1. Identity and contact of the controller
Data controller: Erick Rico, independent developer ("Controller", "Operator", "we").
Email: support@oneiric-diary.com
Initial availability: Mexico. Planned expansion: Latin America and North America.
This Notice is issued in compliance with the LFPDPPP (Mexico), without claiming full compliance with GDPR, CCPA, or other foreign regulations until specific adaptations are made.
2. Personal data collected
Oneiric Diary collects the following data depending on the features used:
2.1 Identification and account data
a. full name; b. nickname; c. email address (unique identifier); d. password (stored as BCrypt hash, never in plain text); e. internal user identifier; f. registration method (email, google, apple, facebook); g. OAuth provider identifier, when applicable; h. email verification status; i. account status (active, pending deletion, etc.).
2.2 Demographic data (optional)
a. gender; b. date of birth.
2.3 Profile data (optional)
a. profile image URL; b. phone number and country code (reserved fields; currently not actively requested in all versions).
2.4 User-provided content
a. dream text and titles; b. dream type and frequency classification; c. entry method (manual text or voice/dictation); d. content language; e. analysis results: detected emotions, named entities (people, places, organizations), lemmatized words; f. generated AI interpretations; g. AI-generated images, when the feature is available.
2.5 Audio and voice
When the user uses voice dictation, audio processing may be performed on the device (through operating system services). The server primarily receives the transcribed text, not the original audio file, unless stated otherwise in a future version.
2.6 Technical, device, and usage data
a. platform type (ANDROID/IOS); b. device token for push notifications (Firebase Cloud Messaging); c. application version; d. operating system version (in support requests); e. IP address (for security, rate limiting, and diagnostics); f. session tokens (access and refresh JWT, stored hashed); g. subscription transaction identifiers (Google Play purchase tokens, Apple originalTransactionId); h. subscription status and account tier (FREE_USER/PREMIUM_USER); i. activity timestamps (last login, creation, update).
2.7 Data NOT currently collected
- precise or approximate geographic location of the user (location permission is not requested in the current backend implementation);
- complete bank card data (managed exclusively by Apple/Google);
- cookies (native mobile application, not web browser);
- advertising identifiers or data for behavioral advertising.
3. Sensitive data or private content
Oneiric Diary does not intentionally request sensitive personal data. However, due to the nature of a dream journal, the user may voluntarily enter private, intimate, or sensitive information (health, emotions, beliefs, sexual orientation, relationships, data of third parties mentioned in dreams, etc.).
The user should avoid entering sensitive data of third parties, information about minors, medical, financial data, passwords, or official documents.
When the user voluntarily enters sensitive data, it will be processed solely to provide the requested features (store, analyze, interpret). When required by law, additional express consent will be requested.
4. Primary purposes
a. create, verify, authenticate, and manage the account; b. record, store, and organize dreams; c. process text for NLP, emotions, entities, and word clouds; d. generate dream interpretations with local AI; e. send push notifications about interpretations; f. manage free plan and Morpheus Premium; g. verify subscriptions with Google Play and App Store; h. provide technical support; i. send transactional emails (verification, password reset, account confirmation/deletion); j. prevent fraud, abuse, and prompt injection; k. enforce Terms and Conditions; l. comply with legal obligations; m. address ARCO rights and deletion requests.
5. Secondary purposes
Currently Oneiric Diary does NOT use data for behavioral advertising, data sales, advertising profiles, or advertising trackers.
In the future, data may be processed for promotional communications, voluntary surveys, or aggregated/anonymous metrics, with prior consent when applicable.
User Content will not be used for marketing or external publication without additional consent.
6. Legal basis for processing
Processing is based on: user consent, legal relationship derived from use of the app, necessity to provide the service, compliance with legal obligations, protection of the Controller's rights, and application security.
The user may revoke consent in accordance with this Notice, without retroactive effect and subject to legal or contractual limitations.
7. Use of artificial intelligence and automated processing
Oneiric Diary uses automated processing and AI for:
a. dream interpretations (LLM model via Ollama, hosted on own servers);
b. emotional analysis (emotion classification models, run locally);
c. entity extraction and lemmatization (spaCy, local);
d. word clouds, patterns, and statistics;
e. AI images (when available).
IMPORTANT — Model training: User Content is NOT used to train, fine-tune, or improve third-party artificial intelligence models. Processing is performed on infrastructure controlled by the Operator (proprietary microservices + local Ollama). Cloud providers used (MongoDB, Firebase, SMTP) do not receive dream content for AI training.
AI results are automated, may be inaccurate, and do not constitute professional advice. Oneiric Diary does not make automated decisions with significant legal effects on the user.
8. Transfers and data processors
Oneiric Diary does NOT sell or share data with third parties for commercial or advertising purposes.
Necessary processors and technology providers (July 2026):
- MongoDB — primary database (location: [MongoDB cluster region — complete, e.g. AWS us-east-1]);
- Hosting/server infrastructure — [hosting provider — complete, e.g. own VPS/cloud];
- Google SMTP (Gmail) — transactional emails (verification, password, account deletion) from support@oneiric-diary.com;
- Support mailbox SMTP — reception of support requests (separate email configured in SUPPORT_SMTP_EMAIL);
- Firebase / Google Cloud Messaging — push notifications (device tokens);
- Google Play Developer API — Android subscription verification;
- Apple App Store Server API — iOS subscription verification;
- Apple and Google — payment processing, subscriptions, renewals, and refunds;
- Ollama (self-hosted) — interpretation generation (without transfer to cloud AI APIs);
- Proprietary NLP microservices (spaCy, Hugging Face models run locally) — text analysis;
- Competent authorities — when there is a legal obligation.
International transfers will be made only when necessary for the described purposes, with reasonable protection measures.
9. No sale of personal data
Oneiric Diary does not sell, rent, or commercialize personal data. Providing data to technology processors does not constitute a sale, provided they act to provide necessary technical services.
10. Data retention
Operational periods (July 2026):
- Account data and dream content: while the account is active;
- After deletion request: 14-day grace period, then permanent deletion;
- Email verification codes: 10 minutes (automatic deletion by TTL);
- Session tokens (refresh): 30 days (automatic deletion by TTL);
- Web deletion confirmation tokens: 24 hours;
- Subscription records and billing events: during the commercial relationship and applicable legal periods (recommended: 5 years for tax/accounting purposes — confirm with accountant);
- Support requests: [12 months recommended — complete];
- Account deletion event logs (audit): [24 months recommended — complete];
- Blocked malicious content attempt logs: [6 months recommended — complete];
- Security and diagnostic logs: [6-12 months recommended — complete];
- Encrypted backup copies: limited period before automatic overwrite (mentioned in account deletion confirmation email to the user).
After fulfilling the purposes, data will be deleted, blocked, or anonymized, unless there is a legal obligation to retain it.
11. Information security
Implemented measures (July 2026):
a. passwords hashed with BCrypt;
b. session tokens and verification codes stored with SHA-256 hash;
c. JWT authentication (access: 15 minutes; refresh: 30 days);
d. rate limiting on sensitive endpoints (login, registration, password recovery, account deletion, support);
e. automated filtering of malicious content and prompt injection in dreams;
f. AI prompt hardening with delimiters and system rules;
g. CORS restricted in production;
h. Swagger/API docs disabled in production;
i. server-side subscription verification (never trust client only);
j. encryption in transit (HTTPS/TLS) for communications;
k. STARTTLS for email.
No system is completely secure. The Controller does not guarantee absolute security.
12. ARCO rights
The data subject may exercise:
Access — know what data is processed.
Rectification — correct inaccurate data (available in app profile or upon request).
Cancellation — request deletion (via app, web, or email).
Opposition — object to specific processing when applicable.
Limitations: retention obligations, fraud prevention, defense of rights, inability to identify the requester.
13. Procedure to exercise ARCO rights
Send request to: support@oneiric-diary.com
Include: name, email associated with the account, right being exercised, clear description, identity documents if necessary.
Response time: up to 20 business days from receipt of complete request.
14. Account and data deletion
Mechanisms:
a. In-app: Settings → Delete account (password required for email accounts).
b. Web: https://api.oneiric-diary.com/account/delete.
c. Email: support@oneiric-diary.com
Flow: request → 14-day grace period (cancellable) → definitive deletion.
Deleted: profile, dreams, NLP analysis, statistics, session and device tokens.
Retained: deletion audit events, prior support requests, subscription records, blocked malicious attempts, temporary backups.
Deletion does NOT cancel Apple/Google subscriptions.
15. Push notifications
Oneiric Diary uses Google's Firebase Cloud Messaging (FCM) to send push notifications to the user's device, primarily to inform when a dream interpretation is ready or has failed.
Data processed: device FCM token, user identifier, platform (ANDROID/IOS). The token is deleted upon sign-out, account deletion, or app uninstall (depending on device behavior).
The user may disable notifications from their device settings.
16. Cookies, trackers, and advertising
Oneiric Diary does not use cookies (native mobile application).
Currently does not use advertising trackers, advertising analytics SDKs, or share data with advertising networks.
Necessary technical technologies are used: authentication tokens, FCM tokens, subscription validation. If analytics or trackers are incorporated in the future, this Notice will be updated.
17. Children's privacy
Recommended for persons over 18 years of age. Minors under 18 only with consent and supervision of parent/legal guardian/tutor.
If collection of data from minors without consent is detected, the account will be deleted. Contact: support@oneiric-diary.com
18. International users
Initially available in Mexico. Data may be processed in Mexico, United States (MongoDB, Firebase, Google/Apple APIs, SMTP), or other countries of providers.
Full compliance with GDPR, CCPA, CPRA, PIPEDA, or LGPD is not claimed until specific adaptation.
19. Changes to the privacy notice
The Controller may modify this Notice. It will be communicated through the app, web, email, or other reasonable means. Relevant changes may require additional consent.
20. Contact
Controller: Erick Rico | Email: support@oneiric-diary.com
Account deletion URL: https://api.oneiric-diary.com/account/delete
Terms URL: https://legal.oneiric-diary.com/en/terms/
Privacy URL: https://legal.oneiric-diary.com/en/privacy/