FANTASIA PRIVACY POLICY

Effective Date: October 1, 2025
Last Updated: February 9, 2026
Version: 1.5

1. INTRODUCTION

FineApps ("we," "us," "our") operates Fantasia, an AI-powered tabletop RPG platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our desktop application, mobile application, and cloud services.

We respect your privacy and are committed to protecting your personal data in compliance with GDPR, CCPA, and other applicable privacy laws.

2. INFORMATION WE COLLECT

2.1 Information You Provide

Account Information

• Email address (required)
• Username (required)
• Display name (optional)
• Profile picture (optional)
• Google account ID (if using Google OAuth)
• Facebook account ID (if using Facebook Login)
• Apple account ID (if using Apple Sign In)

Game Information

• Character names and descriptions
• Game preferences and settings
• Campaign participation history
• In-game messages and actions
• Player analysis data (if Herodotus personalization enabled): gameplay patterns, preferences, and style
• Communication preferences: messaging permissions
• Young Adult protection status: whether you have enabled YA protection mode
• YA compliance data (for GMs): game content compliance status if your game is marked for minors

Payment Information (if applicable)

• Billing name and address
• Payment method details (processed by Stripe)
• Transaction history
• Subscription status

2.2 Information Collected Automatically

Usage Data

• Session timestamps
• Feature usage patterns
• Game participation metrics
• Error logs and crash reports

Device Information

• Device type and model
• Operating system version
• App version
• IP address (for security and region detection)
• Time zone

2.3 Information We DON'T Collect

• Claude Code credentials (stored locally only)
• Credit card numbers (handled by Stripe)
• Social Security numbers
• Government ID numbers
• Biometric data

3. HOW WE USE YOUR INFORMATION

3.1 Primary Uses

• Provide Services: Enable game hosting and participation
• Account Management: Authenticate users and manage profiles
• Communication: Send game invitations and notifications
• Payment Processing: Handle subscriptions and payouts
• Support: Respond to inquiries and resolve issues

3.2 Service Improvement

• Analytics: Understand platform usage patterns
• Development: Improve features based on user behavior
• Bug Fixes: Identify and resolve technical issues
• Performance: Optimize server and app performance

3.3 Legal & Security

• Compliance: Meet legal obligations
• Security: Detect and prevent fraud or abuse
• Enforcement: Enforce Terms of Service
• Protection: Protect rights and safety of users

4. DATA SHARING & DISCLOSURE

4.1 We Share Data With:

Service Providers

• Stripe: Payment processing
• Google Cloud/Render: Infrastructure hosting
• SendGrid: Email delivery
• Sentry: Error tracking
• Meta/Facebook: Authentication (Facebook Login)
• Apple: Authentication (Apple Sign In)

Other Users (Public Information)

• Username and display name
• Public game listings (if GM chooses)
• Character names (within games)
• Public profile information
• Player analysis (only if you enable visibility in Settings): your gameplay style, preferences, and Herodotus analysis may be visible to other users
• YA violation warning badge (only after 2+ violations in YA-safe games): a warning badge becomes visible on your profile to Game Masters and Young Adult accounts only. Game Masters can view your violation history to make informed decisions about their games. This limited disclosure serves the legitimate purpose of protecting minors. Your violation status is NOT visible to the general public.

4.2 We DON'T Share:

• Email addresses with other users
• Payment information with GMs or players
• Private messages outside intended recipients
• Personal data with advertisers (we don't use ads)
• User data for marketing to third parties

5. DATA RETENTION

5.1 Active Accounts

We retain your data while your account is active and as needed to provide services.

5.2 Inactive Accounts

• Accounts inactive for 12 months: Notification sent
• Accounts inactive for 18 months: May be deleted
• Paid subscriptions: Never auto-deleted while payments active

5.3 Post-Deletion

After account deletion:

• Most data: Deleted within 30 days
• Backups: Deleted within 90 days
• Legal records: Retained as required by law
• Anonymized data: May be retained for analytics

6. DATA SECURITY

6.1 Technical Measures

• Encryption: TLS/SSL for data in transit
• Database encryption: At-rest encryption for sensitive data
• Access controls: Role-based permissions
• Regular updates: Security patches applied promptly
• Monitoring: 24/7 security monitoring

6.2 Your Responsibilities

• Strong passwords: Use unique, complex passwords
• Account security: Don't share login credentials
• Prompt reporting: Report suspicious activity immediately

7. YOUR RIGHTS & CHOICES

7.1 Access & Control

You have the right to:

• Access: Request a copy of your personal data
• Correct: Update inaccurate information
• Delete: Request account and data deletion
• Port: Export your data in machine-readable format
• Restrict: Limit how we process your data
• Object: Opt-out of certain data uses

7.2 How to Exercise Rights

Contact us at info@fineapps.gr with subject line: Subject: PRIVACY - [your request]

Include:

• Your account email
• Specific right you're exercising
• Verification information

We'll respond within 30 days (GDPR) or 45 days (CCPA).

7.3 Data Deletion Requests

To request deletion of your account and all associated data, visit our dedicated Data Deletion Request page or email info@fineapps.gr with subject line: PRIVACY - Delete my account.

If you signed up using a social login provider (Facebook, Google, or Apple), submitting a deletion request will also remove all data obtained through that provider. See our Data Deletion page for full details on what gets deleted and the deletion timeline.

8. COOKIES & TRACKING

8.1 What We Use

• Session cookies: Maintain login state
• Preference cookies: Remember settings
• Security cookies: Prevent fraud
• Analytics cookies: Understand usage (anonymized)

8.2 What We DON'T Use

• Third-party advertising cookies
• Cross-site tracking
• Social media pixels
• Behavioral advertising

9. CHILDREN'S PRIVACY

9.1 Age Requirements

• Minimum age: 13 years old
• Under 18: Requires parental consent
• Under 13: Account will be terminated if discovered

9.2 Young Adult (YA) Protection Mode

Users who identify as minors can enable YA Protection Mode in Settings:

• How to enable: Settings > System tab > "Are you a young adult?" > Yes
• Self-identification: This is voluntary; we do not verify age
• Reversible: Can be disabled at any time in Settings

When YA Protection Mode is enabled:

• Privacy settings locked: All privacy settings are forced to maximum protection
• Profile hidden: Your profile is hidden from non-friends
• Messaging restricted: Only you can initiate conversations
• Friend requests blocked: Only you can send friend requests
• AI personalization disabled: Herodotus analysis is turned off
• Game access restricted: You can only see and join games marked as "suitable for minors"
• YA badge displayed: A green "YA" badge appears next to your name
• Safety warnings visible: You can see warning badges on users who have violated YA content policies, helping you make informed decisions about interactions. However, detailed violation history is not accessible to YA-protected users (only visible to Game Masters).

9.3 YA-Safe Game Content Scanning

Games marked as "suitable for minors" are subject to automated content scanning:

• AI content analysis: Our Herodotus system scans game content for inappropriate material
• Violation detection: Content categories checked include violence, sexual content, substance abuse, hate speech, and profanity
• Compliance status tracked: Games have a compliance status (pending, compliant, violation)
• Automatic enforcement: Games with violations are automatically hidden from YA users until fixed
• Audit trail: Compliance events are logged for child safety reporting

9.4 Parental Controls

Parents/guardians can:

• Request data access for their child
• Request account deletion
• Restrict features or interactions
• Review GM profiles before game participation
• Enable YA Protection Mode on their child's account

Contact: info@fineapps.gr (Subject: PRIVACY - Parental Request)

10. INTERNATIONAL DATA TRANSFERS

10.1 Data Location

• Primary servers: EU (GDPR compliant)
• Backup servers: US (Privacy Shield equivalent measures)
• CDN: Global (encrypted transmission only)

10.2 Transfer Safeguards

• Standard Contractual Clauses with providers
• Encryption for all transfers
• Limited access to transferred data
• Regular audits of data handling

11. CALIFORNIA PRIVACY RIGHTS (CCPA)

California residents have additional rights including:

• Know what personal information we collect
• Delete personal information (with exceptions)
• Opt-out of "sale" (we don't sell data)
• Non-discrimination for exercising rights

We do not sell personal information as defined by CCPA.

12. EU PRIVACY RIGHTS (GDPR)

12.1 Legal Basis for Processing

• Consent: For optional features and marketing
• Contract: To provide platform services
• Legitimate interests: Security and improvement
• Legal obligation: Compliance with laws

12.2 Data Protection Officer

Contact: info@fineapps.gr (Subject: PRIVACY - Data Protection)

12.3 Supervisory Authority

EU residents may lodge complaints with their local data protection authority.

13. AI & AUTOMATED PROCESSING

13.1 AI Usage

• NPCs: AI-generated responses in games
• Content moderation: Flag inappropriate content
• Recommendations: Suggest games or features
• Player profiling (Herodotus): If enabled in Settings, AI analyzes your gameplay patterns, preferences, and style to personalize your experience
• YA content enforcement: Games marked for minors are automatically scanned for inappropriate content; violations trigger game lockdown
• Future matchmaking: Player profiles may be used for player-matching features to help find compatible gaming groups

13.2 Human Oversight

• No automated decision-making affecting legal rights
• Human review available for all AI decisions
• Opt-out from AI features where possible

13.3 Claude Integration

• Local processing: Claude Code runs on GM's machine
• No API data: We don't access Claude conversations
• GM responsibility: GMs control AI behavior

13.4 Intellectual Property Content Monitoring

• No Content Validation: We do not monitor or validate the intellectual property compliance of user-generated content
• User Responsibility: Users are solely responsible for ensuring they have proper licensing for any copyrighted game systems they use
• DMCA Compliance: We respond to valid DMCA takedown requests but do not proactively screen for IP violations
• Data Retention: Game content data is retained according to our standard policies regardless of IP compliance status
• No Legal Advice: We do not provide guidance on intellectual property law or licensing requirements

13.5 Your AI & Privacy Controls

You can control AI personalization and data sharing via Settings:

• Herodotus Personalization: Enable/disable AI analysis of your gameplay style and preferences. When disabled, your experience will be generic rather than personalized.
• Player Analysis Visibility: Control whether other users can see your player analysis and preferences. Default is visible; you can make it private at any time.
• Messaging Permissions: Control whether other users can send you direct messages.
• Changes take effect immediately and apply to future data processing. Previously collected data can be deleted by contacting support.

14. DATA BREACH NOTIFICATION

In case of a data breach:

• User notification: Within 72 hours of discovery
• Authority notification: As required by law
• Public disclosure: If required by severity
• Mitigation steps: Immediate action to limit damage

15. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect:

• Changes in our practices
• New features or services
• Legal requirements
• User feedback

Material changes: 30 days advance notice via email
Minor changes: Updated policy posted immediately

16. CONTACT US

For privacy questions or concerns:

Email: info@fineapps.gr
Subject Line: PRIVACY - [your concern]
Website: fineapps.gr/fantasia
Address: Athens, Greece

We respond within 30 days.