Privacy Policy

We collect the following categories of personal data:

• Account data — your email address and profile information (such as a display name and preferences).
• Communications — messages you send us by email or in our Discord (for example, support or privacy requests).
• Gameplay content — your Stories (text and AI-generated images), custom characters, prompts and messages, your Sparks balance, and in-app transaction records.
• Technical & usage data — device and browser type, IP address, log data, and aggregated usage telemetry. Aggregated telemetry does not contain the content of your chats.
• Payment metadata — confirmation that a web purchase occurred and which pack was purchased. We do not collect or store payment-card numbers or billing-card details; those are handled by the payment provider identified at checkout under its own privacy policy (see Section 4).

We do not ask for or store your real legal name.

We use your data only for the purposes below. Where the GDPR applies, the legal basis is shown in brackets:

• To provide the Service — run your account, store your Stories, process turns and generate content (performance of a contract — Art. 6(1)(b)).
• To process purchases and keep records — handle Spark purchases and meet tax and accounting duties (contract; legal obligation — Art. 6(1)(c)).
• To secure the Service — prevent abuse and fraud (legitimate interests — Art. 6(1)(f)).
• To improve the Service — debugging, prompt quality, and safety testing (legitimate interests; see Section 3).
• To provide support and handle your requests — respond to you and act on data-rights requests (contract; legal obligation).
• Strictly-necessary cookies — keep you signed in and the Service secure (necessary to provide the Service you request; see Section 10).

Generating gameplay. Your prompts and the relevant Story context are sent — encrypted in transit — to third-party AI providers that generate text and images (see Section 4). These providers process the content under their applicable service and data-processing terms. We do not control the underlying third-party models.

Model training. We do not train or fine-tune our own AI models on your content. The third-party providers above process prompts under their own terms and, under their current terms, do not use API data to train their models; we do not control their models or their terms. We use gameplay logs to operate, debug, secure, and improve the Service, including prompt quality and safety testing. If we later decide to train models ourselves on gameplay content, we will update this Policy first and provide a clear opt-out before that use begins.

We do not sell your personal data. We share it with service providers ("subprocessors") only as needed to run the Service, each bound by a data-processing agreement and acting on our instructions. A payment provider identified at checkout may process payment data as an independent data controller, rather than as our subprocessor, under its own privacy policy.

Current subprocessors:

Railway, Clerk, Google Gemini

We may disclose personal data where required by law, to enforce our Terms, or to protect rights and safety. If the Operator's business, or part of it, is sold, merged, or otherwise transferred — including a change of owner — personal data may be transferred as part of that transaction; the recipient will be bound by a privacy policy at least as protective as this one, and we will notify you of any change of data controller. This list is kept current; we update it as our providers change.

Some of our subprocessors — including hosting, authentication, payment, and AI providers — may process data in other countries, which may be outside the European Economic Area (EEA).

Where personal data is transferred outside the EEA, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or a transfer to a country covered by an adequacy decision.

We keep your account data for as long as your account is active. We may delete accounts that have been inactive for more than 24 months, after notifying the email on file.

Technical logs and support messages. Technical and usage logs, including IP addresses, are kept only for a limited period — for security, abuse prevention, and debugging — and are then deleted or aggregated. Support correspondence is kept while your account is active and for a reasonable period afterwards to handle follow-up questions and any dispute.

Deleting your account. For now, you delete your account by emailing [email protected] from the email tied to your account — there is no in-app self-serve deletion yet. Deletion is processed within 30 days and removes your email address, profile, account record, all Stories (text and images), the gameplay logs that hold your prompts and the AI's responses, your settings, and custom characters.

You can cancel a pending deletion within the 30-day window by replying to us. After the window closes, the data is purged and cannot be recovered.

Retained after deletion. We keep de-identified transaction logs to meet tax and accounting obligations — these carry a hashed account identifier with no email or name attached. Backups are encrypted and cycled out on a rolling basis.

We protect your data with technical and organisational measures, including:

• Encryption at rest — data is encrypted with AES-256 on the storage layer, including database backups and cold storage.
• Encryption in transit — all communication uses TLS (the Service is HTTPS-only).
• Access control — access to systems is restricted to those who need it, and database access is logged and audited.

Encryption keys are managed server-side. This enables account recovery and AI inference, and it means the Service does not offer end-to-end encryption — cloud AI needs readable text to function.

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority, and affected users, without undue delay and as required by law.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Your Stories are private by default and our team does not browse them.

A team member reads specific content only when:

• you file a Dislike report — we see that turn and its immediate context;
• you email support with details that require us to look; or
• it is needed to handle a specific support ticket you opened.

Other players. In a co-op session, your display name and the turns you contribute are visible to the other players in that session.

Shared Stories. Stories are private by default. If you choose to share or publish one, that Story — and the display name attached to it — becomes visible to the people you share it with, or publicly if you pick a public option. Stories you submit to us or make public may be featured (for example, a community spotlight), shown by display name, never by your email.

Depending on where you live — for example, the EEA and UK under the GDPR, or California — you have rights over your personal data, including the right to:

• access a copy of the data we hold about you;
• correct inaccurate data;
• delete your data;
• receive your data in a portable format;
• object to or restrict certain processing; and
• withdraw consent where our processing relies on it (if we introduce AI training in the future, the opt-out for it will live here).

To exercise a right, email [email protected] from the email tied to your account and tell us which right you want to use. We respond within 30 days (often sooner). We verify your identity through your reply from the account email — no ID upload is needed for a standard export.

Exports are provided as structured JSON (account and transaction data), readable text/markdown (Stories and chats, including both your turns and the AI's replies), and a .zip of generated images.

You also have the right to lodge a complaint with your local data protection authority.

Email. We only email you for essential service reasons — sign-in links, purchase receipts, and security notices. We don't send marketing email; if that changes, it will be opt-in with an unsubscribe link.

We use only strictly-necessary cookies:

• a session cookie that keeps you signed in;
• a locale-preference cookie that remembers your language; and
• CSRF / security cookies (anonymous) that protect the Service.

We do not use advertising cookies or cross-site tracking cookies. We do not currently set analytics cookies; if privacy-friendly analytics are added later, they will not fingerprint you or track you across sites, and an opt-out will be provided.

Blocking strictly-necessary cookies will break sign-in.

Myriad Paths is intended for users aged 18 or over (higher where local law requires) and is not directed to children.

We do not knowingly collect personal data from anyone under the required age. If we learn that an account belongs to a minor, we suspend it pending review and then ban and delete it. If you believe a minor has provided us with personal data, contact [email protected] and we will act on it.

We may update this Privacy Policy from time to time. For material changes, we will update the effective date at the top and, where appropriate, notify you in-app or by email.

Your continued use of the Service after an update takes effect means you accept the revised Policy.