Privacy Policy

DreamPaths ("we," "our," or "us") is a goal-tracking application that helps you build bucket lists and follow paths toward your goals. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices and rights you have. By using the DreamPaths mobile applications or related services (collectively, the "Service"), you agree to this policy.

1. Information We Collect

1.1 Information you provide

• Account information. Your email address, display name, username, and password (stored as a salted hash — we never see your plain-text password). If you sign in with Apple or Google, we receive your name and email as provided by those services.
• Profile photo (optional). An avatar image you choose to upload. Avatar files are stored on Cloudflare R2 and served via a private URL associated with your account.
• Content you create. Buckets (your goals), Paths and their settings (Habit, Skill, Experience, Financial, Metric, Checklist, Deadline), milestones, log entries, contributions, completion dates, target amounts, currencies, notes, and any descriptions you write.
• Experience photos (optional). Photos you attach to Experience paths. Uploaded photos are stored on Cloudflare R2. EXIF metadata may be present in the file you upload; for avatars we strip EXIF and normalize orientation before storing.
• Support requests. If you email us, we receive your email address and the content of your message.

1.2 Information collected automatically

• Authentication tokens. Short-lived access tokens and refresh tokens issued during sign-in. Tokens are stored on your device in Apple Keychain (iOS) or EncryptedSharedPreferences (Android) and used to keep you signed in.
• Device and request metadata. Standard server logs from our API (IP address, request path, timestamp, user agent, response status). These logs help us debug, prevent abuse, and operate the Service.
• Local-time signals.The Service sends your client's local calendar date along with certain requests (e.g. when logging a habit completion) so progress is attributed to the day you intended. We do not store your continuous device location.
• Subscription information. When you purchase or restore a PRO subscription, the platform store (Apple App Store or Google Play) issues a signed transaction that we verify on our server. We record the platform, product identifier, original transaction identifier (a stable ID Apple / Google use for the subscription across renewals), current period start and end, auto-renewal preference, status (e.g. active, in_grace_period, expired), and the decoded signed payload returned by the platform. We also receive subscription lifecycle notifications (renewals, cancellations, refunds, plan changes) from Apple App Store Server Notifications and, in the future, Google Real-Time Developer Notifications, and store them as immutable audit events. We do not see, store, or have access to your payment card or bank details — those stay with Apple / Google.

1.3 Information we do NOT collect

• We do not use third-party advertising or analytics SDKs.
• We do not collect precise location, contacts, microphone, health, or financial-institution data.
• We do not build advertising profiles on you.

2. How We Use Your Information

We use the information described above to:

• Create, authenticate, and secure your account.
• Provide the core features of the Service — storing your buckets, paths, milestones, photos, and computing progress.
• Send transactional emails (account verification, password reset, important security or service notices).
• Verify and manage your PRO subscription: confirm an entitlement is valid, react to renewals, cancellations, refunds, and plan changes, prevent the same platform-store transaction from being bound to more than one DreamPaths account, and refund or revoke PRO features when the platform informs us of a refund or revocation.
• Diagnose problems, maintain reliability, and protect against abuse and fraud.
• Comply with legal obligations and enforce our terms.

We do not use your content to train machine learning models or to sell to third parties.

3. How We Share Your Information

We share information only with the limited service providers we need to operate DreamPaths. Each provider is bound by contract to process data only on our instructions.

• Cloud hosting & database. Our backend API and database run on commercial cloud infrastructure. They store your account data and content on our behalf.
• Cloudflare R2. Avatar and Experience-photo files are stored here. Access goes through short-lived presigned URLs.
• Apple Sign in with Apple.If you choose to sign in with Apple, Apple shares a stable identifier (and, first time, your name + relay email) with us. See Apple's privacy policy.
• Google Sign-In.If you choose to sign in with Google, Google shares your name and email with us. See Google's privacy policy.
• Apple App Store / Google Play (subscription processing). When you purchase, renew, change, or cancel a PRO subscription, the platform store handles billing and shares signed transaction information with us so we can grant or revoke entitlement. Apple additionally sends server-to-server notifications (App Store Server Notifications V2) for subscription lifecycle events. We never receive or store your payment-card or banking information — that stays with the platform store.
• Email delivery. Transactional emails (such as OTP codes and password resets) are sent through a transactional email provider on our behalf.

We do not sell your personal information and we do not share it with advertisers. We may disclose information when required by law (for example, in response to a valid subpoena), or to protect the rights, safety, or property of DreamPaths or our users.

4. Data Retention

• Account and content data are retained for as long as your account is active.
• When you delete your account, your buckets, paths, content, and uploaded photos are deleted from our primary databases and object storage within a reasonable period (typically within 30 days). Server-log backups may retain technical information for a longer period for security and audit purposes, after which they are deleted on rotation.
• You may export key content yourself in-app before deletion (where supported).
• Subscription audit events. Lifecycle events we receive from Apple / Google (renewals, cancellations, refunds, etc.) are stored in an immutable audit log. When you delete your account the personal links from those audit events are removed (the records are dissociated from your user record), but the audit events themselves are retained for financial, anti-fraud, and dispute-resolution purposes for as long as required by law or platform-store policy.
• Cancelling your subscription is separate from deleting your account.If you delete your DreamPaths account while a paid subscription is still active on your Apple ID or Google account, the subscription itself is not automatically cancelled — you must cancel it from your device's Subscriptions settings, or it will continue to renew until you do.

5. Data Security

• All traffic is encrypted in transit using TLS (HTTPS).
• Passwords are stored only as salted hashes; we cannot recover your password if you forget it — only reset it.
• Tokens on your device are stored in the platform's secure storage (Apple Keychain / Android EncryptedSharedPreferences).
• Access to production systems is restricted, audited, and requires multi-factor authentication.
• No system is perfectly secure. If you believe your account is compromised, please change your password and contact us immediately.

6. Your Rights

Depending on where you live (including the EU/UK GDPR, California CCPA/CPRA, and other regional laws), you may have rights to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your account and personal data (you can do this from Profile → Delete Account inside the app, or by emailing us).
• Object to or restrict certain processing.
• Port your data to another service.
• Withdraw consent for processing that relies on consent (without affecting the lawfulness of prior processing).
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, contact us at the address in Section 11. We may need to verify your identity before acting on a request.

7. Children's Privacy

DreamPaths is not directed to children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children under those ages. If you are a parent or guardian and believe your child has provided information to us, please contact us and we will delete it.

8. International Data Transfers

DreamPaths may process and store information in countries other than your own. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses for international transfers of personal data.

9. Third-Party Sign-In Disclosure

When you sign in with Apple or Google, you authenticate directly with that provider. We never see your provider password. We receive only the identity tokens and basic profile information you have authorised the provider to share with us. Your use of those providers is governed by their own privacy policies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top and, for material changes, give in-app or email notice before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

Questions, requests, or concerns about this policy or your data?

• Email: privacy@dreampathsapp.com
• Support: support@dreampathsapp.com

This policy is provided as a starting template tailored to DreamPaths' current architecture. It is not legal advice. Before publishing to the App Store / Play Store, have a qualified attorney review it for your jurisdiction(s) and any region-specific addenda (e.g. California Privacy Notice, EU Article 13/14 disclosures, Korea/PIPL requirements).