Privacy Policy

1.1 Information You Provide

• Account Information: Name, email address, phone number, age, location
• FaceCast Data: Photos or Sora Cameos authorization for AI character creation
• Profile Information: Personality traits, archetype, gameplay preferences
• Content: Scenario responses, messages, feedback
• Payment Information: Processed securely through Stripe (we don't store full payment details)

1.2 Automatically Collected Information

• Usage Data: Pages viewed, features used, time spent on platform
• Device Information: IP address, browser type, device type, operating system
• Cookies: Authentication, preferences, analytics (see Cookie Policy)
• Performance Data: Response times, engagement metrics, error logs

We use your information to:

• Provide Services: Create your AI character, generate episodes, process payments
• Personalization: Tailor content and recommendations to your preferences
• Communication: Send scenario notifications, episode alerts, payment confirmations
• Platform Improvement: Analyze usage patterns, fix bugs, develop new features
• Security: Detect fraud, prevent abuse, enforce Terms of Service
• Legal Compliance: Fulfill legal obligations, respond to lawful requests
• Marketing: Send promotional content (opt-out available)

3.1 We Never Sell Your Data

We do not sell your personal information to third parties. Period.

3.2 Service Providers

We share data with trusted service providers who help us operate:

• Supabase: Database and authentication
• Stripe: Payment processing
• OpenAI/Sora: AI video generation (if using Sora Cameos)
• Cloud Storage: AWS/Google Cloud for secure file storage
• Analytics: Google Analytics (anonymized data)

3.3 Legal Requirements

We may disclose information when required by law, court order, or government request, or to protect our rights, property, or safety.

3.4 Business Transfers

If we are acquired or merged, your information may be transferred to the new entity. You will be notified of any such change.

We implement industry-standard security measures:

• Encryption: All data transmitted via HTTPS/TLS; photos encrypted at rest (AES-256)
• Access Controls: Limited employee access on need-to-know basis
• Regular Audits: Security assessments and penetration testing
• Secure Infrastructure: Firewalls, intrusion detection, DDoS protection
• Incident Response: 24-hour breach notification protocol

5.1 GDPR Rights (EU/UK Users)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate information
• Erasure: Request deletion ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in machine-readable format
• Objection: Object to processing for specific purposes
• Withdraw Consent: Revoke consent at any time

5.2 CCPA Rights (California Users)

• Know: What personal information we collect and how we use it
• Delete: Request deletion of your personal information
• Opt-Out: Opt-out of sale (we don't sell data, but right is available)
• Non-Discrimination: Equal service regardless of privacy choices

5.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@immersiverseos.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

We use cookies and similar technologies:

• Essential: Authentication, security, session management
• Functional: Preferences, language settings, UI customization
• Analytics: Usage patterns, performance monitoring (anonymized)
• Marketing: Ad targeting (with consent)

You can control cookies through your browser settings. Note that disabling essential cookies may affect platform functionality.

Our platform is not intended for users under 18. We do not knowingly collect information from minors. If we discover we have collected data from someone under 18, we will delete it immediately.

Parents who believe their child has provided information should contact us at privacy@immersiverseos.com.

We operate globally and may transfer data to the United States and other countries. We use Standard Contractual Clauses (SCCs) and other legally approved mechanisms to ensure adequate protection.

For EU/UK users, we comply with GDPR requirements for international transfers.

We retain your information as follows:

• Active Accounts: Duration of account + 30 days post-deletion
• FaceCast Photos: 30 days after account deletion
• Published Content: Indefinite (per content license in Terms)
• Financial Records: 7 years (tax/legal compliance)
• Analytics: 2 years (aggregated/anonymized)

You may request earlier deletion, subject to legal obligations.

We may update this Privacy Policy periodically. Material changes will be communicated via email and/or platform notification 30 days before taking effect. Continued use after changes constitutes acceptance.

Previous versions available upon request.