How we handle your data.

The data controller under Regulation (EU) 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act is:

Big Dreams Group LTD ("BDG", "we", "us"), EIK 206986388, registered office: 42 Boulevard General Skobelev, Sofia, Bulgaria. Contact: [email protected].

BDG is not required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR. For any data-related questions, email [email protected].

We only collect what we need, and only when we have a basis to do so. Grouped by source:

Contact form

Name, email address, phone (optional), message content, inquiry type, IP address and user-agent. Stored in our database and sent to [email protected].

Dreamer Pond

Email address, name (optional), country, dream title and body, IP address and user-agent. Approved dreams are published publicly — with the name you chose, or anonymously if you opted for that.

Dreamer Portal (client area)

Name, email address, preferred language, project-related information, session cookie for sign-in. Access is invite-only.

Analytics

Anonymous usage data — page views, time on page, aggregate behaviour, and session recordings. Only activated after your consent via cookie banner.

Technical logs

IP address, user-agent, URL, time, HTTP status — standard server logs for security and diagnostics.

We do not collect special categories of personal data (health, biometric, political or religious beliefs, etc.) and we do not perform automated decision-making or profiling.

We process your data on one of the following legal bases under Art. 6(1) GDPR:

• Consent (Art. 6(1)(a)) - submitting a contact form, publishing a dream in Dreamer Pond, using analytics cookies. You can withdraw consent at any time.
• Contract performance (Art. 6(1)(b)) - Dreamer Portal access and client project delivery.
• Legal obligation (Art. 6(1)(c)) - accounting and tax documentation where a contract exists.
• Legitimate interest (Art. 6(1)(f)) - site security (technical logs), anti-spam and abuse protection, infrastructure maintenance.

We rely on the following categories of data processors to run the site:

Email service provider (USA)

Transactional email delivery — inquiry replies, confirmations, Dreamer Portal sign-in links. Processes email address and message content.

Bot-protection provider (USA)

Anti-spam protection on dream submissions. Processes IP address and browser signals.

Web analytics provider (USA)

Anonymous traffic analytics — only runs after you consent.

User-behaviour analytics provider (USA)

Heatmaps and session recordings for UX research — only runs after you consent.

The specific commercial names of these processors are available on request via [email protected].

Website and database hosting runs on our own infrastructure. We do not share your data with third parties for marketing, and we do not sell it.

We may disclose data to competent authorities when legally compelled (court order, prosecutor's or law enforcement request).

Some of the processors listed in §04 are based in the USA. These transfers are safeguarded by:

• EU-U.S. Data Privacy Framework - European Commission adequacy decision of 10 July 2023 for companies certified under the framework.
• Standard Contractual Clauses (SCCs) - for remaining cases, under Commission Implementing Decision (EU) 2021/914.

We use a minimal set of cookies:

• Session (essential) - to keep you signed in to Dreamer Portal / the admin panel. No consent needed.
• Analytics (optional) - for measuring site traffic and user behaviour. Only activated after your explicit consent via banner. Withdrawing consent deactivates all tracking scripts.

You can also manage cookies in your browser settings. Blocking them won't break the site but may limit some features (e.g. staying signed in between visits).

Contact inquiries

24 months from last communication

Dreams in Dreamer Pond

Indefinitely, until you request removal

Client accounts & data

Contract duration + 5 years (Bulgarian Accounting Act)

Dreamer Portal sessions

Up to 30 days since last activity

Server logs

90 days

Analytics

Up to 14 months, per the analytics providers' policies.

Under GDPR you have the following rights regarding your personal data:

• Access (Art. 15) - receive a copy of the data we hold about you.
• Rectification (Art. 16) - correct inaccurate or incomplete data.
• Erasure (Art. 17) - the "right to be forgotten" in specific cases.
• Restriction of processing (Art. 18) - in specific cases.
• Portability (Art. 20) - receive your data in a structured, machine-readable format.
• Objection (Art. 21) - to processing based on legitimate interest.
• Withdraw consent (Art. 7(3)) - at any time, without affecting the lawfulness of processing before withdrawal.
• File a complaint with the supervisory authority - Commission for Personal Data Protection (KZLD): 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, www.cpdp.bg, [email protected], +359 2 915 3 518.

To exercise any of these rights, email [email protected]. We reply within 30 days as required by Art. 12(3) GDPR.

We apply technical and organisational measures proportionate to the risks to data subjects' rights and freedoms:

• HTTPS / TLS encryption on all traffic
• Passwords stored only as an irreversible hash
• Signed session cookies
• Restricted admin access with role-based hierarchy
• Audit log of administrator actions
• Regular database backups

If we discover a security breach that leads to high risk for your rights, we will notify you within 72 hours as required by Art. 33-34 GDPR.

Our services are not intended for persons under 16. We don't knowingly collect data from children. If we learn that a child under 16 has provided us personal data without parental or guardian consent, we will delete the data.

We may update this policy. Material changes will be announced on the homepage and — for Dreamer Portal accounts — by email to registered users. The date at the top always reflects the latest revision.

Questions, rights requests, or feedback:

[email protected]

Big Dreams Group LTD · EIK 206986388
42 Boulevard General Skobelev, Sofia, Bulgaria