Privacy Policy
Last updated: March 13, 2026
This Privacy Policy describes how AI Story Engine ("we", "us", "our") collects, uses, and protects your personal information when you use our API and related services ("Service").
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address — used for authentication, billing, and service communications
- Password — stored as an Argon2 hash; we never store or log plaintext passwords
- Display name — optional, used in the dashboard
Usage Data
We automatically collect:
- API request metadata — endpoint, timestamp, response status, latency (no request bodies)
- Billing usage — API call counts, LLM token usage, resource counts per billing period
- Error logs — anonymized error traces for debugging (no user content)
Content You Create
When you use the Service, we store the content you create (NPCs, dialogue trees, story events, knowledge graph data) in your project. This content is only accessible to you via your authenticated API keys.
BYOK Keys
If you provide your own LLM provider API keys, we store them encrypted at rest. BYOK keys are only decrypted in-memory during request processing and are never logged, cached in plaintext, or shared with third parties.
2. How We Use Your Information
- To provide and maintain the Service
- To authenticate your API requests
- To process billing and payments (via Stripe)
- To send transactional emails (account confirmation, billing receipts, security alerts)
- To monitor and improve Service performance and reliability
- To enforce our Terms of Service and prevent abuse
We do not use your content (NPCs, dialogue, stories) to train AI models or for any purpose other than providing the Service to you.
3. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, billing address, payment method (we never see your full card number) |
| LLM Providers (OpenAI, Anthropic, etc.) | AI content generation | Prompts and context sent for generation (using your BYOK key or our shared key) |
| Supabase | Database hosting | All Service data (encrypted at rest, SSL in transit) |
Each third-party service has its own privacy policy. We encourage you to review them.
4. Data Security
We implement the following security measures:
- Encryption in transit — all API traffic uses TLS 1.2+
- Encryption at rest — database encryption via Supabase/PostgreSQL
- API key hashing — API keys are hashed with a salt; only the prefix is stored in plaintext for identification
- Password hashing — Argon2id with recommended parameters
- BYOK key encryption — provider keys encrypted before storage
- Rate limiting — per-tenant and per-endpoint limits to prevent abuse
- Audit logging — security-relevant events are logged for compliance
5. Data Retention
- Active accounts: Data is retained as long as your account is active
- Deleted accounts: Personal data is deleted within 30 days of account deletion
- Audit logs: Security audit logs may be retained for up to 90 days after account deletion for compliance purposes
- Billing records: Transaction records may be retained as required by tax and financial regulations
6. Your Rights
You have the right to:
- Access your personal data via the API or by contacting us
- Export your content using the NPC export endpoints
- Delete your account and associated data
- Correct inaccurate personal information
- Object to processing of your data for specific purposes
To exercise any of these rights, contact privacy@aistoryengine.dev.
7. Cookies
The API itself does not use cookies. If we provide a web dashboard in the future, it may use essential cookies for authentication. We will update this policy before introducing any tracking cookies.
8. Children's Privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service at least 14 days before the changes take effect.
10. Contact
For privacy-related questions or requests, contact us at privacy@aistoryengine.dev.