Privacy Policy

1. Overview

This privacy policy explains how we process personal data when you visit and use Runestone Realm. Runestone Realm is an AI-powered service for interactive stories: an AI generates narration text, voice output and sound effects based on your input. To provide this service, content is transmitted to specialised third-party providers (see Section 5).

2. Controller

Stixlieber UG (haftungsbeschränkt)
Fuldastraße 57, 56410 Montabaur, Germany
Represented by the Managing Director Julian Ernst
Phone: 0174 9211830 · Email: support@runestonerealm.com

We have not appointed a data protection officer, as there is no legal obligation to do so.

3. Legal bases and storage period

We process personal data on the following legal bases:

• Art. 6(1)(b) GDPR (contract): to provide the game and account service;
• Art. 6(1)(f) GDPR (legitimate interest): IT security, abuse and fraud prevention, stability and improvement;
• Art. 6(1)(c) GDPR (legal obligation): e.g. tax retention, reporting of unlawful content;
• Art. 6(1)(a) GDPR (consent): where we ask you separately for consent to a specific processing. You can withdraw consent at any time with effect for the future.

Storage period: Unless stated otherwise, we store personal data until the purpose ceases to apply (e.g. until your account is deleted) or you make a justified erasure request, provided no statutory retention obligations apply.

4. Website and device

Hosting (Hetzner, Germany): We host with Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen. Technical connection data arising from operation is processed on the basis of Art. 6(1)(f) or (b) GDPR; a data processing agreement is in place.

Cookies and local storage: We use exclusively technically necessary cookies. These are required for operation and for the functions you request (§ 25 (2) no. 2 TDDDG, Art. 6(1)(f) GDPR). As we do not use any analytics, tracking or marketing cookies, no cookie consent banner is required. Technical settings (e.g. theme preference, age confirmation) are stored locally in your browser and do not leave your device.

No analytics/tracking tools: We do not use any web analytics, tracking or advertising services and do not load any third-party content (e.g. external fonts, maps, social media plugins) at runtime.

5. Account, gameplay and AI processing

Registration and login: You register with your email address. Login is by password (stored only as a Bcrypt hash, never in plain text) and/or by magic link. The email is sent via Brevo (Sendinblue SAS, France) as a processor. Legal basis: Art. 6(1)(b) GDPR.

Sessions and turns: We store your sessions and turns: your input (typed or speech-recognised text), the AI narration, game progress, the chosen language, audio preferences and technical processing data (e.g. model, token/character count, timing). Legal basis: Art. 6(1)(b) and (f) GDPR. Please do not enter sensitive data into the game text that is not required.

Transmission to AI providers (narration): To generate the story, your input text and the necessary conversation context are transmitted via the router OpenRouter (OpenRouter, Inc., USA) to language models. We have configured OpenRouter so that no storage takes place beyond processing ("Zero Data Retention") and the content is not used to train AI models. Your email address or account identity is not transmitted. Legal basis: Art. 6(1)(b) GDPR.

Voice output (text-to-speech): For voice output, the AI-generated narration text (not your input) is transmitted to a voice-synthesis provider located in the USA. Legal basis: Art. 6(1)(b) GDPR.

Voice input: The conversion of speech to text takes place in your browser via your browser's/device's speech recognition (Web Speech API). Depending on the browser (e.g. Google Chrome), the browser vendor may process the audio on its own servers; this happens within your browser provider's area of responsibility. Only the finished text is transmitted to us, not the audio recording.

Third-country transfer: When using third-party services, transfers to third countries may occur; we endeavour to ensure appropriate safeguards.

6. Payments / subscription (Creem)

Payments for subscriptions are processed by Creem (Armitage Labs OÜ, Telliskivi 57b/1, 10412 Tallinn, Estonia) as Merchant of Record. The purchase contract is concluded with Creem. We do not collect or store full payment/card details. Creem processes your payment and billing data under its own privacy policy. From Creem we only receive a customer identifier, the subscription status and the information needed to provide the subscription. Legal basis: Art. 6(1)(b) GDPR.

7. Abuse prevention and content moderation

IP addresses / rate limiting: To protect against abuse we process your IP address temporarily in our server's memory (not in a database, not in log files), based on our legitimate interest (Art. 6(1)(f) GDPR). IP addresses are automatically deleted after no more than 30 minutes, are not linked to your account and are not used for any other purpose.

Content flags: To enforce our terms, each turn may be automatically flagged as to whether an input indicates a violation. We store these flags together with the relevant turn in order to review violations, warn/suspend accounts and comply with legal obligations (Art. 6(1)(f) and (c) GDPR). Sexual content relating to minors is strictly prohibited; we report such incidents to the competent authorities where legally required.

8. Storage periods at a glance

• Account data (email, password hash, subscription status): until the account is deleted or as long as statutory retention obligations apply.
• Sessions/turns: until the account is deleted; we reserve the right to retain content for security, enforcement of the rules and improvement of the service.
• Generated audio files: for the duration of use; they may be deleted at our discretion for technical reasons, at the latest upon deletion of your account.
• Anonymous sessions: automatically deleted after 7 days.
• IP addresses (rate limiting): max. 30 minutes in memory.
• Payment-related records: in accordance with applicable tax/commercial retention periods.

9. Improvement of the service

We may process pseudonymised or aggregated usage and content data for analysis, debugging and improvement of the service (Art. 6(1)(f) GDPR).

10. Your rights

Under the GDPR you have the right at any time to:

• access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18);
• data portability (Art. 20);
• object to processing based on Art. 6(1)(f) (Art. 21);
• withdraw consent given, with effect for the future.

Deleting your account and data: You can delete your account yourself at any time under Profile → Account → "Delete account". This irreversibly deletes your account and the associated personal data (saved games, history, generated audio files). Any active subscription is cancelled and access ends immediately; amounts already paid for the current billing period are not refunded, as we cannot provide the service without an account (details in Section 4 of our Terms). Alternatively, you can request deletion by email to support@runestonerealm.com ; we will carry this out without undue delay, at the latest within one month (Art. 12(3) GDPR).

Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate (Hintere Bleiche 34, 55116 Mainz). You may also contact the authority of your usual place of residence.

11. Data security

We use technical and organisational measures, including TLS encryption, hashed passwords (Bcrypt), HTTP-only and secure cookies, a Content Security Policy and rate limiting. A seamless protection of data during transmission over the internet is nevertheless not possible.

11a. Recipients / processors

12. Changes to this privacy policy

We adapt this privacy policy when the data processing changes or this is legally required. The current version is always available on this page.