drea Privacy Policy =================== Effective Date: April 29, 2026 This document explains data/information handling pertaining to use of the drea iOS app. The app relies on related backend services, including api.drea.fm, to provide certain features. drea is a podcast app with optional ad-detection and ad-skipping features. The app does not require a user account. Summary ------- - drea does not require account creation. - We do not ask for direct identifiers such as your name, email address, phone number, or postal address inside the iOS app. - drea does not currently use the iOS advertising identifier (IDFA) or App Tracking Transparency-based cross-app tracking. - We do collect technical, app-security, and episode-related data needed to operate the app and run optional ad detection. - Most of the data we handle is tied to a podcast episode, a file, or a pseudonymous app-install identifier rather than a real-name user profile. Some records can still be associated with a particular app install for security, rate limiting, caching, and abuse-prevention purposes. Information We Collect ---------------------- > Information Stored on Your Device drea stores certain information locally on your device so the app can work, including: - your podcast library, bookmarks, playback position/state, downloads, cached search/browse results, and app settings; - downloaded episode audio files; - local ad-detection artifacts such as on-device transcripts, alignment/timing data, and related cache files; - a randomly generated app-install identifier and related authentication/security data used by the app. > Information Sent to drea Servers When you use certain features, drea may send the following to our servers: - Security and app integrity data, such as a random install ID, App Attest key identifiers, attestation/assertion data, short-lived session tokens, and related anti-abuse/rate-limiting signals. - Podcast and episode technical data, such as episode keys, feed URLs, episode identifiers, file hashes, and similar technical identifiers. - Ad-detection data, such as transcripts generated from downloaded episode audio, ad timestamp data, and other related derived technical data. This data may be uploaded to drea's backend and processed by drea's service providers, including third-party AI/model providers used to identify ad segments. - Operational and security logs, which may include technical data such as episode keys, job IDs, file hashes, request metadata, and error details. - Network/request metadata. Like most internet services, our backend may receive IP addresses and similar request metadata for routing, abuse prevention, and rate limiting. What drea Does Not Currently Upload for Ad Detection ---------------------------------------------------- drea currently does not upload raw podcast audio from your device as part of the ad-detection pipeline. Instead, the app performs transcription on-device and may upload the resulting transcript plus related derived technical data to drea's backend to support ad detection. Any such derived technical data is one-way and non-invertible with respect to the underlying audio waveform and cannot be used to reconstruct the original audio. Other Network Requests Created by Normal App Use ------------------------------------------------ Using drea also creates network requests to third parties as part of normal podcast app functionality, including: - Apple's iTunes Search API when you search for podcasts; - podcast publishers, RSS hosts, media hosts, and artwork/CDN providers when the app fetches feeds, artwork, or episode audio; - Apple's App Attest service during app authentication setup; - podcast feed resolution services used by drea's backend when needed to recover or normalize feed URLs. Podcast episode audio is downloaded from the media URLs published in podcast RSS feeds by podcast publishers or their hosting providers, not from drea's backend. How We Use Information ---------------------- We use the information described above to: - provide podcast search, browsing, downloads, and playback; - run the optional ad-detection and ad-skipping features; - authenticate legitimate app installs and prevent abuse, fraud, and excessive automated use; - debug, monitor, secure, and improve the app and backend. No Accounts and No Direct Profile Data -------------------------------------- drea does not require account creation and does not ask you for direct identifiers such as your name, email address, phone number, or postal address inside the iOS app. That said, "no account" does not mean "no data." drea still uses technical and pseudonymous identifiers, such as a random app-install ID and App Attest records, so the service can function securely and efficiently. Tracking, Advertising, and Device Permissions --------------------------------------------- drea does not currently use the iOS advertising identifier (IDFA) or ask for App Tracking Transparency permission. drea does not currently use third-party mobile advertising SDKs for cross-app tracking, and we do not sell your personal information. The current iOS app also does not ask for access to your location, contacts, photos, camera, or microphone. Podcast transcription is performed from downloaded episode audio files, not from microphone input. Limited Disclosures ------------------- drea may disclose information to service providers that help operate the app and backend, such as hosting, storage, security, abuse prevention, feed resolution, and model providers used for ad detection. These service providers are permitted to process information only to provide services to drea and must provide the same or equal protection for user data as described in this Privacy Policy and required by the App Store Review Guidelines. drea may also disclose information if required by law, legal process, or to protect the rights, safety, or security of drea, our users, or others; or in connection with a merger, acquisition, financing, or sale of assets, subject to applicable law. Retention --------- On-device data generally remains on your device until you delete it or remove the app. Security and operational data are retained only as long as reasonably necessary for the purposes described in this policy. Transcripts and related derived technical data used to support ad detection may be retained indefinitely. Your Choices ------------ You can limit certain data processing by limiting how you use certain features: - If you do not use the ad-detection feature for an episode, drea does not upload transcripts or related ad-detection data for that episode. - You can delete downloads and other local app data from your device. - You can stop using the app or uninstall it to remove on-device data. You can request deletion of server-side data that drea can reasonably associate with your app install or request metadata by contacting hamza@narcotic.sh. Because drea does not use accounts and does not collect direct profile identifiers, some server-side records may not be identifiable as belonging to a specific person or app install. Where drea can reasonably identify responsive records, we will delete or de-identify them unless retention is required for security, abuse prevention, legal compliance, or operation of the service. Because drea does not use user accounts, we may not always be able to identify server-side records as belonging to a specific real-world person. Children's Privacy ------------------ drea is not directed to children under 13, and we do not knowingly collect personal information from children under 13. International Processing ------------------------ drea may process data in countries other than the one where you live. By using the app, you understand that data may be transferred to and processed in jurisdictions with different data protection laws. Changes to This Policy ---------------------- We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date above and may provide additional notice where appropriate. Contact Us ---------- If you have questions about this Privacy Policy or drea's privacy practices, contact us at hamza@narcotic.sh.