Privacy Policy

Effective Date: May 5, 2026

1. Introduction

This Privacy Policy explains how [YOUR_LEGAL_ENTITY_NAME] ("we," "us," or "our") collects, uses, discloses, and protects personal information when you use WovenMyth (the "Service").

By using the Service, you consent to the practices described in this Policy. If you do not agree, do not use the Service.

2. Information We Collect

Information you provide directly:

  • Account information: email address, password (hashed), display name
  • Billing information: collected and processed by Stripe; we do not store full payment card numbers
  • User Content: worlds, characters, story notes, uploaded documents, and other creative content you create or upload
  • Communications: feedback, support requests, survey responses

Information collected automatically:

  • Usage data: features used, pages visited, time spent, AI generation counts
  • Device and browser information: browser type, operating system, IP address, device identifiers
  • Cookies and similar technologies: session cookies for authentication, analytics cookies (PostHog)

Information from third parties:

  • Authentication providers (Supabase) verify your identity
  • Payment processor (Stripe) provides subscription status
  • Analytics providers (PostHog) provide aggregated usage data

3. How We Use Information

We use information to:

  • Provide, operate, and maintain the Service
  • Authenticate users and secure accounts
  • Process payments and manage subscriptions
  • Send AI-generation requests to third-party AI providers (Anthropic) on your behalf
  • Communicate about your account, billing, security, and product updates
  • Improve the Service through analytics and usage research
  • Detect, investigate, and prevent fraud, abuse, or security incidents
  • Comply with legal obligations and enforce our Terms of Service

4. AI Processing

When you use AI features, the content you submit (your prompts and world context) is transmitted to Anthropic for processing. Per Anthropic's API terms, this data is not used to train Anthropic's AI models when accessed via the API.

We do not use Your Content to train any AI models — ours or third parties' — except where you explicitly opt in.

Your AI requests and outputs are stored in our database for the purpose of providing the Service to you (e.g., displaying your prior Oracle sessions). You may delete this data at any time.

5. Cookies and Tracking

We use the following types of cookies:

  • Strictly necessary: session authentication, CSRF protection (cannot be disabled)
  • Functional: remembering your preferences (e.g., sidebar state)
  • Analytics: aggregated usage data via PostHog (you may opt out)

You may control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the Service.

6. How We Share Information

We do not sell your personal information. We share information only as follows:

  • Service providers: Supabase (database/auth), Stripe (payments), Anthropic (AI processing), Vercel (hosting), PostHog (analytics), and similar vendors. Each is contractually bound to protect your data.
  • Legal compliance: when required by law, court order, or to respond to valid legal processes
  • Protection of rights: to protect the safety, rights, or property of WovenMyth, our users, or the public
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you
  • With your consent: when you explicitly opt in to specific sharing

7. Data Retention

We retain personal information only as long as needed to:

  • Provide the Service to you
  • Comply with legal, accounting, or reporting obligations
  • Resolve disputes and enforce agreements

When you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g., financial records typically retained for 7 years for tax purposes).

8. Security

We implement technical and organizational measures to protect your data, including:

  • Encrypted transmission (TLS) of all data in transit
  • Encrypted storage of passwords (hashed) and sensitive content (when Privacy Mode is enabled)
  • Row-level security on the database
  • Regular security reviews and dependency updates
  • Limited employee access to user data on a need-to-know basis

However, no system is perfectly secure. We cannot guarantee absolute security and are not liable for unauthorized access despite reasonable safeguards.

9. Your Rights (GDPR, CCPA, and similar laws)

Depending on your jurisdiction, you may have the right to:

  • Access: request a copy of personal information we hold about you
  • Correction: request correction of inaccurate personal information
  • Deletion: request deletion of your personal information (subject to legal exceptions)
  • Portability: request a machine-readable export of your data
  • Objection: object to certain processing activities
  • Restriction: request restriction of processing in certain circumstances
  • Opt-out (CCPA): opt out of the "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising)
  • Withdraw consent: where processing is based on consent

To exercise any of these rights, contact us at privacy@yourdomain.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

10. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it. If you are a parent and believe your child has provided personal information, please contact us.

11. International Transfers

Our services are operated from the United States. If you access the Service from outside the U.S., your information may be transferred to, stored, and processed in the U.S. or other countries. By using the Service, you consent to such transfers.

For users in the European Economic Area, United Kingdom, or Switzerland, we implement appropriate safeguards (such as Standard Contractual Clauses) for international data transfers.

12. Privacy Mode

Paid subscribers may enable "Privacy Mode," which encrypts world content at rest in our database. Note that this does not prevent us from processing content as needed to provide the Service (e.g., transmitting to AI providers for generation requests).

13. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. Review their privacy policies before providing information.

14. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated via email or prominent notice within the Service at least 14 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance.

15. Contact

For privacy questions or to exercise your rights, contact:

[YOUR_LEGAL_ENTITY_NAME] — Privacy Team
[YOUR_BUSINESS_ADDRESS]
Email: privacy@yourdomain.com

⚠️ Founder note (delete before publishing): Replace all bracketed [PLACEHOLDERS]. If you collect data from EU/UK users, you may also need a Data Processing Agreement (DPA) and to register with a data protection authority. Have an attorney review.