Dystopia Engine

Privacy Policy

Last updated: June 19, 2026

1. Who we are

Dystopia Engine (“the Service,” “we,” “us”) is an AI-powered interactive world-building platform operated by Tamas Sebok as an independent project, established in Hungary. For the purposes of the EU General Data Protection Regulation (GDPR), we are the data controller for the processing described here. You can contact us about this policy at support@dystopia-engine.com.

2. Data we collect

Account information

When you register, your name, email address, and authentication credentials are managed by Clerk (our authentication provider). We do not store raw passwords. We store a Clerk user ID in our database to associate your content with your account.

Content you create

Worlds, characters, stories, story turns, discoveries, and any other content you create within the Service are stored in our database. This content is associated with your account and is private by default. You may choose to make stories public.

AI usage logs

Each time an AI feature is used (world generation, story turns, character generation, etc.), we log the model used, approximate token counts, feature name, and estimated cost. These logs are used for quota enforcement, cost tracking, and abuse prevention. We do not log the raw content of AI prompts or responses beyond what is saved as part of your worlds and stories.

Billing information

If you purchase credits or a subscription, payment is handled by our payment provider, Paddle (see Sub-processors and recipients). We do not receive or store your full payment-card details. We retain a record of your purchases — such as the Paddle transaction or subscription identifier, plan, subscription status, and credit amounts — to provide the Service and maintain your credit balance.

Usage and analytics data

We use Vercel Analytics, a privacy-friendly, cookieless analytics tool, to measure aggregate traffic and page performance. It processes limited technical data (such as page visited, referrer, approximate location derived from IP, device and browser type) to produce aggregated statistics. We do not use it to build advertising profiles or to identify you individually.

Contact messages

If you submit a message via the Contact page, we store your email address and message text to allow us to respond to you.

Technical data

Standard server logs (IP addresses, request paths, timestamps) may be retained temporarily by our hosting providers for operational and security purposes. We do not use cookies for tracking beyond what Clerk requires for authentication.

3. How we use your data

  • To operate the Service and provide its features to you
  • To authenticate you and maintain your session
  • To enforce per-account usage quotas and prevent abuse
  • To process payments, manage subscriptions, and maintain your credit balance
  • To send AI-generated content requests on your behalf (worlds, story turns, characters)
  • To respond to your support or contact messages
  • To improve the Service based on aggregate, non-identifiable usage patterns
  • To comply with our legal obligations and to establish, exercise, or defend legal claims

We do not sell your personal data. We do not use your content to train AI models. We do not send marketing emails. We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you.

4. Legal bases for processing

Under the GDPR we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service, your account, AI features, purchases, and credit balance.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, enforce quotas, prevent abuse and fraud, and understand aggregate usage through privacy-friendly analytics. You may object to processing based on legitimate interests (see Your rights).
  • Legal obligation (Art. 6(1)(c)) — to keep records we are required to retain and to respond to lawful requests.
  • Consent (Art. 6(1)(a)) — where we ask for it for a specific purpose; you can withdraw consent at any time.

5. Sub-processors and recipients

We share data with the following third parties to operate the platform. Those that process personal data on our behalf do so under data processing agreements; Paddle acts as an independent controller / merchant of record for payments and processes payment data under its own privacy terms.

Clerk — Authentication

Processes your email address, name, and authentication credentials to manage sign-in and sessions. Data is stored in Clerk's infrastructure. See Clerk's Privacy Policy.

Supabase — Database & Storage

Stores all application data: worlds, characters, stories, usage logs, preferences, and contact messages. Data is hosted in Supabase's managed PostgreSQL infrastructure. See Supabase's Privacy Policy.

Anthropic — AI Generation (Claude API)

When you use any AI feature (generating world bibles, story turns, characters, or extractions), the relevant content is sent to Anthropic's Claude API for processing. Anthropic processes this data under their API usage policies. By default, Anthropic does not use API inputs to train their models. See Anthropic's Privacy Policy.

Paddle — Payments (merchant of record)

When you purchase credits or a subscription, payment is processed by Paddle, which acts as the merchant of record and an independent controller for payment data. Paddle collects and processes the payment details you provide (such as card information and billing address) to complete the transaction; we do not receive or store your full card details. See Paddle's Privacy Policy.

Render — Backend Hosting

The backend API server is hosted on Render. Server logs and ephemeral request data pass through Render's infrastructure. See Render's Privacy Policy.

Vercel — Frontend Hosting & Analytics

The web application is hosted on Vercel, and we use Vercel's cookieless Analytics to measure aggregate traffic. Edge request logs and analytics data may be retained by Vercel for a limited period. See Vercel's Privacy Policy.

6. International data transfers

Some of our providers (including Anthropic, Clerk, Vercel, Render, and Paddle) process data outside the European Economic Area, such as in the United States or the United Kingdom. Where data is transferred outside the EEA, we rely on an appropriate safeguard recognised under the GDPR — typically an adequacy decision (for example, the UK adequacy decision), the EU Standard Contractual Clauses, or a provider's certification under the EU–US Data Privacy Framework. You can ask us for more detail about the safeguards that apply to a particular provider.

7. Data retention and what remains after deletion

Your account data and all associated content are retained for as long as your account exists. If you delete your account, the following data is deleted immediately:

  • All worlds, characters, and stories you own that are not publicly released
  • All story turns, character growth records, and experience logs tied to your worlds
  • Your credit transaction history (subject to records we must retain by law — see below)
  • Your preferences and account settings

The following records are not deleted but are anonymised by removing your user ID from them:

  • AI usage logs — retained indefinitely for cost accounting and abuse prevention, with your user ID replaced by a null value
  • Admin audit log entries — administrative actions taken against your account are retained for accountability; your user ID is replaced by a null value
  • Experience log entries on other users' worlds — contributions your characters made to stories in worlds you did not own are anonymised in place

The following content may be retained in full at our discretion:

  • Released worlds— worlds you have marked as “released” for other users to play in may be retained as orphaned public content with no owner attribution, so that ongoing stories in those worlds are not disrupted
  • Completed public stories — stories marked as public at the time of deletion may be retained with owner attribution removed

Contact messages are retained for up to 12 months. Server logs are typically retained for a short period (generally up to 30 days) by our hosting providers. Tax and transaction records relating to purchases are retained for the period required by law (under Hungarian accounting rules, generally up to 8 years); where Paddle is the merchant of record, Paddle holds the invoice records. Backup copies of all data may persist for an additional period consistent with our backup rotation schedule (generally up to 30 days). Retention for any of the above may be extended where required by law or for legitimate fraud-prevention purposes.

8. Your rights

Depending on your jurisdiction, you may have rights including:

  • Access to the personal data we hold about you
  • Correction of inaccurate data
  • Deletion of your account and associated data
  • Portability of your content (worlds, characters, stories) — contact us and we will provide an export
  • Objection to or restriction of certain processing, including processing based on our legitimate interests
  • Withdrawal of consent at any time, where processing is based on consent (this does not affect processing carried out before withdrawal)

To exercise any of these rights, email support@dystopia-engine.com. You also have the right to lodge a complaint with a data protection supervisory authority — in Hungary, the National Authority for Data Protection and Freedom of Information (NAIH, naih.hu), or the authority in your country of residence.

9. Security

We use industry-standard practices to protect your data: authentication tokens are short-lived JWTs validated server-side, database access uses service-role keys not exposed to the frontend, and all traffic is encrypted in transit via HTTPS. No system is perfectly secure; we cannot guarantee that your data will never be compromised, but we take reasonable precautions and will notify affected users and the relevant supervisory authority of a personal-data breach where required by law.

10. Children

The Service is not directed at children under 13. Where local law sets a higher age of digital consent (16 in Hungary and parts of the EU/EEA), users below that age may use the Service only with the consent of a parent or guardian, and any consent-based processing relies on that authorisation. We do not knowingly collect personal data from children in breach of these requirements. If you believe a child has provided us with personal data without the necessary consent, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be noted in the changelog and, where feasible, communicated to registered users by email. The “last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions or requests, contact: support@dystopia-engine.com