Your privacy matters. Here's how we protect your data and respect your rights.
Last updated: April 19, 2026
Introduction
LoreWeaver AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services (the "Services").
By using LoreWeaver AI, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.
LoreWeaver AI acts as the controller of your personal data and operates from the Commonwealth of Virginia, United States.
Information We Collect
We collect the following categories of information:
Account Information: Email address, display name, account credentials, and any profile details you choose to provide.
Content Data: The worlds, stories, characters, Lore Cards, Loom threads, and other creative content you author or publish within the Services.
Conversation Data: Prompts and AI-generated responses produced during your narrative sessions, along with associated session metadata.
Subscription and Payment Data: Subscription tier and billing history, along with payment metadata. Full payment card details are collected and stored by our payment processor (Stripe) and are never stored on our servers.
Usage Data: Features accessed, session duration, navigation patterns, and other behavioral signals used to operate and improve the Services.
Device and Technical Data: IP address, browser type and version, operating system, device identifiers, language preferences, and referral URLs.
Communications: Support requests and community feedback, along with any other correspondence you send to us.
We collect this information directly from you and automatically as you use the Services, along with information received from third-party authentication providers if you sign in through them.
How We Use Your Information
We use the information we collect for the following purposes:
• Provide, operate, and maintain the Services
• Authenticate your account and protect account security
• Process subscription payments and deliver paid features
• Generate AI responses within your narrative sessions
• Send technical notices, updates, and support messages
• Respond to your inquiries and customer support requests
• Monitor and analyze usage trends to improve the Services
• Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service
• Comply with applicable legal obligations
We do not use your personal information for automated decision-making that produces legal or similarly significant effects.
AI Processing and Model Providers
When you interact with the narrative and generative features of LoreWeaver AI, the content you submit (including prompts, world data, character information, and prior message history) is transmitted to third-party AI model providers to generate responses.
Model Routing: Prompts are routed through OpenRouter, our AI orchestration partner, which forwards requests to underlying model providers based on the model you have selected or that your subscription tier provides access to.
Model Providers: Depending on routing, providers may include OpenAI, Anthropic, Google, xAI, DeepSeek, Chutes, and other inference providers integrated by OpenRouter. The set of providers may change as we add or remove models from the platform.
Third-Party Processing: Each model provider processes content according to its own terms and privacy practices. OpenRouter maintains zero-retention arrangements with many providers, but terms vary by provider and model. Once content is transmitted to a provider, we cannot control how that provider handles it beyond the contractual terms in place.
Model Training: LoreWeaver AI does not use your content to train or fine-tune our own AI models. We configure routing to prefer providers with zero-retention or no-training terms where available. Any use of your content for model training beyond this narrow scope requires your separate, explicit opt-in.
Retention of Prompts and Responses: Prompts and responses are retained within your account for session history and platform features such as memory and summarization. Deleting a session or your account removes this data according to the Data Retention schedule below.
For information on specific provider practices, you may review OpenRouter's privacy documentation and the published privacy policies of individual model providers.
Your Content and Ownership
You own your stories. LoreWeaver AI does not claim ownership of any content you create. Your worlds, characters, narratives, and Lore Cards remain entirely yours, as set out in our Terms of Service.
We process your content only to:
• Provide the Services to you
• Generate AI responses within your narrative sessions
• Power platform features such as memory, summarization, and publishing to the Hub at your direction
• Maintain backups for recovery and disaster purposes
We never sell your content. We do not use your private content to train AI models.
How We Share Information
We do not sell your personal information. We share personal information only as described below:
Service Providers and Sub-Processors: With third parties that perform services on our behalf, as detailed in the Sub-Processors section below. These parties are bound by contractual data protection obligations and may process data only as necessary to provide their services.
With Your Consent or Direction: When you choose to publish a world to the Hub, the content you designate as public becomes visible to other users of the Services according to the sharing settings you select.
Legal Requirements and Safety: When we believe disclosure is reasonably necessary to comply with a legal obligation or court order, or to respond to a lawful request from governmental authorities. We may also disclose information to protect the legal rights and property of LoreWeaver AI, or to protect the safety of our users or others.
Business Transfers: In connection with a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control that materially affects how your personal data is processed.
Aggregated or De-identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you.
Sub-Processors
We rely on a limited number of trusted service providers to operate the Services. Each provider processes only the data necessary for its function and is bound by contractual data protection obligations.
• Vercel: Application hosting and edge delivery (United States)
• Neon: Primary database and content storage (United States)
• Redis: Session caching and rate limiting (United States)
• OpenRouter: AI model orchestration and routing (United States)
• Chutes: Inference infrastructure (distributed)
• Stripe: Payment processing (United States)
• Sentry: Error monitoring and diagnostics (United States)
We review sub-processor practices on engagement and when material changes are communicated to us. We may add, replace, or remove sub-processors as the Services evolve and will update this list accordingly.
Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.
• Account Data: Retained while your account is active and for up to 30 days after deletion to allow recovery. After 30 days, account data is permanently removed from active systems.
• Content and Conversation Data: Retained alongside your account. Individual sessions and content entries can be deleted by you at any time.
• Payment and Billing Records: Retained for up to 7 years where required by tax and accounting regulations, or similar financial recordkeeping requirements.
• Error and Diagnostic Logs: Retained for up to 90 days in our error monitoring systems.
• Backup Systems: Residual copies may persist in rolling backups for up to 35 days after deletion before being overwritten.
Where we retain data beyond the periods above, we do so in aggregated or de-identified form that cannot reasonably be used to identify you.
Data Security
We implement technical and organizational measures designed to protect your personal information against unauthorized access, loss, misuse, alteration, and disclosure. These measures include:
• Encryption in transit using modern TLS standards
• Encryption at rest provided by our infrastructure providers
• Role-based access controls for administrative systems
• Credential management and secrets rotation practices
• Logging and monitoring of administrative access
No system is fully secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and applicable regulators as required by law.
International Data Transfers
LoreWeaver AI operates from the United States and our service providers are primarily located in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, including for storage.
If you are located in the European Economic Area or the United Kingdom, or if you are a Swiss resident, we rely on Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms, to provide appropriate safeguards for cross-border transfers of your personal data.
By using the Services from outside the United States, you consent to the transfer and processing of your information in the United States.
Your Privacy Rights
Subject to applicable law, you have the following rights regarding your personal information:
• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your account and associated personal data
• Portability: Request an export of your content and account data in a portable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request restriction of processing in certain circumstances
• Withdrawal of Consent: Withdraw consent where processing is based on your consent
To exercise any of these rights, contact us at hello@loreweaverai.com. We will respond within the timeframes required by applicable law, typically within 30 days.
Verification of Privacy Requests
To protect your information, we verify the identity of anyone making a privacy request before acting on it. We may ask you to confirm your request from the email address associated with your account or to provide additional information sufficient to verify ownership of the account.
Requests that we cannot verify will be declined. We do not charge a fee for processing a verified request unless the request is manifestly unfounded or excessive, as permitted by applicable law.
You may designate an authorized agent to make a request on your behalf. We may require the agent to provide proof of authorization and may still require you to verify your own identity directly with us.
California Residents: Additional Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you additional rights regarding your personal information.
Categories of Personal Information Collected: In the preceding twelve months, we have collected the following categories of personal information:
• Identifiers such as email address, account identifier, IP address, and device identifiers
• Commercial information including subscription and billing records
• Internet or other electronic network activity information including usage and interaction data
• Content you submit in connection with the Services
• Inferences drawn from the above to create preference profiles related to use of the Services
Sources: We collect this information directly from you, automatically from your device as you use the Services, and from third-party authentication providers if you use them to sign in.
Purposes of Collection: We collect these categories for the business purposes described in "How We Use Your Information" above.
Sale or Sharing: We do not sell your personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising.
Your California Rights:
• Right to know what personal information we collect about you and how we use and disclose it
• Right to request deletion of personal information we have collected from you
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information (not applicable as we do not engage in such activities)
• Right to limit the use or disclosure of sensitive personal information
• Right to non-discrimination for exercising your rights
To exercise your California rights, contact us at hello@loreweaverai.com.
Other US State Residents
Residents of Colorado, Connecticut, Utah, Virginia, Texas, and other US states with comprehensive consumer privacy laws may have rights similar to those described in the California section above, including rights to access, correct, delete, and obtain a portable copy of personal information, along with rights to opt out of certain processing activities.
We do not sell personal information, engage in targeted advertising based on personal data, or process personal information for profiling that produces legal or similarly significant effects.
To exercise any rights available to you under your state's privacy law, contact us at hello@loreweaverai.com. We will respond within the timeframes required by applicable law.
European Economic Area, UK, and Swiss Residents
If you are located in the European Economic Area (EEA) or the United Kingdom, or if you reside in Switzerland, the following information applies to you.
Data Controller: LoreWeaver AI is the controller of your personal data.
Legal Bases for Processing: We process personal data on the following lawful bases under the GDPR and UK GDPR:
• Contract: To provide the Services you request and fulfill our contractual obligations to you
• Legitimate Interests: To operate and secure the Services, and to improve them over time, where our interests are not overridden by your rights and freedoms
• Consent: Where required, for example for certain optional marketing communications
• Legal Obligation: To comply with applicable laws and regulations
Your GDPR and UK GDPR Rights: You have the rights described in "Your Privacy Rights" above, exercisable under the GDPR or UK GDPR as applicable to you.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates applicable law. You may do so without first contacting us, although we encourage you to reach out to us so we can address your concerns directly.
International Transfers: As described in "International Data Transfers" above, we rely on Standard Contractual Clauses and other lawful mechanisms for transfers of your personal data to the United States.
Children's Privacy
LoreWeaver AI is not directed to individuals under 18 years of age, and the Terms of Service require account holders to be at least 18. We do not knowingly collect personal information from children under 18.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at hello@loreweaverai.com. If we become aware that we have collected personal information from a child under 18 without verified parental consent, we will take steps to delete that information from our systems.
Cookies and Similar Technologies
We use a limited set of cookies and similar storage technologies to operate the Services:
• Authentication: To keep you signed in and maintain your session
• Preferences: To remember your display and feature preferences
• Security: To detect and prevent abuse of the Services
We do not use cookies for advertising. We do not participate in cross-context behavioral advertising networks or sell your browsing data.
Our error monitoring provider (Sentry) may collect diagnostic information such as IP address and browser details when an error occurs on the Services in order to help us identify and fix bugs.
You can control cookies through your browser settings. Disabling essential cookies may prevent the Services from functioning correctly.
Third-Party Links
The Services may contain links to third-party websites or services that are not operated by us. This Privacy Policy does not apply to third-party sites or services. We encourage you to review the privacy policies of any third-party site before providing them with personal information.
Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the "Last updated" date at the top. For material changes, we will provide additional notice by email or through the Services.
Your continued use of the Services after the effective date of an updated Privacy Policy constitutes acceptance of the changes. If you do not agree to the updated Policy, you should discontinue use of the Services.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us at:
Email: hello@loreweaverai.com
We aim to respond to all privacy inquiries within the timeframes required by applicable law.