Privacy Policy
Welcome to Conch ("we," "us," "our," or the "Platform"). Conch is operated by Gadi Zimerman.
This Privacy Policy explains how we collect, use, share, and protect personal information when you use our website at https://conch.ing, our mobile applications, and related services (the "Service"). This policy applies to all users, including children under the age of 13.
We take children's privacy very seriously. Please see Section 7 for our specific practices regarding children's data and COPPA compliance.
1. Information We Collect
1.1 Information You Provide Directly
Account Registration (Adults and Teens 13+):
- Email address
- Password (stored as a hash; we never store plaintext passwords)
- Display name (optional)
- Birth year (used for age verification)
- Avatar image (optional)
- Authentication tokens from Google OAuth (if you sign in with Google)
Child Accounts (Under 13):
- System-generated username only (no real name or email collected from the child)
- Password (stored as a hash)
- Birth year (provided by parent/guardian during account setup)
- Parental email address (for verifiable consent)
Adventure Creation Content:
- Adventure titles, descriptions, and prologues
- Scene descriptions, names, and instructions
- Character (being) names, descriptions, and attributes
- Item (possession) names, descriptions, and attributes
- Scene graph data (adventure map structure)
- Narrator instructions and voice preferences
Waitlist and Early Access:
- Email address (for waitlist signups)
- Alpha tester preference
Bug Reports:
- Description of the issue
- Email address (optional)
- Browser and device information
- Related adventure and session context
- Error messages and stack traces (automatically captured)
1.2 Information Collected Automatically
Technical Data:
- IP address
- Browser type and version
- Device type and operating system
- Referring URL and page views
Usage Data (only with cookie consent):
- Pages visited and features used
- Adventures played and game progress
- Session duration and interaction patterns
- Performance metrics (load times, response latency)
Game State Data:
- Current scene, inventory, and character status
- Conversation history with the AI (capped at 5 messages per scene)
- Adventure completion status
Error and Performance Data:
- Application errors and crash reports (via Sentry)
- Performance metrics (via Vercel Speed Insights)
1.3 Information from Third-Party Authentication
If you sign in via Google OAuth, we receive your email address and basic profile information from Google. We do not receive or store your Google password.
1.4 Audio Data
When you use voice input features:
- Your speech audio is transmitted to our speech-to-text provider (Groq) for real-time transcription.
- Audio is processed for transcription only and is not used for other purposes.
- For debugging purposes, audio recordings may be temporarily stored in a secure, admin-only storage bucket and periodically deleted.
1.5 Cookies and Local Storage
Cookies: We use cookies for:
- Authentication session management (Supabase Auth cookies) -- essential for the Service to function.
- Cookie consent preferences.
Local Storage (browser): We use browser local storage for:
- Authentication flow state (birth year, redirect path)
- Cached user profile data
- Form draft persistence (unsaved adventure creation progress)
- Gameplay preferences (e.g., always-on listening mode)
- Cookie consent status
- Early access approval status
- Debug mode preferences
Analytics Cookies (only with consent):
- PostHog analytics cookies (only initialized after explicit cookie consent)
- Vercel Analytics and Speed Insights
We display a cookie consent banner on your first visit. Analytics tools are not activated unless you click "Accept." If you decline, only essential cookies and local storage are used.
2. How We Use Your Information
We use your personal data for the following purposes:
- Providing the Service: Account management, adventure creation and gameplay, game state persistence, audio narration and voice input processing.
- AI Content Generation: Sending your gameplay text and voice input to AI providers to generate narrative responses, images, and audio.
- Safety and Moderation: Reviewing User Content for Community Guidelines compliance, age-appropriate content enforcement, and preventing abuse.
- Communication: Service updates, account notifications, and responding to support requests. We do not send marketing emails unless you opt in.
- Improvement and Development: Analyzing usage patterns (with consent) to improve features, fix bugs, and develop new capabilities.
- Security: Preventing fraud, unauthorized access, and abuse of the Service.
- Legal Compliance: Meeting legal obligations, responding to legal requests, and protecting our rights.
3. How We Share Your Information
3.1 Third-Party AI Service Providers
To generate AI-powered content, we transmit portions of your gameplay data to AI service providers. The data shared depends on the interaction:
| Provider | Data Shared | Purpose |
|---|---|---|
| OpenAI | Player text input, adventure context | AI narrative generation, classification |
| Google (Gemini) | Player text input, adventure context | AI narrative generation, text-to-speech |
| ElevenLabs | Narration text | Text-to-speech voice generation |
| Groq | Voice audio recordings | Speech-to-text transcription |
| fal.ai | Text descriptions | Image generation for adventures |
These providers process data under their own privacy policies and data processing agreements. We send the minimum data necessary for each function. We do not send your email address, real name, or account credentials to AI providers.
All AI requests are routed through the Vercel AI Gateway, which acts as a proxy and does not retain request data beyond processing.
3.2 Infrastructure and Service Providers
| Provider | Data Shared | Purpose |
|---|---|---|
| Supabase | Account data, game state, User Content | Database hosting and authentication |
| Vercel | Page views, performance metrics | Web hosting, analytics (with consent) |
| Sentry | Error data, user ID, email | Error monitoring and debugging |
| PostHog | Usage events, user ID (with consent) | Product analytics |
| LiveKit | Audio streams | Real-time audio communication |
| Lemon Squeezy | Payment information | Subscription billing |
3.3 What We Do NOT Do
- We do not sell your personal data to third parties.
- We do not share personal data for advertising or ad targeting purposes.
- We do not use children's data for any purpose other than providing the Service.
3.4 Legal Disclosures
We may disclose your information if required by law, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4. Data Security
We implement appropriate technical and organizational security measures, including:
- Encrypted data transmission (HTTPS/TLS).
- Hashed and salted passwords (via Supabase Auth).
- Row-Level Security (RLS) in our database ensuring users can only access their own data.
- Role-based access controls separating admin and user permissions.
- Secure, access-restricted storage for sensitive data (e.g., debug audio recordings).
- JWT-based authentication with token verification on every API request.
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
5. Data Retention
- Account Data: Retained as long as your account is active. When you delete your account, we delete or anonymize your personal data unless retention is required for legal obligations.
- Adventure Content: User-created adventures remain on the platform as long as the creator's account is active. Published adventures may remain accessible to other users.
- Game State Data: Active game states are retained until the adventure is completed, abandoned, or the account is deleted.
- Voice Recordings (Debug): Temporarily retained for debugging and deleted periodically.
- Analytics Data: Retained according to PostHog's and Vercel's data retention policies.
- Bug Reports: Retained for troubleshooting purposes and deleted when no longer needed.
6. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request that we limit how we process your data.
- Portability: Request a machine-readable copy of your data.
- Objection: Object to the processing of your personal data.
- Withdraw Consent: Withdraw consent for analytics cookies at any time by clearing your browser's local storage for our domain.
To exercise any of these rights, contact us at info@conch.ing. We will respond within 30 days.
6.1 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and its amendments. You have the right to know what personal information we collect and how it is used, to request deletion, and to opt out of the sale of personal information. We do not sell personal information.
6.2 European Residents (GDPR)
If you are located in the European Economic Area, we process your personal data based on the following legal bases:
- Contract performance: To provide the Service you have requested.
- Legitimate interests: To improve the Service, ensure security, and prevent fraud.
- Consent: For analytics and non-essential cookies.
- Legal obligation: To comply with applicable laws.
You may lodge a complaint with your local data protection supervisory authority.
7. Children's Privacy (COPPA Compliance)
We are committed to protecting the privacy of children under 13. This section describes our specific practices for child users.
7.1 Verifiable Parental Consent
We do not knowingly collect personal information from children under 13 without verifiable parental consent. Before a child account is created:
- A parent or guardian must provide their email address and explicit consent.
- The child's age is verified via the age gate (birth year selection).
7.2 Limited Data Collection for Children
For child accounts, we collect only:
- A system-generated username (children may customize with a profanity-filtered alternative).
- A password (hashed, never stored in plaintext).
- Birth year (to maintain age-appropriate experiences).
- Game state and adventure progress data necessary for gameplay.
We do not collect from children:
- Real names or email addresses.
- Location data.
- Photos or videos.
- Persistent identifiers for advertising or behavioral tracking.
7.3 No Behavioral Tracking of Children
Analytics tools (PostHog, Vercel Analytics) are only activated with cookie consent. We do not use behavioral tracking or targeted content for child accounts. Child accounts are flagged with is_child = true in our database to enforce these restrictions.
7.4 AI Processing for Children
When children play adventures, their text and voice input is processed by AI services to generate gameplay responses, just as it is for adult users. This processing is necessary for the core gameplay function. No additional profiling or data retention occurs for children beyond what is required for the gameplay session.
7.5 Parental Rights
Parents and guardians may at any time:
- Review the personal data we have collected from their child.
- Request deletion of their child's personal data and account.
- Refuse further collection or use of their child's data.
- Contact us at info@conch.ing to exercise these rights.
We will respond to parental requests within 30 days.
7.6 Safety Measures
- Child accounts use system-generated or profanity-filtered usernames.
- Content moderation and age ratings help ensure age-appropriate adventure experiences.
- No direct messaging or social features are available between users.
8. International Data Transfers
Our Service is hosted on infrastructure in the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. By using the Service, you consent to such transfers.
Where required, we rely on Standard Contractual Clauses to ensure adequate data protection for international transfers.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last Updated" date.
- For significant changes, notifying you via email or in-app notification.
We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
10. Contact Us
If you have questions or concerns about this Privacy Policy, or if you are a parent wishing to exercise rights regarding your child's data, please contact us at:
- Email: info@conch.ing
- Website: https://conch.ing
- Data Protection Inquiries: info@conch.ing (subject line: "Privacy Request")
For data protection inquiries, please contact us at info@conch.ing.
Your privacy matters to us. We are committed to being transparent about how we collect and use your data. If you have any concerns, please do not hesitate to reach out.