Privacy Policy

Privacy Policy

Effective date: June 12, 2026

This Privacy Policy explains how Surrly ("we", "us") collects and uses information when you use the Surrly mobile application and website.

1) Scope

  • App (iOS). Covers data processed in the Surrly app, including in‑app purchases.
  • Website (surrly.com). Covers visits to our site and any web forms (e.g., support, contact). The website is separate from the app; we do not mix web analytics with your in‑app journal.

2) Intended Users

Surrly is designed for users 16+. We do not knowingly collect data from anyone under 16. If you believe a child has provided data, contact us and we will delete it.

3) Data We Process (App)

We process only what is needed to operate features you choose to use.

  • Account & Identifiers. App-specific user ID, RevenueCat purchase identifiers, device information, and push token. We do not collect IDFA for ad tracking.
  • User Content. Dream text you enter; audio you record; tags/metadata you choose to save.
  • AI Processing. To generate interpretations/affirmations, your dream text (and, if applicable, transcribed audio) is sent to third‑party AI model providers (currently OpenAI) strictly to provide the feature.
  • Purchases. In‑app purchase metadata (e.g., product ID, transaction ID) via Apple and RevenueCat to fulfill subscriptions and packs.
  • Diagnostics. Basic diagnostics and crash logs to improve reliability.

4) What We Do Not Do

  • We do not sell personal data.
  • We do not use your journal content for our marketing without explicit, separate permission.
  • We do not track you across apps or websites for ads; no IDFA.

5) How We Use Data (Legal Bases)

  • Operate the App & provide features (journal, AI analysis, reminders, purchases): Contract (Art. 6(1)(b) GDPR).
  • Diagnostics/anti‑abuse: Legitimate interests (Art. 6(1)(f)).
  • Website analytics (cookies): Consent (Art. 6(1)(a)).
  • Legal compliance (e.g., receipts, tax): Legal obligation (Art. 6(1)(c)).

6) AI Providers (OpenAI)

  • What is sent. Dream text; if you use voice, the transcription derived from your audio.
  • Purpose. Provide interpretations, affirmations, and reflection prompts that you request.
  • Retention & training. Providers may retain data for a limited period for abuse monitoring and do not use your API data to train their models by default. See the provider’s policy for details.

7) Subscriptions & Packs (RevenueCat)

  • We use RevenueCat to validate purchases and manage entitlements. RevenueCat receives purchase metadata (e.g., product/transaction identifiers). Payment is handled by Apple; we do not receive full payment details.
  • Analysis Packs. Packs add analysis credits and transcription minutes. Transcription minutes are deducted in 15‑second increments (rounded up) with a 15‑second minimum per recording. Failed or canceled transcriptions are not charged.

8) Notifications

  • Functional reminders. Includes morning reminders at the wake‑up time you set in the App and nudges to help you journal.
  • Marketing pushes. We send news/updates/offers only with your explicit opt‑in and provide an easy opt‑out in Settings. Access to paid features is not conditioned on marketing consent.

9) Premium Backups (optional)

Premium users may opt in to store server‑side backups of their entries for convenience and recovery. You can turn this off anytime in Settings. Backups are stored with our database provider (Supabase) in the project’s selected region. We encrypt data at rest and in transit.

10) Data Storage & Transfers

  • Hosting. App data (including optional backups) is hosted with Supabase in the project’s selected region EU (Frankfurt), on AWS (Central EU). We aim to keep app data in the EU when possible.
  • Supabase AI Assistant: Disabled — we do not share schema, logs, or database data with Amazon Bedrock.
  • Third parties. AI providers and Apple/RevenueCat process data in accordance with their policies and locations. We use safeguards such as standard contractual clauses where required. We have signed Data Processing Addenda (DPA) with key processors and maintain a Transfer Impact Assessment (TIA) for cross-border transfers.

11) Retention

  • Account & journal content. Retained while your account is active. You can delete entries or your account at any time; deletion is immediate on our side.
  • Backups (Premium, if enabled). Deleted after account deletion (subject to minimal technical delay for safe removal).
  • Purchase records. Retained as required by Apple/RevenueCat and applicable law.
  • Diagnostics. Retained for a limited period to improve reliability.

12) Your Controls & Rights

  • In the App: export JSON (including base64 audio), import supported JSON, delete account.
  • iOS Settings: manage notifications; manage subscriptions.
  • Legal rights (EEA/UK and similar): access, correction, deletion, portability, objection, and restriction. Contact us to exercise your rights.

13) Website (surrly.com): Cookies & Analytics

  • We use Google Analytics to understand visits to our website. GA sets cookies only with your consent via our cookie banner. You can withdraw consent at any time.
  • Website analytics are kept separate from your in‑app journal.

14) Security

We use technical and organizational measures appropriate to the risk (encryption in transit/at rest, access controls). No method of transmission or storage is 100% secure.

15) Contact

Surrly — Sergei Kruglov
Otto‑Franke‑Straße 45, 12489 Berlin, Germany
Email: hello@surrly.com (you can also contact us via the in‑app support form)

16) Changes to This Policy

We may update this Policy from time to time. If changes are material, we will notify you by reasonable means (e.g., in‑app notice or on our website).