Privacy Policy
Effective date: March 13, 2026
1. Data Controller
Lorenzo Fiore
Via Briantea 72, 20063 Cernusco sul Naviglio (MI), Italy
Email: support@embertold.com
2. Data We Collect
Account Data
When you register, we collect your email address, username, and display name via Supabase Auth. You may optionally upload an avatar image.
Profile Data
Your account role and preferences stored in your user profile.
Payment Data
We store your Stripe customer ID, subscription tier, credit balance, and transaction history. Credit card details are handled entirely by Stripe and never touch our servers.
Gameplay Data
Adventures, characters, game sessions, messages, inventory, chapter summaries, and adventure reviews you create while using the service.
AI-Generated Content
Images, sound effects, voice narration, and scene descriptions generated by AI during gameplay, cached for performance.
Analytics Data
With your consent, we collect page views and gameplay events via Google Analytics 4 (GA4), and heatmaps and session replays via Microsoft Clarity.
Technical Data
IP address, browser type, device information, and other standard data collected through server logs.
3. Legal Bases for Processing (GDPR Art. 6)
- Contract performance — Processing your account, gameplay, and billing data is necessary to provide the service you signed up for.
- Consent — Analytics and session recording are only activated when you explicitly opt in via our cookie consent banner.
- Legitimate interest — Security monitoring, fraud prevention, and service improvement.
4. Third-Party Services
We use the following sub-processors to operate the service:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU (SOC2) |
| Weaviate Cloud | Vector embeddings for lore | EU |
| Stripe | Payment processing | US (PCI DSS) |
| Google Gemini | AI language model | US |
| Google Analytics | Website analytics (with consent) | US |
| Replicate | AI image generation | US |
| ElevenLabs | Sound effects generation | US/EU |
| Microsoft Clarity | Session recording (with consent) | US |
| Azure Speech Service | Text-to-speech | Configurable region |
| Inworld AI | Text-to-speech | US |
| Vercel | Hosting | US/EU |
5. Cookies & Tracking
Necessary Cookies
Supabase authentication session cookies and cookie consent preference storage. These are required for the site to function and cannot be disabled.
Analytics Cookies
Google Analytics 4 cookies, activated only with your explicit consent.
Session Recording
Microsoft Clarity cookies for heatmaps and replays, activated only with your consent.
You can manage your cookie preferences at any time using the Cookie Settings option in the sidebar or by visiting our Cookie Policy.
6. Data Retention
- Account & gameplay data — Retained while your account is active. Deleted within 30 days of an account deletion request.
- Payment records — Retained as required by Italian tax and accounting law (up to 10 years).
- Analytics data — Retained per Google and Microsoft Clarity default retention policies.
- AI-generated content cache — Retained indefinitely. Cached content is anonymized and not linked to your account after deletion.
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Port your data to another service
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest
- Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at support@embertold.com.
You also have the right to lodge a complaint with the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) at www.garanteprivacy.it.
8. CCPA Disclosure (California Residents)
If you are a California resident, the California Consumer Privacy Act grants you additional rights:
- The right to know what personal information we collect and how it is used.
- The right to request deletion of your personal information.
- The right to opt out of the sale of personal information.
We do not sell your personal information. The categories of data we collect and their purposes are described in Section 2 above.
9. Children's Privacy
Embertold is not intended for children under 13. We do not knowingly collect personal data from children under 13. Users aged 13 to 15 require verifiable parental consent per Italian GDPR implementation (D.Lgs. 101/2018).
If you believe a child under 13 has provided us with personal data, please contact us at support@embertold.com and we will promptly delete it.
10. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area, including the United States. We rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable to ensure appropriate safeguards.
11. Security Measures
- Row-Level Security (RLS) enforced on all database tables
- Encrypted connections via HTTPS/TLS
- Stripe PCI DSS compliance for payment processing
- No credit card data stored on our servers
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of the service after changes constitutes acceptance.
13. Contact
For questions or requests regarding this policy, contact us at support@embertold.com.