Security

Your dreams are deeply personal. We built Drowsy with security at its core.

At Drowsy, we understand that your dreams, reflections, and personal insights are among the most private data you could share with any service. That's why we've implemented enterprise-grade security measures to ensure your dream journal remains yours alone.

Our Security Philosophy

We designed Drowsy with one principle in mind: your data should be accessible only to you.

This isn't just a policy—it's embedded in our technical architecture. From database-level isolation to encrypted transmission, every layer of Drowsy is built to protect your privacy.

Technical Security Measures

Encryption in Transit

All data transmitted between your device and our servers is protected with TLS 1.3 encryption (HTTPS). This means:

  • Your dream entries are encrypted before they leave your device
  • AI analysis requests travel through secure, encrypted channels
  • No one can intercept or read your data in transit
  • We enforce HTTPS on all connections—no exceptions

Encryption at Rest

Your data doesn't just need protection while moving—it needs protection while stored. All data in our database is encrypted at rest using AES-256 encryption, the same standard used by banks and government agencies.

This includes:

  • Dream entries and titles
  • Life context entries
  • AI-generated analyses
  • Follow-up chat histories
  • Profile information

Row-Level Security (RLS)

This is where Drowsy's security architecture truly stands apart. We implement Row-Level Security at the database level through Supabase's PostgreSQL infrastructure.

What does this mean?

Every query to our database is automatically filtered by your unique user ID. This is enforced at the database level—not in our application code. The result:

  • You can only access rows that belong to you
  • Even if our application code had a bug, you still couldn't access another user's data
  • Database queries are automatically scoped to your user ID
  • There is no administrative backdoor to read user content

Even our development team cannot read your dream entries. The database itself enforces this isolation.
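As an added illustration of the database-level filtering described above (not Drowsy's actual schema or code), the following shows Supabase-style policies on a hypothetical `dreams` table. The table and column names are assumptions; `auth.uid()` and the `authenticated` role are Supabase's standard helper and role. The final query is a check for tables where RLS is not enabled and forced.

```sql
-- Hypothetical table for illustration; not Drowsy's real schema.
create table public.dreams (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  title      text,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Until RLS is enabled, policies are ignored and grants alone decide access.
alter table public.dreams enable row level security;
-- Table owners are exempt from policies by default; FORCE applies them too.
alter table public.dreams force row level security;

-- Read: only rows whose user_id matches the caller's authenticated id.
create policy dreams_select_own on public.dreams
  for select to authenticated
  using ((select auth.uid()) = user_id);

-- Insert: WITH CHECK rejects a row written under another user's id.
create policy dreams_insert_own on public.dreams
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

-- Update: USING limits which rows can be touched; WITH CHECK stops a row
-- from being reassigned to a different user_id.
create policy dreams_update_own on public.dreams
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy dreams_delete_own on public.dreams
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Audit check: any row returned is a public table without enforced RLS.
select c.relname, c.relrowsecurity, c.relforcerowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not (c.relrowsecurity and c.relforcerowsecurity);
```

In PostgreSQL, superusers and roles with the BYPASSRLS attribute are not subject to policies; Supabase's `service_role` key maps to such a role, so it belongs only in server-side code.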

Authentication Security

We support secure authentication through:

  • Apple Sign-In — Using Apple's secure authentication flow
  • Google Sign-In — OAuth 2.0 with Google's security infrastructure
  • Email/Password — With passwords hashed using bcrypt (never stored in plain text)

All authentication is handled by Supabase Auth, which provides:

  • Secure token generation and management
  • Automatic token expiration and refresh
  • Protection against common authentication attacks
  • No password storage on our servers (only secure hashes)

AI Processing Security

When you request a dream analysis, your data is processed through Anthropic's Claude AI. Here's how we keep that process secure:

Stateless Processing

Each AI analysis is a stateless request. This means:

  1. Your dream text is sent to Anthropic's Claude API
  2. Claude generates an interpretation in real-time
  3. The response is returned immediately
  4. Anthropic does not store your dream content
  5. Anthropic does not train models on your individual dreams

API Key Protection

Your device never has access to our Anthropic API key. All AI requests are routed through Supabase Edge Functions, which:

  • Keep API keys server-side only
  • Validate your authentication before processing
  • Rate-limit requests to prevent abuse
  • Log no dream content in server logs

Infrastructure Security

Supabase Infrastructure

Drowsy's backend is built on Supabase, which provides enterprise-grade security:

  • SOC 2 Type II certified infrastructure
  • Hosted on AWS with multi-region redundancy
  • Automatic database backups
  • DDoS protection
  • Regular security audits and penetration testing

Data Centers

Your data is stored in secure data centers that maintain:

  • 24/7 physical security monitoring
  • Biometric access controls
  • Fire suppression and climate control
  • Redundant power and networking

What We Don't Do

Security is as much about what you don't do as what you do. Here's what we never do:

  • Sell your data: Your dreams are not a product
  • Share content with other users: Your journal is private
  • Train AI on your personal dreams: Your content isn't training data
  • Store payment information: Apple handles all billing
  • Read your dream entries: RLS prevents even team access
  • Create administrative backdoors: No exceptions to privacy

Your Security Controls

You have full control over your data:

  • View Your Data: See all dreams, analyses, and life context
  • Delete Individual Dreams: Remove dreams permanently
  • Delete Your Account: Complete data removal within 30 days
  • Export Your Data: Download complete dream journal
  • App Lock: Enable Face ID/Touch ID protection
  • Control Notifications: Manage when and how we contact you

Third-Party Security

We carefully vet every third-party service we use:

Service   | Purpose         | Security Standard
Supabase  | Database & Auth | SOC 2 Type II, GDPR compliant
Anthropic | AI Processing   | Enterprise security, no data retention
Apple     | Payments & Push | Industry-leading security standards

Security Summary

  • Transit: TLS 1.3 encryption (HTTPS)
  • Storage: AES-256 encryption at rest
  • Database: Row-Level Security isolation
  • Authentication: Secure OAuth + hashed passwords
  • AI Processing: Stateless, no data retention
  • Device: iOS Keychain + biometric lock
  • Infrastructure: SOC 2 certified, AWS hosted

Your dreams are safe with Drowsy.

Security Contact

Found a security vulnerability? We appreciate responsible disclosure.

Email: hello@drowsyjournal.com

We take all reports seriously and will respond within 48 hours.