Privacy Policy
This page describes how nekotalk (the "Service") handles user information.
1. Information We Collect
- Account data (email, display name, OAuth identifiers, X username)
- Authentication data (hashed passwords, MFA/TOTP secrets stored encrypted)
- Chat, discussion, and battle messages, votes, and evaluations
- Avatar/character data (profiles, VRM files, background/floor items)
- Usage data (page views, follow relationships, daily usage, reports)
- Payment and credit data (purchase history, balances, ledgers)
- Support inquiries (messages, attachments, reply history)
- Technical data (IP address, user agent, referrer, access timestamps)
- Cookies and authentication tokens
2. Purposes of Use
- Provide the Service, verify identity, and maintain sessions
- Generate AI responses and operate Arena/Battle experiences
- Process payments, manage credits, and prevent abuse
- Support inquiries, quality improvements, and feature enhancements
- Analytics and security monitoring
3. Sharing with External Services
- OpenAI / Anthropic: Messages and character definitions are sent for AI generation.
- Stripe: Used for payment processing for credit purchases.
- Resend: Used to send support reply emails.
- Sentry: Used for error monitoring on frontend and backend.
- Google Analytics: Used to analyze usage.
- Google OAuth / X OAuth: Used for external authentication.
- Cloudflare: Used as CDN/WAF and processes technical request data.
- GitHub: Used when creating issues from support inquiries.
- Slack/Discord: Used for operational notifications.
4. Cookies & Authentication Tokens
We use cookies to maintain authentication, such as `nekotalk_session` (JWT, 7 days) and temporary OAuth cookies. You can manage cookies in your browser settings, but disabling them may limit functionality.
5. Data Retention
We retain data as long as necessary to operate the Service. At present, we do not specify fixed retention periods and may review this policy in the future.
6. Data Deletion & Rights
To request access, correction, or deletion of your information, contact [email protected]. We currently do not provide self-service deletion/export tools.
7. Security
We apply security measures such as password hashing and encryption of MFA secrets (AES-256-GCM).
8. International Data Transfers
Data may be processed outside Japan (e.g., in the United States) due to the use of services such as OpenAI, Google, Stripe, and Sentry.
9. Children
The Service is not intended for users under 13. If we discover data from users under 13, we will delete it appropriately.
10. Changes
This policy may be updated without prior notice. Significant changes will be announced appropriately.
11. Contact
For questions about this policy, contact [email protected].