Privacy Policy
Effective Date: March 30, 2026 | Last Updated: March 30, 2026
Our Privacy Commitment
Your privacy matters to us. We are committed to transparency about our data practices and protecting your personal information. We do not sell your personal data and only collect what is necessary to provide you with our Service.
Key Points Summary
- Data We Collect: Account information, usage data, chat content, and payment details necessary to provide our AI spiritual exploration service.
- No Selling Data: We never sell your personal information to third parties. We only share with essential service providers.
- Cookies & Telemetry: We use only essential cookies (authentication/navigation). Operational analytics are collected internally and do not use third-party analytics cookies or providers.
- AI Processing: Your conversations are processed by OpenAI's API to generate responses. We retain chat history to maintain conversation context.
- Special Category Data: Our Service involves religious and spiritual content. We process this data only with your explicit consent under GDPR Article 9(2)(a).
- Your Rights: You can access, correct, delete, or export your data. EU/EEA residents have rights under GDPR; California residents have additional rights under CCPA/CPRA.
- Security: We use encryption, secure hosting, and industry-standard practices to protect your data.
Table of Contents
- 1. Scope & Applicability
- 2. Information We Collect
- 3. Legal Bases for Processing
- 4. How We Use Your Info
- 5. AI Data Processing
- 6. Special Category Data
- 7. Sharing & Disclosure
- 8. Cookies & Telemetry
- 9. Data Retention
- 10. Data Security
- 11. International Transfers
- 12. Your Privacy Rights
- 13. Children's Privacy
- 14. EU/EEA Privacy Rights
- 15. California Privacy Rights
- 16. Policy Changes
- 17. Contact Us
1. Scope & Applicability
1.1 Covered Services. This Privacy Policy applies to all personal information collected by One Creator through:
- Our website at onecreator.chat
- Our AI-powered chatbot and spiritual exploration services
- Our mobile applications (if any)
- Email and other communications with us
1.2 Data Controller. ONE CREATOR SRL (Societate cu Răspundere Limitată), a limited liability company registered in Romania (Trade Registry no. J2026018356007; CUI/CIF: 54291316), trading as One Creator, is the data controller responsible for processing your personal information under this Policy.
Registered address: Romania, Jud. Dolj, Municipiul Craiova, Strada Traian Demetrescu, Nr.23, MANSARDA
Email: nick@onecreator.chat
Lead supervisory authority: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), Romania — dataprotection.ro
1.3 Third-Party Services. Our Service may contain links to third-party websites or integrate with third-party services. This Policy does not apply to those third parties. We encourage you to review their privacy policies.
1.4 Agreement. By using our Service, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with our practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples |
|---|---|
| Account Information | Name, email address, password (hashed), profile picture |
| Payment Information | Billing address, payment card details (processed by Stripe) |
| Chat Content | Messages, questions, and inputs you submit to our AI |
| Notes & Saved Content | Notes you create, saved responses, tags, categories |
| Communications | Support requests, feedback, survey responses |
2.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Device Information | Device type, operating system, browser type and version |
| Usage Data | Pages visited, features used, session duration, click patterns |
| Log Data | IP address, access timestamps, error logs, referral URLs |
| Location Data | General location derived from IP address (country/region level) |
| Cookies & Identifiers | Essential session cookies for authentication and navigation, plus authentication tokens and device identifiers |
2.3 Information from Third Parties
- OAuth Providers: If you sign in via Google or other OAuth providers, we receive your basic profile information as permitted by your privacy settings.
- Payment Processor: Stripe provides us with transaction status and limited payment information (not full card numbers).
3. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on the following legal grounds:
Contract Performance
Processing necessary to provide you with our Service, manage your account, and fulfill our subscription obligations.
Legitimate Interests
Processing for fraud prevention, security, service improvement, and internal operational telemetry where our interests do not override your rights.
Consent
Processing based on your explicit consent, such as for marketing communications. You may withdraw consent at any time.
Explicit Consent for Special Categories (Art. 9(2)(a))
Processing of special category data (religious and philosophical beliefs revealed through your use of our spiritual exploration features) is based on your explicit consent, collected at account registration. You may withdraw this consent at any time via your Privacy Settings, though this will disable the chat feature.
Legal Obligation
Processing required to comply with applicable laws, regulations, or legal processes.
4. How We Use Your Information
4.1 Service Provision
- Create and manage your account
- Provide AI-powered spiritual exploration features
- Maintain conversation history and context
- Process your notes and saved content
- Handle subscription billing and payments
4.2 Service Improvement
- Analyze usage patterns to improve features
- Debug issues and fix errors
- Develop new features and services
- Conduct research and analysis (using aggregated data)
4.3 Communication
- Send transactional emails (receipts, password resets, account alerts)
- Respond to your support inquiries
- Send service announcements and updates
- Send marketing communications (with your consent)
4.4 Security & Legal
- Protect against fraud, abuse, and security threats
- Enforce our Terms of Service
- Comply with legal obligations and respond to lawful requests
5. AI Data Processing
Important: AI-Specific Privacy Information
Your conversations with our AI are processed by OpenAI's API to generate responses. Please read this section carefully to understand how your data is handled.
5.1 How AI Processing Works
- Your messages are sent to OpenAI, Inc. (San Francisco, CA, USA) via their API for response generation
- We use OpenAI's embedding models (text-embedding-3-small) to match your queries against our knowledge base
- We use OpenAI's language models to generate contextual responses based on retrieved content
- Conversation history may be used to maintain context within a session
- Your user ID and session ID are sent to our self-hosted RAG (Retrieval-Augmented Generation) service, which forwards your query to OpenAI
5.2 Data Sent to OpenAI
When you use the chat feature, the following data is transmitted to OpenAI's API:
- Your chat message text (which may contain or reveal religious/spiritual beliefs — see Section 6)
- Relevant context retrieved from our knowledge base (religious texts and spiritual materials)
- System prompts that instruct the AI how to respond
We do not send your email address, name, IP address, or payment information to OpenAI.
5.3 OpenAI's Data Practices
- OpenAI's API data is not used to train their models (per OpenAI's Enterprise Privacy policy)
- API inputs and outputs may be retained by OpenAI for up to 30 days for abuse monitoring, after which they are deleted
- We have a Data Processing Agreement (DPA) with OpenAI that includes EU Standard Contractual Clauses (2021 version, Module 2: Controller → Processor)
- OpenAI is not certified under the EU-US Data Privacy Framework; transfers to OpenAI rely solely on SCCs as the transfer mechanism
5.4 AI Training & Improvement
- We do not use your personally identifiable data to train AI models
- We may use anonymized, aggregated conversation patterns to improve our retrieval accuracy
- OpenAI does not use API data to train their models
OpenAI may process de-identified, anonymised, and/or aggregated data derived from chat interactions to improve their services. This processing does not identify you individually and is separate from model training.
5.5 Agent Personalisation & Memory
Our AI agents build a per-user memory to personalise responses across sessions (for example, remembering topics you have explored or preferences you have expressed). This memory:
- Is stored in our self-hosted RAG service within the EU (Hetzner infrastructure)
- Is scoped exclusively to your account and is never shared with other users
- Is used only to contextualise your own conversations — we do not profile you or make automated decisions based on it
- Can be deleted at any time via Settings → Privacy & Data → Agent Memory → Clear Agent Memory
- Is also deleted when you delete your account
Stateless "Tutor" mode conversations are never stored in agent memory.
6. Special Category Data (Religious & Spiritual Content)
GDPR Article 9 — Special Categories of Personal Data
Our Service is designed for exploring spiritual and religious content. Your use of this Service may reveal your religious or philosophical beliefs, which are classified as "special category data" under GDPR Article 9.
6.1 What Constitutes Special Category Data in Our Service
The following activities may reveal your religious or philosophical beliefs:
- Chat conversations about Bible passages, Quran verses, and related study topics
- Questions you ask about spiritual practices, beliefs, or teachings
- Notes you create about religious or spiritual topics
- Your choice of which spiritual agents/topics to engage with
6.2 Legal Basis: Explicit Consent (Art. 9(2)(a))
We process this special category data solely based on your explicit consent, which we collect at account registration via a separate, specific consent checkbox:
- This consent is recorded with a timestamp, your IP address, and the consent version in our database
- This consent is separate from your general Terms of Service / Privacy Policy acceptance
6.3 Your Right to Withdraw Consent
- You may withdraw your special category data consent at any time via Settings → Privacy & Data
- Withdrawal will disable the chat feature, as the Service cannot function without processing this data
- Withdrawal does not affect the lawfulness of processing performed before withdrawal
- You may also request deletion of all your special category data by contacting us or deleting your account
6.4 Safeguards for Special Category Data
- Chat data is encrypted in transit (TLS) and at rest
- Access to chat data is restricted to essential service operations only
- Our self-hosted RAG service processes data within the EU (Hetzner infrastructure)
- When data is sent to OpenAI's API (US-based), it is protected by EU Standard Contractual Clauses (SCCs, Module 2: Controller → Processor). OpenAI is not certified under the EU-US Data Privacy Framework
- OpenAI does not use API data for training and retains it for a maximum of 30 days for abuse monitoring
- We do not profile you based on your religious or spiritual beliefs
- We do not share your spiritual/religious chat content with advertisers or data brokers
7. Sharing & Disclosure
We do not sell your personal information
7.1 Service Providers (Sub-Processors)
We share data with the following named third parties where necessary to operate our Service:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI, Inc. | AI response generation & text embeddings | Chat message text, knowledge base context (may include religious/spiritual content) | USA (SCCs only; not DPF certified) |
| Stripe, Inc. | Payment processing | Customer email, internal user ID, payment method | USA (DPF certified, SCCs) |
| Amazon Web Services (SES) | Transactional email delivery | Email address, email content | USA/EU (DPF certified, SCCs) |
| Cloudflare, Inc. | CDN, DDoS protection, TLS termination | IP addresses, request URLs, HTTP headers | Global edge (DPF certified, SCCs) |
| Hetzner Online GmbH | Infrastructure hosting | All application data (encrypted at rest) | EU (Germany/Finland) |
Internal services (error monitoring via self-hosted Sentry, operational telemetry) are hosted on our own Hetzner infrastructure within the EU and do not involve additional sub-processors.
7.2 Legal Requirements
We may disclose your information when required by law or in response to:
- Valid legal process (subpoenas, court orders, warrants)
- Government or regulatory requests
- Protecting our rights, property, or safety
- Preventing fraud or illegal activities
- Emergency situations involving potential threats to safety
7.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control.
7.4 With Your Consent
We may share your information in other circumstances with your explicit consent.
8. Essential Cookies & Internal Telemetry
8.1 Essential Cookies Only
We use only essential first-party cookies required for authentication, security, and core navigation. We do not use third-party analytics cookies or advertising cookies.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, basic functionality | Session / 30 days |
8.2 Managing Cookies
You can control cookies through your browser settings (blocking or deleting cookies).
Note: Disabling essential cookies may prevent you from using certain features of our Service.
8.3 Do Not Track
Some browsers offer a "Do Not Track" (DNT) setting. We currently do not respond to DNT signals, but we respect your other privacy choices as described in this Policy.
9. Data Retention
9.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Information | Until account deletion + 30 days |
| Chat History | Until account deletion or manual deletion |
| Notes & Saved Content | Until account deletion or manual deletion |
| Payment Records | 7 years (legal/tax requirements) |
| Usage Logs | 90 days (rolling) |
| Support Communications | 3 years from resolution |
9.2 Deletion Process
When you delete your account or request data deletion:
- We begin deletion within 30 days of your request
- Some data may persist in backups for up to 90 days
- Certain data may be retained for legal compliance
- Anonymized, aggregated data may be retained indefinitely
10. Data Security
10.1 Security Measures
We implement industry-standard security measures including:
- Encryption: TLS/SSL encryption for data in transit; encryption at rest for sensitive data
- Access Controls: Role-based access, multi-factor authentication for internal systems
- Infrastructure: Secure cloud hosting with regular security audits
- Password Security: Passwords are hashed using industry-standard algorithms
- Monitoring: Continuous monitoring for security threats and anomalies
10.2 Your Responsibilities
- Use strong, unique passwords for your account
- Do not share your login credentials
- Log out from shared or public devices
- Notify us immediately of any suspected unauthorized access
10.3 Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users within 72 hours (or as required by law)
- Notify relevant supervisory authorities as required
- Take immediate steps to contain and remediate the breach
11. International Data Transfers
11.1 Transfer Locations
Your information may be transferred to and processed in countries outside your country of residence. Specifically, data is sent to the United States when processed by the following sub-processors:
- OpenAI, Inc. — Chat messages and knowledge base context for AI response generation
- Cloudflare, Inc. — IP addresses and request metadata routed through global edge network for CDN and security (DPF certified)
- Stripe, Inc. — Payment and billing data for subscription processing
- Amazon Web Services (SES) — Email addresses for transactional emails
All other data (databases, application servers, error monitoring, telemetry) is stored and processed within the EU on Hetzner infrastructure in Germany/Finland.
11.2 Transfer Safeguards
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses (2021 version, Decision 2021/914) are in place with all US-based sub-processors. For OpenAI, SCCs (Module 2: Controller → Processor) are the sole transfer mechanism.
- EU-US Data Privacy Framework (DPF): Stripe, Inc. (DPF #6436) and Cloudflare, Inc. (DPF #5666) are certified under the EU-US Data Privacy Framework adequacy decision. OpenAI, Inc. is not DPF-certified; transfers to OpenAI rely solely on SCCs.
- Data Processing Agreements: Contractual obligations with all sub-processors include GDPR Art. 28 requirements, data retention limits, and restrictions on onward transfers.
11.3 Transfer Impact Assessment
We have conducted a Transfer Impact Assessment (TIA) in accordance with EDPB Recommendations 01/2020 to evaluate the legal framework of the United States and the effectiveness of the supplementary measures we apply to protect your data during international transfers. The TIA confirms that, with the technical and organizational measures described above, your data receives an essentially equivalent level of protection to that guaranteed within the EEA. You may request further details about our transfer safeguards by contacting us at nick@onecreator.chat.
11.4 Exercise of Rights. If you have concerns about how your data is handled in connection with international transfers, you may exercise your rights under Section 12 of this Policy or contact us at nick@onecreator.chat. You may also lodge a complaint with your local data-protection supervisory authority.
12. Your Privacy Rights
Depending on your location, you may have the following rights:
Exercising Your Rights
To exercise any of these rights, contact us at nick@onecreator.chat. We will respond within one month (or sooner if required by law). We may need to verify your identity before processing your request.
No Discrimination
We will not discriminate against you for exercising your privacy rights.
13. Children's Privacy
Age Restriction — 18+
Our Service is not available to users under 18 years of age. This exceeds the minimums set by GDPR Article 8 (under 16) and the U.S. Children's Online Privacy Protection Act (under 13).
13.1 Age Requirement. During account registration, users are asked to confirm that they are at least 18 years old. This confirmation is recorded as an auditable consent record in our system.
13.2 Account Access Without Age Confirmation. Users who do not confirm they meet the minimum age of 18 may still create an account and access non-AI features (e.g., browsing, account settings). However, access to AI-powered chat and study tutor features is restricted until age confirmation is provided.
13.3 Technical Enforcement. Our chat and tutor API endpoints verify that the user has an active age confirmation record before processing any request.
13.4 Updating Age Confirmation. Users can confirm or update their age confirmation at any time through their account's Privacy Settings page (Settings > Privacy).
13.5 COPPA Compliance (United States). In accordance with COPPA, we do not knowingly collect, use, or disclose personal information from children under 13 years of age.
13.6 GDPR Article 8 (European Economic Area). Under GDPR, the digital age of consent varies by EU/EEA member state (ranging from 13 to 16). We apply a minimum threshold of 18 for all users, which exceeds the GDPR baseline.
13.7 International Digital Age of Consent. We apply a floor of 18 for all users regardless of location, which exceeds all local digital consent thresholds.
If you believe we have inadvertently collected information from a child below the applicable age threshold, please contact us immediately at nick@onecreator.chat.
14. EU/EEA Privacy Rights (GDPR)
As ONE CREATOR SRL is established in Romania, the GDPR applies to all processing we carry out. If you are in the European Union, European Economic Area, or United Kingdom, you have the following rights in addition to those listed in Section 12:
14.1 Additional Rights
- Right to lodge a complaint with a supervisory authority
- Right not to be subject to automated decision-making (we do not make automated decisions with legal or significant effects about you)
- Right to information about international transfers and safeguards
14.2 Supervisory Authority
Our lead supervisory authority is the Romanian ANSPDCP (dataprotection.ro). You also have the right to lodge a complaint with the data-protection authority in your own EU/EEA member state. A list of EU data protection authorities is available at: edpb.europa.eu
14.3 Data Protection Contact
For GDPR-related inquiries, contact our Data Protection team at: nick@onecreator.chat
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
15.1 Right to Know
You may request information about:
- Categories of personal information we collect
- Sources of that information
- Business purposes for collection
- Categories of third parties with whom we share information
- Specific pieces of personal information we have collected about you
15.2 Right to Delete
You may request deletion of your personal information, subject to certain exceptions.
15.3 Right to Correct
You may request correction of inaccurate personal information.
15.4 Right to Opt-Out of Sale/Sharing
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
15.5 Right to Limit Use of Sensitive Information
We do not use sensitive personal information for purposes beyond what is necessary to provide our Service.
15.6 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authorization.
15.7 "Shine the Light"
California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
16. Changes to This Policy
16.1 Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.
16.2 Notification
We will notify you of material changes by:
- Updating the "Last Updated" date at the top of this Policy
- Posting a prominent notice on our website
- Sending an email notification for significant changes (where we have your email)
16.3 Material Changes to Data Processing. Where we make material changes to the purposes or legal bases for processing your personal data, or to the categories of recipients of your data, we will seek your renewed consent where legally required under GDPR.
16.4 Review
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
ONE CREATOR SRL
Trading as One Creator
Trade Registry: J2026018356007 | CUI/CIF: 54291316
Privacy Inquiries: nick@onecreator.chat
Legal/Compliance: nick@onecreator.chat
Address: Romania, Jud. Dolj, Municipiul Craiova, Strada Traian Demetrescu, Nr.23, MANSARDA
Lead Supervisory Authority: ANSPDCP — dataprotection.ro
We aim to respond to privacy-related inquiries within one month, as required by GDPR Art. 12(3).