Legal
Privacy Policy
Last updated July 6, 2026
1Introduction
SMART SC EOOD (“we,” “us,” “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Lyra Dream application (the “App,” including any web version of it we make available) and related services (the “Services”).
We process personal data in compliance with:
- The EU General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act, as amended by the CPRA (CCPA/CPRA)
- Other applicable data protection laws
Because the App analyzes dreams and psychological themes, some of the data you provide is treated as a special category / sensitive personal data under GDPR and CCPA. We describe below how we handle it.
2Data controller
The data controller responsible for your personal data is:
SMART SC EOOD
Sofia, DARVENITZA 9
Bulgaria
Email: support@lyradream.com
For EU/EEA data-protection inquiries, you may contact us at the same email address.
3Information we collect
3.1 Information you provide
- Account information: Email address and authentication data via Firebase Authentication (Email/Password or Apple Sign-In). If you use Apple Sign-In, you may choose to hide your real email, in which case we receive only a private relay address.
- Profile information: A brief “life snapshot” (for example approximate age, occupation, living situation, life stage) that the AI analyst may ask about during your first session, plus other profile details the AI records from your conversations to personalize interpretations.
- Dream content: Dream descriptions, associations, and the messages you exchange with the AI analyst during a session. In-progress sessions may be saved as a draft so you can resume them.
- Life context: Perishable details about your current life situation and significant life events, either entered by you or proposed by the AI and confirmed by you, used to give more relevant interpretations over time.
- Known people: Where you mention people in your dreams (for example a relationship such as “partner” or “colleague,” a short description, and their emotional significance to you), we may store a note so the AI does not have to ask again in later sessions.
- Inner work / integration notes: Reflection and integration suggestions derived from your dream interpretations.
- Feedback and support: Any feedback, bug reports, or support inquiries you send us.
- Website waitlist: If you join the waitlist on our marketing website, we store the email address you submit (and the signup source) solely to contact you about availability and launch. You can request removal at any time by emailing support@lyradream.com.
- Voice input (optional, iOS): If you use the voice dictation feature to describe a dream, the audio is transcribed to text on your device using Apple's on-device speech recognition. We do not receive or store the raw audio; we only receive the resulting text if you choose to submit it.
3.2 Information collected automatically
- Device information: Device type, operating system version, and app version.
- Usage data: Features accessed, number and timing of dream sessions, and token/usage metering needed to operate the credit system and prevent abuse.
- Log data: IP address, access times, and error/diagnostic information used for security, debugging, and fraud prevention.
- Timezone: We may use your timezone. We do not collect precise GPS location.
3.3 Information from third parties
- Firebase Authentication (Google): Authentication tokens and identifiers.
- Apple Sign-In: Apple user identifier and (unless you hide it) verified email.
- Apple In-App Purchases: Signed transaction receipts confirming a credit purchase. We do not receive your full payment card details — those are handled entirely by Apple.
4How we use your information
4.1 Service provision
- To create, authenticate, and manage your account.
- To provide AI-powered dream analysis and interpretation.
- To personalize interpretations using your profile, life context, and known-people notes.
- To maintain your dream history and inner-work notes.
- To operate the dream-credit system, including granting free signup credits, applying purchased credits, and processing referral credits.
4.2 Service improvement and security
- To analyze aggregated, de-identified usage patterns and improve the App.
- To detect, prevent, and investigate abuse, fraud, and violations of our Terms (including automated content-safety checks on submitted text).
- To fix bugs and technical issues.
We do not use your personal dream content, conversations, or profile to train AI models — neither our own nor those of our AI providers (see Section 5).
4.3 Communication
- To respond to your inquiries and support requests.
- To send essential service-related notifications (for example account, security, or transaction messages).
- To inform you of material changes to our Terms or this Privacy Policy.
- To send optional promotional messages, only with your consent, which you can withdraw at any time.
4.4 Legal and safety
- To comply with legal obligations.
- To protect our rights, safety, or property, and those of our users.
4.5 Safety signals
Dark or disturbing imagery inside a dream is normal analytical material and is never flagged. However, if you make a statement about your waking life that indicates a risk of serious harm (for example to yourself or others), the AI analyst may raise a silent safety signal. When that happens:
- We record metadata only — a category, a severity level, and the position in the session. We deliberately never store the content of the message itself.
- For the most serious signals, the session is paused and you are shown crisis resources instead of further analysis. No credit is charged for a paused session.
- A real-time internal alert notifies our team, containing only a pseudonymous reference and the category — never your name, email, or any content.
Legal bases for processing (GDPR):
- Contract performance: processing necessary to provide the Services you request.
- Legitimate interests: service improvement, security, and fraud prevention.
- Consent: optional marketing, and processing of sensitive/special-category data such as dream and psychological content. You may withdraw consent at any time.
- Legal obligation: compliance with applicable laws (for example tax/financial record-keeping).
5AI processing and automated decision-making
5.1 AI service providers
Dream analysis is powered by large language models accessed through Amazon Web Services (AWS Bedrock). Depending on configuration, the underlying model may be provided by Anthropic (Claude) or by OpenAI (accessed via the Amazon Bedrock endpoint). When you submit a message for analysis, the relevant text is transmitted to AWS Bedrock and the applicable model provider for processing.
5.2 Data sent to the AI
When you send a message in a dream session, we transmit:
- Your dream description and conversation messages for that session.
- Relevant context assembled from your data (for example your life snapshot, life context, and known-people notes) to inform the interpretation.
5.3 AI data handling
- Data is processed under AWS's and the applicable provider's data-processing terms.
- We do not use, and we instruct our providers not to use, your content to train or improve their models. We configure the AI processing to minimize provider-side data retention (for example zero-data-retention / non-storage settings where available).
- Conversations are processed in real time to generate a response. Apart from brief technical caching used to serve your active session (for example prompt caching, which holds session context for a few minutes to reduce reprocessing), they are not retained by the AI provider.
5.4 Automated profiling
We use automated processing to generate dream interpretations and psychological insights and to maintain your profile and life context. These outputs are informational and reflective only; they do not produce legal or similarly significant effects. You have the right to request human review, to express your point of view, and to contest any automated output — contact us at support@lyradream.com.
6Data storage and security
6.1 Data location
Your personal data is stored on secure servers hosted on our own Virtual Private Server (VPS) infrastructure located in Germany, with a PostgreSQL database. Some processing occurs with the third parties described in Sections 5 and 7 (for example authentication and AI processing).
6.2 Optional encryption of your content (“encryption at rest”)
The App offers an encryption feature you can enable. When you enable it, sensitive user content — including your dream conversations, interpretations, summaries, assessment/profile text, known-people notes, inner-work notes, life context, and drafts — is encrypted at rest using envelope encryption:
- Your content is encrypted with a per-user Data Encryption Key (DEK) using AES-256-GCM.
- The DEK is itself wrapped (encrypted) by a key derived from your password using Argon2id, and separately by a Recovery Key that you can download.
- Our servers store only the wrapped keys and cannot decrypt your content without your password or your Recovery Key.
Important: This is strong at-rest protection, but it is not end-to-end encryption. During an active dream session, the server temporarily decrypts the necessary content in memory so it can be sent to the AI provider for processing and then re-encrypted. If you lose both your password and your Recovery Key, your encrypted content cannot be recovered by us.
If you have not enabled encryption, your content is not wrapped with a personal key, but it remains protected by the security measures described in Section 6.3, including encryption in transit and server access controls.
6.3 Other security measures
- Encryption in transit: all data between the App, our servers, and third-party services uses TLS/SSL.
- Access controls and secure authentication via Firebase with JWT verification.
- Rate limiting and abuse controls on our servers.
- Periodic review of our security practices.
6.4 Data retention
We retain your personal data for as long as your account is active or as needed to provide the Services:
- Account data: retained until account deletion.
- Dream records, life context, known-people notes, and inner-work notes: retained until you delete them or delete your account.
- Usage and security logs: retained only for as long as necessary for security, abuse prevention, and service-cost accounting.
- Detailed diagnostic logs (only ever generated to troubleshoot a specific issue): deleted promptly once the issue is resolved.
- Payment/transaction records: retained as required by applicable tax and accounting law (typically up to the statutory period).
Upon account deletion, we delete or irreversibly anonymize your personal data within 30 days, except where longer retention is required by law.
7Data sharing and disclosure
7.1 Service providers (processors)
- Firebase / Google: authentication.
- Amazon Web Services (AWS Bedrock) and the applicable model provider (Anthropic and/or OpenAI): AI processing for dream analysis.
- Apple: In-App Purchase processing for dream credits.
- Hosting/infrastructure providers for our servers.
- Operational alerting tools (currently Discord): receive internal service alerts and aggregate daily statistics only — for example error notices and the safety-signal alerts described in Section 4.5, which carry a pseudonymous reference and a category. These alerts never include your dream content, email address, or other direct identifiers.
7.2 Legal requirements
We may disclose data if required by law or in response to valid legal requests by public authorities.
7.3 Business transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to this Privacy Policy.
7.4 With your consent
We may share data with third parties when you have given explicit consent.
7.5 No sale or “sharing” of personal data
We do not sell your personal data, and we do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
8International data transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including:
- United States (AWS Bedrock and its model providers, Firebase, Apple).
- The EU (our primary servers).
For transfers from the EEA/UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) and Data Processing Agreements with our providers, together with additional safeguards as required by law.
9Your rights
9.1 Rights under GDPR (EU/EEA/UK residents)
- Access, Rectification, and Erasure (“right to be forgotten”).
- Restriction of, and Objection to, processing.
- Data Portability: receive your data in a structured, machine-readable format. The App provides a data-export function.
- Withdraw Consent at any time (without affecting prior processing).
- Rights related to automated decision-making (see Section 5.4).
9.2 Rights under CCPA/CPRA (California residents)
- Right to Know / Access the personal information we collect, use, and disclose.
- Right to Delete your personal information.
- Right to Correct inaccurate personal information.
- Right to Opt-Out of sale or sharing (we do not sell or share — see 7.5).
- Right to Limit use of sensitive personal information; we use such information only to provide the Services.
- Right to Non-Discrimination for exercising your rights.
Categories of personal information collected (CCPA):
- Identifiers (email, device identifiers).
- Internet/network activity (usage and log data).
- Geolocation (timezone only; not precise location).
- Inferences (dream interpretations, psychological insights).
- Sensitive personal information (dream content and psychological/reflective responses), used solely to provide the Services.
9.3 Exercising your rights and account deletion
You can access and export your data, and permanently delete your account and associated data, from within the App. You may also contact us at support@lyradream.com. We respond within one month (extendable where permitted). We may need to verify your identity to protect your account.
10Children's privacy
The Services are intended only for individuals 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a person under 18, we will delete it promptly. If you believe a minor has provided us data, contact us at support@lyradream.com.
11Cookies and similar technologies
The App does not use advertising cookies or third-party ad tracking. We use only strictly necessary technologies for session management, authentication state, and de-identified analytics.
12Third-party links
The App may contain links to third-party websites or services. We are not responsible for their privacy practices and encourage you to review their policies.
13Data breach notification
In the event of a personal-data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR), notify affected users without undue delay where the risk is high, and document the breach and our response.
14Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy, updating the “Last Updated” date, and, where appropriate, providing an in-app or email notice. Your continued use after changes take effect constitutes acceptance of the revised policy.
15Contact us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
SMART SC EOOD
Email: support@lyradream.com
Sofia, DARVENITZA 9
Bulgaria
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority, or with the Commission for Personal Data Protection (Bulgaria): https://www.cpdp.bg/
By using Lyra Dream, you acknowledge that you have read and understood this Privacy Policy.
Copyright © 2026 SMART SC EOOD. All rights reserved.