Table of Contents
- Overview & Our Commitment
- Data We Collect
- Biometric & Health Data
- How We Use Your Data
- Data Sharing & Disclosure
- Data Retention
- Security Measures
- Cookies & Tracking Technologies
- Your Rights & Choices
- California Consumer Privacy Act (CCPA)
- GDPR & EEA / UK Users
- Children's Privacy
- International Data Transfers
- Third-Party Links & Services
- Changes to This Policy
- Contact & Data Requests
Your privacy matters to us deeply. Dreamz collects sensitive personal, biometric, and sleep-related data. We take this responsibility seriously and have built privacy protections into our core product and operations. This Policy explains exactly what we collect, why, and how you can control your data.
Overview & Our Commitment
Dreamz, Inc. ("Dreamz," "we," "our," or "us") is committed to protecting the privacy and security of your personal information, including the sensitive biometric and sleep data generated by our products. This Privacy Policy describes how we collect, use, disclose, store, and protect information we gather through our website at dreamz.sleep ("Site"), the Dreamz companion mobile application ("App"), and the Dreamz sleep neurotechnology device ("Device") — collectively referred to as our "Services."
This Policy applies to all current and former users, website visitors, waitlist registrants, customers, and anyone whose data Dreamz processes in connection with our Services.
Privacy-by-Design Principles
Our core privacy commitments include:
- Data minimization: We collect only what is necessary to provide and improve our Services;
- Purpose limitation: We use your data only for the specific purposes disclosed here;
- Transparency: We communicate clearly and plainly about data practices;
- Security: We implement technical and organizational safeguards appropriate to the sensitivity of the data;
- User control: We provide meaningful choices about how your data is used;
- No sale of health data: We do not sell your health or biometric data to third parties, ever.
Data We Collect
We collect the following categories of information:
| Category | Examples | Source |
|---|---|---|
| Identity Data | Name, email address, password (hashed) | You provide directly |
| Contact Data | Shipping address, billing address, phone number | You provide directly |
| Financial Data | Payment card type, last 4 digits, billing zip (full card data held by payment processor only) | You provide via checkout |
| Device & Biometric Data | EEG-derived brainwave signals, stimulation response data, sleep stage patterns, session timestamps | Dreamz Device sensors |
| Health & Wellness Data | Self-reported sleep history, wellness ratings, symptom logs, user questionnaire responses | You provide via App |
| Usage Data | Device session frequency, feature usage, app interaction patterns, session duration | Automatically via App & Device |
| Technical Data | IP address, browser type, operating system, device identifiers, time zone | Automatically via Site & App |
| Communications Data | Customer support messages, survey responses, feedback submissions | You provide directly |
| Marketing Data | Email preferences, waitlist registration, referral source | You provide directly / automatically |
We do not intentionally collect or solicit personal information from individuals under 18. See Section 12 for our Children's Privacy policy.
Biometric & Health Data
The Dreamz device collects data derived from surface electrical activity on the scalp and forehead — often described as EEG-style brainwave data. This category of data is treated with the highest level of privacy protection in our practices and under applicable law. We understand this is sensitive personal information.
What We Collect from the Device
- Real-time electrical signal patterns from skin-contact electrodes during sleep sessions;
- Derived sleep stage classifications (e.g., light sleep, deep sleep, REM-adjacent indicators);
- Stimulation delivery logs (timing, intensity level delivered);
- Session start/stop timestamps and total session duration;
- Device firmware version and hardware metrics (battery level, electrode contact quality).
How This Data is Stored
- Raw biometric signals are processed on-device and/or within the App; we transmit only derived/processed data to Dreamz servers, minimizing exposure of raw brainwave sequences;
- All biometric data is encrypted at rest at the database level (AES-256 or equivalent) and in transit via TLS 1.2+;
- Biometric data is stored separately from identity data and linked only via pseudonymous identifiers;
- We retain identifiable biometric data only as long as your account is active plus a defined window thereafter (see Section 6).
Applicable Biometric Privacy Laws
Dreamz acknowledges that collection of biometric data may be subject to laws such as the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), Washington My Health My Data Act, and similar state-level biometric privacy statutes. In jurisdictions where explicit written consent is required prior to collection, we obtain such consent separately through an in-app consent flow before the device is activated.
If you are located in Illinois, Texas, Washington, or any other jurisdiction with specific biometric data laws, please review the supplemental disclosures we provide during device setup.
No Sale of Biometric Data
Dreamz does not and will not sell, lease, trade, or profit from your biometric or health data. We do not share raw biometric data with third-party advertisers or data brokers under any circumstances.
How We Use Your Data
We use your data only for purposes compatible with those disclosed at the time of collection. Our primary purposes include:
Service Delivery
- Account creation and management;
- Processing and fulfilling orders, pre-orders, and waitlist registrations;
- Operating the Dreamz companion App and delivering personalized sleep insights;
- Syncing device data, generating sleep reports, and providing stimulation recommendations;
- Providing customer support and responding to inquiries.
Safety & Security
- Monitoring for adverse reactions or unusual usage patterns that may indicate a safety concern;
- Fraud detection and prevention;
- Enforcing our Terms of Service;
- Verifying identity for account recovery.
Research & Product Improvement
- Analyzing aggregated, de-identified sleep data to improve algorithm performance and stimulation protocols;
- Conducting internal research on the effectiveness of Dreamz technology across diverse user populations;
- We do not share identifiable individual data for external research without your explicit, separately obtained consent.
Communications
- Sending transactional emails (order confirmations, shipping updates, warranty communications);
- Sending product updates, waitlist status notifications, and service announcements — which you cannot opt out of while you have an active account;
- Sending marketing and promotional emails — only with your express consent, and always with a clear opt-out mechanism.
Legal & Compliance
- Complying with applicable laws, regulations, legal process, and government requests;
- Establishing, exercising, or defending legal claims;
- Meeting our regulatory and contractual obligations.
What We Do Not Do
- We do not use your biometric or health data to make decisions about your insurance, employment, housing, or credit eligibility;
- We do not sell your personal data to third-party data brokers or advertisers;
- We do not use your data to build ad-targeting profiles for third-party platforms;
- We do not allow third parties to collect your data from our Services for their own marketing purposes without your consent.
Data Sharing & Disclosure
We may share your personal information only in the following limited circumstances:
Service Providers
We engage vetted third-party companies to perform services on our behalf, including payment processing, cloud hosting, email delivery, analytics, and customer support tools. These service providers access your data only to perform services for us under contractual obligations that prohibit them from using or disclosing your data for any other purpose. Key sub-processors include:
- Cloud Infrastructure: Data is hosted on SOC 2 Type II certified cloud platforms (e.g., AWS or equivalent) with US-region data residency by default;
- Payment Processing: We use PCI-DSS compliant payment processors. Full payment card data is never stored on Dreamz servers;
- Email & Communications: Transactional and marketing emails are sent via third-party email platforms bound by data processing agreements;
- Analytics: We use privacy-focused analytics tools. We do not share identifiable personal data with advertising networks.
Legal Requirements
We may disclose your personal information if required to do so by law, regulation, legal process, or governmental authority, or if we believe in good faith that such disclosure is necessary to:
- Comply with applicable law or respond to valid legal process (e.g., subpoena, court order);
- Protect the rights, property, or safety of Dreamz, our users, or the public;
- Detect, prevent, or address fraud, security, or technical issues.
Business Transfers
In the event of a merger, acquisition, reorganization, sale of all or substantially all of our assets, or bankruptcy, your personal information may be transferred to the successor entity. We will notify you via email or prominent notice on the Site of any such change in ownership or control and of any choices you may have regarding your information.
With Your Consent
We may share your data with third parties when you have given us explicit, freely given, specific, informed consent to do so — for example, integrating with a third-party health platform (such as Apple Health or Samsung Health) that you explicitly authorize within the App.
What We Never Do
- We do not sell or rent personal data to any third party;
- We do not share biometric or health data with insurers, employers, law enforcement (absent a valid legal order), or data brokers;
- We do not disclose personal data to third parties for their own marketing or advertising purposes.
Data Retention
We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Our general retention approach:
- Account & identity data: Retained for the duration of your account, plus up to 3 years after account closure (to comply with legal and financial record-keeping requirements);
- Biometric & sleep data: Retained for the duration of your active account. Upon account deletion request, identifiable biometric data is deleted within 30 days from active systems and within 90 days from backup systems, unless retention is required by law;
- Purchase records: Retained for a minimum of 7 years to comply with tax and financial regulations;
- Customer support communications: Up to 3 years from the date of the last interaction;
- Marketing opt-in records: Retained for as long as you remain a subscriber, plus 3 years to document consent (the opt-out record is kept permanently);
- Anonymized/aggregated data: May be retained indefinitely as it no longer constitutes personal data.
If you request deletion of your account, we will process your request as described in Section 9. Deletion of some categories of data may be subject to legal retention obligations that override your request.
Security Measures
Dreamz implements a comprehensive set of technical and organizational security measures to protect your personal and biometric data against unauthorized access, loss, misuse, or destruction. These include:
Technical Safeguards
- Encryption in transit: All communications between the App, Device, and our servers use TLS 1.2 or higher;
- Encryption at rest: Databases containing personal and biometric data are encrypted using AES-256 or equivalent;
- Pseudonymization: Biometric data is stored separately from identity data and linked via non-guessable pseudonymous identifiers;
- Access controls: Role-based access controls (RBAC) ensure that only authorized personnel with a legitimate business need can access personal data;
- Multi-factor authentication (MFA): Required for all internal Dreamz systems containing customer data;
- Penetration testing: Regular third-party security assessments are conducted;
- Vulnerability management: Automated scanning and patch management processes are in place.
Organizational Safeguards
- All employees with access to personal data receive privacy and security training and are bound by confidentiality obligations;
- Third-party service providers are vetted and bound by data processing agreements;
- We maintain an incident response plan for data breaches.
Data Breach Notification
In the event of a data breach affecting your personal information, Dreamz will notify you as required by applicable law (and in any event within 72 hours of becoming aware of a breach involving EU/UK users), via email to the address associated with your account, and/or via a prominently displayed notice on the Site. We will provide relevant information about the breach, the likely consequences, and the measures taken or proposed to address it.
Your Role in Security
While we work hard to protect your data, no security system is impenetrable. You are responsible for maintaining the confidentiality of your account password and for notifying us at security@dreamz.sleep if you suspect unauthorized access to your account.
Cookies & Tracking Technologies
Dreamz's website uses cookies and similar tracking technologies to improve user experience, analyze site performance, and support our communications. Here is an overview of the tracking technologies we use:
Types of Cookies We Use
- Strictly Necessary Cookies: Essential for the Site to function (e.g., session management, shopping cart). Cannot be disabled;
- Analytics Cookies: Help us understand how visitors interact with the Site (e.g., page views, traffic sources). We use privacy-respecting analytics that do not create cross-site user profiles. These are only activated with your consent where required by law;
- Preference Cookies: Remember your settings and preferences (e.g., language, region). Activated with your consent;
- Marketing Cookies: We do not currently use marketing or ad-retargeting cookies. If we introduce them in the future, we will update this Policy and seek your consent.
Your Cookie Choices
On your first visit, a cookie consent banner will allow you to accept or reject non-essential cookies. You can also manage your cookie preferences at any time by clicking "Cookie Settings" in the footer of the Site. Additionally:
- Most browsers allow you to refuse or delete cookies through browser settings — see your browser's help documentation for details;
- You may opt out of analytics tracking by using your browser's Do Not Track signal (where we honor this) or by adjusting your cookie preferences;
- Mobile device tracking (App analytics) can be limited through your device's privacy settings (e.g., Limit Ad Tracking on iOS, Opt out of Ads Personalization on Android).
Third-Party Analytics
We may use third-party analytics services. These services may set cookies on your device. We contractually restrict these providers from using data collected through our Site for any purpose other than providing analytics services to us. We do not permit advertising networks or social media platforms to set tracking cookies on our Site.
Your Rights & Choices
Depending on your location, you may have some or all of the following rights regarding your personal data. We honor these rights regardless of your jurisdiction where technically and legally feasible.
- Request a copy of all personal data we hold about you, including your sleep and biometric data.
- Request that we correct inaccurate or incomplete personal information we hold about you.
- Request that we delete your personal data ("right to be forgotten"), subject to certain legal retention obligations.
- Request your personal data in a structured, machine-readable format (e.g., JSON or CSV export of your sleep data).
- Request that we restrict processing of your data while we investigate a dispute or verify its accuracy.
- Object to processing of your data for direct marketing or where we rely on legitimate interests as our legal basis.
- Where processing is based on consent (including biometric data consent), withdraw it at any time without affecting prior lawful processing.
- Unsubscribe from marketing emails at any time via the "unsubscribe" link in any email or in your App account settings.
How to Exercise Your Rights
To exercise any of the rights above, submit a request to privacy@dreamz.sleep or via the in-App "Data & Privacy" settings. We will verify your identity before processing any request and respond within:
- 45 days for California residents (CCPA) — extendable once for an additional 45 days with notice;
- 30 days for EEA/UK residents (GDPR) — extendable to 3 months with notice;
- 45 days for other users — subject to applicable law.
We do not charge fees for processing rights requests unless they are manifestly unfounded, repetitive, or excessive.
California Consumer Privacy Act (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). This section supplements the information elsewhere in this Policy.
Categories of Personal Information Collected
In the past 12 months, Dreamz has collected the following categories of personal information as defined under the CCPA: identifiers; commercial information; biometric information; internet or other electronic network activity information; geolocation data (city/region level); inferences drawn from personal information to create a profile about you.
Sale & Sharing of Personal Information
Dreamz does not sell personal information as defined by the CCPA. Dreamz does not share personal information for cross-context behavioral advertising. Accordingly, we do not offer a "Do Not Sell or Share My Personal Information" opt-out mechanism because we do not engage in these activities. If this changes, we will update this Policy and implement the required opt-out before doing so.
Sensitive Personal Information
We collect "sensitive personal information" as defined by the CPRA (including biometric data). We collect this information only to the extent necessary to provide the Services and do not use it for inferring characteristics about you for advertising purposes. You may limit our use of sensitive personal information, where applicable, by contacting us or adjusting your preferences in the App.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge different prices, provide a different level of service, or suggest that you may receive a different level of service for exercising your privacy rights.
Authorized Agent
You may designate an authorized agent to submit requests on your behalf. We will require verification that the agent is authorized to act on your behalf and may require additional identity verification from you directly.
GDPR & EEA / UK Users
If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom (UK), Dreamz processes your personal data in compliance with the General Data Protection Regulation (EU GDPR) and the UK GDPR, as applicable. Dreamz, Inc. acts as the data controller for data collected through the Services.
Legal Bases for Processing
We rely on the following legal bases to process your personal data:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to fulfill your order, manage your account, and deliver the Services you have requested;
- Legitimate interests (Art. 6(1)(f) GDPR): Processing for fraud prevention, security, product improvement, and direct marketing to existing customers (subject to your right to object);
- Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR): Processing of biometric/health data and optional marketing communications — you may withdraw consent at any time without affecting prior lawful processing;
- Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable EU/UK law.
International Transfers
Dreamz is headquartered in the United States. Personal data from EEA/UK users is transferred to the US under Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and contractual safeguards. See Section 13 for details.
Data Protection Officer
Dreamz has appointed a Data Protection Officer (DPO) who can be reached at: dpo@dreamz.sleep.
Right to Lodge a Complaint
EEA residents have the right to lodge a complaint with their local supervisory authority (e.g., the Data Protection Authority in their EU member state). UK residents may contact the Information Commissioner's Office (ICO). However, we encourage you to contact us first so we can try to resolve your concern directly.
Children's Privacy
The Dreamz device, App, and website are not directed at children under the age of 18, and we do not knowingly collect personal information from anyone under 18.
In the United States, we comply with the Children's Online Privacy Protection Act (COPPA). If we learn that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will promptly delete that information from our systems.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at privacy@dreamz.sleep. We will investigate and take prompt corrective action.
International Data Transfers
Dreamz is operated from the United States. If you are accessing our Services from outside the United States, please be aware that your personal information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws different from those in your home country.
When we transfer personal data from the EEA, UK, or Switzerland to the United States or other third countries, we do so only using one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) adopted or approved by the European Commission or the UK's Information Commissioner's Office;
- The EU-US Data Privacy Framework (for participating service providers);
- Other legally recognized transfer mechanisms as applicable.
You may request more information about the specific safeguards we use for international transfers by contacting us at privacy@dreamz.sleep.
Third-Party Links & Services
Our Site and App may contain links to third-party websites, platforms, or services (such as social media pages, research articles, or partner integrations). We are not responsible for the privacy practices of those third parties. This Privacy Policy applies only to information collected by Dreamz through our own Services.
Before sharing any personal information with a third-party site or service, we encourage you to review that party's privacy policy. Third-party integrations enabled by you within the App (e.g., connecting to Apple Health or Google Fit) are governed by those platforms' privacy policies, in addition to the limited data sharing governed by your explicit authorization within our App.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes to this Policy, we will:
- Update the "Last Updated" date at the top of this page;
- Send a notification email to all registered users;
- Display a prominent banner on the Site for a period after the update;
- Where required by applicable law (e.g., for changes to processing biometric data), seek fresh consent from you before the changes take effect.
Your continued use of the Services after such updates constitutes your acknowledgment of the revised Policy. If you disagree with any updates, you must stop using the Services and may request deletion of your account and associated personal data.
We encourage you to review this Policy periodically. Prior versions of this Policy can be requested by contacting privacy@dreamz.sleep.
Contact & Data Requests
For any questions, concerns, or requests related to your privacy or this Privacy Policy, please reach out to us:
- Privacy & Data Rights Requests: privacy@dreamz.sleep
- Data Protection Officer (EU/UK): dpo@dreamz.sleep
- General Inquiries: hello@dreamz.sleep
- Security Concerns: security@dreamz.sleep
- Mailing Address: Dreamz, Inc., Attn: Privacy Team, [Address], Delaware, USA
We aim to acknowledge all privacy requests within 5 business days and to resolve them within the applicable legal timeframes.
If you are not satisfied with our response, you have the right to escalate your complaint to your local data protection authority or, where applicable, seek a judicial remedy.