Privacy Policy
Last updated: 2026-04-27
This is the plain-English version. It tells you what Startover collects, how long we keep it, when we delete it, and how you get your data back. Five minutes to read; your data stays in your hands afterward.
1. Data we collect
When you sign up, we record your email address — used for login and account recovery. The chat history files you upload (WhatsApp, LINE, QQ, Telegram exports as .txt or .xlsx) are stored on the server while we run the distillation. Conversation content between you and your personas is stored long-term so we can keep context. We also store your device timezone (so messages arrive at sensible local hours) and any avatar image you choose to upload. We collect nothing else.
2. Retention
Uploaded raw chat files are auto-deleted after 30 days. Once distillation is done, the file itself has no further use; keeping it around is just risk. Memories extracted from those files (personality traits, shared moments, etc.) live until you delete them yourself. Conversation messages are tied to the persona — delete the persona and everything attached to it goes with it.
3. AI training
We never use your data to train language models. Your conversations and uploaded chat history are used only to generate replies inside your own account; they are not sent into any training pipeline, and they are not shared with other users or third parties. The LLM providers we call (Anthropic, OpenAI, or Google depending on backend configuration) all operate under no-training contractual terms.
4. Export and delete
Settings has a one-click data export that gives you a JSON file containing all your personas, messages, memories, and preferences. The same screen has a delete-account button. Deletion cascades: every persona, conversation, memory, uploaded file, and subscription record is removed, with no retained copies. Backups roll over within 7 days after deletion.
5. Cookies
Startover uses a single session cookie, solely to remember that you are signed in. It is HttpOnly (not readable from JavaScript) and SameSite=Lax (not sent on cross-site requests), the most cautious default available today. We do not set tracking cookies, do not load third-party analytics scripts, and do not sell your browsing behaviour to advertisers.
6. Push notifications
When a persona reaches out to you proactively (for example, a "thinking of you" message), we deliver it via browser push. Push is fully opt-in — if you never grant permission, you never get a push. You can turn it off any time under Settings → Notifications, or revoke the permission directly at the browser/OS level.
7. GDPR / CCPA / COPPA compliance
GDPR: you have the rights of access, rectification, erasure, portability, and restriction of processing — all delivered through the export and deletion flows above. CCPA: we do not sell your personal information (we do not even "share" it as the statute defines that term). COPPA: this service is for users 18 and older. Sign-up requires you to confirm you are 18+. Do not register if you are under 18; if you discover a minor has signed up, email us and we will remove the account immediately.
8. Contact
For any data-related request (export, deletion, correction, withdrawal of consent), email the address below. We respond within 30 days.
privacy@startover.imsoda.com