This Privacy Policy describes how Poetiq ("we", "us", or "our") collects, uses, and shares information when you use Unwritten (the "Service"). By using the Service you agree to this Policy.
1. Information We Collect
Account information
When you sign in through our identity provider (Clerk), we receive your email address, a unique user identifier, and any profile information you choose to share, such as a display name or avatar.
Payment information
When you purchase credits, our payment processor (Stripe) collects and processes your payment details. We do not store full card numbers on our servers; we receive only a token, the last four digits, the card brand, and the country.
Game content
We store the sessions, characters, premises, narration, prompts, images, video, and other content you create or interact with through the Service so we can render your game state and continue your sessions.
Generated content
We send your prompts and game state to third-party AI providers (Anthropic, OpenAI, Google, fal.ai) so they can generate text, images, and video for your sessions. The outputs are stored in your account.
Device and usage data
We collect technical information such as IP address, browser type, operating system, request timestamps, and pages visited. We use this for security, abuse prevention, and product improvement.
Cookies and similar technologies
We use cookies and local storage to keep you signed in (Clerk session cookie), remember your preferences, and detect abusive activity.
Push notifications
If you enable push notifications, we store the push subscription endpoint provided by your browser or operating system so we can send you notifications about your sessions.
2. How We Use Your Information
- Provide, operate, and maintain the Service
- Authenticate users and secure accounts
- Process payments and credit balances
- Generate text, images, and video using third-party AI providers
- Send transactional notifications (e.g., session updates, credit purchases)
- Detect, prevent, and respond to fraud and abuse
- Comply with legal obligations
- Improve the Service
3. Legal Bases for Processing (EEA/UK/Swiss users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — to provide, operate, and bill for the Service after you sign up.
- Legal obligation (Art. 6(1)(c)) — to retain transaction records for tax and accounting law.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent fraud and abuse, and maintain operational logs. You can object to this processing using the contact below.
- Consent (Art. 6(1)(a)) — only where we ask for it (e.g., enabling push notifications via your browser's permission prompt). You can withdraw consent at any time.
4. How We Share Your Information
We share information with the following categories of service providers, each only to the extent necessary to perform their function. A current list with the data each provider receives is maintained internally and available on request to the privacy mailbox below.
- Clerk — authentication and session management.
- Stripe — payment processing.
- AI providers — Anthropic, OpenAI, Google (Gemini), and fal.ai for text, image, and video generation.
- Google Cloud Platform — application hosting, database, and blob storage.
- Sentry — error monitoring. Receives exception messages, stack traces, and our internal identifiers when something breaks. We strip IP addresses and cookies before the event leaves our servers.
- Browser push services (operated by Mozilla, Google, Apple, or Microsoft, depending on your browser) — only if you have enabled push notifications, and only to deliver the notification.
We do not sell your personal information and we do not use it for advertising. We may disclose information if required by law, subpoena, or court order, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others. If we are involved in a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before that transfer becomes subject to a different privacy policy.
5. Data Retention
We retain personal data only as long as we have a basis to do so:
- Account data — for the life of your account.
- Account deletion — when you delete your account, we start a 30-day grace window during which you can recover it. After 30 days, we permanently delete or anonymize your personal data. In multi-player sessions where other players' narrative depends on your participation, your account row is anonymized in place so the remaining players' data stays intact; the deleting user's name is replaced with a generic label.
- Reference images, push subscriptions, friend connections, rate-limit counters — hard-deleted after the 30-day grace window.
- Audit / security events — personal identifiers scrubbed at the 30-day mark; anonymized records retained for up to one further year for fraud and abuse investigation.
- Billing records (credit purchases, model-spend ledger) — retained for 7 years as required by tax and accounting law.
- Stripe records — retained by Stripe under their own financial-records obligations, which we cannot override.
- Operational logs — 30 days, after which they are deleted automatically.
6. International Data Transfers
The Service is hosted in the United States, in Google Cloud Platform regions in the US. Our other subprocessors (Clerk, Stripe, Anthropic, OpenAI, Google Gemini, fal.ai, Sentry) are also US-based. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data-export rules, your information will be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission (and the UK Addendum where applicable) contained in each subprocessor's Data Processing Agreement.
7. Your Rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your information
- Restrict or object to processing
- Receive your information in a portable format
- Withdraw consent where processing is based on consent
To exercise these rights, email us at mike@poetiq.ai.
California residents have the rights described in the California Consumer Privacy Act (CCPA), including the right to know, delete, correct, and not be discriminated against for exercising those rights.
Residents of the European Economic Area, United Kingdom, or Switzerland have the rights described in the General Data Protection Regulation (GDPR), including those listed above. You may also lodge a complaint with your local data protection authority.
8. Children
The Service is not directed to children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it.
9. Security
We use industry-standard measures to protect your information, including encryption in transit, access controls, and regular security review. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
10. AI-Generated Content
The Service uses third-party AI models to generate text, images, and video based on your prompts. These outputs may be inaccurate, offensive, or unexpected. Do not submit personal information about others without their consent and do not rely on AI-generated content for medical, legal, financial, or other professional advice.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be communicated through the Service or by email. Continued use after the change constitutes acceptance.
12. Contact
Poetiq
Email: mike@poetiq.ai