Privacy Policy

Last Updated: January 2025

1. Data Controller

Branchverse ("we", "us", "our") is the data controller responsible for your personal information. Contact: privacy@branchverse.app

2. What Data We Collect

2.1 Account Data

**Email address**: Required for account creation, authentication, and password reset
**Password**: Stored as a secure hash (never in plaintext)
**Username**: Public identifier displayed with your content

2.2 Content Data

**Stories and chapters**: The narrative content you create
**Votes**: Your upvotes on chapters
**Read events**: Records of chapters you've read (for analytics)

2.3 Technical Data

**IP address**: Collected for abuse prevention (retained for 30 days)
**Request logs**: Server logs for debugging and security (retained for 30 days)
**Device information**: Browser type, operating system (via analytics)

3. How We Use Your Data

3.1 Service Provision

We use your data to:

Authenticate your account and provide access to the Service
Display your content and attribution
Enable branching narratives and story discovery
Send essential service emails (password reset, email verification)

Legal Basis: Contract (necessary to provide the Service)

3.2 Analytics

We analyze usage patterns to improve the Service:

Which chapters are most read
How users navigate branching stories
Feature usage and engagement metrics

Legal Basis: Legitimate interest (improving our product) Data Minimization: Analytics use aggregated, anonymized data where possible.

3.3 Security and Abuse Prevention

We use your data to:

Detect and prevent abuse, spam, and illegal activity
Enforce our Terms of Service and Content Policy
Investigate reports of harmful content

Legal Basis: Legitimate interest (protecting the Service and users)

4. Third-Party Processors

We share data with the following processors to operate the Service: | Processor | Purpose | Data Shared | EU Region | |-----------|---------|-------------|-----------| | Vercel | Hosting and CDN | Request data, logs | ✅ Configured | | Supabase/Neon | Database hosting | All user data | ✅ Configured | | Clerk | Authentication | Email, username | ✅ EU available | | Resend | Email delivery | Email addresses | ✅ EU processing | | PostHog | Analytics | Anonymous events | ✅ EU Cloud | | Sentry | Error monitoring | Error context | ✅ EU available | All processors have appropriate data processing agreements (DPAs) in place. Data is processed in the EU/UK where possible.

5. Data Retention

| Data Type | Retention Period | Post-Retention Action | |-----------|------------------|----------------------| | Account data | Until account deletion | Anonymized, then archived | | Chapter content | Forever | Hidden on moderation (never deleted) | | Votes | Forever | Anonymized on user deletion | | Read events | 180 days | Aggregated, then deleted | | IP addresses | 30 days | Auto-purged | | Request logs | 30 days | Auto-purged | | Reports | Forever | Legal/audit requirement | | Admin actions | Forever | Immutable audit log |

6. Your Rights (GDPR)

Under the UK GDPR and EU GDPR, you have the following rights:

6.1 Right of Access

You can request a copy of all personal data we hold about you. How to exercise: Contact privacy@branchverse.app

6.2 Right to Rectification

You can update your email and password via your account settings. Username changes are not permitted to maintain content attribution.

6.3 Right to Erasure

You can request deletion of your account and personal data. Important: Due to the immutable nature of chapters (§5.3 in Terms of Service), published content cannot be deleted. Instead:

Your username will be anonymized to "[deleted]"
Your email and other PII will be deleted
Chapter content remains for narrative tree integrity

How to exercise: Contact privacy@branchverse.app

6.4 Right to Data Portability

You can request an export of your data in a machine-readable format. How to exercise: Contact privacy@branchverse.app (manual export for MVP)

6.5 Right to Object

You can object to processing based on legitimate interest (e.g., analytics). How to exercise: Contact privacy@branchverse.app

6.6 Right to Restrict Processing

You can request that we limit how we process your data. How to exercise: Contact privacy@branchverse.app Response Time: We will respond to all requests within 30 days.

7. Cookies

7.1 Essential Cookies

We use essential cookies for authentication and session management:

**Session cookie** (httpOnly): Required for logged-in users
**No consent required**: These are strictly necessary for the Service

7.2 Analytics

We use PostHog in cookieless mode (no persistent cookies) to avoid requiring cookie consent while still providing analytics. If we introduce non-essential cookies in the future, we will:

Show a cookie consent banner
Allow you to manage preferences
Block non-essential cookies until consent is given

8. International Transfers

Your data is processed in the EU/UK. All third-party processors are configured for EU data residency where available.

9. Security

We implement appropriate technical and organizational measures to protect your data:

Encryption in transit (HTTPS/TLS 1.3)
Encryption at rest (database encryption)
Secure password hashing (bcrypt/Argon2)
Regular security audits
Access controls and authentication

10. Children's Privacy

Branchverse is not intended for users under 16. We do not knowingly collect data from children under 16. If you believe we have collected data from a child under 16, contact us immediately at privacy@branchverse.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on the Service. Last Updated: January 2025

12. Contact

For privacy-related questions or to exercise your rights: Email: privacy@branchverse.app Data Protection: We will respond to all requests within 30 days. --- *This Privacy Policy explains how Branchverse collects, uses, and protects your personal information in compliance with UK GDPR and EU GDPR.*