Last updated: 2026-04-26

Privacy Policy

This Privacy Policy describes how Dreemdex (“we”, “us”, “our”) collects, uses, and shares your personal information when you use dreemdex.com (the “Site”) or otherwise interact with us. We try to keep this honest and specific to what we actually do, rather than copy a generic template.

Who we are

Dreemdex is a South Korean business (registration 784-04-03248) at 1092, Gyeongui-ro, 808-A60, Paju-si, Gyeonggi 10908, Republic of Korea. For the purposes of GDPR and similar laws, we are the data controller for personal information collected via the Site. You can reach us anytime at info@dreemdex.com.

What we collect

The personal information we collect is limited to what we actually need to do business with you.

You give us directly

Lead-form data: email address, first name, your answers to a small set of survey questions on the funnel page (e.g. “What’s your primary application?”).
Marketing consent: a record that you ticked the consent checkbox, the exact text you agreed to, the version of that text, and the URL of the form.
Customer support: anything you choose to include when you email support@dreemdex.com or info@dreemdex.com.

Collected automatically when you visit

Technical data: IP address, user agent, referring URL, page path, screen size, and timestamps. We use these for analytics, fraud prevention, rate limiting, and understanding how the funnel performs.
Cookies and similar identifiers: see Cookies below.

We do not currently collect

Payment card details (we do not yet accept payment on this Site).
Account credentials (we do not yet offer user accounts).
Government-issued IDs or precise geolocation.

How we use it

We use the information above only for the purposes listed here.

Deliver the lead magnet and follow-up emails you signed up for. Our lawful basis under GDPR is your explicit consent, recorded as described above.
Operate and secure the Site: rate limiting (per-IP, sliding window), CAPTCHA, server logs, and abuse prevention. Lawful basis: legitimate interest in keeping the Site available and free of abuse.
Measure marketing performance: page views, funnel steps, and form submissions, tied to a session identifier and (where you have consented to marketing) third-party advertising platforms. Lawful basis: consent for marketing analytics; legitimate interest for first-party analytics.
Comply with the law, respond to legal requests, and enforce our Terms of Service.

We do not use your information for automated decision-making that has a legal or similarly significant effect on you.

Who we share it with

We use a small number of vetted service providers (“subprocessors”) to actually run the Site. We do not sell your personal information for money. Where required, we treat sharing for cross-context behavioral advertising (e.g. Meta Pixel, Google Ads) as a “sale” or “share” under California law and let you opt out — see your rights.

Subprocessor	Purpose
Supabase Inc. (US)	Database hosting (Postgres) for leads, consent records, funnel events.
Amazon Web Services (US)	Email delivery via Amazon SES for the welcome / nurture sequence.
Cloudflare, Inc. (US/global)	DNS, edge caching, Turnstile CAPTCHA, Worker for unsubscribe routing.
Vercel Inc. (US)	Application hosting and serverless functions for the storefront.
Upstash, Inc. (US)	Redis for IP-based rate limiting (short-lived counter only).
Meta Platforms, Inc. (US)	Meta Pixel and Conversions API for ad measurement, when you have consented to marketing cookies.
Google LLC (US)	Google Analytics 4 and Google Ads conversion tracking, when you have consented to analytics or marketing cookies.

We may also disclose information when legally required (e.g. subpoena, court order), in connection with a corporate transaction (merger, acquisition, asset sale), or to protect our rights and the rights of others. Each subprocessor processes personal information only on our instructions, under a written data-processing agreement.

Cookies and similar technologies

We use a small set of cookies. The first time you visit, our consent banner asks you to choose: necessary cookies only, or all cookies including analytics and marketing.

Necessary (always on): a consent_state cookie storing your choice for up to 13 months, plus short-lived session cookies for CSRF and rate limiting. Required for the Site to function.
Analytics (consent required): Google Analytics 4 (_ga, _ga_*) for aggregate visit measurement.
Marketing (consent required): Meta Pixel (_fbp, _fbc) and Google Ads identifiers for ad measurement and retargeting.

You can revisit your choice at any time via the “Cookie preferences” link in the footer or by clearing cookies in your browser. We honour the Global Privacy Control (GPC) signal as a request to opt out of sale and sharing.

How long we keep it

Lead and consent records: kept while your subscription is active and for up to 36 months after you unsubscribe, so we can prove you opted in if a complaint or audit arises (ICNA / CAN-SPAM / GDPR Article 7 burden of proof).
Funnel events (page views, form submissions): up to 24 months in aggregate form, then deleted or anonymised.
Server logs: up to 30 days, then deleted.
Customer support emails: up to 24 months after the conversation closes.

Your rights

Depending on where you live, you have some or all of the following rights over your personal information. We will respond to verifiable requests within the timeframe required by law (typically 30 days under GDPR, 45 days under CCPA).

Access a copy of the information we hold about you.
Correct inaccurate information.
Delete information (subject to legal exceptions).
Port your information to another service.
Object to processing or restrict it.
Withdraw consent at any time, including unsubscribing from marketing emails.
Opt out of “sale” or “share” for cross-context behavioral advertising (US residents) by declining marketing cookies in our banner or sending a GPC signal.
Lodge a complaint with your local data-protection authority. EEA residents can find theirs via the European Data Protection Board. Korean residents may contact the Personal Information Protection Commission (PIPC).

To exercise any of these rights, email info@dreemdex.com. We may need to verify your identity (typically by replying from the email address on record) before acting on a request.

Children

The Site and Services are not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has given us personal information, contact us and we will delete it.

International transfers

We are based in South Korea and most of our subprocessors are based in the United States. When personal information moves out of the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (or the equivalent UK International Data Transfer Addendum) with our subprocessors. The European Commission recognised South Korea as providing an adequate level of data protection in December 2021, so transfers to Korea do not require additional safeguards.

Security

We use TLS for all traffic, hash sensitive identifiers before sending them to third parties (e.g. SHA-256 email hash for Meta Conversions API), restrict database access via Row-Level Security, and rotate credentials periodically. No system is perfectly secure, and we cannot guarantee that data sent to us across the Internet is intercept-proof.

Changes to this policy

We may update this Privacy Policy from time to time. We will revise the “Last updated” date at the top and, for material changes, give you reasonable notice before they take effect.

Contact

For privacy questions or requests: info@dreemdex.com.

Postal address: Dreemdex, 1092, Gyeongui-ro, 808-A60, Paju-si, Gyeonggi 10908, Republic of Korea.