Effective date: 2026-01-15

Release: 1.0.0

Connected Dreams / Origin – Privacy Policy

This Privacy Policy explains how Connected Dreams B.V. (“Connected Dreams”, “we”, “us”) collects and uses personal data when you use Connected Dreams / Origin (the “Service”), visit our websites, or communicate with us.

We do not sell personal data, and we do not send marketing emails.

1. Our role: Controller vs Processor

  1. For account administration, security, support, and website operations, Connected Dreams acts as a data controller.
  2. For Customer Content stored in the Service (documents, requirements, tests, uploaded files), Connected Dreams typically acts as a data processor on behalf of the customer organization (the customer is the controller). For business customers, our DPA is available at: https://connecteddreams.com/legal/dpa

2. What personal data we process

We minimize personal data. Depending on how you use the Service:

2.1. Account and identity data

  1. Email address (login identifier)
  2. Internal identifiers (including GUID-based IDs tied to email in an internal lookup table)
  3. Workspace membership, roles, permissions
  4. Optional profile data you provide (e.g., display name)

2.2. Authentication and session data

  1. Session identifiers/tokens and security metadata required to keep you signed in and prevent abuse (see Cookies and similar technologies (Cookie Policy)

2.2.3. Third-party sign-up and sign-in

If you choose “Sign in with Google”, you will be redirected to Google to authenticate. This means your browser connects to Google, and Google may receive information such as your IP address, device information, and cookie identifiers, in accordance with Google’s own privacy and cookie policies.

If you use this option, we receive limited account information from Google (typically your name, email address, and profile picture) so we can create or log you into your account.

You can always choose an alternative sign-up method (for example email sign-in).

2.4. Operational communications

  1. Operational emails (password reset, invite emails, security notices, trial expiration reminders, subscription activation reminders)
  2. Support emails and messages you send to us and our replies

We do not send marketing newsletters or promotional emails.

2.5. Payment and billing (via Paddle as Merchant of Record)

Payments are handled by Paddle as Merchant of Record. Paddle processes payment method details and billing information. We typically receive limited transaction metadata required for account administration, support, and accounting (e.g., plan, billing status, transaction references).

2.6. Logs and diagnostic data

To operate and secure the Service we process:

  1. Server logs (may include IP address, timestamps, request metadata, security/audit events)
  2. Client error reports (error messages and diagnostic information sent from the application)

Typical retention:

  1. Server logs: up to 90 days
  2. Error logs: up to 180 days

(We may retain specific records longer where required for security investigations or legal obligations.)

2.7. Customer Content (may contain personal data)

Customer Content is created by customers and may include personal data depending on what users write/upload. Customers control what they put into the system.

3. How we use Customer Content (no secondary use / no AI training)

Customer Content is yours.

  1. We do not sell Customer Content.
  2. We do not use Customer Content for advertising.
  3. We access and process Customer Content only as necessary to provide, secure, and maintain the Service (for example: storing and displaying your content, applying permissions, creating backups, preventing abuse, and providing support at your request).

We do not use Customer Content (including prompts, uploads, or generated outputs within your tenant) to train or improve machine learning or AI models, except if you explicitly opt in via a separate agreement or a clearly identified product setting.

4. Purposes and legal bases

We process personal data only when we have a lawful basis, such as:

  1. Contract: provide the Service, authentication, workspace features, operational emails
  2. Legitimate interests: security, abuse prevention, reliability, debugging, service improvement
  3. Legal obligations: accounting and tax requirements related to billing

5. Cookies and similar technologies (Cookie Policy)

We only use functional / strictly necessary cookies and similar storage needed to run the Service and keep it secure.

5.1. What we use cookies for

  1. Keeping you signed in and maintaining session state
  2. Security features (e.g., CSRF protection, abuse prevention)
  3. Essential preferences needed for service operation (where applicable)

5.2. What we do not use cookies for

  1. Advertising/marketing cookies
  2. Cross-site tracking
  3. Third-party marketing analytics cookies

If we introduce non-essential cookies in the future, we will update this policy and request consent where required.

5.3. Authentication cookies

We use SuperTokens for authentication. The Service uses strictly necessary cookies/storage items to manage secure sessions (exact cookie names may vary by configuration).

5.4. Third party services

If you choose ‘Sign in with Google’, you’ll be redirected to Google. Google may set cookies/identifiers as described in their cookie policy. You can always choose an alternative sign-up method (for example email sign-in

5.5. Payment-related cookies (Paddle)

When you access payment/checkout flows, Paddle may set cookies required for payment processing and fraud prevention.

5.6. Managing cookies

Because we use only strictly necessary cookies, we generally do not show an opt-in cookie banner. You can manage cookies through browser settings; disabling essential cookies may prevent the Service from functioning properly.

6. Where data is hosted and processed

  1. Default hosting: Customer Content is hosted in Europe and/or The United States.
  2. We also use cloud services for DNS and backup storage, and service providers for payments and email delivery.

7. Sharing and processors

We share personal data only as needed to provide the Service. Key subprocessors include:

  1. Paddle (payments, invoicing, taxes, refunds)
  2. Hetzner (primary hosting/infrastructure)
  3. AWS (DNS and backup storage in cloud buckets)
  4. Google Cloud (DNS and backup storage in cloud buckets)
  5. SendGrid (operational email delivery)
  6. SuperTokens (authentication/session management)
  7. OpenAI (AI)
  8. Friendly Captcha (bot/fraud prevention on forms)

8. International transfers

Some subprocessors may process data outside the EEA or USA.

9. Data retention

  1. Workspace data: retained while active.
  2. After cancellation: retained for 90 days, then may be deleted.
  3. Cloud backups (cloud plans): automatic backups with an archive retention lock of approximately 3 months.
  4. Billing/accounting records: retained as required by law.

10. Security

We use appropriate technical and organizational measures to protect data. A high-level overview is available at:

https://connecteddreams.com/legal/security

11. Your rights

Depending on your location and role (controller/processor relationship), you may have rights to access, correct, delete, restrict or object to processing, and data portability.

If your request relates to Customer Content controlled by your organization, we may redirect you to the relevant controller.

EU/EEA residents may lodge a complaint with their supervisory authority (e.g., in the Netherlands: Autoriteit Persoonsgegevens).

12. Children

The Service is intended for professional use and is not directed to children.

13. Changes

We may update this policy from time to time. The effective date indicates when the latest version takes effect.

14. Contact details

Connected Dreams B.V.

Address: Houthavenkade 21, 1014 ZB Amsterdam, The Netherlands

Chamber of Commerce (KvK): 34292834

VAT: NL8189.56.550.B01

Email: info@connecteddreams.com