1. Information We Collect
1.1 Account Information: When you register, we collect your email address and basic profile information (display name, profile picture) from your authentication provider (e.g., Google). We do not collect or store passwords directly.
1.2 User Content: We store the content you create within the Service, including campaign text, character details, world lore, chat messages, and any other inputs you provide. This data is necessary to deliver persistent campaign experiences across sessions.
1.3 Payment Information: Payment processing is handled entirely by Stripe. We do not receive, store, or have access to your full credit card number, CVV, or bank account details. We receive only a confirmation of payment status and a Stripe customer identifier to manage your subscription.
1.4 Usage Data: We collect basic usage information including Spark consumption, action counts, and session metadata. We do not use third-party analytics trackers or advertising pixels.
1.5 Security Logs: As described in our Terms of Service (Section 6A), automated safety systems may log flagged content and associated metadata for child safety enforcement purposes.
2. How We Use Your Information
We use your information for the following purposes:
- To provide, maintain, and improve the Service.
- To process your subscription and Spark purchases.
- To generate AI content based on your inputs (requires transmission to third-party AI providers).
- To store and retrieve your campaign data across sessions.
- To send transactional emails (welcome, billing confirmations, payment failures, subscription changes).
- To enforce our Terms of Service and protect platform safety.
We do not sell, rent, or trade your personal information. We do not use your data for advertising. We do not use your content to train AI models.
3. Third-Party Service Providers
To deliver the Service, we share limited data with the following third-party providers. Each provider processes data only as necessary to perform their specific function:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google (Gemini API) | AI text and image generation | User prompts, campaign context (per-request, not stored by Google under API terms) |
| Supabase | Database, authentication, file storage | Account data, campaign data, generated images |
| Stripe | Payment processing | Email, payment method details (handled directly by Stripe) |
| Resend | Transactional email delivery | Email address, email content |
| Railway | Application hosting | Server logs (IP addresses, request metadata) |
4. Data Storage and Location
4.1 Storage Location: Your campaign data and account information are stored in Supabase-hosted PostgreSQL databases. Our primary database region is in the United States. Application servers are hosted on Railway infrastructure in the United States.
4.2 Data Retention: Your data is retained for as long as your account is active. If you delete your account, we will delete your personal information and campaign data within 30 days, except where retention is required by law (e.g., security logs related to child safety enforcement, billing records required for tax purposes).
4.3 Data Security: We use industry-standard security measures including encrypted connections (TLS/SSL), Row Level Security (RLS) on all database tables, secure API key management, and scoped authentication tokens. No system is perfectly secure, and we cannot guarantee absolute security.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access: You can request a copy of the personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate personal data.
- Right to Erasure: You can request deletion of your account and all associated personal data. We will process deletion requests within 30 days.
- Right to Data Portability: You can request an export of your campaign data in a machine-readable format.
- Right to Object: You can object to processing of your data where we rely on legitimate interests as the legal basis.
- Right to Restrict Processing: You can request that we limit how we use your data while a complaint is being resolved.
To exercise any of these rights, contact support.creationos@gmail.com. We will respond to verified requests within 30 days. We may ask you to verify your identity before processing a request.
7. International Data Transfers
If you are located outside the United States, your data will be transferred to and processed in the United States where our infrastructure providers operate. By using the Service, you consent to this transfer. We ensure that our third-party providers maintain appropriate data protection safeguards consistent with applicable law.
8. Children
The Service is not intended for users under the age of 13 (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected data from a child under the applicable minimum age, we will delete that data promptly. If you believe a child has provided us with personal information, please contact support.creationos@gmail.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
10. Contact
For privacy-related questions, data access requests, or concerns about how your information is handled, contact us at support.creationos@gmail.com.