MythicaAI Privacy Policy
This Privacy Policy describes how MythicaAI ("MythicaAI", "we", "us" or "our"), operated from Victoria, Australia, collects, uses, discloses, and protects personal information when you interact with our tabletop roleplaying platform, hosted lobbies, AI narrator, support channels, and any other services that reference this policy.
Snapshot
- We comply with the Privacy Act 1988 (Cth) and Australian Privacy Principles.
- Your data lives in Supabase-hosted storage located in our configured region.
- You control what prompts and game content you share with the narrator.
Last updated: 29 October 2025
1. Scope
This policy applies to the MythicaAI web application, APIs, email communications, and support channels. It covers information we collect directly from you, data generated through your use of our prep, lobby, and game systems, and limited technical information gathered automatically when you visit our services.
2. Information we collect
We collect personal information that is reasonably necessary for our functions and activities. Categories include:
- Account and identity details such as email address, display name, username, password hash, preferred pronouns, timezone, avatar selection, and third-party authentication identifiers (for example Google or Discord IDs).
- Profile preferences like narrator voice selection, ambient packs, safety tool settings, language choices, and notification opt-ins saved in your account profile.
- Gameplay records that you or your party input, including characters, lobbies, seating charts, readiness states, spotlight timers, initiative orders, dice rolls, AI narrator prompts, generated narration, lore vault entries, recap drafts, attachments, and session metrics.
- Support and communication history consisting of help tickets, bug reports, response messages, email threads, and satisfaction surveys submitted via the support centre or email.
- Device and usage information automatically collected through logs and analytics, such as IP address, device type, operating system, browser version, referrer URL, locale, event timestamps, and security metadata (including failed sign-in attempts and token expiry).
- Audio inputs when you choose to record or upload snippets for narrator voice testing. Unless you opt in, these samples are not stored and are processed transiently.
- Payment information is not currently collected because MythicaAI does not yet process subscriptions or purchases. If this changes, we will implement compliant billing providers and update this policy before collecting payment details.
We only collect sensitive information (such as accessibility requirements or safety tool notes) with your consent and only where directly relevant to providing the experience you request.
3. How we collect information
We collect information in the following ways:
- Directly from you when you sign up, edit your profile, invite players, configure a session, submit support tickets, or interact with narrator and recap tools.
- Automatically when our systems capture logs, readiness states, initiative updates, or dice reactions triggered through the application interface.
- From connected services when you authorise MythicaAI to link to Google, Discord, or other identity providers. We receive tokens and identifiers needed to authenticate you.
- From other players who add you to a lobby or mention you in session notes. We expect hosts to confirm they have authority to share their party’s details.
4. How we use your information
We use personal information to:
- Authenticate and secure access, maintain sessions, and allow you to link or unlink third-party sign-in providers.
- Deliver core functionality including game creation, lobby orchestration, narrator automation, frictionless prep, safety tool tracking, scene packs, recaps, and lore vault updates.
- Personalise your experience, such as persisting narrator voice preferences, ambient lighting selections, spotlight timers, and character sheets.
- Provide support, respond to help requests, troubleshoot bugs, and send essential service communications about your account or active sessions.
- Monitor availability, prevent fraud and abuse (including blocking late joins once a session starts), and enforce our Terms of Service.
- Perform research and analytics to understand feature usage and prioritise improvements, using de-identified or aggregated data wherever possible.
- Comply with legal obligations and respond to lawful requests from regulators such as the Office of the Australian Information Commissioner (OAIC) or Victorian Information Commissioner.
5. Legal basis for handling personal information
MythicaAI handles personal information in line with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and relevant Victorian legislation including the Privacy and Data Protection Act 2014 (Vic). We rely on:
- Your consent when you provide prompts for AI narration, link external identities, enable voice capture, or opt into marketing updates. You may withdraw consent at any time.
- Performance of a contract to operate the services you request, such as hosting sessions, storing characters, or delivering recaps to your invited players.
- Legitimate interests in protecting the platform, preventing fraud, enhancing functionality, and ensuring a smooth multi-device experience—balanced against your privacy rights.
- Legal obligations where we must retain or disclose information to comply with Australian law, respond to lawful requests, or manage record-keeping requirements.
7. Overseas transfers
Some third parties listed above are located outside Australia, including in the United States, the European Union, and other jurisdictions where our cloud infrastructure is provisioned. When we transfer personal information overseas, we take reasonable steps to ensure the recipient provides a level of protection substantially similar to the APPs (APP 8). This may include standard contractual clauses, encryption, and due diligence on their privacy controls.
8. Data retention
We retain personal information only for as long as necessary to fulfil the purposes outlined in this policy or to comply with legal obligations. Specific retention practices include:
- Account records remain active while you maintain a MythicaAI profile. You can delete characters, campaigns, and recaps from within the app at any time.
- When you close your account, associated Supabase records (including support tickets and narrator history) are queued for deletion within 30 days unless we must retain them for legal or security reasons.
- Operational logs, security audit trails, and backups are automatically cycled on rolling schedules no longer than 90 days.
- Aggregated or de-identified analytics may be retained for longer to understand platform performance and trends.
9. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including HTTPS, role-based access controls, audit logging, least-privilege permissions, and monitoring for suspicious activity. Supabase encrypts records at rest and in transit, and we limit staff access to production data to authorised personnel only.
If we become aware of an eligible data breach under the Notifiable Data Breaches scheme, we will investigate promptly, notify affected individuals and the OAIC as required, and take steps to minimise harm.
11. Your rights
Under the Australian Privacy Principles you may request access to personal information we hold about you, ask us to correct inaccuracies, or make a complaint about how we handle your data. Submit requests through the in-app support centre or by emailing us. We aim to respond within 30 days.
To protect your privacy we may require identity verification before granting access or making corrections. If we decline a request, we will explain why (unless unlawful to do so) and tell you how to lodge a complaint.
If you are unsatisfied with our response, you may lodge a complaint with the OAIC (https://www.oaic.gov.au/privacy/privacy-complaints) or the Office of the Victorian Information Commissioner.
12. Marketing and communications
We primarily send service-related emails such as login links, security alerts, recap deliveries, or updates to your support tickets. We may occasionally send product announcements or invitations to participate in beta programs if you opt in. You can unsubscribe from non-essential communications at any time using the link in the message or via your account settings.
13. Automated decision-making
MythicaAI uses AI systems to generate narration, ambience, and recaps based on the prompts you supply. These systems do not make decisions about account eligibility or enforcement; humans review moderation or suspension actions.
14. Children
MythicaAI is intended for players aged 13 and above. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.
15. Changes to this policy
We may update this policy to reflect changes to MythicaAI or Australian privacy law. We will post the revised policy on this page, update the "Last updated" date, and notify you via in-app notice or email when changes are material.
16. Contact us
For privacy questions or requests, reach us at privacy@mythica.ai or by post at MythicaAI, PO Box 1234, Melbourne VIC 3001, Australia. Please include enough detail for us to verify your identity and address your query. You can also contact us through the in-app support portal located under Settings → Support.