Privacy Policy
Last updated: December 2025
1. Data Controller
Who we are: Oswald Verse is a platform for interactive storytelling where readers vote on story outcomes.
Data Controller:
- Platform: Oswald Verse
- Email: [email protected]
- Website: https://oswaldverse.com
Supervisory Authority (Poland): If you are in Poland, you can lodge a complaint with the Urząd Ochrony Danych Osobowych (UODO): https://uodo.gov.pl
2. Information We Collect
We collect information you provide directly to us, such as when you create an account, participate in interactive features, or communicate with us.
- Account information (email, username)
- Profile information (avatar, bio)
- Content you create (stories, votes, comments)
- Usage data and analytics
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data based on the following legal grounds:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Account Data (email, username) | Contract Performance (Art. 6(1)(b)) | Necessary to provide you with the service |
| Content (stories, votes, comments) | Contract Performance (Art. 6(1)(b)) | Core functionality of the platform |
| Analytics & Usage Data | Legitimate Interest (Art. 6(1)(f)) | Improve platform performance and user experience |
| Marketing Cookies (future) | Consent (Art. 6(1)(a)) | Personalized advertising (when activated) |
| Security Logs | Legitimate Interest (Art. 6(1)(f)) | Fraud prevention and platform security |
| Newsletter (optional) | Consent (Art. 6(1)(a)) | Send updates about new content (opt-in only) |
You can withdraw consent at any time in your Privacy Settings.
4. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Personalize your experience
- Communicate with you about updates and features
- Monitor and analyze trends and usage
- Detect and prevent fraud and abuse
5. Data Retention Periods (GDPR Art. 5(1)(e))
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period | Justification |
|---|---|---|
| Active user accounts | While account is active | Service delivery |
| Deleted accounts (soft delete) | 30 days | Account recovery period |
| Published stories & comments | Permanent (anonymized after account deletion) | Platform content integrity |
| Analytics data (aggregated) | 13 months | Business intelligence & trends |
| Security logs & error logs | 90 days | Security monitoring & debugging |
| Token transactions & financial records | 6 years | Legal & tax obligations |
| Cookie consent records | 3 years | Proof of consent (GDPR requirement) |
| Database backups | 30 days | Disaster recovery |
After retention periods expire, data is permanently deleted or anonymized. You can request immediate deletion via your Privacy Settings.
6. Information Sharing & Third-Party Processors
We do not sell your personal information. We may share information in limited circumstances:
- With your consent
- To comply with legal obligations
- To protect our rights and safety
- With service providers who assist our operations (see below)
Third-Party Processors (GDPR Art. 28)
We work with the following service providers:
| Service | Purpose | Location | DPA Status |
|---|---|---|---|
| Supabase | Database, Authentication | EU & USA | DPA Available |
| Sentry | Error tracking & monitoring | Germany (de.sentry.io) | DPA Available |
| Vercel | Hosting & CDN | Global CDN | DPA Available |
| OpenAI | AI features (translations, descriptions) | USA | DPA Available |
| Google AdSense | Advertising (future) | USA | DPA Available |
International Data Transfers (GDPR Art. 44-50)
Some of our service providers are based outside the European Economic Area (EEA). We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) - EU Commission-approved contracts that guarantee GDPR-level protection
- Data Processing Agreements (DPAs) - Signed contracts with all processors specifying data protection obligations
- Adequacy Decisions - Using services in countries approved by the EU Commission where possible
- EU Data Residency - Sentry uses Germany-based servers (de.sentry.io)
For OpenAI: Data transfers are protected by Standard Contractual Clauses. OpenAI's API terms prohibit using your data for model training. Learn more
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption - HTTPS for data in transit, AES-256 for data at rest
- Access Controls - Row-Level Security (RLS) with 495+ database policies
- Authentication - Secure password hashing (bcrypt), session management
- Monitoring - 24/7 security monitoring via Sentry (Germany-based)
- Data Sanitization - Automatic removal of sensitive data from error logs
- Regular Backups - 30-day backup retention with encrypted storage
Despite our best efforts, no security system is 100% secure. If you discover a security vulnerability, please report it to [email protected].
8. Data Breach Notification (GDPR Art. 33-34)
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Supervisory Authority within 72 hours of becoming aware
- Notify Affected Users without undue delay if the breach poses a high risk
- Provide Details including nature of breach, likely consequences, and measures taken
- Document the Breach including facts, effects, and remedial action taken
We maintain incident response procedures and will communicate transparently if a breach affects your data.
9. Your Rights (GDPR Art. 15-22)
You have the following rights regarding your personal data:
✅ Right to Access (Art. 15)
Download all your personal data in JSON format via Privacy Settings.
✅ Right to Rectification (Art. 16)
Update your profile information anytime in Dashboard → Profile.
✅ Right to Erasure (Art. 17)
Delete your account with a 30-day recovery period via Privacy Settings. Your published content will be anonymized but preserved for platform integrity.
✅ Right to Data Portability (Art. 20)
Export your data in machine-readable JSON format (same as Right to Access).
✅ Right to Object (Art. 21)
Manage cookie preferences and withdraw consent at any time via Privacy Settings.
⏳ Right to Restriction (Art. 18) - Not Yet Implemented
Currently not available. Contact us if you need to restrict processing of your data.
To exercise any of these rights, visit your Privacy Settings or contact us at [email protected]. We will respond within 30 days.
10. Cookies & Tracking
We use cookies and similar technologies to improve your experience. You have full control over cookie preferences via our consent banner.
- Essential Cookies - Required for platform functionality (authentication, session management)
- Analytics Cookies - Help us understand usage patterns (requires consent)
- Marketing Cookies - For future personalized advertising (requires consent, not yet active)
For detailed information, see our Cookie Policy. Manage your preferences in Privacy Settings.
11. Children's Privacy (GDPR Art. 8)
⚠️ Age Requirement: 13+ Years
Our platform requires users to be at least 13 years old. This complies with GDPR Article 8 (minimum age for Poland and EU) and protects children's online privacy.
- Age Verification - Required checkbox during registration confirming user is 13+
- Parental Rights - Parents can contact us to request deletion of their child's data if they believe a user is under 13
- No Targeted Advertising to Minors - Users under 18 will have marketing cookies disabled by default (when advertising launches)
- Content Moderation - Platform is designed for general audiences, with community moderation to ensure age-appropriate content
If you believe a user under 13 has created an account, please contact [email protected] immediately and we will delete the account.
12. Advertising (Future Feature)
Status: ⚠️ Not Active Yet (as of 1/25/2026)
To keep Oswald Verse free for all users, we plan to introduce optional personalized advertising in the future.
7.1 Advertising Partner
We have registered with:
- Google AdSense (Publisher ID: pub-5170608316863531)
- Legal Entity: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
- Privacy Policy: https://policies.google.com/privacy
7.2 Before We Activate Ads
You will receive:
- Email notification 30 days in advance
- Details about what data will be shared
- Instructions on how to opt-out
- Option to upgrade to Premium (ad-free)
7.3 Data That Would Be Shared (When Active)
✓ Data we would share with Google AdSense:
- Story categories you read (e.g., fantasy, romance)
- Reading frequency (daily/weekly/monthly)
- Device type and browser
- Country-level location (e.g., "Poland")
- Language preference
✗ Data we would NEVER share:
- Email address or real name
- Account passwords
- Payment information
- Private messages
- Exact location (GPS/IP address)
7.4 International Data Transfer
Google AdSense is based in the USA. If we activate advertising, data transfer will be protected by Standard Contractual Clauses (SCCs) - EU-approved legal mechanisms ensuring GDPR protection for data sent outside the EU.
7.5 Your Control
Even if you opt into marketing cookies now:
- No ads will appear until you receive 30-day notice
- You can withdraw consent anytime in Settings → Privacy
- You can use the platform ad-free (Premium: €3.99/month)
- Disabling ads doesn't limit any features
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Notification - We will notify you of significant changes via email or prominent notice on the platform
- Last Updated Date - Always displayed at the top of this policy
- Consent for Material Changes - For changes that materially affect your rights, we will request your consent
- Version History - Previous versions available upon request
Your continued use of the platform after changes take effect constitutes acceptance of the updated policy, unless explicit consent is required.
14. Contact Us & Complaints
📧 Data Protection Inquiries
- General Privacy Questions: [email protected]
- Security Issues: [email protected]
- User Rights Requests: Use Privacy Settings or email [email protected]
- General Support: Contact Form
🇪🇺 Right to Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local Data Protection Authority:
- Poland (UODO): https://uodo.gov.pl
- EU-wide list: https://edpb.europa.eu/about-edpb/board/members_en
We encourage you to contact us first so we can address your concerns directly.