Privacy Policy

Dreamluna is a mobile app that lets you record, transcribe, and analyse your dreams with AI, keep a private dream journal, and optionally share dreams with a community. This policy covers all personal data handled through the app and its backend services.

"Personal data" means any information relating to an identifiable person. "Processing" means any operation performed on that data — collection, storage, use, sharing, or deletion.

Identity & contact

• Name and email — to create your account, sign you in, and send account-related messages.
• Google account basics — if you sign in with Google, we receive your name, email, and profile photo.
• Date of birth — for age verification (18+) and personalisation.
• Profile photo — optional.

Dream content

• Dream text — what you type or dictate.
• Voice recordings — only if you grant microphone access, used to transcribe your spoken dreams.
• AI analyses — interpretations, symbols, and mood signals generated from your entries.

Community & subscription

• Shared dreams, comments, likes — only the content you choose to share (anonymous sharing is available).
• Subscription status and history — your plan, renewal dates, and rewarded-ad usage on the free tier. We never receive your card details; payments are handled by Apple, Google, and RevenueCat.

Usage & technical

• In-app activity (dreams recorded, analyses requested, frequency of use).
• Device information (model, OS version, language).
• Approximate location (city level) and IP address, for analytics and abuse prevention.
• Crash logs and performance metrics.
• Advertising identifiers (IDFA on iOS, AAID on Android) for ads, where permitted.

Data	How it's collected	Legal basis
Identity	You provide it at sign-up	Contract — GDPR Art. 6(1)(b)
Dream content	Text / voice input	Explicit consent — GDPR Art. 9(2)(a)
Community content	Your interactions	Contract — GDPR Art. 6(1)(b)
Analytics	Automatic (Firebase)	Legitimate interest — GDPR Art. 6(1)(f)
Ads	Automatic (AdMob)	Consent — GDPR Art. 6(1)(a)

• Store and manage your dream journal securely.
• Generate AI dream analysis, mood detection, and symbol interpretation using OpenAI's GPT models.
• Transcribe voice recordings to text using OpenAI Whisper.
• Authenticate you (email and Google Sign-In) and manage your sessions.
• Provide statistics, streaks, and trends.
• Run community features: sharing, comments, and likes.
• Manage subscriptions and rewarded ads.
• Diagnose crashes, improve performance, and develop new features.
• Send dream reminders and important account or security notices.
• Show ads (free tier) and measure their performance.

We do not use your dream content to train third-party AI models, and we do not sell your data.

OpenAI (United States)

• Shared: dream text (for analysis) and voice recordings (for transcription).
• Purpose: AI interpretation via GPT models and speech-to-text via Whisper.
• Retention: OpenAI may retain API requests for a limited period for abuse prevention, and does not use API data to train its models.
• openai.com/policies/privacy-policy

Google Firebase (United States)

• Shared: your app data — profile, dreams, settings, audio files.
• Purpose: authentication, database (Firestore), file storage, and hosting.
• Security: encryption in transit (TLS) and at rest (AES-256).
• firebase.google.com/support/privacy

Google Analytics for Firebase

• Shared: anonymised usage and device data.
• Purpose: understand usage, track errors, improve performance.
• Opt out: Settings › App Settings › Analytics.

Google AdMob

• Shared: advertising identifiers, device info, approximate location.
• Purpose: show ads on the free tier.
• Control: limit ad tracking in your device privacy settings.

RevenueCat (United States)

• Shared: your account id, subscription status, and purchase history.
• Purpose: manage subscriptions and sync them across platforms.
• Card details are handled by Apple and Google, not by RevenueCat or us.

Some processors store data outside the European Economic Area and Türkiye, primarily in the United States. These transfers rely on appropriate safeguards under GDPR Art. 44–50 and KVKK Art. 9, including Standard Contractual Clauses, encryption in transit and at rest, and data minimisation — we transfer only what the service needs.

We keep data only as long as it is needed.

Data	Kept for	Deleted when
Account & dreams	While your account is active	You delete the item or the account
Voice files	While your account is active	You delete them or the account
Analyses	Until the related dream is deleted	Automatically with the dream
Community content	While your account is active	You delete it or the account
Anonymised analytics	Up to 26 months	Automatically by Google Analytics
Backups	Up to 90 days after deletion	Automatic backup rotation

• In transit: TLS encryption between the app and our backend.
• At rest: AES-256 encryption for databases and files (Firebase default).
• Access control: Firebase Security Rules restrict each user to their own data.
• Authentication: Firebase Authentication, with Google Sign-In support.
• App integrity: Firebase App Check (Play Integrity on Android, App Attest on iOS).

No system is perfectly secure, but we apply current, industry-standard safeguards and review them as the app evolves.

Under GDPR and KVKK you have the following rights, most of which you can exercise directly in the app.

• Access & portability: export your data as a machine-readable JSON file — Settings › Account Settings › Download my data.
• Rectification: edit your profile and account details in the app.
• Erasure ("right to be forgotten"): permanently delete your account and data — Settings › Account Settings › Delete account. See the account deletion page.
• Object / restrict: turn off analytics, personalised ads, push notifications, or marketing email from the app and your device settings.
• Complain: in Türkiye, the Personal Data Protection Authority (kvkk.gov.tr); in the EU, your local data protection authority.

We respond to requests within 30 days. The first request is free.

We do not knowingly collect data from anyone under 18. Date of birth and an age confirmation are required at sign-up. If we learn that an under-18 user has created an account, we delete it and its data. Parents who believe their child uses the app can contact us.

Dreamluna is a mobile app and does not use browser cookies. It uses the following SDK-level technologies:

Technology	Purpose	Control
Firebase Analytics	Usage & performance	Settings › Analytics
Google AdMob	Ads (free tier)	Device privacy settings
Local storage	App preferences	Required for the app to work
Firebase Cloud Messaging	Push notifications	Settings › Notifications
RevenueCat	Subscriptions	Cancel your subscription

If a personal data breach occurs, we will notify the relevant authority within 72 hours where required (GDPR Art. 33, KVKK Art. 12) and inform affected users without undue delay, describing the scope and the steps we have taken.

We may update this policy. For significant changes we will notify you in advance by email and in-app, and ask for renewed consent where required. Minor changes take effect when we update the "last updated" date above.

For any privacy question, request, or complaint, email dreamlunapp@gmail.com. We reply within 30 days.

This policy is maintained in compliance with GDPR (EU 2016/679) and KVKK (Law No. 6698).