Privacy Policy & Data Protection

1. Introduction

Welcome to Codex Somniorum ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with:

GDPR (Regulation (EU) 2016/679)
Romanian Law No. 190/2018 implementing the GDPR
The ePrivacy Directive (Directive 2002/58/EC) as transposed into national law

2. Data Controller Contact

For the purposes of the GDPR, the Data Controller is:

Name/Company: Codex Somniorum
Address: Str. Dr. Constantin Caracas, nr.18, sector 1, Bucuresti, Romania 011154
Contact Email: support@codexsomniorum.com

3. Data We Collect & Legal Basis (Art. 6 GDPR)

Data Category	Examples	Purpose	Legal Basis
Identity Data	Name, Username	Account creation, identification	Contractual Necessity (Art. 6(1)(b))
Contact Data	Email Address	Service delivery, transactional emails	Contractual Necessity (Art. 6(1)(b))
Input Data (AI)	Dream descriptions, user text inputs	Providing AI interpretations	Contractual Necessity (Art. 6(1)(b))
Marketing Data	Email for newsletters	Promotional offers	Explicit Consent (Art. 6(1)(a))
Technical/Usage Data	IP Address, Browser Type, Device Info	Security, Analytics, Fraud Prevention	Legitimate Interest (Art. 6(1)(f))
Payment Data	Transaction history (Card details are processed securely by Stripe; we do not store full card numbers)	Processing payments	Contractual Necessity (Art. 6(1)(b)) Legal Obligation (Art. 6(1)(c))

4. Specific Clause: AI-Generated Content & Automated Processing

Our service uses Artificial Intelligence (AI) to interpret user inputs (e.g., dream descriptions).

Transparency (Art. 13-15 GDPR): Users are informed that interpretations are generated by an AI model and should not be considered professional psychological or medical advice.
Data Usage: The text you input (dreams) is processed by our AI provider to generate a response.
Anonymization: We may use anonymized user inputs to improve our AI models and service quality (Legitimate Interest).
Automated Decision Making: We do not use automated decision-making or profiling that produces legal effects concerning you (Art. 22 GDPR).

5. Children's Privacy

Age Restriction: Our services are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16.

If we become aware that we have collected data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.

6. Data Processors & Third Parties

We share data only with trusted third-party service providers ("Processors") bound by data processing agreements (DPAs):

Stripe (USA/Global): Payment processing. Privacy Policy.
NameCheap (e.g., Vercel/AWS/DigitalOcean): Website hosting and database storage.
Google Analytics 4 (USA/Ireland): Website traffic analysis. Only active with your explicit consent.
OpenAI / GPT-4o (USA): AI model inference provider.

7. International Data Transfers

Some of our partners (e.g., Stripe, Google, OpenAI) are based outside the European Economic Area (EEA).

We ensure safeguards are in place for such transfers, including:

Adequacy Decisions: Transfer to countries deemed safe by the EU Commission (e.g., EU-US Data Privacy Framework participants).
Standard Contractual Clauses (SCCs): We rely on EU Commission-approved SCCs for data protection with providers who are not under an adequacy decision.

8. Data Retention

Account Data: Retained as long as your account is active. Deleted upon request or after 2 years of inactivity.
Financial Records: Retained for 10 years as required by Romanian fiscal law.
Consent Logs: Retained for 3 years to demonstrate compliance.

9. Your Rights

Under GDPR, you have the following rights:

Right of Access: Request a copy of your data.
Right to Rectification: Correct inaccurate data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal obligations).
Right to Restriction: Limit how we process your data.
Right to Portability: Receive your data in a structured format.
Right to Object: Object to processing based on legitimate interest or direct marketing.
Right to Withdraw Consent: At any time (e.g., for cookies or marketing emails).

To exercise these rights, email us at: support@codexsomniorum.com

10. Cookies

We use cookies to analyze traffic and improve user experience. You can manage your preferences via our Cookie Settings or the banner at the bottom of the page.

Strictly Necessary: Required for login and security (cannot be disabled).
Analytics: Google Analytics (requires consent).
Marketing: Ad tracking (requires consent).

11. Complaint

If you believe your rights have been violated, you have the right to lodge a complaint with the Romanian Supervisory Authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Global IP Building, B-dul G-ral. Gheorghe Magheru 28-30
Sector 1, cod postal 010336, Bucuresti, Romania
Website: www.dataprotection.ro

Privacy Policy & Data Protection Notice