EMORA
ExploreCommunityMarketCreateChatGroup Chat
Sign InGet Started
Back

Privacy Policy

Last updated: April 2026

1. Introduction & Data Controller

EMORA AI operates this platform and acts as the data controller for all personal data processed through this service.

Contact: privacy@emora.ai | DPO: dpo@emora.ai

By using EMORA AI, you acknowledge this Privacy Policy governs how we collect, use, and protect your information.

2. Data We Collect

  • Account: email address, username, hashed password, registration date
  • Profile: display name, avatar, bio, language preference
  • Usage: chat logs, characters interacted with, session activity, mission progress
  • Payment: billing details processed via Stripe (we do not store raw card data)
  • Technical: IP address, browser/device type, cookies, log data
  • Age verification: confirmation of 18+ status (verified flag only, no document stored)
  • Communications: support emails, feedback submissions

3. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): operating your account, delivering services
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, security, analytics, improving services
  • Legal obligation (Art. 6(1)(c)): tax records, law enforcement requests, safety obligations
  • Consent (Art. 6(1)(a)): optional features such as marketing communications

4. How We Use Your Data

  • Providing and maintaining the platform and its features
  • Processing payments and managing GEM balances
  • Personalising your experience (language, character recommendations)
  • Detecting fraud, abuse, and illegal content
  • Complying with legal and regulatory obligations
  • Communicating service updates, security notices, and support responses

5. Data Sharing & Disclosure

We do NOT sell, rent, or trade your personal data.

  • Stripe: payment processing (PCI-DSS compliant)
  • Vercel: hosting and edge delivery (United States)
  • Supabase / AWS Tokyo (ap-northeast-1): database storage
  • Law enforcement: when required by valid legal process
  • NCMEC / IWF: mandatory reporting of child sexual abuse material if detected

6. International Data Transfers

  • South Korea: primary development and operations
  • Japan / AWS Tokyo (ap-northeast-1): database and storage
  • United States / Vercel: hosting infrastructure
  • Transfers to countries outside the EEA are covered by Standard Contractual Clauses (SCCs) pursuant to GDPR Chapter V.

7. Data Retention

  • Account data: retained for the life of the account + 90-day grace period after deletion
  • Chat logs: 12 months from creation
  • Payment records: 7 years (tax and legal obligation)
  • Safety / moderation logs: 3 years
  • Encrypted backups: purged within 30 days of the original data deletion

8. Your Rights Under GDPR

EEA/UK residents may exercise the following rights. We respond within 30 days.

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate or incomplete data
  • Erasure ('right to be forgotten'): request deletion where no overriding legal basis exists
  • Restriction: limit processing while a dispute is resolved
  • Portability: receive your data in a structured, machine-readable format
  • Object: oppose processing based on legitimate interests
  • Automated decisions: request human review of automated decisions that affect you
  • Lodge a complaint: contact your local Data Protection Authority
  • Email privacy@emora.ai or dpo@emora.ai to exercise your rights.

9. CCPA Rights (California Residents)

  • Know: request disclosure of the categories and specific pieces of data we collect
  • Opt-out of sale: N/A — we do not sell personal information
  • Deletion: request erasure of your personal information
  • Correction: request correction of inaccurate personal information
  • Non-discrimination: exercising your rights will not affect your access to services
  • Submit requests to: ccpa@emora.ai — we respond within 45 days

10. Korean Personal Information Protection Act (PIPA / 개인정보보호법)

  • Data controller (처리자): EMORA AI
  • Purpose of collection (수집 목적): account management, service delivery, legal compliance
  • Retention period (보유 기간): 90-day grace period following account closure, unless otherwise required by law
  • Users in South Korea may exercise rights under PIPA by contacting privacy@emora.ai

11. Cookies

  • Essential cookies: required for authentication and session management — cannot be disabled
  • Functional cookies: language preference, theme settings — optional
  • We do NOT use tracking cookies or third-party advertising cookies

12. Children's Privacy (COPPA)

EMORA AI is strictly for users aged 18 and over.

We do not knowingly collect data from minors. If we discover a user is under 18, we will immediately delete their account and all associated data.

To report a minor's account: privacy@emora.ai

13. Security

  • Data in transit: TLS 1.2+ encryption
  • Data at rest: AES-256 encryption
  • Passwords: bcrypt hashing (never stored in plaintext)
  • Regular security reviews and penetration testing
  • Data breach notification: affected users and relevant authorities notified within 72 hours per GDPR Art. 33

14. Contact Us

  • General: contact@emora.ai
  • Privacy / GDPR: privacy@emora.ai
  • Data Protection Officer: dpo@emora.ai
  • Legal: legal@emora.ai
  • Safety / CSAM: safety@emora.ai
  • CCPA requests: ccpa@emora.ai

Last updated: April 2026. This Privacy Policy supersedes all prior versions.