Privacy Policy

ImmersiVerse OS Inc. ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services ("the Platform"). By using ImmersiVerse OS, you consent to the practices described in this policy.

1. Information We Collect

We collect information in the following categories:

Account Information (CCPA category: identifiers)

When you create an account, we collect your name, email address, and authentication credentials. If you subscribe to a paid plan or claim a Founder Seat, we collect billing information through our payment processor, Stripe; we never store full payment card numbers on our servers.

Content Data (CCPA category: commercial information & user-generated content)

We store prompts, concepts, generated scripts, character bibles, reference images you upload, generated images, generated audio, generated video, and other content you create through the Platform.

Usage Data (CCPA category: internet/network activity)

We automatically collect information about how you interact with the Platform, including pages visited, features used, generation requests, credit consumption, timestamps, device type, browser type, IP address, and referring URLs.

Cookies and Tracking

We use cookies, local storage, and similar technologies to maintain your session, remember preferences, and analyze usage patterns. See Section 5 for the specific cookies we set.

2. Sensitive Personal Information

For California residents, the California Privacy Rights Act (CPRA) defines a category of "Sensitive Personal Information" (SPI). We collect the following SPI:

• Account login credentials (email + password hash via Supabase Auth) — required to operate the Platform
• Precise payment information (handled by Stripe; we hold only a Stripe customer ID and last-4/brand of card)

We do not collect government IDs, biometric identifiers, health information, precise geolocation, racial/ethnic/religious data, union membership, sexual orientation, or genetic data. We use SPI only for the purposes described in this policy and do not sell or share SPI for cross-context behavioral advertising.

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Platform and its features
• Process transactions, manage your subscription, and track credit balances
• Generate AI content based on your prompts and inputs (which requires sending them to third-party AI providers — see Section 6)
• Communicate with you about updates, security alerts, billing, and support
• Analyze aggregated, anonymized usage patterns to improve performance and user experience
• Enforce our Terms of Service and prevent prohibited use
• Comply with legal obligations

4. AI Training and Model Improvement

We want to be transparent about how your data interacts with our AI systems:

• Your prompts and inputs are processed by our AI systems (and by the third-party model providers listed in Section 6) to generate content in real time
• We do not use your individual prompts or generated content to train or fine-tune base AI models without your explicit, opt-in consent
• Aggregated and anonymized usage data may be used to improve general platform performance and AI quality
• You may opt in to a voluntary data-sharing program that contributes to model improvement. This is entirely optional and can be revoked at any time by emailing us
• Automated decision-making (GDPR Art. 22): The Platform uses AI to generate creative content but does not make solely-automated decisions that have legal or similarly significant effects on you. Where AI assists in rate-limiting, quota enforcement, or content moderation, you can request human review by contacting us

5. Cookies & Local Storage

We set the following:

• Supabase auth cookies (essential): sb-access-token, sb-refresh-token — maintain your logged-in session.
• Stripe cookies (essential when checkout is active): Stripe sets cookies on its own domain during card capture and checkout for fraud prevention. See Stripe's cookie policy.
• Local storage (preference): iv_onboarded — remembers whether you've completed onboarding so we don't send you back through it.
• Vercel Analytics (analytics): If enabled, captures aggregate page-view metrics. No personal identifiers.

You can clear cookies and local storage through your browser. Disabling essential cookies will log you out of the Platform.

6. Subprocessors & Data Sharing

We do not sell your personal information. The Platform is built on the following third-party processors, each of which receives only the data necessary to deliver its service:

• Supabase — database, authentication, storage, real-time messaging. Hosted on AWS.
• Vercel — application hosting, edge runtime, deployment.
• Stripe — payment processing, SetupIntent flows for Founder Seats, subscription management.
• SendGrid (Twilio) — transactional email delivery (welcome, billing, security notices).
• Anthropic — text and reasoning AI (Claude). Receives your prompts and concept inputs; per Anthropic's terms, prompts are not used for model training.
• OpenAI — when used, video generation (Sora). Receives shot prompts.
• Google — when used, video generation (Veo). Receives shot prompts.
• Kling / Kuaishou — when used, mid-tier video generation. Receives shot prompts.
• Black Forest Labs (Flux) / Stability AI — when used, image generation and character lock. Receives reference images and image prompts.
• ElevenLabs — when used, voice synthesis. Receives dialogue text and voice configuration.

We may also share data:

• Legal requirements: When required by law, regulation, valid legal process, or government request
• Business transfers: In connection with a merger, acquisition, or sale of assets; the successor entity is bound by this policy
• With your consent: When you explicitly authorize sharing (e.g., publishing to the marketplace, public premieres, or brand partnerships)

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Request your data in a structured, machine-readable format
• Restriction: Request that we limit processing of your data
• Objection: Object to processing of your data for certain purposes
• Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise these rights, email us at Justin@immersiverseos.com. We will respond within thirty (30) days. We may need to verify your identity before fulfilling certain requests.

8. California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know what categories of personal information we collect, sources, business purposes, and third-party recipients
• Right to Delete the personal information we have collected about you
• Right to Correct inaccurate personal information
• Right to Opt Out of Sale or Sharing — we do not sell or share your personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Personal Information — we use SPI only for the purposes described in Section 2
• Right to Non-Discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised these rights

To exercise these rights, email us at Justin@immersiverseos.com with the subject "CCPA Request." You may also designate an authorized agent to make a request on your behalf; we will require written proof of the agent's authority.

Do Not Sell or Share My Personal Information: We do not sell or share personal information. If our practices ever change, this section will be updated and a "Do Not Sell or Share" link will be added to the Platform.

9. EU/EEA & UK Residents (GDPR / UK GDPR)

If you are in the EU, EEA, UK, or Switzerland, we process your personal data under the following legal bases:

• Contract performance: to provide the Platform under our Terms of Service
• Legitimate interests: to secure the Platform, prevent fraud, and improve service quality (balanced against your rights)
• Consent: for optional features like the voluntary AI-training data-sharing program
• Legal obligation: to comply with tax, accounting, anti-money-laundering, and other regulatory requirements

You have the right to lodge a complaint with your local data protection authority. International data transfers from the EU/UK are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent UK provisions.

10. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. If you delete your account, we will delete or anonymize your personal data within ninety (90) days, except where retention is required by law (tax, accounting, dispute resolution) or for legitimate business purposes (fraud prevention, enforcement of our Terms). Generated content associated with deleted accounts may be retained in anonymized form for product analytics. Credit ledger records are retained for at least seven (7) years for financial-records compliance.

11. Children's Privacy

The Platform is not intended for use by individuals under the age of 18, and we do not knowingly collect personal information from anyone under 18. We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and do not knowingly collect data from children under 13. If we become aware that we have collected data from a minor, we will take steps to delete the information promptly. If you believe a child has provided us with personal information, please contact us at Justin@immersiverseos.com.

12. International Data Transfers

The Platform is operated from the United States. By using the Platform, you understand that your data will be transferred to and processed in the United States and any other country where our subprocessors operate (see Section 6). These countries may have different data protection laws than your country of residence. When we transfer data internationally, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, the UK Addendum, and contractual confidentiality with subprocessors.

13. Security & Breach Notification

We implement industry-standard security measures to protect your data, including TLS encryption in transit, encryption at rest on our database, row-level security policies, regular security assessments, and least-privilege access controls. We use Supabase Row Level Security to ensure users can only access their own data within the database. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

If a security incident materially affects your personal data, we will notify you within the timeframes required by applicable law (e.g., 72 hours under GDPR) by email and/or in-product notice, with a description of the incident, the data affected, and the remedial steps we are taking.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by posting a notice on the Platform and/or sending an email to your registered address, and we will bump the version number at the top of this page. Material changes take effect thirty (30) days after posting. We encourage you to review this policy periodically.