Privacy Policy
1. Privacy at a Glance
The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data by which you can be personally identified.
2. Data Controller
The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
BMGS Production OÜ
Pae tn 25-47, Lasnamäe linnaosa
11414 Tallinn, Republic of Estonia
Registry code: 14874412
Email: info@dreamai.vision
3. Hosting and Content Delivery Networks (CDN)
We host our website with **Vercel** (Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA). When you visit our website, Vercel collects server log files including your IP address, browser type, operating system, referrer URL, and time of the page access. The use of Vercel is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the secure and reliable technical provision of our website. Data transfers to Vercel in the United States are secured by Vercel’s EU-U.S. Data Privacy Framework (DPF) certification and Standard Contractual Clauses (SCCs).
4. Data We Collect and Purposes
We process personal data only to the extent necessary to provide a functional website and our digital products.
- Dream Text, Generated Analysis, Images & Audio: To create your interpretation we process the dream text (or transcribed speech) you submit, and we generate and store the resulting written analysis, AI-generated images and audio narration in our database and file storage (Supabase, EU region) so your report can be delivered, re-opened, and — if you create an account — kept in your personal dream archive.
*Legal Basis: Art. 6(1)(b) GDPR (performance of the contract). Dream content may reveal special categories of personal data within the meaning of Art. 9 GDPR (e.g. health, religious or philosophical beliefs, or sex life). We process such content solely on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR, which you give before submitting your dream and may withdraw at any time with future effect.* - Account Data (optional): If you register for a personal dream archive, we store your email address and authentication identifiers to maintain your account and give you access to your saved reports.
*Legal Basis: Art. 6(1)(b) GDPR (Contract Performance).* - Email Address: When you purchase a report, we collect your email address to deliver the generated PDF report and send a receipt.
*Legal Basis: Art. 6(1)(b) GDPR (Contract Performance).* - Payment Data: All payments are processed securely by Stripe. We do not store or have access to your full credit card details. Stripe shares transaction metadata (billing email, transaction ID, payment status) with us.
*Legal Basis: Art. 6(1)(b) GDPR (Contract Performance) & Art. 6(1)(c) GDPR (Legal Tax Obligation).* - Technical Logs: IP address, device specifications, and runtime error logs are processed automatically for security and monitoring.
*Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest).*
5. Third-Party Processors
To provide our services, we transfer data to the following external service providers acting as our processors under Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR:
| Processor | Location | Purpose | Data Safeguard |
|---|---|---|---|
| Stripe Payments Europe Ltd. / Stripe Inc. | Ireland / USA | Payment processing & fraud prevention | EU-U.S. Data Privacy Framework & SCCs |
| Vercel Inc. | USA | Web hosting & serverless functions | EU-U.S. Data Privacy Framework & SCCs |
| Resend Inc. | USA | Transactional email delivery | EU-U.S. Data Privacy Framework & SCCs |
| Functional Software Inc. (Sentry) | USA | Technical error monitoring (masked IPs) | EU-U.S. Data Privacy Framework |
| Anthropic PBC | USA | AI-driven text analysis (Jungian decoding) | EU-U.S. Data Privacy Framework & SCCs |
| FAL Labs Inc. (fal.ai) | USA | AI-driven image generation for dream scenes | EU Standard Contractual Clauses (SCCs) |
| ElevenLabs Inc. | USA | AI voice narration of your report excerpt | EU Standard Contractual Clauses (SCCs) |
| Supabase Inc. | EU (Ireland) | Database & file storage (dream text, reports, images, audio, account data) | Processing within the EEA |
| Cloudflare, Inc. | USA | Bot protection (Turnstile) — processes IP address | EU-U.S. Data Privacy Framework & SCCs |
| Upstash, Inc. | USA / EU | Rate-limiting cache (temporary IP-derived keys) | EU Standard Contractual Clauses (SCCs) |
*Note on AI Processors:* Anthropic, fal.ai and ElevenLabs process your inputs only to return the requested result. Under their API terms and data processing agreements, data submitted through the API is not used to train their models.
6. Data Retention
- Unpaid Previews: Dream submissions that are not purchased are automatically deleted, together with any generated preview image, within **14 days**.
- Purchased Reports (registered users): Your dream text, analysis, images and audio remain available in your personal archive until you delete the report or your account, or otherwise request erasure.
- Purchased Reports (guest checkout): Where you purchase without creating an account, your report is retained so you can re-access it and is erased upon request at info@dreamai.vision.
- Payment and Invoice Metadata: Retained for **7 years** to satisfy statutory tax, auditing and bookkeeping obligations under Estonian and EU law.
- Server and Error Logs: Technical log data on our hosting and error-monitoring infrastructure (Vercel, Sentry) is automatically purged within **30 days**.
7. International Data Transfers
Because some of our technical processors operate in the United States, your personal data may be processed outside the European Economic Area (EEA). To guarantee an adequate level of data protection, all US transfers are governed by standard safeguards: either the recipient is certified under the **EU-U.S. Data Privacy Framework (DPF)** (pursuant to an adequacy decision under Art. 45 GDPR) or we have concluded **EU Standard Contractual Clauses (SCCs)** (pursuant to Art. 46(2)(c) GDPR) with the respective processors.
8. Your Rights under GDPR
You have the following statutory rights regarding your personal data:
- Right of Access (Art. 15 GDPR): Right to obtain confirmation of whether your data is processed and a copy of the data.
- Right to Rectification (Art. 16 GDPR): Right to request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17 GDPR): Right to request deletion of your personal data ("Right to be Forgotten").
- Right to Restriction of Processing (Art. 18 GDPR): Right to request blocking of your data in specific cases.
- Right to Data Portability (Art. 20 GDPR): Right to receive your data in a structured, machine-readable format.
- Right to Object (Art. 21 GDPR): Right to object to processing based on legitimate interests (Art. 6(1)(f) GDPR).
- Right to Withdraw Consent (Art. 7(3) GDPR): Right to withdraw consent at any time, affecting future processing.
- Right to Lodge a Complaint (Art. 77 GDPR): Right to complain to a competent supervisory authority.
To exercise any of these rights, please email us at info@dreamai.vision.
9. Competent Supervisory Authority
Our lead supervisory authority is:
Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee | Website: www.aki.ee
You also retain the right to lodge a complaint with the data protection authority in your habitual place of residence, place of work, or place of the alleged infringement.
10. Cookies
We use strictly necessary technical cookies and equivalent local storage only (Stripe payment session tokens, an anti-abuse / rate-limiting identifier, Cloudflare Turnstile bot protection, and language & consent preference markers). We do not use advertising, cross-site tracking, or analytics cookies. Please refer to our Cookie Policy for detailed descriptions.
11. Age Limit
Our service is strictly intended for individuals aged **16 or older** (pursuant to Art. 8 GDPR). We do not knowingly collect, store, or process personal data of children under this age.
Last updated: June 11, 2026