Privacy Policy

DreamPitch - Dream Journal Application

Effective Date: 12/01/2025

Version: 1.0


1. Introduction

Protection of your personal data is a priority for DreamPitch. This Privacy Policy informs you how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679).

Data Controller:

  • Company Name: 2NDRUN
  • Legal Form: SASU (Simplified Joint-Stock Company)
  • Address: 6 Rue Sebastienne Guyot, 91190 Gif-sur-Yvette, France
  • SIREN: 989 659 123
  • SIRET: 989 659 123 00016
  • Email: support@dreampitch.app
  • Data Protection Officer (DPO): Not applicable (company with fewer than 250 employees)

2. Data Collected

2.1 Identification and Account Data

Data collected:

  • Email address (mandatory)
  • Full name (optional)
  • Username (optional)
  • Password (hashed and encrypted)
  • Profile picture (optional)

Purpose: Creation and management of your user account.

Legal basis: Contract performance (Article 6.1.b GDPR).

Social network connections: If you connect via Google or Apple, we receive:

  • Email address
  • Full name
  • Profile picture (if authorized)
  • Unique third-party account identifier

Legal basis: Contract performance (Article 6.1.b GDPR).

2.2 Dream Contents (Sensitive Data)

Data collected:

  • Voice recordings of your dreams (audio files)
  • Textual transcriptions of recordings
  • Manually written dreams
  • AI-generated interpretations and analyses
  • AI-generated images
  • Metadata: date/time, duration, tags, emotions, symbols

Purpose:

  • Storage and organization of your dream journal
  • Analysis and interpretation by artificial intelligence
  • Generation of dream visuals
  • Personal statistics and trends

Legal basis: Explicit consent (Article 6.1.a and 9.2.a GDPR).

⚠️ Important: Dreams may contain data revealing your private life, mental health, opinions, or beliefs. This data is considered "sensitive" under Article 9 of the GDPR. Processing requires your explicit and specific consent, which you give separately when using the Application.

2.3 Usage and Technical Data

Data automatically collected:

  • Device used (model, operating system, version)
  • IP address
  • Navigation and usage data (pages visited, features used)
  • Connection dates and times
  • Application preferences (language, theme, notifications)
  • Usage statistics (number of dreams, frequency of use)

Purpose:

  • Application improvement
  • Bug and technical problem resolution
  • Performance and engagement analysis
  • User experience personalization

Legal basis: Legitimate interest (Article 6.1.f GDPR).

2.4 Payment Data

Data collected:

  • Subscription type (free, premium)
  • Subscription and renewal dates
  • Payment history
  • Subscription status

⚠️ Note: Banking information (card number, etc.) is NEVER collected directly by DreamPitch. It is securely managed by:

  • Apple App Store (for iOS)
  • Google Play Store (for Android)
  • RevenueCat (PCI-DSS compliant third-party subscription manager)

Legal basis: Contract performance (Article 6.1.b GDPR).

2.5 Consent Data (GDPR Audit)

Data collected:

  • Date and time of acceptance of ToS and Privacy Policy
  • Version of accepted documents
  • IP address at acceptance time
  • AI usage consent
  • Consent modification history

Purpose: GDPR compliance proof and audit.

Legal basis: Legal obligation (Article 6.1.c GDPR).


3. Data Usage

3.1 Artificial Intelligence Processing

Your dreams are processed by the following artificial intelligence services:

OpenAI (United States)

  • Whisper Service: Automatic transcription of voice recordings
  • GPT-4 Service: Dream analysis and interpretation
  • DALL-E Service: Dream image generation

Location: United States (third country outside EU).

Safeguards: OpenAI has implemented:

  • Standard Contractual Clauses (SCC) approved by European Commission
  • GDPR-compliant privacy policy
  • Commitment not to use your data to train their models (per DPA agreement)

Retention at OpenAI: According to their policy, your data is deleted after processing (typically within 30 days). See: https://openai.com/privacy

Replicate (United States)

  • Stable Diffusion Service: Alternative image generation

Location: United States.

Safeguards: Standard Contractual Clauses (SCC).

⚠️ Your consent: Processing of your dreams by these AI services requires your explicit consent, which you give separately. You can withdraw this consent at any time in Settings > Privacy > AI Consent. Withdrawal disables AI features.

3.2 Storage and Synchronization

Infrastructure used: Supabase Inc. (PostgreSQL + Storage)

Location: Secure servers (AWS infrastructure)

Purpose:

  • Secure data storage
  • Synchronization across your devices
  • Backup and recovery in case of loss

Encryption:

  • Data in transit: HTTPS/TLS 1.3
  • Data at rest: AES-256
  • Local data: Secure encryption via SecureStore (iOS/Android)

3.3 Subscription Management

Service used: RevenueCat

Data shared:

  • User identifier (anonymized)
  • Subscription status
  • Payment history

Purpose: Premium subscription management, renewals, and customer support.

Legal basis: Contract performance (Article 6.1.b GDPR).


4. Data Sharing

4.1 Data Recipients

Your data may be shared with:

| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| OpenAI | AI analysis, transcription, image generation | United States | SCC, DPA |
| Replicate | Alternative image generation | United States | SCC |
| Supabase | Storage, database, infrastructure | [EU/US] | SCC if US |
| RevenueCat | Subscription management | United States | SCC, PCI-DSS certified |
| Apple / Google | Payments (App Store, Play Store) | Worldwide | Own policies |

4.2 No Data Sale

We NEVER sell your personal data to third parties. Your dreams are private and confidential.

4.3 Transfers Outside EU

Some of our service providers are located in the United States (third country). These transfers are governed by:

  • Standard Contractual Clauses (SCC) approved by European Commission (Decision 2021/914)
  • Data Processing Agreements (DPA) with each provider
  • Additional security measures (encryption, pseudonymization)

You can obtain a copy of SCCs by contacting support@dreampitch.app.

4.4 Legal Obligations

We may disclose your data if required by:

  • Judicial authority (order, requisition)
  • Legal obligation
  • Protection of our legal rights

5. Retention Period

5.1 Active Account

While your account is active:

  • Account data: retained indefinitely
  • Dreams and contents: retained indefinitely
  • Usage data: retained 3 years (then anonymized)
  • Technical logs: retained 12 months (then deleted)

5.2 After Account Deletion

When you delete your account:

  • Immediate deletion of Application access
  • Permanent deletion of all your data within 30 days maximum
  • Billing data retention: 10 years (legal accounting obligation)
  • Consent logs retention: 3 years (GDPR compliance proof)

5.3 Inactive Account

If you don't use your account for:

  • 2 years: Reminder email and notice of upcoming deletion
  • 3 years: Automatic account and data deletion (except legal obligations)

You will be notified 3 months before deletion.


6. Your GDPR Rights

As a European Union resident, you have the following rights:

6.1 Right of Access (Article 15 GDPR)

You can request:

  • A copy of all your personal data
  • Information about processing of your data

How to exercise:

Response time: 1 month (renewable once).

6.2 Right of Rectification (Article 16 GDPR)

You can correct:

  • Your account information (name, email, etc.)
  • Your dream contents

How to exercise:

6.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You can request deletion:

  • Of your account and all your data
  • Of specific dreams
  • Of data that became unnecessary

How to exercise:

Timeline: Permanent deletion within 30 days.

⚠️ Exceptions: We may retain certain data if required by law (billing: 10 years, consents: 3 years).

6.4 Right to Data Portability (Article 20 GDPR)

You can retrieve:

  • Your data in structured, commonly used format (JSON)
  • To transfer to another service

How to exercise:

  • Settings > Privacy > Export my data
  • Format: Machine-readable JSON

Export content:

  • User profile
  • All your dreams (text, metadata)
  • Preferences and settings
  • Consent history

6.5 Right to Object (Article 21 GDPR)

You can object:

  • To processing based on legitimate interest (e.g., analytics)
  • To profiling

How to exercise:

Consequence: Some features may be limited.

6.6 Right to Restriction of Processing (Article 18 GDPR)

You can request:

  • Temporary pause of data processing
  • While you contest accuracy or legitimacy of processing

How to exercise: Email to support@dreampitch.app

6.7 Right to Withdraw Consent (Article 7.3 GDPR)

You can withdraw:

  • Your consent to AI usage
  • At any time, without justification

How to exercise:

  • Settings > Privacy > AI Consent > Withdraw

Consequence: AI features will be disabled (analysis, interpretation, image generation).

6.8 Right to Lodge a Complaint (Article 77 GDPR)

You can file a complaint with your local data protection authority or:

French supervisory authority: CNIL

  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
  • Phone: +33 1 53 73 22 22
  • Website: https://www.cnil.fr

7. Data Security

7.1 Technical and Organizational Measures

We implement appropriate security measures to protect your data:

Encryption:

  • HTTPS/TLS 1.3 for all communications
  • AES-256 for data storage at rest
  • Secure local storage via Keychain (iOS) and Keystore (Android)
  • Bcrypt hashing for passwords (never stored in plain text)

Access and Authentication:

  • Multi-factor authentication available
  • Role-based access control (RBAC)
  • Sessions with automatic expiration
  • Rotating access tokens (JWT)

Infrastructure:

  • Firewall and intrusion detection
  • Daily encrypted backups
  • 24/7 system monitoring
  • Regular security updates

Organizational:

  • Staff training on data protection
  • Data access on need-to-know basis
  • Regular security audits
  • Incident response plan

7.2 Data Breach

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we commit to:

  • Notify supervisory authority within 72 hours
  • Inform you directly without undue delay
  • Describe breach nature and measures taken

8. Cookies and Similar Technologies

8.1 Cookies Used

Strictly Necessary:

  • User session (authentication)
  • Language and theme preferences
  • Security and fraud prevention

Legal basis: Contract performance (Article 6.1.b GDPR) - No consent required.

Analytics (if enabled):

  • Anonymized usage statistics
  • User experience improvement

Legal basis: Consent (Article 6.1.a GDPR) - You can refuse in Settings > Privacy.

8.2 Cookie Management

How to manage:

  • Settings > Privacy > Cookies and Analytics
  • Your browser/device settings

9. Children's Data

The Application is not intended for persons under 16 years of age (digital consent age under GDPR Article 8).

If you are under 16:

  • You must obtain parental or legal guardian consent before using the Application
  • We do not knowingly collect children's data without parental consent

If you are a parent:

  • You can request access, rectification, or deletion of your child's data by contacting support@dreampitch.app

10. Policy Modifications

10.1 Updates

We may modify this Privacy Policy to reflect:

  • Application developments
  • Regulatory changes
  • Practice improvements

10.2 Notification

In case of substantial modification, you will be informed via:

  • In-app notification
  • Email to registered address
  • 30 days before changes take effect

10.3 Acceptance

Your continued use of the Application after notification constitutes acceptance of the new policy. If you refuse, you must stop using the Application and delete your account.


11. Contact and Questions

11.1 Contact

For any questions regarding your personal data:

Email: support@dreampitch.app

Postal Address: 2NDRUN, 6 Rue Sebastienne Guyot, 91190 Gif-sur-Yvette, France

11.2 Response Time

We commit to responding to any request:

  • Within 1 month (Article 12.3 GDPR)
  • Extendable by 2 months if complex (with notification)

12. GDPR Glossary

Personal data: Any information relating to an identified or identifiable natural person.

Sensitive data: Data revealing racial origin, political opinions, religious convictions, health, sex life, etc. (Article 9 GDPR).

Data controller: Entity that determines purposes and means of processing (DreamPitch).

Processor: Entity that processes data on behalf of controller (e.g., OpenAI, Supabase).

Consent: Free, specific, informed, and unambiguous indication of wishes.

SCC (Standard Contractual Clauses): Clauses approved by European Commission to govern transfers outside EU.


Last Updated: 12/01/2025 Version 1.0