Onirelo
Begin
Back to notices

Legal document

Privacy policy

Last updated on June 2, 2026

1. Foreword

This Privacy Policy describes how E1 (hereinafter "Onirelo", "we") processes the personal data of users (hereinafter "you") of the Onirelo service available at https://onirelo.com.

Onirelo is a dream journal. By its very nature, you entrust us with deeply personal and sometimes sensitive content. We take this commitment very seriously and have designed the Service to collect as little data as possible, retain it only as long as strictly necessary, and protect it with appropriate technical and organisational measures.

2. Data controller

The data controller is E1, a single-member limited liability company (EURL) with share capital of €1,000, located at 12 rue Vauban, 69006 Lyon, France, registered with the Lyon Trade and Companies Register under number 935 101 618.

3. Data Protection Officer (DPO)

Onirelo has appointed a Data Protection Officer (DPO). You can reach them for any question about your data or to exercise your rights:

  • Email: privacy@onirelo.com
  • DPO name: [TO BE COMPLETED]
  • Postal mail: E1, attn. DPO, 12 rue Vauban, 69006 Lyon, France

4. Categories of data processed

4.1. Data you provide

When creating your account and using the Service, you give us:

  • account data: email address, password (in encrypted form), Google or Apple identifier if you sign in via those providers;
  • optional profile data: gender, which you freely enter in your settings;
  • content: dream entries, titles, notes and personal tags that you freely write in your journal.

4.2. Data collected automatically

While you use the Service, we collect:

  • strictly necessary technical data: session identifiers, authentication tokens, IP address, browser type, language, time zone;
  • billing data when you take out a subscription (processed by Stripe: amounts, date, payment status, card tokens; the card number is not transmitted to us);
  • audience-measurement and diagnostic data only after your consent (see the Cookie Policy).

4.3. Potentially sensitive data

Your dream entries may, by their nature, contain or hint at sensitive information within the meaning of article 9 of the GDPR, in particular information relating to your physical or mental health. You remain in full control of what you write in your journal and free to leave out anything you do not wish to share.

When you write such content, the processing is based on your explicit consent under article 9(2)(a) of the GDPR. You can withdraw that consent at any time by deleting the relevant content or your account.

5. Purposes and legal bases

| Purpose | Legal basis | |---|---| | Account creation and management, authentication, Service security | Performance of the contract (art. 6.1.b GDPR) | | Provision of journal features (saving, displaying, organising dreams) | Performance of the contract (art. 6.1.b GDPR) | | Generation of interpretations and tags by artificial intelligence | Performance of the contract (art. 6.1.b) and, for sensitive content, your explicit consent (art. 9.2.a) | | Billing and subscription management | Performance of the contract (art. 6.1.b) and statutory accounting obligation (art. 6.1.c) | | Sending transactional messages (confirmation, security, billing) | Performance of the contract (art. 6.1.b) | | Audience measurement, non-strictly necessary usage statistics | Your consent (art. 6.1.a) | | Prevention and detection of fraud and abuse | Legitimate interest (art. 6.1.f) in protecting the Service and its users | | Responding to rights requests, handling disputes | Statutory obligation (art. 6.1.c) and legitimate interest |

Onirelo does not carry out any targeted advertising and performs no profiling for marketing purposes.

6. Automated decisions and artificial intelligence

The Service uses artificial intelligence models to produce interpretations, tags and, where applicable, mood or wellbeing indicators from your dreams. These processing operations do not constitute decisions producing legal effects concerning you or significantly affecting you within the meaning of article 22 of the GDPR: they are introspective in nature and play no part in any contractual, medical or financial decision about you.

At any time you keep:

  • the right to obtain human intervention from us;
  • the right to express your point of view;
  • the right to contest the analyses produced;
  • the right to stop submitting your content to AI processing.

Your content is never used to train artificial intelligence models, whether ours or those of our providers.

7. Recipients and processors

Your data is processed by our authorised staff and by the following providers, acting as processors within the meaning of article 28 of the GDPR:

| Provider | Role | Processing location | |---|---|---| | Laravel Cloud (Laravel Holdings, Inc.) | Application and database hosting | European Union | | Stripe Payments Europe, Ltd. | Payment processing and billing | European Union, with transfers to the United States | | Anthropic, PBC | AI interpretation generation (Claude models) | United States | | OpenAI Ireland Ltd. / OpenAI, L.L.C. | AI interpretation and tag generation | United States | | Google Ireland Ltd. (Vertex AI) | AI interpretation generation | European Union or United States depending on the calling region | | [Email delivery provider — TO BE COMPLETED] | Sending transactional emails | [European Union / other — TO BE COMPLETED] | | [Error monitoring provider — TO BE COMPLETED] | Diagnosis of technical incidents | [TO BE COMPLETED] | | [Audience analytics tool — TO BE COMPLETED] | Consent-based audience measurement | [TO BE COMPLETED] |

Each of these providers is bound by a contract compliant with article 28 of the GDPR and only uses your data on behalf of Onirelo, in accordance with our instructions.

8. Transfers outside the European Union

Some of our processors (notably Anthropic, OpenAI, as well as Google and Stripe for certain processing operations) may process data in the United States.

These transfers are framed in accordance with Chapter V of the GDPR, by:

  • the recipient's adhesion to the EU–US Data Privacy Framework, when it is certified there;
  • failing that, the signature of the standard contractual clauses adopted by the European Commission (decision 2021/914);
  • the implementation, where appropriate, of additional measures (encryption, access restriction, content pseudonymisation).

You can obtain a copy or summary of these safeguards by writing to privacy@onirelo.com.

9. Retention periods

| Data | Retention period | |---|---| | User account, dream content, tags and profile | Until the user deletes their account. Deletion entails immediate and definitive removal, with no grace period. | | Billing data (invoices, supporting documents) | 10 years from the end of the relevant accounting year, under accounting and tax obligations (article L. 123-22 of the French Commercial Code) | | Technical connection logs | 12 months at most, in line with CNIL recommendations | | Error diagnostic data (Sentry or equivalent) | 90 days at most | | Consented audience measurement data | In line with CNIL recommendations (13 months for trackers; 25 months for derived anonymised statistics) | | Rights requests | 3 years from the last interaction, for evidentiary purposes | | Inactive accounts (no sign-in for 24 months) | Notification to the user, followed by deletion of the account if no response is received within a reasonable period |

10. Security

Onirelo implements appropriate technical and organisational measures to ensure the security of your data:

  • encryption of connections (TLS) between your browser and the Service;
  • encryption of data at rest at the database and hosting system level (Onirelo keeps the decryption keys needed to operate the Service; your content is therefore not end-to-end encrypted and remains technically accessible to our authorised staff);
  • password hashing;
  • restrictive access controls, logging of administrator access;
  • incident management policy and notification to the French data protection authority (CNIL) in the event of a breach posing a risk to your rights and freedoms, within 72 hours.

11. Your rights

In accordance with the GDPR and the French Data Protection Act, you have the following rights:

  • right of access to your data;
  • right of rectification of inaccurate or incomplete data;
  • right of erasure ("right to be forgotten");
  • right to restriction of processing;
  • right to object to processing, in particular for processing based on legitimate interest;
  • right to portability: you can receive your data in a structured, commonly used and machine-readable format;
  • right to withdraw your consent at any time when processing is based on consent, without affecting the lawfulness of processing carried out beforehand;
  • right to issue directives regarding the fate of your data after your death;
  • right to lodge a complaint with the French data protection authority (CNIL): 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr.

To exercise these rights, write to privacy@onirelo.com, providing proof of identity if there is reasonable doubt. We undertake to respond within one month, extendable by two months in cases of particular complexity.

12. Exporting your data

Self-service export from the interface is not yet available. In the meantime, you can request an export of your data (entries, tags, profile) by writing to privacy@onirelo.com. We undertake to provide a structured file in an open format within at most one month of your request.

13. Minors

The Service is reserved for people aged at least 16 years. We do not knowingly collect data concerning younger individuals. If you believe a minor under 16 has created an account, please write to privacy@onirelo.com so that the account can be deleted.

14. Cookies

The use of cookies and similar trackers on the Service is described in detail in the Cookie Policy, available separately.

15. Changes

This Privacy Policy may be updated to reflect changes to the Service, legislation or our practices. Any substantial change will be flagged to you through an in-Service message or by email before it enters into force.