Privacy Policy

This Privacy Policy describes how MythScribe AI (“MythScribe AI,” “we,” “us,” or “our”), a sole proprietorship operated from the United States, collects, uses, stores, shares, and protects your personal information in connection with the MythScribe AI platform, website, applications, and all related services (collectively, the “Service”).

We are committed to protecting your privacy and handling your data transparently. By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address (required for all accounts)
• Display name (if provided)
• Password (stored in hashed form for credential-based accounts only)
• Google profile data (name, email, and profile picture, if you sign in via Google OAuth)
• TTRPG experience level (selected during registration, used to personalize AI responses)

1.2 Billing Information

Payment details are processed and stored exclusively by our payment processor, Stripe. We store your Stripe customer ID, subscription plan, subscription status, and billing cycle information in our database. We never receive, store, or have access to your full credit card number, CVC, or other sensitive payment card data.

1.3 Usage Data

We collect information about how you use the Service, including:

• AI interactions: Prompts you submit, generated content (characters, backstories, encounters, campaign ideas, names, chat messages), and associated metadata
• Worldbuilder data: Worlds, locations, NPCs, factions, lore entries, and other worldbuilding content you create
• Collections: Saved and organized content within your library
• Game system preferences: Your selected TTRPG system (D&D 5e, Pathfinder 2e, Daggerheart)
• Feature usage patterns: Which tools and features you access and how frequently

1.4 Technical Data

We automatically collect certain technical information when you access the Service:

• Device information: Device type, operating system, and browser type/version
• Network information: IP address, approximate geographic location (country/region level)
• Access logs: Pages visited, timestamps, referral URLs, and session duration
• Performance data: Page load times and error reports

1.5 Cookies and Similar Technologies

We use cookies and local storage to maintain your session, remember your preferences, and collect analytics data. For detailed information about the specific cookies we use and how to manage them, please see our Cookie Policy.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: To provide, operate, and maintain the Service, including AI-powered content generation, chat, worldbuilder tools, and your content library
• Personalization: To customize AI responses and recommendations based on your experience level, game system preferences, and worldbuilder context
• Payment processing: To manage subscriptions, process payments, and handle billing inquiries through Stripe
• Communication: To send you transactional emails (account verification, password resets, billing receipts, subscription changes) and important service announcements
• Security and fraud prevention: To detect, investigate, and prevent unauthorized access, abuse, and fraudulent activity
• Service improvement: To analyze usage patterns, diagnose technical issues, and improve features and user experience
• Legal compliance: To comply with applicable laws, regulations, and legal processes

We do not use your personal data for advertising or marketing purposes, and we do not sell your personal information to third parties.

3. AI Data Handling

3.1 How AI Processing Works

When you use AI features (chat, character creator, backstory generator, encounter generator, campaign ideas, name generator, worldbuilder AI), your prompts and relevant context (such as character details, world data, campaign information, and your experience level) are transmitted to third-party AI providers for processing. The AI provider generates a response, which is returned to you through the Service.

3.2 AI Providers

We currently use the following AI providers:

• Google Gemini: Processes prompts under the Gemini API Terms of Service
• OpenAI: Processes prompts under the OpenAI Terms of Use

3.3 No Model Training on User Data

MythScribe AI does not use your inputs, prompts, generated content, or any other user data to train, fine-tune, or improve any AI models. We use API-based access to AI providers configured for commercial use, which means your data is not used for model training by those providers either, subject to their respective terms. AI providers may retain prompts for a limited period solely for safety monitoring, abuse detection, and compliance purposes.

3.4 Data Minimization for AI Requests

We send only the information necessary to generate a relevant response to the AI provider. We do not send your email address, billing information, or other account details to AI providers. We recommend that you avoid including sensitive personal information (such as real names, addresses, phone numbers, or financial details) in your prompts.

3.5 Storage of AI-Generated Content

AI-generated content is stored in your account and is accessible only to you unless you explicitly choose to share it. Generated content is stored in our database hosted by Neon and is subject to the data retention policies described in Section 6.

4. Data Sharing and Sub-Processors

We share your data only with the service providers necessary to operate the Service. We do not sell, rent, or trade your personal information with third parties. Our current sub-processors are:

4.1 Sub-Processor List

• Stripe (San Francisco, CA, USA) — Payment processing and subscription management. Receives: payment method data, email, billing address. Stripe Privacy Policy
• Vercel (San Francisco, CA, USA) — Application hosting and edge network. Receives: all HTTP request data including IP addresses, headers, and page content. Vercel Privacy Policy
• Neon (San Francisco, CA, USA) — PostgreSQL database hosting. Stores: all account data, user content, worldbuilder data, chat history, and generated content. Neon Privacy Policy
• Google (Gemini API) (Mountain View, CA, USA) — AI content generation. Receives: user prompts and context necessary for generation. Google Privacy Policy
• OpenAI (San Francisco, CA, USA) — AI content generation. Receives: user prompts and context necessary for generation. OpenAI Privacy Policy
• Resend (San Francisco, CA, USA) — Transactional email delivery. Receives: recipient email address and email content. Resend Privacy Policy
• Ahrefs (Singapore) — Web analytics. Receives: anonymized page view data, referral sources, device/browser information, geographic region. Ahrefs Privacy Policy

4.2 Other Disclosures

We may disclose your information in the following circumstances:

• Legal requirements: When required by law, regulation, legal process, or governmental request
• Safety and rights: To protect the rights, property, or safety of MythScribe AI, our users, or the public
• Business transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, in which case you will be notified via email and/or a prominent notice on the Service
• With your consent: When you have explicitly authorized us to share your information

5. International Data Transfers

MythScribe AI is operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our sub-processors operate.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following mechanisms for data transfers to countries that have not received an adequacy decision from the European Commission:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The EU-U.S. Data Privacy Framework, where applicable
• Your explicit consent, where required

By using the Service, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions as described in this Privacy Policy.

6. Data Retention

We retain your personal data in accordance with the following periods:

• Active account data: Retained for as long as your account remains active and you continue to use the Service
• Post-deletion retention: When you delete your account, we will delete your personal data within thirty (30) calendar days, except as described below
• Post-termination retention: If your account is terminated by us, we retain your data for thirty (30) days to allow you to request an export, after which it is permanently deleted
• Billing records: Retained for seven (7) years after the end of the billing relationship to comply with tax and accounting obligations
• Security and abuse logs: IP addresses and access logs are retained for ninety (90) days for security and abuse prevention purposes
• Legal obligations: We may retain certain data longer if required by applicable law, regulation, or valid legal process (e.g., litigation hold, regulatory investigation)

7. Your Rights

7.1 Rights for All Users

Regardless of your location, you may:

• Access and update your account information through your account settings
• Request a copy of the personal data we hold about you
• Request deletion of your account and associated data
• Request an export of your content in a machine-readable format
• Opt out of analytics cookies via your browser settings

7.2 Rights for EU/EEA Residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent local laws:

• Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
• Right to rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
• Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to restrict processing (Art. 18): You have the right to request that we limit the processing of your personal data under certain circumstances (e.g., while we verify the accuracy of your data).
• Right to object (Art. 21): You have the right to object to our processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

Legal basis for processing: We process your data based on: (a) contractual necessity (to provide the Service under our Terms of Use); (b) legitimate interests (security, fraud prevention, service improvement); and (c) consent (analytics cookies, optional marketing communications).

7.3 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data.
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).
• Right to correct: You have the right to request correction of inaccurate personal information.
• Right to opt out of sale or sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. If this practice ever changes, we will provide a “Do Not Sell or Share My Personal Information” link on our website.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different quality of service because you exercised your rights.

Categories of personal information collected in the past 12 months: Identifiers (email, name, IP address); commercial information (subscription history, billing records); internet activity (usage data, browsing history within the Service); and inferences (experience level, game system preferences).

7.4 Exercising Your Rights

To exercise any of the rights described above, contact us at privacy@mythscribeai.com. We will verify your identity before processing your request and respond within thirty (30) days (or within the timeframe required by applicable law). If we need additional time, we will notify you of the extension and the reasons for the delay.

8. Children's Privacy

The Service is not directed to children under the age of thirteen (13). We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at privacy@mythscribeai.com. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take steps to promptly delete that information from our systems.

Users between the ages of 13 and 18 (or the age of majority in their jurisdiction) may use the Service only with the consent and supervision of a parent or legal guardian.

9. Security Measures

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your device and the Service is encrypted using TLS (Transport Layer Security)
• Encryption at rest: Data stored in our database is encrypted at rest using AES-256 encryption provided by our database host (Neon)
• Password hashing: User passwords are hashed using bcrypt with salting before storage; we never store plaintext passwords
• Access controls: Database access is restricted to authorized systems and personnel only, with role-based access controls
• Session management: Authentication sessions use secure, HTTP-only cookies with CSRF protection
• Infrastructure security: Our hosting provider (Vercel) maintains SOC 2 Type II compliance and implements additional infrastructure-level protections

While we take reasonable precautions, no method of data transmission or storage is 100% secure. We cannot guarantee the absolute security of your data. Please use the Service responsibly, choose a strong password, and keep your account credentials confidential.

10. Data Breach Notification

In the event of a data breach that affects your personal data, we will:

• Notify affected users by email within seventy-two (72) hours of becoming aware of the breach, where feasible
• Notify the relevant supervisory authority within seventy-two (72) hours, as required by GDPR (for EU/EEA residents)
• Provide a description of the nature of the breach, the categories and approximate number of users affected, the likely consequences, and the measures taken or proposed to address the breach
• Post a notice on the Service if the breach affects a large number of users

11. Cookies

We use cookies and similar technologies (such as local storage) for authentication, preferences, and analytics. For a comprehensive description of the specific cookies we use, their purposes, duration, and how to manage them, please see our Cookie Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the “Last updated” date at the top of this page
• Send an email notification to the address associated with your account
• Display a prominent notice within the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our designated privacy contact (serving as our DPO equivalent):

• Privacy inquiries: privacy@mythscribeai.com
• General support: support@mythscribeai.com
• Abuse reports: abuse@mythscribeai.com

For GDPR-related inquiries, you may also contact your local data protection supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.