Privacy policy
Last updated: April 25, 2026
Dream Catch is a curated travel deal site operated by Jason Legassie, a sole proprietor based in Maine, USA. We take privacy seriously — not as a slogan, but as a structural choice. This page describes what we collect, what our affiliate partners may collect when you click an affiliate link, and the choices you have.
What we collect from you directly
When you use Dream Catch, we collect only what we need to run the service:
- Email address. Required for sign-in via magic link, single-deal alerts, and the optional weekly digest.
- Travel preferences. Home airports, alternate airports, destinations of interest, travel styles, date flexibility. We use these to tailor which deals you see. Editable any time at /settings.
- Saved deals and alert rules. The deals you save and the criteria you set for alerts.
- Email engagement. Whether you opened our emails and which links you clicked. We use this to improve relevance and to honor your unsubscribe preferences.
We do not collect names, phone numbers, billing addresses, or payment information. Booking is handled by partner sites (Booking.com, Expedia, Costco Travel, the airlines, the cruise lines, and so on) — Dream Catch never sees your payment details.
What our affiliate partners may collect
Some links on Dream Catch are affiliate links. When you click an affiliate link and book through a partner, we may earn a commission at no additional cost to you. The Dream Score is computed by a deterministic algorithm and is never influenced by partner relationships.
Our largest affiliate network today is CJ Affiliate (Commission Junction LLC). When you click a CJ-tracked link:
- CJ may set cookies in your browser so the partner can attribute your booking to Dream Catch.
- CJ collects pseudonymous data — IP address, cookie IDs, browser type and version, referring URL, browsing activity on the partner site, and order IDs once a booking completes.
- CJ does not receive your name, email address, phone number, or financial account details from Dream Catch. CJ has stated publicly that they do not collect directly identifiable information.
- CJ retains pseudonymized data for six years.
For full detail, read CJ's Services Privacy Notice. When we add other affiliate networks (Impact, ShareASale, direct merchant programs), we will list them here and link their privacy notices.
Cookies and similar technologies
We use a minimal set of cookies and browser storage. We group them into three categories:
- Strictly necessary (always on). Sign-in session, security tokens, basic preferences such as light or dark mode. These can't be disabled without breaking core functionality.
- Analytics (off by default). Aggregate page views and event counts so we can see what is working. We do not currently run any analytics tool. If we add one, it will be a privacy-respecting option such as Plausible or Fathom — never Google Analytics — and it will only run after you accept this category.
- Advertising and affiliate attribution (off by default). CJ Affiliate's tracking cookies and equivalent technology from any other affiliate networks we add. These let partners credit Dream Catch when you book.
On your first visit you will see a banner with Accept all and Reject non-essential buttons. You can change your choice any time using the “Cookie preferences” link in the footer. Until you accept, no advertising or analytics cookies run.
Industry-wide ad opt-out
In addition to our own cookie controls, you can opt out of interest-based advertising across many sites at:
- Digital Advertising Alliance — AboutAds.info
- Network Advertising Initiative — NAI
- For Canadian visitors: DAAC — YourAdChoices
These opt-outs apply to the participating networks. CJ Affiliate is a DAA participant.
California (CCPA) rights
If you are a California resident, you have the right to:
- request access to the personal information we hold about you,
- request that we delete that information,
- opt out of the “sale” of your personal information — note that Dream Catch does not sell personal information as defined by CCPA, and
- designate an authorized agent to make these requests on your behalf (with written authorization or a power of attorney).
Email hello@dreamcatch.app to exercise any of these rights. We do not deny service or charge different prices to people who exercise CCPA rights.
For data CJ holds about you (separate from what Dream Catch holds), CJ provides their own request channel at 1 (833) 983-0087 or via their privacy page.
Data retention
- Account data (email, travel preferences, saved deals, alert rules) — retained while your account is active and deleted within thirty days of account closure.
- Email engagement data — retained for twenty-four months, then aggregated and the per-user records deleted.
- Server logs — retained for thirty days for security and abuse prevention.
- Affiliate-network records (CJ, etc.) — retained per each network's own policy. CJ retains pseudonymized data for six years.
You can request earlier deletion at any time by emailing hello@dreamcatch.app.
EU and UK visitors
Dream Catch is operated from the United States. Our infrastructure providers (Vercel, Supabase, Resend) process data on US-based servers. We do not currently target EU or UK markets. Our cookie banner defaults all non-essential categories to off, and where we transfer data via service providers we rely on the Standard Contractual Clauses adopted by those providers.
EU and UK visitors retain the rights granted by GDPR / UK GDPR, including access, rectification, deletion, restriction, portability, and objection. To exercise any of these rights, email hello@dreamcatch.app.
Children
Dream Catch is not directed at children under thirteen (or under sixteen in the EEA and UK). We do not knowingly collect personal information from children. If you believe a child has registered, email hello@dreamcatch.app and we will delete the account.
Security
Account passwords are not stored — sign-in is passwordless via Supabase magic-link OTP. All data is transmitted over HTTPS. Database access is restricted by row-level security policies on Supabase. Production secrets are stored as encrypted environment variables on Vercel. We will disclose any security incident that affects your data within seventy-two hours of discovery, in line with the standard set by GDPR Article 33 even though that statute does not bind us today.
Changes to this policy
We will post any updates to this page and update the “Last updated” date above. Material changes — for example, a new category of data collection or a new affiliate network — will trigger a notification banner on the site for thirty days.
Contact
Privacy questions, data requests, or complaints:
Email: hello@dreamcatch.app
Dream Catch is operated by Jason Legassie, sole proprietor, in Saco, Maine, USA. Postal correspondence is accepted via the email address above; please request a postal address if you need one.