Privacy Policy

1. Introduction

SagaBound ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Service.

By using SagaBound, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Username/display name
• Password (encrypted via Supabase Auth)
• Avatar image (if you upload one)
• Subscription tier

2.2 Game Data

As you use the Service, we store:

• Game saves and progress (character stats, inventory, quest state, chat history)
• Character information you create (name, backstory, genre, hero image)
• Custom worlds and stories (including world rules, bestiary, and codex entries)
• Save snapshots (automatic backups of your game state)

2.3 Studio Media

When you use image or video generation features, we store:

• Your text prompts and generation settings
• Generated images and videos
• Reference images you provide for image-to-image generation

Studio media (images and videos) are automatically deleted after 3 days. Download any content you wish to keep before it expires.

2.4 Usage Information

We collect usage data including:

• Player statistics (turns taken, stories started, words generated, images created, lore discovered, worlds played, worlds created, day streak)
• Daily action counts and feature usage
• Play session data (duration, turns, completion status, platform, app version)
• Device information (type, operating system)
• Error logs and crash reports (via Sentry)

Daily usage records are retained for 90 days and then automatically deleted.

2.5 Payment Information

Subscription and coin pack purchases are processed by Stripe. We store a Stripe customer identifier linked to your account to manage your subscription tier and transaction history. We do not directly collect or store your full payment card details; all payment data is handled by Stripe under their privacy policy.

2.6 Community Data

When you interact with community features, we collect:

• Worlds you favorite and play
• Ratings and reviews you leave on community worlds
• Comments you post on worlds
• Referral codes you create or redeem
• Promo codes you redeem

2.7 Feedback

When you submit bug reports or feature requests through the app, we store the content of your submission along with your user identifier.

3. How We Use Your Information

We use collected information to:

• Provide the Service: Run games, save progress, generate AI content, sync data across devices
• Improve the Service: Analyze usage patterns, fix bugs, develop features, and monitor performance
• Personalize Experience: Remember preferences, maintain streaks, and customize AI settings
• Process Transactions: Handle subscription billing, coin purchases, and credit allocation
• Facilitate Community: Display public worlds, enable ratings and comments, track play counts
• Communicate: Send push notifications (with your permission), password reset emails, and respond to support requests
• Ensure Safety: Detect abuse, enforce Terms of Service, and protect users

4. AI and Your Data

4.1 AI Providers

SagaBound uses multiple AI providers to power different features:

• OpenRouter — Text generation (story narration, dialogue) and image generation (FLUX models). We explicitly set data_collection: 'deny' on all OpenRouter requests, instructing the provider not to use your data for training.
• Google Gemini API — Image generation (Imagen) and video generation (Veo).
• Replicate — Video generation (Wan models).

When you use AI features, your prompts and relevant game context are sent to these providers to generate responses. Each provider has its own privacy policy governing how they handle data received through their APIs.

4.2 No Training on Your Stories

We do not use your personal game content (stories, characters, custom worlds) to train AI models. Your adventures remain private to you. We also take steps to prevent our AI providers from using your content for training where their APIs allow such controls.

4.3 Content Moderation

We may review content flagged by automated systems for safety and Terms of Service compliance. This review is limited to ensuring platform safety.

5. Community and Public Information

Certain information is visible to other SagaBound users when you participate in community features:

• Public profile: Your username, avatar, and subscription tier are visible to other users.
• Public worlds: If you publish a world, its name, description, image, genre, tags, play count, favorite count, and your username as creator are publicly visible.
• Ratings and comments: Reviews and comments you leave on community worlds are visible to other users alongside your username.

You control whether your worlds are public or private. Private worlds are only accessible to you.

6. Information Sharing

We do not sell your personal information. We may share information with:

6.1 Service Providers

Third parties who help us operate the Service:

• Supabase — Authentication, database hosting, and file storage
• Stripe — Payment processing
• OpenRouter, Google Gemini, Replicate — AI generation
• Sentry — Error tracking and monitoring
• PostHog — Analytics (when enabled and consented to)
• SendGrid — Email delivery
• Twilio — SMS delivery (referral sharing)
• Expo — Push notification delivery

These providers are contractually obligated to protect your data and process it only as necessary to provide their services.

6.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, safety, or the safety of others.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

7. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit (HTTPS/TLS)
• Encrypted password storage (via Supabase Auth)
• Row Level Security (RLS) on all database tables to ensure users can only access their own data
• JWT-based authentication with automatic token refresh
• Secure cloud infrastructure
• Server-side API key management (AI provider keys are never exposed to clients)

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods include:

• Account and profile data: Retained until you request deletion
• Game saves and worlds: Retained until you delete them or your account
• Studio images and videos: Automatically deleted after 3 days
• Daily usage records: Retained for 90 days
• Minigame session data: Retained for 24 hours
• Transaction records: Retained as required for legal and accounting purposes

You can request deletion of your account and associated data at any time by contacting us through our contact page.

9. Your Rights

Depending on your location, you may have the right to:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and data
• Portability: Receive your data in a portable format
• Opt-out: Disable analytics tracking and unsubscribe from notifications

To exercise these rights, contact us through our contact page.

10. Notifications

10.1 Push Notifications

We may send push notifications to your device for daily reminders, streak alerts, and activity updates. Push notifications require your explicit permission and can be disabled at any time through your device settings or the app's notification preferences.

10.2 Email

We send transactional emails for password resets and account verification. These are necessary for the operation of the Service and cannot be opted out of while your account is active.

10.3 SMS

If you use the referral sharing feature, we may send a one-time SMS on your behalf to the recipient. We do not use SMS for marketing purposes.

11. Analytics and Tracking

11.1 Analytics

We use PostHog for product analytics to understand how users interact with the Service. Analytics collection is consent-based and can be disabled in the app's privacy settings.

11.2 Error Tracking

We use Sentry to collect error logs and crash reports. This data helps us identify and fix bugs. Error reports may include device information and the state of the app at the time of the error but do not include your story content.

11.3 Internal Statistics

We track aggregated gameplay statistics (turns taken, stories started, etc.) to display on your profile and improve the Service. These statistics are tied to your account and are not shared with third parties.

12. Children's Privacy

SagaBound is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover such collection, we will delete the information promptly.

Users between 13 and 18 should have parental or guardian consent to use the Service.

13. International Users

Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws. By using the Service, you consent to such transfers.

For users in the European Economic Area (EEA), we comply with GDPR requirements and will only transfer data with appropriate safeguards in place.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes through the app or email. Your continued use after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at our contact page.