Effective — April 20, 2026Last revised — April 20, 2026Version — 1.0
§ 01Who we are
Veil is a service that delivers interpretive writing on dreams and natal astrology via SMS text message. This policy describes the practices of [LEGAL ENTITY NAME] ("Veil," "we," "us," "our"), the controller of your personal information under applicable data protection law.
Registered address: [REGISTERED BUSINESS ADDRESS].
We are a small team. One of us will read your privacy request personally. We do not have a "Privacy Operations Center." We will behave accordingly.
§ 02What we collect
We collect only what Veil needs to function. Categories of personal information processed:
Contact data
Your mobile phone number, used as your primary identifier. Optional: email address if you provide one for account recovery.
Birth data
Date of birth, time of birth (hour and minute, to the precision you provide), and place of birth (city, or latitude/longitude). Required to calculate a natal chart.
Dream content
The text of dreams you choose to share, along with timestamp and any images you attach (MMS). This is the most sensitive category we handle — see § 04.
Astrological derivations
Calculated natal placements, transits, and aspects derived from your birth data. Stored so we do not recompute them on every message.
Message history
The full two-way record of messages between you and Veil, including our replies, timestamps, and delivery status.
Technical metadata
Carrier-supplied message metadata (country code, approximate region from phone prefix), delivery receipts, and error codes returned by the SMS gateway.
Website data
If you visit our website, basic server logs (IP address, user agent, pages requested, timestamps) retained for security and abuse prevention.
Payment data
If Veil offers paid plans: handled by a third-party processor (Stripe or equivalent). We store only transaction identifiers and subscription status — never your card number or CVV.
We do not collect: your location beyond the birth-place you tell us, your contacts, your photos beyond what you send directly, your calendar, or any data from other apps on your phone.
§ 03Why we collect it
Each category above maps to a specific purpose:
Phone number — to send and receive your messages, and to identify which account a message belongs to.
Birth data — to calculate your natal chart, which forms the astrological basis of your readings.
Dream content — to respond to you thoughtfully. Without the text of your dream, we cannot interpret it.
Message history — to maintain continuity in the relationship (so we can reference what you told us last week), and for your records.
Technical metadata — to diagnose delivery failures, prevent abuse, and comply with SMS carrier requirements.
Website data — to keep the site available and to block automated attacks.
We do not use your personal data to train machine learning models, to build an advertising profile of you, or to enrich it with data purchased from brokers. We never will.
§ 04Dream content — a note
Dreams are not ordinary data. They contain, routinely and without warning, material that relates to sexual life, mental and physical health, grief, trauma, religious and philosophical beliefs, and the identities of third parties (partners, children, family members, colleagues). Some of these categories are classified as special category data under Article 9 of the UK GDPR and EU GDPR.
Veil treats the entire corpus of your dream content as special category data by default, regardless of its actual contents, and processes it only on the basis of your explicit consent (GDPR Art. 9(2)(a)) — which you give by signing up and sending us a dream, and which you can withdraw at any time (see § 12).
Specific commitments regarding dream content:
Dream content is stored in an encrypted-at-rest database (see § 11) and accessed only to generate your replies and for the retention purposes listed in § 10.
Dream content is never shared with advertisers, data brokers, or any third party not listed as a subprocessor in § 07.
Dream content is never used to train the language model that replies to you, nor any other model, ours or anyone else's.
We will not use dream content for any new purpose without first asking you clearly and giving you a way to say no.
If our AI subprocessor (currently Anthropic) modifies their data handling in a way that would permit training on your content, we will either migrate away from them or obtain your fresh consent. We will not let it happen quietly.
If you are in crisis
Veil is not an emergency service, a therapist, or a substitute for mental health care. If a dream surfaces material you need immediate support for — suicidal ideation, trauma flashbacks, a crisis of any kind — please contact a crisis line. In the United States, dial or text 988. In the UK, Samaritans at 116 123. Elsewhere, findahelpline.com. We hold this seriously.
§ 05Legal basis for processing (GDPR)
For users located in the UK, EEA, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:
Contract (Art. 6(1)(b)) — to deliver the Veil service you signed up for. Covers phone number, birth data, astrological derivations, and message exchange.
Explicit consent (Art. 9(2)(a)) — for processing dream content and any other special category data contained within it. You may withdraw consent by texting STOP or DELETE, or by emailing us (see § 12).
Legitimate interests (Art. 6(1)(f)) — for security logging, abuse prevention, and protecting the integrity of our service. We have assessed that these interests do not override your rights and freedoms; you may object at any time.
Legal obligation (Art. 6(1)(c)) — where required to comply with law, court order, or valid regulatory request.
§ 06Who we share personal data with
We share personal data only with:
Subprocessors listed in § 07, strictly in order to deliver the service.
Professional advisors (lawyers, accountants, auditors) under confidentiality obligations, on a need-to-know basis.
Law enforcement or government, only when compelled by valid legal process, and we will (where legally permitted) notify you first.
An acquirer, in the event of a merger, acquisition, or sale of substantially all of our assets — in which case the acquirer is bound by this policy or will give you notice and a choice.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under US state privacy laws (see § 13).
§ 07Subprocessors
These are the third-party services Veil relies on to operate. Each is bound by a data processing agreement (or equivalent terms) that restricts their use of your data to providing their service to us.
Provider
Role
Data received
Location
Anthropic, PBC
AI language model (Claude) that drafts your replies
Your dream text, relevant prior message history, birth-chart summary for context
United States
Supabase Inc.
Database, authentication, storage
All categories in § 02 except payment card data
United States (or region of your Supabase project)
Blooio
iMessage / SMS gateway for sending and receiving texts
Phone number, message content, delivery metadata
United States
AstrologyAPI
Ephemeris calculation (natal chart, transits)
Date, time, and location of birth
Provider-dependent (see their privacy policy)
Cloudflare, Inc.
Website hosting, CDN, DDoS protection
Website traffic metadata (IP, user agent, request logs)
Globally distributed edge network
n8n GmbH (self-hosted or cloud)
Workflow orchestration between the above services
All data types in transit, held transiently during execution
EU (if n8n Cloud) or our infrastructure
[Payment processor — e.g. Stripe]
Billing, if applicable
Name, email, card data (held by them — never by us)
United States
This list is current as of the effective date at the top of the page. We will update it when it changes. If you are on a subscription plan, we will notify you of material changes before they take effect.
§ 08AI processing, in detail
Because Veil uses a third-party large language model to generate your replies, we owe you a clear account of what that means.
What is sent to the model
When you send a dream or ask a chart question, we send the following to Anthropic's API: the text of your current message, a relevant slice of your recent message history for context, a compact summary of your natal chart (not your raw birth data — the calculated placements), and a system prompt that shapes the response. Your name, phone number, email, and full birth data (date/time/place) are not included in API requests.
What Anthropic does with it
Under Anthropic's commercial API terms (which govern our use), inputs and outputs are not used to train their models by default, and are retained only as long as needed to operate the service and comply with legal obligations — currently up to thirty days in the ordinary case, or up to two years for inputs flagged by trust-and-safety systems. Anthropic's full policy is at anthropic.com/legal/privacy. If these terms change materially, we will update this policy and notify you.
What we do with the output
The model's output is sent to you via SMS and stored in your message history in our database. We do not review individual outputs except when diagnosing bugs, investigating reported problems, or responding to your explicit request for help.
Automated decision-making
Veil's AI-generated readings are interpretive reflection, not decisions that produce legal or similarly significant effects about you. We do not use automated decision-making in the sense of GDPR Article 22. Nothing Veil says determines your creditworthiness, employment, insurance, healthcare, or access to any service — because Veil does not provide any of those.
§ 09International transfers
Several of our subprocessors are located in the United States. If you are in the UK, EEA, or Switzerland, your personal data will be transferred to the United States in the course of delivering the service.
For these transfers, we rely on the following safeguards:
EU Standard Contractual Clauses (2021 modules, as applicable) and the UK International Data Transfer Addendum, executed with each US-based subprocessor.
EU–US Data Privacy Framework and the UK and Swiss extensions, where the subprocessor is self-certified.
Additional technical measures (encryption in transit and at rest, access controls) as documented in § 11.
Copies of the transfer mechanisms relevant to you are available on request at privacy@veildream.com.
§ 10Retention
We keep personal data only as long as we need it. Specific retention periods:
Active account data
Phone number, birth data, astrological derivations, and message history are retained for as long as your account is active. Message history may be pruned periodically if storage requires it; you will be notified before we do this.
Dream content
Retained with your account for continuity of interpretation. You may request deletion of individual dreams, of your entire dream history, or of your whole account at any time (see § 12).
After account deletion
On deletion request we remove your account, dream history, birth data, and personal identifiers from active systems within thirty (30) days. Encrypted backups containing residual data are overwritten on a rolling cycle not exceeding ninety (90) days.
Opted-out phone numbers
A hashed, suppressed record of phone numbers that have texted STOP is retained indefinitely. This is required by US SMS regulation: we must remember not to message you again. The record contains no other personal data.
Security and abuse logs
Website access logs and abuse-prevention data: up to 180 days. Indefinitely for records relating to an active security incident or investigation.
Billing records
Retained for the period required by applicable tax and accounting law (typically seven years in the US and UK).
Legal holds
If we are obligated to preserve data for litigation, regulatory inquiry, or criminal investigation, we will retain the minimum necessary data for the duration of the hold.
§ 11Security
We take the following measures to protect your personal data:
Encryption in transit — all API calls use TLS 1.2 or higher.
Encryption at rest — database storage is encrypted by our subprocessor (Supabase, using AES-256).
Access control — production database access is limited to named individuals with multi-factor authentication. Service-to-service access uses least-privilege credentials that are rotated when personnel change.
Secret management — API keys and credentials are never stored in source code or configuration files committed to version control.
Logging and monitoring — authentication events and administrative actions are logged.
Vendor diligence — each subprocessor in § 07 has been reviewed for security posture, data protection terms, and incident response capability before onboarding.
No system is perfectly secure. If we discover a breach affecting your personal data, we will act as described in § 17.
§ 12Your rights
Regardless of where you live, Veil honors the following requests from any user:
Access — a copy of the personal data we hold about you.
Rectification — correction of inaccurate data (e.g. wrong birth time).
Deletion — erasure of your account and associated personal data, subject to the residual retention described in § 10.
Portability — an export of your dream history and message history in a structured, machine-readable format (JSON).
Restriction — pause on processing while you contest accuracy or lawfulness.
Objection — to any processing based on legitimate interest.
Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
Complaint — to your local data protection authority (UK: Information Commissioner's Office; EU: your member state DPA; California: the California Privacy Protection Agency). We would prefer you come to us first, but you are not required to.
How to make a request
Email privacy@veildream.com from the email associated with your account, or text the account phone number with the word DELETE for account erasure, or EXPORT for a data copy. We respond within thirty (30) days. We do not charge a fee except for manifestly unfounded or repetitive requests, as permitted by law.
To verify your identity for a rights request, we will confirm control of the phone number or email associated with the account. We will not ask you for sensitive identifying information we do not already hold.
§ 13US state privacy rights
If you are a resident of California, Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, or another US state with a comprehensive privacy law, you have rights under that law. Those rights substantially overlap with § 12 above, and Veil honors them.
Do not sell / do not share
Veil does not sell personal information, and does not share personal information for cross-context behavioral advertising. There is no "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of. You may submit this request anyway by emailing us, and we will confirm in writing.
Sensitive personal information (California)
We process information that qualifies as "sensitive personal information" under the CPRA, including the contents of your text messages. We use it only for the purposes listed in § 03 and not for purposes requiring a separate opt-out under Cal. Civ. Code § 1798.121.
Authorized agents
California residents may designate an authorized agent to make requests on their behalf by providing written permission signed by the resident. We will verify the agent's authority and may still contact the resident directly to confirm.
Non-discrimination
We will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right. That would be unethical; in several states it is also illegal.
§ 14SMS, carriers, and STOP
Veil is delivered over SMS and MMS in the United States and, where supported, internationally.
Consent — by signing up with your phone number, you consent to receive text messages from Veil, including transactional responses to your dreams and service notices.
Frequency — message frequency varies based on your use of the service. You control it by how often you write to us.
Carrier fees — standard message and data rates may apply, depending on your mobile plan. We do not charge for the SMS itself, but your carrier might.
Opt out — text STOP at any time to unsubscribe. We will stop all non-essential messages. Text HELP for support.
Carrier metadata — SMS delivery produces metadata (timestamps, delivery receipts, routing information) held by your mobile carrier under their own policies, which we cannot control.
No sharing with carriers for marketing — we do not share your phone number with mobile carriers, aggregators, or affiliates for their marketing purposes.
§ 15Cookies and the website
The Veil website uses the minimum cookies required to function. Specifically:
Essential cookies — session identification, security (CSRF protection). Cannot be switched off without breaking the site.
No advertising or tracking cookies — we do not use Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight, or any third-party advertising tag on this website.
If we ever add analytics, it will be a privacy-respecting, cookieless analytics product, and we will update this section before enabling it.
§ 16Minors
Veil is not directed to, and is not available to, persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a person under 18, we will delete it.
If you are a parent or guardian and you believe your minor child has signed up for Veil, please contact us at privacy@veildream.com and we will remove the account promptly.
§ 17Breach notification
If we discover a personal data breach that poses a risk to your rights and freedoms, we will:
Notify the relevant supervisory authority within seventy-two (72) hours of becoming aware, where required under GDPR Art. 33 and equivalent laws.
Notify you directly and without undue delay where the breach is likely to result in a high risk to you, by SMS and email, including what happened, what data was involved, what we are doing in response, and what you can do.
Comply with all applicable US state breach notification statutes, including California Civil Code § 1798.82 and equivalents in other states.
We will not wait for a legal deadline to tell you something you should know.
§ 18Changes to this policy
We will update this policy from time to time. When we make material changes — changes that affect how we collect, use, share, or protect your data — we will:
Update the effective date at the top of the page.
Notify active users by SMS and, where we have your email, by email, at least fourteen (14) days before the change takes effect.
For non-material changes (typos, clarifications, new subprocessor additions that do not expand data use), we will update the effective date but may not individually notify you.