Data Processing Addendum
Last updated: April 23, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between MyDream Labs LLC ("MyDream", "Processor", "we", "us") and the business customer or organization using the Service as a controller ("Customer", "Controller").
This DPA applies only where Customer uses MyDream.video to process personal data on behalf of a business, employer, client, or other organization and applicable data protection law requires a controller-processor agreement. It does not apply to purely personal, household, or consumer use of the Service.
If Customer needs a countersigned copy of this DPA, a security questionnaire, or further privacy documentation, contact [email protected].
1. Roles and Scope
- Customer acts as controller of Customer Personal Data.
- MyDream acts as processor of Customer Personal Data.
- This DPA applies only to Customer Personal Data processed by MyDream to provide, secure, support, or improve the Service in accordance with Customer's documented instructions, the Terms of Use, and this DPA.
2. Subject Matter and Duration
The subject matter of the processing is the operation of the MyDream.video service, including account access, hosted media processing, generated video delivery, support handling, fraud prevention, billing reconciliation, and related security operations.
Processing starts when Customer first submits Customer Personal Data to the Service and continues for the duration of the Customer relationship, plus any limited retention period needed for security, billing, fraud prevention, legal compliance, backup lifecycle processing, or dispute handling.
3. Nature and Purpose of Processing
MyDream may process Customer Personal Data to:
- authenticate users and maintain account state;
- receive and store uploaded photos, prompts, and related project inputs;
- generate and return requested video output;
- provide customer support and respond to service requests;
- process payments, grants, refunds, and billing reconciliation;
- detect abuse, fraud, policy violations, and security incidents;
- maintain logs, error monitoring, and operational health;
- comply with applicable law and valid legal process.
4. Categories of Data Subjects and Personal Data
Data subjects
- Customer users
- Customer end users, if Customer uploads their data lawfully
- support contacts
Categories of personal data
- account identifiers and contact information, such as email address and user ID
- uploaded photos and related user-provided content
- prompts, template selections, project history, and generated videos
- billing and transaction metadata
- device, browser, network, attribution, and analytics metadata
- support correspondence and legal request records
MyDream does not require Customer to submit special category data or highly sensitive regulated data. Customer must not use the Service to process special category data, health data, biometric templates for identification, government-issued identifiers, children's data, or other restricted data unless Customer has independently determined that such use is lawful and appropriate and has obtained MyDream's prior written approval.
5. Customer Instructions
Customer instructs MyDream to process Customer Personal Data only:
- to provide the Service and related support;
- as described in the Terms of Use, Privacy Policy, and this DPA;
- through Customer's configuration and use of the Service;
- as otherwise documented in writing by Customer and accepted by MyDream;
- as required by applicable law.
If MyDream believes an instruction violates applicable law, MyDream may suspend the affected processing and notify Customer where legally permitted.
6. Confidentiality
MyDream will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
7. Security Measures
Taking into account the nature of the processing and the information available to MyDream, MyDream will implement reasonable technical and organizational measures designed to protect Customer Personal Data, including measures appropriate to:
- access control and least-privilege administration;
- transport encryption for public service traffic;
- secret management through deployment platform variables rather than source control;
- production logging, error monitoring, and service health monitoring;
- rate limiting, abuse controls, and operational incident response;
- backup and recovery procedures operated by infrastructure providers;
- deletion workflows for user content and account data, subject to retention exceptions described in the Privacy Policy.
No security measure is perfect, and MyDream does not guarantee absolute security.
8. Subprocessors
Customer authorizes MyDream to use subprocessors that are reasonably necessary to deliver the Service.
As of the effective date of this DPA, MyDream's relevant processors and subprocessors include:
- Clerk for authentication and account services
- Stripe for web payment processing
- Apple App Store and Google Play for in-app purchase records and verification
- Google Cloud, Google Cloud Storage, Vertex AI, and related Google APIs for storage and video generation infrastructure
- PostHog for product analytics
- AppsFlyer for mobile attribution and deep linking
- Sentry for error monitoring
- Cloudflare for security and CDN services
- Railway for infrastructure and hosting
MyDream may update this list from time to time. Material changes may be reflected in the Privacy Policy, service documentation, or other customer-facing notices.
9. International Transfers
Customer authorizes MyDream and its subprocessors to process Customer Personal Data in the United States and other countries where MyDream or its subprocessors operate.
Where required by applicable law, MyDream will use an appropriate transfer mechanism, such as Standard Contractual Clauses, the UK Addendum or IDTA, adequacy decisions, the EU-U.S. Data Privacy Framework and UK extension where available, or another lawful safeguard adopted by the relevant provider.
10. Assistance
Taking into account the nature of the processing, MyDream will provide reasonable assistance to Customer, to the extent legally required and commercially reasonable, with:
- responding to data subject requests;
- security incident notifications;
- data protection impact assessments;
- consultations with supervisory authorities.
MyDream may charge reasonable costs for assistance that goes materially beyond the standard functionality of the Service.
11. Security Incident Notification
If MyDream becomes aware of a confirmed security incident affecting Customer Personal Data, MyDream will notify Customer without undue delay after confirmation, taking into account the need to verify the incident, contain it, and avoid compromising the investigation.
12. Deletion and Return
Customer controls the data it submits to the Service. Customer may request deletion through in-product flows, support channels, or [email protected] where applicable.
At the end of the processing relationship, MyDream will delete or anonymize Customer Personal Data from active systems in accordance with its standard retention and deletion practices, unless retention is required for security, billing reconciliation, fraud prevention, legal compliance, dispute handling, backup lifecycle processing, or other lawful obligations.
13. Audit Information
MyDream will make available information reasonably necessary to demonstrate its compliance with this DPA, including relevant public documentation and reasonable responses to written questions, subject to confidentiality, security, and privilege limitations.
MyDream is not required to allow on-site audits that would unreasonably interfere with its operations, create security risk, or expose information about other customers.
14. Conflict
If there is a conflict between this DPA and the Terms of Use regarding data protection obligations, this DPA controls to the extent of that conflict.
15. Contact
- Privacy and DPA requests: [email protected]
- Support: [email protected]
- Company: MyDream Labs LLC, 30 N Gould St, STE R, Sheridan, WY 82801, United States