PRIVACY POLICY

1. Introduction

This Privacy Policy describes how Bitmischief Inc. ("MythWeaver," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the MythWeaver platform at mythweaver.co and any associated applications (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address: Used for account authentication, notifications, and communication
• Username: Your chosen display name on the platform
• Password: Stored in encrypted/hashed form (for email/password authentication)
• Profile image: Optional avatar or profile picture

2.2 Authentication Data

When you sign in, we collect:

• OAuth tokens: If you authenticate via Google, we receive limited profile information from the OAuth provider
• Session tokens: Used to maintain your authenticated session
• IP address: Recorded for security and fraud prevention
• User agent: Browser and device information for session management

2.3 Payment Information

When you subscribe to a paid plan or purchase credits:

• Stripe Customer ID: We store an identifier linking to your Stripe account
• Subscription status: Plan type, billing interval, and subscription state
• Transaction history: Records of payments and credit purchases

We do not store your credit card numbers, bank account details, or other sensitive payment information. All payment processing is handled securely by Stripe. Please refer to Stripe's Privacy Policy for information on how Stripe handles your payment data.

2.4 User-Generated Content

When you use the Service, we store:

• Campaigns: Campaign names, descriptions, settings, and member information
• Conjurations (Lore): NPCs, locations, items, monsters, and other content you create
• Sessions: Session notes, summaries, recaps, and planning materials
• Images: AI-generated images, uploaded images, and image metadata
• 3D Models: Generated 3D models and associated STL files
• Battle Maps: Generated tactical maps and associated data
• Templates: Custom templates you create for content generation
• Collections: Organizational folders and their contents
• Conversations: Chat history with our AI assistant "Weavy"
• Uploaded Documents: Files you upload for AI context (PDFs, Word documents, text files)

2.5 Usage and Analytics Data

We automatically collect:

• Feature usage: Which features you use and how often
• Generation requests: Prompts and parameters used for AI generation (for service improvement)
• Credit usage: How credits are consumed across features
• Page views and navigation: How you move through the application
• Error logs: Technical errors encountered during your use of the Service
• Performance metrics: Load times and application performance data

2.6 Communication Preferences

We store your preferences for:

• Marketing opt-in/out: Whether you wish to receive promotional emails
• NSFW content preference: Whether you have enabled mature content generation (Pro users only)

2.7 Integration Data

If you connect third-party services:

• Discord: Your Discord username/handle when you link your Discord account
• StoryVault: Campaign linking information for StoryVault integration

3. How We Use Your Information

3.1 Providing the Service

We use your information to:

• Create and manage your account
• Process payments and manage subscriptions
• Store and display your content
• Generate AI-powered text, images, 3D models, and battle maps
• Enable collaboration with campaign members
• Provide customer support

3.2 Improving the Service

We use your information to:

• Analyze usage patterns to improve features
• Train and improve our AI models (using aggregated, anonymized data)
• Debug issues and fix errors
• Develop new features based on user needs

3.3 Communication

We use your email to:

• Send transactional emails (account verification, password resets, subscription confirmations)
• Send product updates and announcements
• Send marketing communications (if you have opted in)
• Respond to support requests

3.4 Security and Fraud Prevention

We use your information to:

• Detect and prevent fraudulent activity
• Enforce our Terms of Service
• Protect the security and integrity of the Service
• Comply with legal obligations

3.5 Marketing and Promotion

As described in our Terms of Service, we may use content generated through the Service for marketing and promotional purposes, including showcasing user-generated content in promotional materials, on our website, and in advertisements. We will not associate your personal information with marketed content without your explicit consent.

4. How We Share Your Information

4.1 With Other Users

Content you create may be shared with other users based on your visibility settings:

• Private: Only visible to you
• DM Only: Visible to you and campaign Dungeon Masters
• Campaign: Visible to all campaign members
• Public: Visible to all MythWeaver users

4.2 With Service Providers

We share information with third-party service providers who assist us in operating the Service:

These providers are contractually obligated to protect your information and may only use it to provide services to us.

4.3 For Legal Reasons

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas). We may also disclose information to:

• Comply with legal obligations
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing
• Protect the personal safety of users or the public

4.4 Business Transfers

If MythWeaver is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Storage and Security

5.1 Data Storage

Your data is stored on secure cloud infrastructure:

• Application data: Stored in PostgreSQL databases hosted on DigitalOcean
• Files and media: Stored in DigitalOcean Spaces (S3-compatible object storage)
• Geographic location: Data is primarily stored in the United States (San Francisco region)

5.2 Security Measures

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit: All data transmitted to and from the Service uses TLS/HTTPS encryption
• Encryption at rest: Sensitive data is encrypted when stored
• Password hashing: Passwords are hashed using industry-standard algorithms
• Access controls: Employee access to user data is limited and logged
• Regular security reviews: We conduct periodic security assessments

5.3 Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you via email within 72 hours of becoming aware of the breach, as required by applicable law.

6. Data Retention

6.1 Active Accounts

We retain your data for as long as your account is active and as needed to provide you the Service.

6.2 Account Deletion

When you delete your account:

• Personal data: Deleted within 30 days
• User-generated content: Deleted within 30 days, except for content shared with campaigns (which may persist for other members)
• Payment records: Retained as required for tax and legal compliance (typically 7 years)
• Backups: May be retained for up to 90 days for disaster recovery purposes
• Anonymized analytics: May be retained indefinitely in aggregate form

6.3 Inactive Accounts

We may delete accounts that have been inactive for an extended period (typically 2+ years) after providing notice to your registered email address.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to:

• Access the personal information we hold about you
• Request a copy of your data in a portable format
• View and download your content through the Service

7.2 Correction

You can update or correct your account information at any time through your account settings.

7.3 Deletion

You can delete your account at any time through your account settings or by contacting [email protected]. Please note that some information may be retained as described in Section 6.

7.4 Marketing Opt-Out

You can opt out of marketing communications at any time by:

• Using the unsubscribe link in our emails
• Updating your preferences in account settings
• Contacting us at [email protected]

7.5 Content Marketing Opt-Out

If you do not wish for content you generate to be used in our marketing materials, you may opt out by contacting [email protected]. This opt-out applies to future use only.

7.6 Do Not Track

The Service does not currently respond to "Do Not Track" browser signals.

8. Cookies and Tracking Technologies

8.1 Cookies We Use

We use cookies and similar technologies for:

• Essential cookies: Required for authentication and core functionality
• Analytics cookies: To understand how you use the Service (via Amplitude)
• Preference cookies: To remember your settings and preferences

8.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

9. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will delete such information.

Users between 13 and 18 may use the Service with parental consent as described in our Terms of Service.

10. International Data Transfers

If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using the Service, you consent to the transfer of your information to the United States.

We take steps to ensure that your data receives an adequate level of protection in the jurisdictions in which we process it.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

11.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you, as well as the categories of sources, purposes for collection, and categories of third parties with whom we share your information.

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

11.3 Right to Opt-Out of Sale

We do not sell your personal information as defined under the CCPA.

11.4 Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, please contact us at [email protected].

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

12.1 Legal Basis for Processing

We process your personal data based on the following legal bases:

• Contract: Processing necessary to perform our contract with you (providing the Service)
• Legitimate interests: Processing necessary for our legitimate business interests (improving the Service, security)
• Consent: Processing based on your consent (marketing communications)
• Legal obligation: Processing necessary to comply with legal requirements

12.2 Your Rights

You have the right to:

• Access: Request access to your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request restriction of processing
• Portability: Request transfer of your data to another service
• Object: Object to processing based on legitimate interests
• Withdraw consent: Withdraw consent at any time for consent-based processing

12.3 Data Controller

Bitmischief Inc. is the data controller for your personal information.

12.4 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates applicable law.

To exercise your GDPR rights, please contact us at [email protected].

13. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting a notice on the Service
• Sending an email to your registered email address
• Updating the "Last Updated" date at the top of this policy

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Email:[email protected]

Website:https://mythweaver.co

For privacy-specific inquiries, you may also reach out to our data protection team at [email protected] with "Privacy Inquiry" in the subject line.