Privacy Policy

1. Who is responsible for your data?

Noctalia is published by TiMax. TiMax acts as the Data Controller within the meaning of the GDPR for the processing described in this policy.

For any questions regarding your personal data or to exercise your rights, you can contact us at: [email protected].

2. Data we collect

When using the Noctalia app, we may process the following categories of data:

• Account data: email address, password (stored in hashed form), language or display preferences, information related to the creation and management of your account.
• Dream data: text transcriptions of your dreams, AI-generated analyses, shareable quotes, themes or categories, dream type, favorite status, as well as images generated to illustrate your dreams, and the history of conversations with the AI assistant about your dreams.
• Audio recordings: when you use the voice recording feature, your voice is processed to produce a transcript. Noctalia does not record or store your audio files on its servers: they are processed in real-time only to produce the transcript, then deleted from the technical flow. Only the transcribed text is saved in your journal.
• Technical and usage data: technical logs (errors, performance, security events), basic device information (operating system, app version), a hashed device identifier used solely for free-tier quota management, technical identifiers necessary to provide the service. We currently use no third-party marketing analytics tools (such as Google Analytics, Mixpanel, etc.).
• Support data: content of your exchanges with us (for example when you contact us by email) and information necessary to track your requests.

Content you record in Noctalia may, at your discretion, contain sensitive information within the meaning of the GDPR (for example elements related to your health, sexual life, beliefs, etc.). This information is processed solely to provide you with the dream journal and analysis service, based on your explicit consent and your initiative in recording it.

3. Purposes and legal bases

We process your personal data for the following purposes and legal bases:

• Providing the app and its features (dream journal, analyses, generated images, account creation and management): processing necessary for the performance of the contract (acceptance of Terms of Service) between you and Noctalia.
• Transcription and analysis of your dreams, including when they contain sensitive information: processing based on your explicit consent, which you can withdraw at any time by deleting the relevant dreams and/or your account.
• Improving the app, measuring stability, preventing abuse and ensuring security: processing based on our legitimate interest in ensuring the proper functioning, security and development of the service, without marketing profiling.
• Managing rights exercise requests, user support and legal compliance: processing necessary to comply with our legal obligations and to exercise our rights (evidence, legal defense, etc.).

4. Use of Artificial Intelligence and voice

Noctalia relies on Artificial Intelligence services to transcribe and analyze your dreams, as well as to generate associated images.

• Speech recognition: we primarily use your device's native speech recognition (via system interfaces). In case of failure or unavailability, an audio recording may be temporarily transmitted to a third-party speech recognition service (e.g., Google Cloud Speech-to-Text) via our backend to produce a transcript. These audio recordings are processed in real-time to produce the transcript and are not persistently stored by Noctalia.
• Dream analysis and content generation: the text of your dreams and certain strictly necessary metadata are sent to our main AI provider, currently Google (Gemini), to generate analyses, summaries, conversation elements and visuals.
• Other leading AI providers: in the future, we may use other high-level AI providers such as Anthropic, OpenAI, Perplexity, Mistral, or equivalent services. We will only enable them if we have equivalent contractual and technical guarantees (security, confidentiality, usage limitations).
• Model training: where these services allow it, we configure our AI providers so that they do not use your data to train their general models. Where applicable, your data is only used to provide the requested service (transcription, analysis, image or text generation).

5. Storage, security and data location

The security and location of your data are at the core of our approach.

• Communication encryption: exchanges between your device and our servers are protected by SSL/TLS encryption protocols.
• Database in the European Union: your account data and dreams are hosted in a Supabase database located in Western Europe (EU), on secure servers subject to the GDPR.
• Limited access: access to your data is strictly limited to only those persons and service providers who need it to provide the service (on a need-to-know basis). You retain control over your dream journal via your account.
• Controlled international transfers: some of our service providers (notably AI providers) may be located outside the European Economic Area (for example in the United States). In this case, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, adherence to the Data Privacy Framework or equivalent mechanisms.

6. Retention periods

We retain your personal data for a limited period, proportionate to the purposes pursued:

• Account and dream journal: your account data and journal content (transcripts, analyses, images) are retained as long as your account is active. When you delete your account, we delete or anonymize your data within a reasonable timeframe (generally within 30 days, unless a legal obligation requires otherwise).
• Audio recordings: recordings necessary for voice transcription are retained only for the time strictly necessary for technical processing (generally a few minutes) and are not stored long-term by Noctalia.
• Technical and security logs: retained for a maximum period of 12 months, to ensure security, incident detection and evidence in case of dispute.
• Support exchanges: retained for the duration necessary to handle your request and, where applicable, to defend our rights (generally up to 24 months).

7. Data sharing and service providers

Noctalia does not sell your personal data. We do not display targeted advertising in the app.

Your data may only be shared with the following categories of recipients:

• Technical providers: notably Supabase (hosting, database, authentication) and cloud infrastructure providers necessary for the app's operation.
• AI and speech recognition providers: Google (Gemini, Google Cloud Speech-to-Text), and where applicable other leading AI providers (Anthropic, OpenAI, Perplexity, Mistral, or equivalent services) for transcription, analysis of your dreams and generation of images or content.
• Subscription management: RevenueCat (USA) for managing in-app subscriptions. RevenueCat receives an anonymous user identifier and purchase information provided by Apple/Google. Your complete payment information never passes through Noctalia.
• External advisors and authorities: legal firms, accountants or administrative and judicial authorities when required by law or to defend our rights.

In all cases, we require our service providers to offer sufficient guarantees regarding security and confidentiality, and not to use your data for their own marketing purposes.

8. Minor users

Noctalia is intended for a general audience but is not designed for children under 16 years of age. We do not knowingly collect data concerning persons under 16 without the appropriate consent of a parental authority holder where required by law.

If you believe that a child under 16 has provided us with personal data without authorization, please contact us at [email protected] so that we can delete the account and associated data.

9. Your rights (GDPR and other applicable laws)

In accordance with the General Data Protection Regulation (GDPR) and, where applicable, other applicable laws, you have the following rights over your personal data:

• Right of access: obtain confirmation that we process your data and receive a copy.
• Right to rectification: correct inaccurate or incomplete data concerning you.
• Right to erasure: request the deletion of your data in cases provided by law (including deletion of your account and dream journal).
• Right to restriction of processing: request the temporary suspension of certain processing.
• Right to object: object to certain processing based on our legitimate interest.
• Right to data portability: receive the data you have provided to us in a structured, commonly used and machine-readable format, or request its transmission to another controller where technically feasible.
• Right to withdraw consent: where processing is based on your consent (notably for certain sensitive data), you can withdraw it at any time, without affecting the lawfulness of prior processing.

You can exercise your rights by contacting us at: [email protected], specifying the email address used to create your account. We may need to ask you for additional information to verify your identity.

If you reside in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local supervisory authority (in France: the CNIL).

If you reside in a jurisdiction with specific rights (for example in California under the CCPA/CPRA), you may also benefit from rights of access, deletion and limitation of use of your data. Noctalia does not sell your personal data within the meaning of these laws and does not engage in behavioral advertising based on cross-site tracking.

10. Changes to this policy

We may update this privacy policy to reflect legal, technical or functional changes to Noctalia. In case of significant changes, we will inform you by reasonable means (in-app notification, email, or banner) before the new terms take effect where required by law.

The date of the last update appears at the top of this page. We encourage you to regularly review this policy to stay informed about how we protect your data.