Privacy Policy

Effective date: April 21, 2026

This Privacy Policy explains how Dream Engine Inc. (“Cigarro,” “we,” “our,” or “us”), Alberta, Canada, collects, uses, and shares information when you use the Cigarro mobile app and web app at app.cigarroapp.com (together, the “Service”).

By using the Service you agree to this Policy. If you do not agree, do not use the Service.

1. What we collect

You give us

• Your email address when you sign up. We use email one-time passcodes (“OTP”) instead of passwords.
• Optional profile info: display name, favorite tobacconists you add under “My Stores.”
• Your cigar data: humidor entries, reviews (ratings, written notes, flavor tags, smoke times), and any drafts you save mid-review.
• Payment info when you subscribe to a paid plan. This is collected by Stripe on our behalf; we store only a Stripe customer ID and your current subscription tier. We do not see or store your credit card number.

We collect automatically

• Device and usage signals your browser/app sends on every request: IP address, user-agent string (to detect mobile vs desktop), screen size, approximate location (only country/region inferred from IP, never GPS).
• Crash and error reports via Sentry. We configure Sentry to not send personally identifying information by default; reports contain the error itself, the page/screen, and technical context.
• Anonymous page analytics via Vercel Analytics on the web version. Vercel Analytics is cookieless and does not create cross-site tracking profiles.

We do NOT collect

• Your credit card number (Stripe handles this directly; Stripe’s privacy policy applies to payment data).
• Contacts, photos, or other device data not related to the app’s function.
• Precise GPS location.
• Data about people other than you.

2. How we use it

• To run the Service: show your humidor, sync your reviews, aggregate community ratings, deliver news.
• To authenticate you: verify OTP emails at sign-in.
• To bill you when you subscribe to a paid plan (via Stripe).
• To debug problems: diagnose crashes or broken features from error reports.
• To enforce our Terms and respond to abuse reports.
• To comply with law: respond to subpoenas, court orders, or regulatory inquiries.

We do not use your information for advertising, behavioral targeting, or profile sale.

3. Legal basis (for EU/UK users, under GDPR)

We process your information on these legal bases:

• Contract (Art. 6(1)(b) GDPR): to deliver the Service you’ve asked for (humidor, reviews, billing).
• Legitimate interest (Art. 6(1)(f)): to keep the Service secure, debug crashes, prevent fraud, and improve features. We’ve balanced this interest against your privacy rights.
• Consent (Art. 6(1)(a)): for anything outside the above. We’d ask you first and you can withdraw at any time.
• Legal obligation (Art. 6(1)(c)): to comply with applicable laws (e.g., tax recordkeeping for paid subscriptions).

4. Who we share it with

We use a small set of service providers (“processors”) to run the Service. Each has a contract requiring them to protect your data and use it only on our instructions.

We do not sell your personal information. We have never sold personal information and have no plans to.

We may share information if required by law (subpoena, court order, regulatory demand) or to protect the rights, safety, or property of Cigarro, our users, or others.

If Cigarro is acquired, merged, or reorganized, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a new privacy policy.

5. International transfers

The providers listed above are primarily located in the United States. If you access the Service from outside the US (including the EU, UK, or Switzerland), your information will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms approved by the European Commission.

6. Your rights

Depending on where you live, you may have the following rights. We honor these rights for everyone, regardless of jurisdiction.

• Access: get a copy of the personal data we hold about you.
• Correction: ask us to fix inaccurate information.
• Deletion: delete your account and associated data. You can do this yourself at any time: open the app, go to Profile, tap Delete account, type DELETE to confirm. Your account and all humidor/review data are erased immediately.
• Portability: receive your data in a machine-readable format. Email info@cigarroapp.com and we’ll send a JSON export within 30 days.
• Objection / Restriction: object to or restrict certain processing based on legitimate interest.
• Withdraw consent: where we rely on consent, you can withdraw at any time.
• Lodge a complaint: with your local data protection authority (EU/UK residents).

For California residents (CCPA/CPRA)

You have the right to know what personal information we’ve collected in the last 12 months, the right to delete it, the right to correct it, and the right to limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising, so the CCPA “Do Not Sell or Share” right doesn’t add anything beyond the deletion right already available in-app.

To exercise any of these rights, email info@cigarroapp.com. We’ll respond within 30 days (or the timeframe required by your local law, whichever is shorter).

7. How long we keep it

• Account data (email, humidor, reviews): as long as your account is active. When you delete your account, we erase it immediately.
• Billing records (invoices, tax receipts): retained by Stripe per their policies, typically 7 years, as required by US tax law.
• Crash and error logs: up to 90 days, then deleted.
• Server access logs: up to 30 days.

After account deletion, some information may remain in backup systems for up to 30 days before being purged per our backup rotation.

8. Security

We implement reasonable technical and organizational measures:

• Encryption in transit (TLS 1.2+) for all connections between your device and our servers.
• Encryption at rest for your data in the Supabase database.
• Row-Level Security policies that restrict access to your data to your authenticated session only.
• Least-privilege access internally. Our service-role credentials are only used by specific serverless endpoints with audited code.
• Payment data isolation. Credit card data goes directly to Stripe and is never touched by our servers.

No system is perfectly secure. If we become aware of a breach affecting your data, we’ll notify you and applicable regulators as required by law.

9. Children

The Service is not intended for anyone under the age of 18. Cigar products are age-restricted in most jurisdictions, and content on the Service relates to tobacco use. We require you to confirm you meet the minimum age when you sign up.

We do not knowingly collect information from anyone under 18. If you believe a minor has provided us with information, please contact info@cigarroapp.com and we will delete the account.

10. Tracking, cookies, and “Do Not Track”

• The Service uses localStorage / AsyncStorage to keep your authenticated session and your preferences on your device. This is necessary for the app to work.
• The web app uses Vercel Analytics, which is cookieless. No third-party cookies are set for advertising or cross-site tracking.
• We do not respond to “Do Not Track” (DNT) browser signals because we don’t engage in cross-site tracking in the first place. We do honor the CCPA “Do Not Sell or Share” signal via the Global Privacy Control, but since we don’t sell or share, it’s a no-op.

11. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we’ll notify registered users by email before the changes take effect. The “Effective date” at the top of this page always reflects the current version.

12. Contact us

Questions, concerns, or requests related to your privacy:

Dream Engine Inc.
Email: info@cigarroapp.com