Logo
myDroid.chat
/ Privacy
EN | DE

Privacy Policy

Last updated: May 2026 · According to GDPR (EU) 2016/679 · Youth Protection Act

1. Controller

The controller in the sense of the GDPR is:

VividDroid Studio UG (haftungsbeschränkt)

Ibacher Mühle 146

42111 Wuppertal

Germany

E-Mail: privacy[at]mydroid.chat

2. What data we process

2.1 Registration & Account

Registration and login are exclusively via Google Sign-In (OAuth 2.0). We receive from Google: display name, email address, and profile picture URL. If a date of birth is stored in your Google account and you grant the relevant permission, Google transmits this date to us for automatic age verification (see 2.5). In this case, the date of birth is stored as an external provider datum — it is not visible in your profile and cannot be edited. We do not collect or store a password. In addition, we store the registration time and the selected subscription plan. This data is required for contract fulfillment (account access).

2.2 Chat and Game Content

Messages you send to Personas, as well as the generated responses, are stored in our database to provide the conversation history. Game sessions in story mode (rounds, statistics, inventory) are also stored.

2.3 Generated Media

When you generate images or voice outputs, the prompt used for this purpose as well as the returned media URL are stored in our database. Media may be stored in Google Cloud Storage (see section 4).

2.4 Technical Log Data

Our hosting provider automatically collects server logs (IP address, timestamp, requested URL, HTTP status code, amount of data transferred). This data is not linked to your user account and is used exclusively for operational security.

2.5 Age Verification

For access to age-restricted content, we carry out age verification in one of two ways:

a) Automatically via Google: If your Google account contains a date of birth, we calculate your age from it and store the date of birth as an external provider datum in your account. It is not visible in your profile and cannot be edited. Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment).

b) Manually via age form: You enter your date of birth. This is used exclusively for the one-time calculation of your age and is not subsequently stored. We only store a binary confirmation flag (age_verified) and the timestamp of the check.

Users under 16 cannot use the platform. Users between 16 and 18 can access all age-appropriate content; content with an 18+ rating remains blocked.

2.6 Session Cookies

We only use technically necessary session cookies to keep you logged in after login. These cookies do not contain any tracking information and do not require consent according to § 25 para. 2 no. 2 TTDSG.

4. Data Processors & Third Parties

We use the following external service providers. With each data processor, there is a data processing agreement in accordance with Art. 28 GDPR.

Google Sign-In (OAuth 2.0)

Authentication

Login is via Google OAuth 2.0. When you log in, Google transmits your display name, email address, and profile ID to our application. We store this data for account identification. Google processes the login data in accordance with its own privacy policy.

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland · Privacy Policy

Google Cloud Platform (Hosting)

Infrastructure

Our application is operated on Google Cloud Platform. On the infrastructure used there (servers, persistent block storage), profile data, chat logs, and application data are stored. Google processes this data exclusively on our behalf and according to our instructions. We have a Data Processing Addendum with Google (Google Cloud Data Processing Addendum).

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland · Data Processing Addendum

Google Cloud Storage (GCS)

Media Storage

Generated images and audio files can be stored in Google Cloud Storage to provide permanently accessible URLs. Only the media files are transferred, no personal profile information.

Google Ireland Ltd. (as above)

OpenRouter AI

AI Language Models

For the AI conversation, we forward your messages and the conversation context to OpenRouter, which provides access to various language models (e.g., Anthropic Claude, Mistral, Llama). OpenRouter stores requests according to its own privacy policy.

OpenRouter Inc., San Francisco, CA, USA · Privacy Policy

fal.ai

Image & Audio Generation

If you use the optional image or voice generation, your prompt (scene description) and, if applicable, your voice selection are transmitted to fal.ai. fal.ai states that it does not permanently store any inputs or use them for training its own models.

fal Inc., San Francisco, CA, USA · Privacy Policy

Brave Search

Web Context (optional)

When web search is enabled, interest keywords of your Droid persona are transmitted to the Brave Search API to enrich the conversation context with current thematic content. No personally identifiable data (name, email, account details) is shared with Brave. Search queries are cached server-side for up to 24 hours and then deleted.

Brave Software Inc., San Francisco, CA, USA · Privacy Policy

Providers in the USA: Data transfers are based on EU standard contractual clauses (Art. 46 para. 2 lit. c GDPR) and/or the EU-US Data Privacy Framework.

5. Storage Duration

Account Data Until account deletion; then deleted immediately
Chat Logs Until deletion by you or the account
Generated Media Until deletion by you or the account
Server Logs Max. 30 days, then automatically deleted
Session Cookies Session duration; are deleted on logout
Age Verification Flag Until account deletion — the date of birth itself is not stored

6. Your Rights

You have the following rights with respect to your personal data:

Access (Art. 15 GDPR)

What data we process about you.

Rectification (Art. 16 GDPR)

Correction of inaccurate data.

Erasure (Art. 17 GDPR)

Deletion of your account and all data via your user profile (profile page → "Delete account"). See step-by-step instructions.

Restriction (Art. 18 GDPR)

Restrict processing to what is necessary.

Data Portability (Art. 20 GDPR)

Export your data in a machine-readable format.

Objection (Art. 21 GDPR)

Object to processing based on legitimate interests.

Right to Complain

You have the right to complain to a data protection supervisory authority. The competent authority is that of the federal state in which you live or we have our registered office. A list of all authorities: bfdi.bund.de

To exercise your rights, please contact: poststelle@ldi.nrw.de

7. Data Security

We use technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Access data is stored encrypted. The transmission between your browser and our servers is exclusively via TLS (HTTPS).

8. Changes to this Policy

We reserve the right to update this privacy policy to adapt it to changed legal situations or service changes. The currently valid version is available at this URL. In case of significant changes, registered users will be informed by e-mail.

9. Contact for Data Protection Questions

If you have any questions about the processing of your personal data, please contact:

privacy[at]mydroid.chat/p>