1. Introduction

Welcome to ONYRA ("we," "our," "us," or the "Company"). ONYRA is operated by Manuel Thurner / 03-Studios, located at Weinstraße 6, 39057 Girlan BZ, Italy (VAT: IT03288300217).

We are committed to protecting your privacy and ensuring you have a positive experience when using our mobile application ONYRA (the "App") and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: When you create an account using Sign In with Apple or Google Sign-In, we receive your email address and, optionally, your name.
• Dream Journal Entries: Text content, titles, dates, categories, mood ratings, clarity ratings, intensity ratings, and quality ratings you input.
• Voice Recordings: Audio recordings you create within the App for dream documentation.
• Preferences and Settings: Notification preferences, technique settings, and other customization choices.

3.2 Information Collected Automatically

• Device Information: Device type, operating system version, unique device identifiers, and app version.
• Usage Data: App interaction patterns, feature usage, session duration, and crash reports.
• Analytics Data: Screen views, user engagement metrics, app open events, and session statistics (collected via Firebase Analytics).
• Subscription Information: Subscription status, purchase history, and entitlements (managed through RevenueCat).

3.3 Information Generated by AI Processing

• Dream Analysis: AI-generated interpretations, symbol identifications, mood assessments, complexity scores, and narrative breakdowns.
• Audio Transcriptions: Text transcriptions of your voice recordings generated by AI.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Service Provision: To provide, maintain, and improve the ONYRA App and its features.
• AI Dream Analysis: To process your dream entries through artificial intelligence to provide personalized insights, interpretations, and pattern recognition.
• Voice Transcription: To convert your audio recordings into text for analysis and journaling purposes.
• Account Management: To create and manage your user account and authentication.
• Cloud Synchronization: To sync your dream journal across devices (premium feature).
• Notifications: To send you morning reminders, reality check prompts, and other notifications you have opted into.
• Subscription Management: To process and manage your subscription and in-app purchases.
• Customer Support: To respond to your inquiries and provide technical assistance.
• Service Improvement: To analyze usage patterns and improve user experience.
• Legal Compliance: To comply with legal obligations and protect our rights.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested (Art. 6(1)(b) GDPR).
• Consent: Where you have given explicit consent for specific processing activities, such as AI analysis of your dreams (Art. 6(1)(a) GDPR).
• Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services and preventing fraud (Art. 6(1)(f) GDPR).
• Legal Obligation: Processing necessary to comply with legal requirements (Art. 6(1)(c) GDPR).

6. Artificial Intelligence Processing

6.1 What Data is Processed by AI

• Dream journal text content (title, description, notes)
• Audio recordings (for transcription)
• Associated metadata (mood, category, date)

6.2 How AI Processing Works

• Your dream content is sent to OpenAI's API through secure, encrypted connections via our backend services (Supabase Edge Functions).
• OpenAI processes the data to generate dream interpretations, symbol analysis, and audio transcriptions.
• According to OpenAI's current policies, data sent via their API is not used to train their models.
• AI-generated results are stored in your account and on your device.

6.3 Your Control Over AI Processing

AI analysis is an optional premium feature. You can use the App's basic dream journaling features without AI processing. By using the AI analysis feature, you consent to the processing described above.

7. Third-Party Service Providers

We use the following third-party services to operate and improve our Service:

8. Data Storage and Security

8.1 Local Storage

Your dream journal entries are stored locally on your device by default. This data remains under your control and is not automatically transmitted to our servers unless you have an active premium subscription with cloud sync enabled.

8.2 Cloud Storage (Premium Feature)

For premium subscribers who enable cloud synchronization, data is stored on Supabase's secure cloud infrastructure. Data is encrypted in transit (TLS 1.2+) and at rest.

8.3 Security Measures

• Industry-standard encryption for data in transit and at rest
• Secure authentication protocols (OAuth 2.0, PKCE)
• Regular security audits and updates
• Access controls and authentication requirements
• Row-level security policies in our database

9. Data Retention

• Account Data: Retained until you delete your account.
• Dream Entries: Retained until you delete them or your account.
• Audio Files: Retained until you delete them or your account.
• AI Analysis Results: Retained with the associated dream entry.
• Subscription Data: Retained as required for tax and legal compliance (typically 7-10 years).
• Local Data: Remains on your device until you uninstall the App or delete it manually.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States. Our service providers (Supabase, OpenAI, RevenueCat) may process data outside the EEA.

When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and adequacy decisions where applicable.

11. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

11.1 GDPR Rights (EEA Users)

• Right of Access: Request a copy of your personal data.
• Right to Rectification: Request correction of inaccurate data.
• Right to Erasure: Request deletion of your data ("right to be forgotten").
• Right to Restrict Processing: Request limitation of processing.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time.
• Right to Lodge a Complaint: File a complaint with your local data protection authority.

11.2 CCPA Rights (California Users)

• Right to Know: Request disclosure of personal information collected.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information).
• Right to Non-Discrimination: Not be discriminated against for exercising your rights.

11.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at contact@03-studios.com. We will respond to your request within 30 days (or as required by applicable law).

You can also delete your account and all associated data directly through the App's settings menu.

12. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties.

We may share your information only in the following circumstances:

• Service Providers: With third-party service providers who assist in operating our Service (as listed in Section 7), under strict confidentiality and data processing agreements.
• Legal Requirements: When required by law, court order, or governmental authority.
• Protection of Rights: To protect and defend our rights, property, or safety, or that of our users.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you.
• With Your Consent: When you explicitly consent to the sharing.

13. Children's Privacy

ONYRA is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at contact@03-studios.com.

If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

14. Cookies, Analytics, and Tracking Technologies

The ONYRA mobile app does not use cookies. Our website (onyra.app) may use essential cookies for basic functionality.

Firebase Analytics: We use Firebase Analytics to collect anonymous usage data about how you interact with our App. This includes information such as which screens you view, how long you spend in the App, and which features you use. This data helps us improve the App and understand user behavior. Firebase Analytics does not collect personally identifiable information and is not used for advertising purposes.

We do not use advertising trackers or sell your data to advertisers. We do not engage in cross-app tracking.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last updated" date at the top
• Sending you an in-app notification or email for significant changes

Your continued use of the Service after changes become effective constitutes your acceptance of the revised Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For EEA users, you also have the right to lodge a complaint with your local supervisory authority. For Italy, this is the Garante per la protezione dei dati personali (garanteprivacy.it).