Privacy Policy

Last Updated: February 13, 2026

1. Who We Are

DREAM Discovery Platform is operated by [YOUR COMPANY NAME]. We facilitate pre-workshop discovery conversations to gather insights from workshop participants.

Data Controller: [YOUR COMPANY NAME]
Contact: [CONTACT EMAIL]
Address: [YOUR ADDRESS]

2. What Data We Collect

When you participate in a discovery conversation, we collect:

  • Identity Data: Your name, email address, role, and department (if provided by your organization)
  • Conversation Data: All messages you send during the discovery conversation, including your responses to questions
  • Technical Data: IP address, browser type, device information, and timestamps
  • Preference Data: Your attribution preference (named or anonymous)

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

  • Consent (Article 6(1)(a)): You explicitly consent to data processing when you click "I Agree" before starting your conversation
  • Legitimate Interests (Article 6(1)(f)): To facilitate effective workshops and improve organizational outcomes

4. How We Use Your Data

We use your data to:

  • Prepare insights and reports for workshop facilitators
  • Identify common themes and challenges across participants
  • Improve workshop effectiveness and participant experience
  • Generate summaries and analytics (anonymized where possible)

5. Data Sharing and Third Parties

We share your data with the following parties:

  • Your Organization: Workshop facilitators and administrators from your organization can access your responses
  • OpenAI (GPT-4 API): We use OpenAI's API to facilitate conversations. OpenAI processes data according to their Zero Data Retention policy (data is not stored beyond 30 days)
  • Supabase (Infrastructure): Our database provider, with servers located in [REGION]

We do NOT sell your personal data to third parties.

6. Data Security

We implement appropriate security measures to protect your data:

  • Data transmitted over HTTPS (TLS/SSL encryption)
  • Database access restricted to authorized personnel only
  • Regular security audits and monitoring
  • Row-level security to prevent cross-organization data access

7. Data Retention

We retain your personal data for:

  • Conversation Data: 12 months after workshop completion, or until you request deletion
  • Consent Records: 7 years (legal requirement for proof of consent)
  • Audit Logs: 7 years (compliance requirement)

After the retention period, data is automatically deleted unless legal obligations require longer retention.

8. Your Rights Under GDPR

You have the following rights:

  • Right of Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Request correction of inaccurate data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format
  • Right to Object (Article 21): Object to data processing
  • Right to Withdraw Consent (Article 7(3)): Withdraw your consent at any time

To exercise any of these rights, contact us at: [CONTACT EMAIL]

9. How to Exercise Your Rights

To request access, correction, or deletion of your data:

  1. Email us at [CONTACT EMAIL] with "Data Subject Request" in the subject line
  2. Provide the email address you used for the discovery conversation
  3. Specify which workshop/organization you're associated with
  4. We will respond within 30 days (as required by GDPR Article 12)

10. Cookies and Tracking

We use minimal cookies necessary for the application to function. We do NOT use tracking cookies or analytics cookies without your explicit consent.

11. International Data Transfers

Your data is stored in [REGION]. If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
  • Notify affected individuals without undue delay (GDPR Article 34)
  • Provide details of the breach and remedial actions taken

13. Children's Privacy

This service is not intended for individuals under 16 years of age. We do not knowingly collect data from children.

14. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes by email or through the platform. Continued use after changes constitutes acceptance of the updated policy.

15. Complaints

If you have concerns about how we handle your data, you have the right to lodge a complaint with a supervisory authority:

  • UK: Information Commissioner's Office (ICO) - https://ico.org.uk
  • EU: Your local Data Protection Authority

16. Contact Us

For questions about this privacy policy or data protection:

Data Protection Officer
[YOUR COMPANY NAME]
Email: [CONTACT EMAIL]
Phone: [PHONE NUMBER]
Address: [FULL ADDRESS]

This privacy policy complies with the General Data Protection Regulation (GDPR) 2016/679 and the UK Data Protection Act 2018.