GDPR Compliance
Last updated: January 2025
1. Our Commitment to GDPR
Dream Journal is committed to protecting the privacy and security of your personal data in compliance with the General Data Protection Regulation (GDPR). This page explains how we adhere to GDPR requirements and outlines your rights as a data subject.
The GDPR is a European Union regulation that gives individuals greater control over their personal data. Even if you're not in the EU, we extend these protections to all our users.
2. Data Controller Information
Dream Journal acts as the data controller for the personal data we collect from you. This means we determine the purposes and means of processing your personal data.
Data Controller: Dream Journal
Contact Email: dpo@dreamjournal.online
3. Lawful Bases for Processing
Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:
3.1 Contract Performance
Processing necessary to provide you with the Dream Journal service:
- Creating and managing your account
- Storing and displaying your dream entries
- Processing payments for subscriptions
- Providing AI-powered dream interpretations
3.2 Legitimate Interests
Processing necessary for our legitimate business interests:
- Improving and optimising our platform
- Ensuring security and preventing fraud
- Providing customer support
- Understanding how users interact with our service
3.3 Consent
Where we rely on your consent:
- Marketing communications (you can opt out at any time)
- Analytics cookies (can be managed via browser settings)
3.4 Legal Obligation
Processing required to comply with legal requirements:
- Tax and accounting records
- Responding to lawful requests from authorities
4. Your Rights Under GDPR
As a data subject, you have the following rights:
Right of Access
You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.
Right to Rectification
You can request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure
You can request deletion of your personal data. This is also known as the "right to be forgotten."
Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
Right to Data Portability
You can request your data in a machine-readable format to transfer to another service.
Right to Object
You can object to processing based on legitimate interests, including profiling.
5. How to Exercise Your Rights
You can exercise your GDPR rights in several ways:
5.1 Self-Service Options
- Access & Export: Use the Export feature in your account settings to download all your data in PDF or CSV format
- Rectification: Edit your profile information directly in your account settings
- Erasure: Delete individual dream entries from your journal, or request full account deletion
5.2 Contact Us
For any GDPR-related requests, please contact our Data Protection team:
- Email: dpo@dreamjournal.online
- Subject line: "GDPR Request - [Your Request Type]"
We will respond to your request within 30 days. If we need more time, we will inform you within the initial 30-day period.
5.3 Verification
To protect your privacy, we may need to verify your identity before processing certain requests. This may involve confirming your email address or asking you to provide additional identification.
6. Data We Collect
We collect and process the following categories of personal data:
| Category | Data Types | Purpose | Retention |
|---|---|---|---|
| Account Data | Email, name, password hash | Account management | Until account deletion |
| Dream Content | Dreams, emotions, tags, characters | Core service functionality | Until account deletion |
| Payment Data | Transaction history, subscription status | Payment processing | 7 years (legal requirement) |
| Usage Data | Feature usage, session data | Service improvement | 2 years |
| Technical Data | IP address, browser info, logs | Security, debugging | 90 days |
7. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
- Standard Contractual Clauses: EU-approved contracts with our service providers
- Data Processing Agreements: Binding agreements ensuring GDPR-level protection
7.1 Our Service Providers
- AWS (Amazon Web Services): Cloud hosting - EU and US data centres
- Stripe: Payment processing - US with SCCs in place
- Anthropic (Claude AI): AI processing - US with SCCs in place
- Google (Analytics & OAuth): Analytics and authentication - US with SCCs in place
8. Data Security Measures
We implement robust technical and organisational measures to protect your data:
8.1 Technical Measures
- SSL/TLS encryption for all data in transit
- Encryption at rest for stored data
- Secure password hashing (bcrypt with 12 salt rounds)
- Regular security updates and patches
- Firewall and intrusion detection systems
8.2 Organisational Measures
- Access controls based on the principle of least privilege
- Regular security training for team members
- Incident response procedures
- Regular backups with secure storage
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours
- If the breach is likely to result in a high risk to you, we will notify you directly
- We will document all breaches, including facts, effects, and remedial actions
10. Children's Data
Dream Journal is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
11. Automated Decision-Making
Dream Journal uses AI to analyse dreams and provide interpretations. This processing:
- Does not make decisions that have legal or similarly significant effects on you
- Is used solely to enhance your understanding of your dreams
- Can be disabled in your account settings at any time
- Is not used for profiling that produces legal effects
12. Supervisory Authority
If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority. For users in the UK, this is the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
We encourage you to contact us first so we can try to resolve any concerns directly.
13. Updates to This Information
We may update this GDPR compliance information from time to time. Significant changes will be communicated through our platform or via email. The "Last updated" date at the top of this page indicates when changes were last made.
14. Contact Our Data Protection Team
For any questions about GDPR compliance or to exercise your rights:
Data Protection Officer: Dream Journal DPO
Email: dpo@dreamjournal.online
Response Time: Within 30 days
Please include "GDPR" in your subject line to ensure prompt handling of your request.