Privacy Policy

Last Updated: March 6, 2026

Effective Date: March 6, 2026

⚠️ Adults Only — 18+ Platform

Eidolon is designed exclusively for users aged 18 and older. We do not knowingly collect, store, or process personal information from anyone under the age of 18. If we learn that we have collected data from a minor, we will promptly delete the account and all associated data.

1. Introduction

Welcome to Eidolon ("we," "our," or "us"), operated from Sacramento, California. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI companion platform, including our web application, mobile applications, and related services (collectively, the "Service").

We are committed to protecting your privacy. Please read this policy carefully. By using Eidolon, you consent to the collection and use of your information as described herein.

2. Information We Collect

2.1 Account Information

  • Registration data: Email address and authentication credentials (processed through Firebase Authentication).
  • Profile information: Display name and any optional profile details you provide.
  • Age confirmation: You confirm you are 18+ during registration. We may implement additional age assurance measures as required by law.

2.2 Conversation and Interaction Data

  • Chat messages: Text messages sent to and received from your AI companions, stored to maintain conversation continuity and companion memory.
  • Companion memory: Structured facts and relationship context derived from your conversations, stored to personalize the companion experience.
  • AI-generated content: Companion diary entries, dreams, musings, and other generated text associated with your account.
  • Generated images: Images created through the co-creative image generation feature, stored in cloud object storage and linked to your account.
  • User-uploaded images: Photos or images you share with your companions within chat.
  • Imported agentic memory: Memory context, character files, or chat histories you choose to import from other AI platforms (e.g., ChatGPT) to bring your existing companion to Eidolon.

We recognize that your conversations with companions may contain personal, emotional, or intimate content. We treat all conversation data as sensitive and apply heightened protections accordingly. We process this information solely to provide the Service and do not use it for advertising, profiling, or any purpose beyond what is described in this policy.

Conversation confidentiality: Our staff does not access, read, or review your conversations unless you explicitly contact support and grant permission to investigate a specific issue. Automated safety systems may process messages to detect crisis situations (as described in our Safety Protocols), but no human reviews this content outside of the support context described above.

2.3 Technical and Usage Data

  • Device information (device type, operating system, app version).
  • IP addresses and general location data (city/region level only).
  • Usage patterns (feature usage frequency, session duration) — collected in aggregate for service improvement.
  • Error logs and crash reports for debugging and service reliability.

2.4 API Keys (BYOK Users)

If you choose to bring your own API key for third-party LLM providers, we store your key in encrypted form (Fernet encryption). We do not use your key for any purpose other than processing your requests.

3. How We Use Your Information

  • Providing the Service: Processing your messages, maintaining companion memory and journals, generating images, and delivering a personalized companion experience.
  • Safety and moderation: Applying content safety measures to help ensure compliance with our Terms of Service, detect potential crisis situations, and provide crisis resource referrals as required by California SB 243.
  • Service improvement: Analyzing anonymized, aggregated usage patterns to improve features and fix bugs. We do not use your individual chat content to train our AI models.
  • Communication: Sending important service announcements, security alerts, and policy updates.
  • Customer support: When you contact us for help, authorized personnel may access your account information and, where necessary to resolve your issue, relevant conversation or content data. Access is limited to what is reasonably needed to address your request and is subject to the same confidentiality and security protections described in this policy.
  • Legal compliance: Fulfilling our obligations under applicable laws, including responding to lawful legal requests.

4. AI Processing and Third-Party LLM Providers

To generate companion responses, images, and journal content, your input data is processed by third-party large language model (LLM) providers. You should be aware that:

  • Your messages are sent to LLM providers (such as those accessible via OpenRouter) for processing. We select providers with strong privacy practices and favor those that offer zero data retention policies where available.
  • We do not sell your conversation data to LLM providers or any other third party.
  • No model training: We contractually and technically ensure that no LLM provider we use trains on your data. OpenRouter, our primary routing partner, enforces provider-level data policies and does not retain your prompts or responses.
  • Image generation: Image generation requests are processed by Black Forest Labs (BFL) via their Flux image generation API. Prompts submitted for image generation are used solely to produce the requested image and are not used for model training by us or, per BFL's API terms, by BFL.
  • No professional advice: AI companion responses are provided for entertainment and general conversation purposes only. They do not constitute professional medical, mental health, legal, or financial advice. Please consult qualified professionals for such matters.

5. Data Storage and Security

  • Account, conversation, and companion data is stored in managed PostgreSQL databases hosted on Fly.io infrastructure.
  • Real-time message delivery uses Firebase Firestore with security rules restricting access to authenticated users.
  • Generated images are stored in Tigris cloud object storage.
  • Data is encrypted in transit (TLS) and at rest where supported by our infrastructure providers.
  • API keys are encrypted using Fernet symmetric encryption before storage.
  • We implement access controls, regular security reviews, and monitoring to protect your data.

While we employ industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach, consistent with GDPR requirements.
  • Provide a clear description of what information was affected and what steps we are taking to mitigate the impact.
  • Report the breach to relevant supervisory authorities as required by applicable law.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share data only in the following circumstances:

  • Service providers: Third-party infrastructure providers (Fly.io, Firebase, Tigris, Black Forest Labs) that host or power our services, under strict data processing agreements.
  • LLM providers: As described in Section 4, for the purpose of generating AI responses.
  • Legal requirements: When required by law, legal process, or government request.
  • Safety: To protect the safety of our users or the public, or to prevent fraud.

8. Your Rights and Choices

8.1 General Rights

  • Access: You can view your conversation history, companion memories, and generated content within the app.
  • Correction: You can edit or curate companion memories through the memory management feature.
  • Deletion: You can request deletion of your account and all associated data by contacting us at support@geteidolon.app.
  • Data portability: You may request an export of your personal data in a machine-readable format.

8.2 United States - State-Specific Privacy Rights

If you are a resident of California, New York, Colorado, Virginia, or other U.S. states with comprehensive privacy laws, you may have additional rights regarding your personal information:

  • Right to know/access: What personal information we collect, use, and disclose.
  • Right to delete: Request deletion of your personal information.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt-out: We do not "sell" or "share" your personal information for cross-context behavioral advertising as those terms are defined under state laws.
  • Right to limit use of sensitive personal information: We only process sensitive personal information to provide the Service (e.g., maintaining your companion's memory).
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at support@geteidolon.app. We will verify your identity and respond within the timeframe required by your state's law (typically 45 days).

8.3 European Economic Area (EEA) and UK Residents (GDPR)

If you are located in the EEA or the UK, you have specific rights under the General Data Protection Regulation (GDPR) and UK GDPR. Our legal bases for processing your data include: performance of a contract (providing the Service), your explicit consent (which you may withdraw at any time), and our legitimate interests (such as improving the Service and maintaining safety), provided these interests are not overridden by your fundamental rights.

Your rights include:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure (Right to be forgotten): Request deletion of your personal data.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, commonly used format.
  • Right to object: Object to our processing of your data.

To exercise any of these rights, contact us at support@geteidolon.app. You also have the right to lodge a complaint with your local data protection supervisory authority.

9. Data Retention

  • Account data is retained for as long as your account is active.
  • Conversation history, companion memories, and generated content are retained to provide continuity of service.
  • Upon account deletion, we will delete your personal data within 30 days, except where retention is required by law or for legitimate safety purposes.
  • Anonymized, aggregated data may be retained indefinitely for analytics and service improvement.

10. Cookies and Tracking

We use minimal cookies necessary for authentication and session management. We do not use third-party advertising trackers. Firebase Authentication may set cookies for session persistence.

10.1 "Do Not Track" Signals

California law requires us to let you know how we respond to web browser "Do Not Track" (DNT) signals. Because there is currently no industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

11. Children's Privacy

Eidolon is strictly an 18+ platform. We do not knowingly collect personal information from anyone under 18. In compliance with COPPA (Children's Online Privacy Protection Act) and California SB 243:

  • We require age confirmation during registration.
  • We will implement age bracket signal processing from operating system providers as required by the California Digital Age Assurance Act (AB-1043) when operative.
  • If we discover a user is under 18, we will immediately terminate the account and delete all data.
  • If you believe a minor is using our Service, please report it immediately to support@geteidolon.app.

12. International Data Transfers

Eidolon is operated from Sacramento, California, in the United States. If you access the Service from outside the U.S. (such as the EEA or the UK), your data will be transferred to, and stored and processed in, the U.S. By creating an account and using the Service, you acknowledge and consent to this transfer. We ensure that appropriate safeguards are in place to protect your personal data during such transfers, in accordance with applicable data protection laws.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The "Last Updated" date at the top of this policy indicates the most recent revision.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, contact us at:

support@geteidolon.app