Privacy Policy

Last updated: May 2026 • Early Alpha — this policy will be revised before public launch.

Short version: We store the minimum needed to run the platform. Your API keys are encrypted. We do not sell your data. Chat content is never read by us.

1. What We Collect

Account data: Username, hashed password (bcrypt). No email is required.
API keys: Encrypted at rest using AES-256. Decrypted only to make requests on your behalf.
Content you create: Characters, scenarios, plays, scripts you publish. Stored in our database.
Chat sessions: Session metadata (play, persona, timestamps) and message history. Stored only for your account.
Usage data: Server access logs (IP, timestamp, endpoint) for security and debugging. Retained for 30 days.

2. What We Do Not Collect

Email addresses (not required to register).
Payment information (the platform is free during alpha).
Third-party tracking cookies or analytics scripts.

3. How We Use Your Data

To authenticate you and maintain your session.
To forward your messages to the AI provider you selected, using your API key.
To store and retrieve your content, sessions, and settings.
To moderate reported content and enforce Terms of Service.

4. API Keys

Your API keys are encrypted with AES-256 before storage. The encryption key is stored separately from the database. We decrypt your key only when you make a chat request, and the plaintext key is never logged or stored. You can delete your keys at any time from Settings.

5. Chat Content

Your chat messages are stored in our database linked to your account. We do not read or use your chat content for any purpose other than displaying it to you. Chat content is forwarded to the AI provider of your choice per your request — their privacy policies apply to that data.

6. Cookies and Local Storage

Session cookie: an HTTP-only cookie used to keep you logged in.
Age verification: a localStorage flag that persists your age confirmation in your browser.

We do not use tracking cookies or third-party analytics.

7. Data Sharing

We do not sell or share your personal data with third parties, except:

AI providers: your messages are sent to the provider you choose (Google, OpenAI, etc.) using your own API key.
Legal requirements: if required by law, court order, or to prevent harm.

8. Data Retention and Deletion

Your account data is retained until you delete your account. To delete your account and all associated data, contact us through the platform. We will process deletion requests within 30 days.

9. Security

We use bcrypt for password hashing, AES-256 for API key encryption, and HTTPS for all data in transit. During alpha, we cannot guarantee enterprise-grade security. Do not store sensitive data in chat sessions.

10. Children

JessicaAI is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has registered, contact us and we will remove the account.

11. Changes

We may update this policy as the platform evolves. Material changes will be announced. Continued use constitutes acceptance.

12. Contact

Privacy questions or data deletion requests can be submitted through the platform or our community channels.