Privacy Policy

Dreamcore operates the Dreamcore peer-to-peer VPN, residential proxy, Tor-routing network, and anonymized Data Intelligence Marketplace. This Privacy Policy explains how we collect, use, and protect information when you use our applications, website, or services.

Privacy inquiries: [email protected]

Account Information: Email address and securely hashed password. We never store passwords in plaintext or in a recoverable form.

Device Information: Device type (Android/iOS/Windows), display name, and geographic location (country, approximate lat/lon) derived from your IP at connection time. Device identifiers are stored only as irreversible hashes — the raw identifier is never retained.

IP Address: Used at connection time for geo-routing decisions only. Raw IP addresses are NOT stored persistently in our database.

Earnings and Transaction Data: GB served, USD amounts, timestamps, and payout requests (method, address, status).

VPN Usage Data (Non-Content): Total bytes consumed per day for rate-limiting and subscription enforcement. No content, no destinations beyond aggregate telemetry as described in Section 3.

Referral Relationships: Referral codes and relationships for bonus calculation.

By accepting these Terms, you consent to Dreamcore collecting two categories of anonymized, non-identifiable signals for all service tiers. All data described here is structurally de-identified — no record in any dataset can be linked to any individual person, even by Dreamcore employees.

Dataset A — Web Traffic Intelligence (collected at VPN/proxy connection time):

• Destination domain name (e.g., "youtube.com") — never a URL path, query string, or content

• Traffic category (social, streaming, gaming, shopping, finance, tech, news, other)

• Destination TCP port number

• Client country (geo-IP derived at connection time — no IP address stored)

• UTC hour of day and day of week (derived from system clock at collection time)

• HTTPS indicator (whether port 443 was used)

• Subscription plan tier (free/basic/pro/premium)

Dataset B — Device Environment Signals (collected at node heartbeat every 60 seconds, node mode only):

• Connection type bucket: WiFi, Cellular, or Ethernet — no network name or SSID

• Network speed tier: bucketed as <10 / 10-50 / 50-100 / 100-500 / 500+ Mbps

• Battery state bucket: Charging, High (>80%), Medium (20-80%), Low (<20%)

• OS family and major version bucket only (e.g., "android-14", "windows-11") — no minor versions, no build IDs

• Device class: Phone or Tablet — no make, model, or hardware identifiers

• IPv6 capability: Yes or No

• ISP type: Residential, Cellular, Business, or Unknown

• App version (our application version string only)

• Client country (same geo-IP method as Dataset A)

• UTC hour and day of week

What is categorically NEVER collected in either dataset:

• User ID, email address, or any account identifier

• Device ID, IMEI, MAC address, or hardware serial number

• IP address (client or node)

• GPS coordinates, city-level location, or any precise location

• Health sensor data (accelerometer, heart rate, step count, gyroscope)

• App usage lists (which specific apps are installed or used)

• URL paths, query parameters, request/response bodies, or any content

• Cookies, session tokens, passwords, or credentials

• Tor/.onion destinations — completely excluded from all telemetry

• Any data point that alone or in combination could identify an individual

Legal basis (EU/GDPR): Consent (Article 6(1)(a)). None of the data above qualifies as personal data under GDPR Recital 26. You may withdraw consent at any time (see Section 9).

Legal basis (US/CCPA/Global): Aggregate, de-identified data — exempt from CCPA "personal information" definition. Covered by your acceptance of our Terms of Service in all other jurisdictions.

Dreamcore operates a Data Intelligence Marketplace where approved companies ("Data Buyers") may purchase access to our aggregate, de-identified telemetry dataset via a secure API.

What Data Buyers receive: Aggregated records containing domain, category, country, port, and plan tier — identical to Section 3 telemetry. No personal data is ever transferred to Data Buyers.

Data Buyer obligations: All Data Buyers must: (a) execute Dreamcore's Data Processing Agreement; (b) comply with GDPR, CCPA, and all applicable data protection laws; (c) use data only for the declared lawful research or analytics purpose; (d) not attempt to re-identify individuals.

Dreamcore's oversight: Dreamcore manually approves all Data Buyer applications. API access may be revoked at any time for Terms violations. Access logs are maintained for accountability.

Your benefit: Data marketplace revenue funds the free VPN tier and contributes to node operator earnings.

Dreamcore's VPN client is engineered to prevent all common IP leak vectors:

IPv4: All IPv4 traffic is routed through the encrypted VPN tunnel (0.0.0.0/0 route).

IPv6: All IPv6 traffic is routed through the VPN tunnel (::/0 route) via a dedicated IPv6 TUN address. This prevents IPv6 leaks that bypass IPv4-only VPNs.

DNS: All DNS queries are resolved through the VPN tunnel using trusted, encrypted DNS resolvers bound to the VPN interface. Your ISP's DNS server never sees your queries.

WebRTC: The VPN interface is the only network interface exposed to the operating system while connected. WebRTC host candidates show only the non-routable VPN interface address, not your real device IP — preventing identity or location exposure via browser WebRTC leaks.

Anti-VPN-Detection: When routing through a residential peer node, your traffic exits through a real home IP address on a residential ISP — not a datacenter — making the connection indistinguishable from a local home network to destination sites.

a) Operate and maintain your account and earnings balance

b) Route proxy/VPN traffic and enforce usage limits by subscription tier

c) Calculate and pay earnings to proxy node operators

d) Prevent fraud, abuse, CSAM, and Acceptable Use Policy violations

e) Send transactional emails (payout confirmations, account notices, security alerts)

f) Compile and distribute anonymized aggregate telemetry per Section 3

g) Comply with legal obligations and law enforcement requests

We do not sell personal data. Your email, device data, earnings records, or any personally identifiable information are never shared with third parties for marketing.

Aggregate telemetry: De-identified, aggregate data is available to approved Data Buyers per Section 4. It cannot be traced back to any individual.

Payment processors: Payout addresses (PayPal email, Bitcoin/crypto address, bank details) are shared only as necessary to execute the payment.

Legal requirements: We may disclose information if required by valid legal process (court order, subpoena, law enforcement request). We will notify you of such requests unless prohibited by law. Note: because we do not log traffic or browsing history, there is limited data we could provide even if compelled.

CSAM reporting: In the event of CSAM detection, technical evidence is preserved and reported to NCMEC, IWF, and law enforcement as required by law, regardless of any other provision of this policy.

Right to Access: Request a copy of all personal data we hold about you.

Right to Correction: Request correction of inaccurate personal data.

Right to Deletion: Request deletion of your account and personal data. Fulfilled within 30 days. Anonymized telemetry (which cannot be linked to you) is not deletable as it contains no personal data.

Right to Data Portability: Request your account data in a machine-readable format.

Right to Withdraw Consent (Telemetry): EU/EEA residents may withdraw consent to telemetry collection by contacting [email protected]. We will flag your account for telemetry exclusion within 5 business days.

CCPA (California): You have the right to know what data we collect and how it is used, the right to deletion, and the right to opt out of "sale" of personal information. We do not sell personal information — only aggregate, de-identified data.

To exercise any right: [email protected]. Response within 30 days.

• Passwords are hashed using a memory-hard, industry-standard algorithm. Plaintext passwords are never stored or logged.

• Tax IDs (SSN/EIN/TIN) submitted for payout verification are encrypted at rest using authenticated encryption before being stored.

• Device identifiers used for authentication are stored only as irreversible hashes — the raw identifier is never retained.

• API and WebSocket sessions use short-lived authenticated tokens over TLS 1.2+ encrypted transport.

• Data marketplace access is controlled through per-buyer bearer tokens with scoped permissions and revocation capability.

• All financial transactions are processed by Stripe — no card data is ever stored on Dreamcore infrastructure.

In the event of a data breach affecting personal data, we will notify affected users within 72 hours per GDPR Article 33.

Account data is retained while your account is active. Upon deletion, personal data is purged within 30 days. Earnings and payout records may be retained for up to 7 years for tax/accounting compliance. Anonymized telemetry records (no personal linkage) may be retained indefinitely.

Dreamcore is strictly for users 18 years of age and older. We do not knowingly collect data from minors. If you believe a minor has created an account, contact [email protected] immediately.

Material changes will be communicated via email or in-app notification at least 14 days before taking effect. Continued use after changes constitutes acceptance.

Privacy & data rights: [email protected]

Data marketplace: [email protected]

Abuse & CSAM: [email protected]