texts — typed or via audio transcription
• Audio recordings — optional, only with your explicit consent
• Session responses — your answers to exploration questions
• Profile data (optional) — first name, date of birth, gender, country, timezone
• Feedback — session ratings and comments

Data collected automatically

• IP address — during login and error reporting
• User agent — browser type and device (during error reporting and session registration)
• Usage events — e.g. “session started”, “export requested” (no content data)
• Technical error reports — error codes and stack traces, never dream content

Data we do NOT collect

• Location data (GPS)
• Contact lists or address book
• Photos, files, or camera access
• Advertising IDs
• Financial or payment data

4. How and why we process your data

a) Performance of contract (Art. 6(1)(b) GDPR)

• Creating and managing your account
• Processing dream texts for analysis
• Generating session questions and summaries
• Data export at your request

b) Consent (Art. 6(1)(a) GDPR)

• Storing audio recordings after transcription
• Tracking recurring motifs (cross-dream pattern recognition)
• Email marketing communications
• Sharing with a human coach (future feature)

You can withdraw consent at any time via your profile settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

c) Legitimate interest (Art. 6(1)(f) GDPR)

• Security monitoring and fraud prevention (IP logging, account lockout after failed attempts)
• Error detection and service improvement
• Anonymous usage statistics

5. Special categories of personal data

Dream content may contain information about your health, emotions, or psychological state. This may be considered special category personal data under Art. 9 GDPR. The legal basis for this processing is your explicit consent (Art. 9(2)(a) GDPR), given when you create an account and record dreams.

6. AI processing of your dream data

To provide your dream analysis, your dream text is processed by our own AI model, trained on Jungian dream analysis. This model runs entirely on our own servers in the Netherlands.

Safeguards

• Your dream text is never sent to external parties for AI processing
• The AI model runs locally on our own infrastructure in the European Union (Netherlands)
• No international data transfer takes place for dream processing
• Your dream data is not used to train third-party AI models

7. Third-party sharing

We never sell your data. Your data is shared only with:

We do not share dream content with advertisers, marketers, or other commercial parties.

8. Security

We take the security of your dream data extremely seriously.

Encryption

• Dream texts, session responses, quotes, and notes are stored encrypted using AES-256-GCM (Galois/Counter Mode)
• Each user has their own encryption key (envelope encryption with HKDF-SHA256)
• Passwords are hashed with Argon2id (memory-hard algorithm, 64 MB per hash)

Authentication

• JWT tokens signed with RS256 (RSA-SHA256), valid for 15 minutes
• Refresh tokens with rotation detection: reuse of a spent token invalidates all tokens in that session
• Account locks after 5 failed login attempts (15 minutes)

Infrastructure

• Own servers in the European Union (Netherlands)
• Own PostgreSQL database (no third-party cloud database service)
• Technical logs are automatically sanitized: dream content, email addresses, and tokens are stripped from log messages

9. Data retention periods

10. Your rights under GDPR

Right of access (Art. 15)

Request what data we hold about you. You can do this via the export function in the app.

Right to rectification (Art. 16)

Correct inaccurate data via your profile in the app.

Right to erasure (Art. 17)

• Delete individual dreams: remove specific dreams in the app
• Delete account (soft delete): your account and all dreams are marked as deleted. Permanently removed after 30 days, with recovery possible within that period.
• Expunge (hard delete): immediate, irreversible deletion. Encryption keys are destroyed first, making all encrypted data — including in backups — permanently unrecoverable.

Right to data portability (Art. 20)

Download all your data as a ZIP file (JSON format) via the export function. This includes: dream texts (decrypted), session questions and answers, motifs, profile data, and consent history.

Right to restriction (Art. 18)

Contact us at privacy@dreamalizing.com.

Right to object (Art. 21)

You can object to processing based on legitimate interest. Contact us at privacy@dreamalizing.com.

Withdraw consent (Art. 7)

Withdraw at any time via your profile settings (audio storage, motif tracking, marketing emails). Withdrawal does not affect prior processing.

11. Cookies and local storage

Cookies

The Dreamalizing app uses no HTTP cookies. The marketing website (dreamalizing.com) uses Google Analytics, which sets standard Google cookies. You can decline these via your browser settings.

Local storage on your device

• Authentication tokens — in SecureStore (iOS/Android) or localStorage (web)
• User profile cache — for faster display
• Marketing attribution (UTM parameters) — to know how you found us

12. Children

Dreamalizing is intended for users aged 13 and older. We do not knowingly collect data from children under 13. If you discover that a child under 13 has created an account, please contact privacy@dreamalizing.com so we can delete the account.

For users between 13 and 16, parental or guardian consent may be required depending on the country of residence (Art. 8 GDPR).

13. Incognito mode

Dreamalizing offers an incognito mode. When you record a dream in incognito mode:

• Audio recordings are deleted immediately after transcription (not stored)
• The dream is not linked to the motif system
• The dream is not included in pattern recognition

The dream text itself is still stored encrypted so you can review it, but can be deleted by you at any time.

14. International data transfers

Your dream data is stored and processed on our own servers in the Netherlands. Our AI model runs locally on the same infrastructure. No international data transfer takes place for dream processing.

The marketing website uses Google Analytics (US). EU Standard Contractual Clauses (SCCs) apply. This concerns only anonymized visit statistics, not dream content or personal data.

15. Changes to this policy

We may update this privacy policy. For substantial changes, we will notify you via email or a notification in the app. The current version is always available at dreamalizing.com/en/privacy.

16. Data breaches

In the event of a data breach that poses a risk to your rights and freedoms, we will report it within 72 hours to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). If the breach poses a high risk to you personally, we will also notify you directly.

17. Contact and complaints

Questions, requests, or complaints about privacy:

• Email: privacy@dreamalizing.com
• Controller: Elk River Holding B.V., Chamber of Commerce 78040787

You have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).