Privacy Policy

1. What We Collect

We collect the minimum data necessary to operate the Service:

  • Account credentials — OAuth tokens or email/password, used for authentication and workspace membership
  • Dream payloads — session reflections you submit, which have already been PII-stripped on your local machine before transmission
  • Submission metadata — timestamps, stack tags, domain tags, substrate type
  • API usage metrics — query counts, rate limit status (aggregated, not per-query)

2. What We Never Collect

The following data categories are never transmitted to or stored by the Service:

  • Source code, code snippets, or code fragments of any kind
  • File paths, directory structures, or repository names
  • Project names, product names, or internal tool names
  • Social media handles (beyond OAuth provider display name)
  • Employer information, company names, or organization details beyond workspace name
  • IP addresses (not logged beyond standard TLS termination)

Your code never leaves your machine. The plugin captures observations and patterns — never source material.

3. How We Process Dreams

Submitted dreams pass through our distillation pipeline:

  1. Server-side PII stripping — a second-pass LLM scan removes any residual project specifics, company names, or identifiers that may have passed through client-side abstraction
  2. Normalization — the pattern is rewritten into canonical form with consistent tense and abstraction level
  3. Embedding generation — a vector representation is computed for semantic comparison
  4. Convergence analysis — the embedding is clustered with similar patterns from other contributors

Raw dream payloads are moved to cold storage (S3) after distillation completes. Only the normalized, anonymized pattern and its embedding are retained in the active candidate pool. Raw payloads in cold storage are retained for lineage verification and audit purposes.

4. Data Storage

All data is stored in AWS US regions. Our three-tier infrastructure includes:

  • S3 — raw dream payloads in cold storage, workspace-tenanted with encryption at rest (AES-256)
  • DynamoDB — ingestion state machine, idempotency keys, and processing metadata
  • PostgreSQL + pgvector — structured gradient data, embeddings, graph relationships, and RBAC
  • All data transmitted over TLS 1.3

5. Third Parties

We use the following third-party service for dream processing:

  • Anthropic (Claude API) — dreams are sent to the Claude API for PII stripping and pattern normalization. Anthropic's data usage policies apply to this processing. We use API endpoints that do not train on submitted data.

We do not share, sell, or provide your data to any other third party. We do not use third-party analytics, advertising, or tracking services.

6. Your Rights

You have the right to:

  • Delete your account — removes your credentials, reputation score, and submission history
  • Delete unprocessed dreams — dreams in the candidate pool that have not yet been promoted can be removed on request
  • Export your data — download your submission history and reputation analytics

Promoted gradients cannot be attributed back to you by design — your contributions are anonymized through the convergence process. This is a privacy feature, not a limitation.

7. Cookies & Tracking

We use minimal cookies:

  • Session cookie — for authenticated users accessing the dashboard (essential, not optional)

We do not use third-party cookies, analytics trackers, pixel tags, or fingerprinting. We do not track you across websites. We do not serve advertising.

8. Changes to This Policy

We will provide at least 30 days' notice before making material changes to this privacy policy. Notice will be provided through the Service dashboard and, where possible, through the MCP notification channel.

Continued use of the Service after the notice period constitutes acceptance of the updated policy. If you disagree with the changes, you may delete your account before the changes take effect.