Onyrix

1. Who We Are & Scope

Onyrix ("we," "us," "our") is a dream journaling and analysis application headquartered in British Columbia, Canada. We serve users globally and comply with applicable privacy laws in the jurisdictions where our users reside, including but not limited to:

Canada: PIPEDA & BC PIPA
European Union/UK: GDPR & UK GDPR
United States: CCPA/CPRA (California) & applicable state laws
Australia, Brazil, India, and others: Local data protection regulations where applicable

2. Information We Collect

"Personal information" refers to any data that can identify you, directly or indirectly. We collect only what is necessary for core functionality or with your explicit consent.

Category	Examples	Purpose
Account Data	Email, authentication tokens, profile preferences	Account creation, secure login, personalization
Dream Content	Journal text, tags, emotions, symbols, archetypes, sleep quality, lucidity status	Core journaling, AI analysis, personal insights
Usage & Telemetry	Feature interactions, analytics mode selection, error logs, session metadata	App stability, privacy compliance, performance optimization
Voice Data	Processed text from voice commands (audio is captured/processed locally and not stored on servers)	Hands-free navigation, text-to-speech summaries
Device & Network	IP address, browser/OS type, approximate region (via CDN)	Security, fraud prevention, service delivery

We do NOT intentionally collect: Government IDs, financial/payment information, precise geolocation, or clinical health diagnoses. We advise users to avoid including highly sensitive identifiers in dream text.

3. How & Why We Use Your Information

We process your data only with your consent, to fulfill our service agreement, for legitimate interests, or as required by law.

Processing Activity	Legal Basis (Global)	Notes
Account creation & authentication	Contractual necessity / Consent	Required to provide the service
Dream journaling & AI analysis	Explicit consent (withdrawable)	Core feature; Local mode requires no external processing
Collective insights & comparisons	Explicit opt-in consent	Anonymized & aggregated; never tied to identity
Security, fraud prevention, debugging	Legitimate interest	Minimal, non-identifiable technical data
Legal compliance & dispute resolution	Legal obligation	Only when required by applicable law

4. Your Privacy Controls

Onyrix is built with privacy by design. You control exactly how your data is used:

Analytics Mode: Local (all analysis runs in your browser) or Server (AI insights via secure API routing).
Dream Privacy Levels: Private, Anonymous (contributes to collective trends without identity), or Public.
Granular Element Controls: Opt out specific elements (text, symbols, emotions, tags, archetypes) from collective sharing.
Exclude from Insights: Flag sensitive dreams to remove them from all analytics without deleting the entry.
Retention Policy: Set auto-deletion timelines (30 days, 1 year, 2 years, forever).
AI Consent Gate: Require explicit confirmation before any dream content is sent for server-side analysis.
Data Export & Deletion: Request full JSON/CSV export or permanent account deletion anytime via Settings.

5. Data Protection & Security

We implement technical and organizational measures proportional to the sensitivity of dream and wellness data:

Encryption: Data encrypted at rest (Supabase PostgreSQL) and in transit (TLS 1.3+)
Access Control: Row-Level Security (RLS) ensures users can only access their own records; collective queries use strictly anonymized aggregates
Authentication: Supabase Auth with secure session management, optional MFA readiness
Data Minimization: Local Analytics mode keeps all processing client-side. Server mode transmits only necessary fields for inference.
Operational Security: Access logs maintained, staff trained on privacy protocols, regular security reviews

6. Third Parties & AI Processing

OpenRouter (AI API Gateway)

In Server Analytics mode, dream content is securely transmitted to OpenRouter's API for real-time analysis.
OpenRouter routes requests to selected AI model providers (e.g., Anthropic, Google, Meta) strictly for inference.
No training or profiling: Onyrix and our routing partners do not use your dream content to train, fine-tune, or profile AI models.
OpenRouter Privacy Policy: https://openrouter.ai/privacy

Supabase (Database, Auth & Hosting)

Provides PostgreSQL storage, authentication, and edge functions.
Acts as a Data Processor under a Data Processing Addendum (DPA) with GDPR/PIPEDA-compliant safeguards.
Supabase Privacy Policy: https://supabase.com/privacy

Other Services

Error Monitoring: Privacy-respecting tools (e.g., Sentry) with IP anonymization and no PII collection.
Analytics (optional): If enabled, we use cookie-less, anonymized analytics (e.g., Plausible) that do not track individuals.

7. International Data Transfers

Onyrix operates globally. Depending on your settings, data may be processed across borders:

Primary Storage: Canada (where available)
AI Routing: United States / EU / other regions via OpenRouter's infrastructure
CDN/Edge: Global nodes for performance (no personal data cached)

Safeguards

Local Analytics Mode: Data never leaves your device, avoiding cross-border transfers entirely.
Server Mode: Transfers are limited to inference-only. We rely on adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent contractual safeguards to ensure protection comparable to GDPR/PIPA standards.
You may contact us to inquire about regional processing options for enterprise/organizational accounts.

8. Data Retention & Deletion

Retention follows your selected policy (30d, 1y, 2y, forever).
Deleted data is purged from active systems within 30 days. Backup copies may persist longer per infrastructure retention schedules but are logically excluded from access.
Anonymized collective data (if you opted in) may be retained indefinitely in aggregated, non-reversible form.

9. Your Rights (Global)

Depending on your location, you may have the following rights:

Right	Applicable Regions	How to Exercise
Access & Portability	EU, UK, CA, BC, AU, BR, Global	Settings > Export or contact privacy@onyrix.app
Correction	Global	In-app editing or contact support
Deletion / Right to be Forgotten	EU, UK, CA, CCPA, BC, Global	Settings > Delete Account or email privacy@onyrix.app
Withdraw Consent	EU, UK, CA, Global	Switch to Local Analytics or disable AI in Settings
Opt-out of "Sale/Sharing"	California (CCPA/CPRA)	Onyrix does not sell data. Server AI routing is not "sharing" for cross-context advertising. Use Local mode to opt out.
Non-Discrimination	California	Exercising rights will not affect service access (may limit AI features)
Lodge Complaint	EU/UK/CA/AU	Contact your local supervisory authority (see Section 12)

We respond to verified requests within 30 days (or as required by local law).

10. Children & Age Restrictions

Onyrix is intended for users aged 16 or older, or the age of digital consent in your jurisdiction, whichever is higher. We do not knowingly collect personal information from individuals below this threshold. If you believe a minor has submitted data, contact us immediately for secure deletion.

11. Changes to This Policy

We may update this policy to reflect product changes, legal requirements, or industry standards. Material changes will be communicated via in-app notice or email at least 30 days before taking effect. Continued use after the effective date constitutes acceptance of the updated policy.

12. Contact & Supervisory Authorities

For privacy inquiries, data requests, or complaints:

Email: privacy@onyrix.app
In-App: Settings > Help & Support > Privacy Inquiry

Regional Supervisory Authorities

BC/Canada: Office of the Information and Privacy Commissioner for BC (https://www.oipc.bc.ca)
EU: Your national data protection authority (e.g., CNIL, ICO, BfDI)
UK: Information Commissioner's Office (https://ico.org.uk)
California: California Privacy Protection Agency (https://cppa.ca.gov)

This policy was drafted with reference to:

• BC Personal Information Protection Act (PIPA), S.B.C. 2003, c. 63
• Canada PIPEDA, S.C. 2000, c. 5
• EU/UK General Data Protection Regulation (GDPR)
• California CCPA/CPRA
• OECD Privacy Guidelines & Global Privacy Framework best practices

Onyrix Privacy Policy