Privacy Policy

1. Information We Collect

We collect information you provide directly, information generated through your use of the Service, and limited information from third parties.

1.1 Information You Provide

• Account Information: Name, email address, company name, phone number, and password when you create an account.
• Billing Information: Payment method details (credit card number, expiration date, billing address) processed securely through Stripe. We do not store full credit card numbers on our servers.
• Profile Information: Job title, profile photo, timezone, and communication preferences you choose to provide.
• Support Communications: Messages, emails, and attachments you send to our support team.

1.2 Customer Data (Your Business Data)

• Contacts and Leads: Names, email addresses, phone numbers, company information, and custom fields for your contacts and leads.
• Communication Records:Emails sent and received, SMS messages, call recordings and transcriptions, and chat messages processed through DreamFlow's communication features.
• Business Records: Deals, pipeline stages, proposals, invoices, tasks, calendar events, notes, and automation configurations.
• Marketing Data: Campaign content, email templates, form submissions, audience segments, and engagement metrics.
• File Uploads: Documents, images, and attachments you upload to the Service.

1.3 Automatically Collected Information

• Usage Data: Pages visited, features used, clicks, time spent on pages, search queries, and interaction patterns within the Service.
• Device Information: Browser type and version, operating system, device type, screen resolution, and language settings.
• Network Information: IP address, approximate geographic location (city/region level), internet service provider, and referring URL.
• Log Data: Access timestamps, error logs, and server request information for security and debugging purposes.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery

• Provide, operate, and maintain the DreamFlow CRM platform
• Process and deliver email, SMS, and voice communications on your behalf
• Execute automations and workflows you configure
• Generate reports and analytics from your business data
• Provide AI-powered features such as content suggestions, email drafting, call transcription, and data enrichment

2.2 Account Management

• Process subscription payments and manage billing
• Send transactional notifications (billing confirmations, security alerts, feature updates, usage warnings)
• Provide customer support and respond to inquiries
• Authenticate users and enforce account security

2.3 Service Improvement

• Analyze aggregated, anonymized usage patterns to improve features and user experience
• Monitor system performance and identify technical issues
• Detect and prevent fraud, abuse, and security threats
• Conduct internal research and development

3. SMS / Text Messaging

DreamFlow may send you SMS text messages for account notifications (such as billing alerts, security notices, and feature updates) and, with your separate opt-in consent, promotional and marketing messages (such as product announcements, special offers, and event invitations).

3.1 Consent and Opt-In

• We only send SMS messages to individuals who have provided explicit, voluntary consent, either during account registration or through our website opt-in form.
• Providing your phone number is optional and is not required to use DreamFlow.
• Consent to receive SMS messages is not a condition of purchasing any goods or services from DreamFlow.

3.2 Message Frequency and Charges

• Message frequency varies depending on your account activity and communication preferences.
• Message and data rates may apply. Please contact your mobile carrier for details about your text messaging plan.

3.3 Opt-Out and Help

• You may opt out of SMS messages at any time by replying STOP to any message you receive from us. You will receive a one-time confirmation message and no further texts will be sent.
• For help, reply HELP to any message or contact us at support@whywedream.com.
• You can also manage your SMS preferences from your account settings at any time.

3.4 SMS Service Providers

SMS messages are delivered through Telnyx, our telecommunications provider. Telnyx processes phone numbers and message content solely for the purpose of message delivery under our data processing agreement. Carriers are not liable for delayed or undelivered messages.

4. AI-Powered Features

DreamFlow includes AI-powered features that process your data to provide enhanced functionality. We want to be transparent about how these work:

• AI Content Generation: When you use AI writing assistance (email drafting, content suggestions, Sally AI assistant), your prompts and relevant context are sent to Anthropic (Claude) for processing. Anthropic does not use this data for model training under our data processing agreement.
• Call Transcription:When you use call transcription, audio data is sent to OpenAI's Whisper API for speech-to-text conversion. OpenAI does not use this data for model training under our API agreement.
• AI Analytics: Automated insights, lead scoring, and recommendation features process your data on our servers and through our AI providers to generate actionable intelligence.

You can disable AI features at any time from your account settings. Disabling AI features will not affect the core functionality of the CRM.

5. Third-Party Services

We rely on trusted third-party service providers to operate DreamFlow. Each provider processes data under contractual obligations consistent with this Privacy Policy:

We may also share information when required by law, to protect our rights, to enforce our Terms of Service, or in connection with a merger, acquisition, or sale of assets (in which case you will be notified).

6. Data Storage and Security

Your data is stored on servers provided by Supabase, which is backed by Amazon Web Services (AWS) infrastructure located in the us-east-1 (N. Virginia) region, United States.

We implement the following security measures to protect your data:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: All database data and file storage is encrypted using AES-256 encryption.
• Access controls: Role-based access controls (RBAC) and row-level security (RLS) policies ensure users can only access data within their organization.
• Authentication: Secure session-based authentication with OTP (one-time password) verification.
• Payment security: All payment processing is handled by Stripe, which maintains PCI DSS Level 1 certification. We never store full credit card numbers on our servers.
• Monitoring: Automated security monitoring and alerting for suspicious activity.

While we implement commercially reasonable security measures, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.

7. Data Retention

• Active accounts: We retain all data for as long as your account is active and you maintain a valid subscription.
• Cancelled accounts: After account cancellation, your data is soft-deleted and retained for 30 days. During this period, you may request data export or account reactivation. After 30 days, data is permanently and irreversibly deleted.
• Expired trials: Trial accounts that are not converted to a paid subscription have their data retained for 30 days after trial expiration, after which data is permanently deleted.
• Backups: Database backups are retained for 30 days on a rolling basis. Backups older than 30 days are automatically destroyed.
• Communication logs: Call recordings, SMS messages, and email records are retained as part of your account data and follow the same retention schedule.
• Audit logs: System audit logs (login events, data changes) are retained for 12 months for security and compliance purposes.
• Deletion requests: We honor deletion requests within 30 days. Upon receiving a verified deletion request, we will permanently delete your personal data from our active systems. Some data may persist in encrypted backups for up to 30 additional days before being overwritten.

8. Cookies and Tracking

We use cookies and similar tracking technologies to operate the Service, understand how it is used, and support our marketing efforts. Cookie consent is captured before analytics or marketing cookies fire.

• Authentication cookies: Session cookies (provided by Supabase) that maintain your login state. These are essential for the Service to function and cannot be disabled.
• PostHog: We use PostHog for behavioral analytics, page view tracking, and session recording. PostHog data is processed in the EU region. This helps us understand how users navigate the platform so we can improve it.
• Google Tag Manager (GTM): We use GTM as a tag management container. GTM may load additional measurement and analytics scripts as configured.
• Meta Pixel (Facebook Pixel): We use the Meta Pixel for conversion tracking and advertising retargeting. This allows us to measure the effectiveness of our ads and show relevant ads to people who have visited our site.
• Vercel Analytics: Vercel provides anonymous performance analytics (page load times, web vitals) to help us monitor and improve site performance. No personally identifiable information is collected.
• Stripe: Stripe sets cookies as part of payment processing and fraud prevention during the checkout flow.

9. Your Rights

Regardless of where you are located, we provide the following rights to all DreamFlow users:

• Right to Access: You may request a copy of all personal data we hold about you. You can also view and download most of your data directly from Settings within the Service.
• Right to Correction: You may update or correct inaccurate personal information at any time through your account settings or by contacting us.
• Right to Deletion: You may request that we delete your account and all associated personal data. We will process deletion requests within 30 days.
• Right to Data Portability: You may export your data at any time from the Settings page. Exports are provided in standard formats (CSV, JSON) suitable for import into other services.
• Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances.
• Right to Object: You may object to the processing of your personal data for specific purposes, including marketing communications. You can unsubscribe from marketing emails at any time using the link in any email we send.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@whywedream.com. We will respond to verified requests within 30 days. We will not discriminate against you for exercising your privacy rights.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information is collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
• Right to Limit Use of Sensitive Information: We only use sensitive personal information (such as account login credentials) as necessary to provide the Service.
• Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a CCPA/CPRA request, email support@whywedream.com with the subject line "CCPA Request." We may need to verify your identity before processing your request. You may also designate an authorized agent to make requests on your behalf.

In the preceding 12 months, we have collected the categories of personal information described in Section 1 of this policy. We have not sold personal information and do not intend to sell personal information.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional protections:

• Legal Basis for Processing: We process your personal data on the following legal bases: (a) performance of our contract with you (providing the Service), (b) legitimate interests (improving the Service, security), and (c) your consent (where applicable, such as for optional AI features).
• Data Controller: Why We Dream LLC acts as the data controller for account and usage data. For customer data you store in DreamFlow, we act as the data processor on your behalf.
• Data Protection Officer: You may contact our privacy team at support@whywedream.com for any GDPR-related inquiries.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

Upon verified request, we will delete your personal data within 30 days, consistent with GDPR Article 17 (Right to Erasure). Some data may be retained where we have a legal obligation or legitimate basis to do so.

12. International Data Transfers

DreamFlow is operated from the United States, and your data is stored on servers located in the United States. If you are accessing the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfer. Where required by applicable law, we implement appropriate safeguards (such as Standard Contractual Clauses) for international data transfers.

13. Children's Privacy

DreamFlow is a business-to-business service intended for use by adults. The Service is not directed at individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at support@whywedream.com.

14. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. Since we do not use third-party tracking cookies or cross-site tracking technologies, our practices are consistent with DNT preferences by default. We do not alter our data collection or use practices in response to DNT signals because our practices already align with DNT principles.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email at least 30 days before the changes take effect. We will also update the "Last updated" date at the top of this policy. The most current version of this policy will always be available at dreamflowcrm.com/privacy. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

16. Google API Services

DreamFlow integrates with Google Workspace (Gmail, Google Calendar, and Google Business Profile) so you can manage email, calendar events, and reviews from inside DreamFlow. When you connect a Google account, we request permission via Google's OAuth 2.0 consent flow to access only the data needed for the features you choose to use.

Scopes we request and why:

• Gmail (read-only): Read your messages and metadata so we can display threads tied to your DreamFlow contacts and surface replies in the unified inbox. We do not modify, label, or delete your Gmail.
• Gmail (send): Send messages on your behalf when you compose an email from a contact card or campaign in DreamFlow. Sent messages are saved to your Gmail Sent folder.
• Google Calendar: Read your calendars to display events alongside your DreamFlow tasks, and create or update events when you schedule a meeting from a deal or contact.
• Google Business Profile (manage): If you connect your Business Profile, we read incoming reviews so you can respond to them from the DreamFlow inbox, and we post your replies back on your behalf.

How we handle Google user data (Limited Use compliance):

DreamFlow's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• We use Google user data only to provide and improve the user-facing features you connect to (inbox sync, send-on-behalf, calendar sync, review response).
• We do not use Google user data for advertising, do not transfer or sell it to third parties for serving advertisements, and do not allow humans to read it except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
• We do not use Google user data to train any AI or machine learning model that is used outside of providing the connected feature to you (and only to you).
• Google user data is stored encrypted at rest and in transit. You can revoke DreamFlow's access at any time from your Google Account permissions page or from DreamFlow's Settings > Integrations page.

When you disconnect a Google integration, we delete the OAuth refresh token within 30 days and stop fetching new data immediately. Cached message and event data tied to your DreamFlow records is retained for the lifetime of those records (so your contact timeline stays intact) and is deleted when you delete the underlying contact, deal, or workspace.

17. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your privacy rights, please contact us: