Privacy Policy
Last updated: May 2026 · According to GDPR (EU) 2016/679 · Youth Protection Act
1. Controller
The controller in the sense of the GDPR is:
VividDroid Studio UG (haftungsbeschränkt)
Ibacher Mühle 146
42111 Wuppertal
Germany
E-Mail: privacy[at]mydroid.chat
2. What data we process
2.1 Registration & Account
Registration and login are exclusively via Google Sign-In (OAuth 2.0). We receive from Google: display name, email address, and profile picture URL. If a date of birth is stored in your Google account and you grant the relevant permission, Google transmits this date to us for automatic age verification (see 2.5). In this case, the date of birth is stored as an external provider datum — it is not visible in your profile and cannot be edited. We do not collect or store a password. In addition, we store the registration time and the selected subscription plan. This data is required for contract fulfillment (account access).
2.2 Chat and Game Content
Messages you send to Personas, as well as the generated responses, are stored in our database to provide the conversation history. Game sessions in story mode (rounds, statistics, inventory) are also stored.
2.3 Generated Media
When you generate images or voice outputs, the prompt used for this purpose as well as the returned media URL are stored in our database. Media may be stored in Google Cloud Storage (see section 4).
2.4 Technical Log Data
Our hosting provider automatically collects server logs (IP address, timestamp, requested URL, HTTP status code, amount of data transferred). This data is not linked to your user account and is used exclusively for operational security.
2.5 Age Verification
For access to age-restricted content, we carry out age verification in one of two ways:
a) Automatically via Google: If your Google account contains a date of birth, we calculate your age from it and store the date of birth as an external provider datum in your account. It is not visible in your profile and cannot be edited. Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment).
b) Manually via age form: You enter your date of birth. This is used exclusively for the one-time calculation of your age and is not subsequently stored. We only store a binary confirmation flag (age_verified) and the timestamp of the check.
Users under 16 cannot use the platform. Users between 16 and 18 can access all age-appropriate content; content with an 18+ rating remains blocked.
2.6 Session Cookies
We only use technically necessary session cookies to keep you logged in after login. These cookies do not contain any tracking information and do not require consent according to § 25 para. 2 no. 2 TTDSG.
3. Legal Basis
4. Data Processors & Third Parties
We use the following external service providers. With each data processor, there is a data processing agreement in accordance with Art. 28 GDPR.
Google Sign-In (OAuth 2.0)
Authentication: Login is via Google OAuth 2.0. When you log in, Google transmits your display name, email address, and profile ID to our application. We store this data for account identification. Google processes the login data in accordance with its own privacy policy.
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland · Privacy Policy
Google Cloud Platform (Hosting)
Infrastructure: Our application is operated on Google Cloud Platform. On the infrastructure used there (servers, persistent block storage), profile data, chat logs, and application data are stored. Google processes this data exclusively on our behalf and according to our instructions. We have a Data Processing Addendum with Google (Google Cloud Data Processing Addendum).
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland · Data Processing Addendum
Google Cloud Storage (GCS)
Media Storage: Generated images and audio files can be stored in Google Cloud Storage to provide permanently accessible URLs. Only the media files are transferred, no personal profile information.
Google Ireland Ltd. (as above)
OpenRouter AI
AI Language Models: For the AI conversation, we forward your messages and the conversation context to OpenRouter, which provides access to various language models (e.g., Anthropic Claude, Mistral, Llama). OpenRouter stores requests according to its own privacy policy.
OpenRouter Inc., San Francisco, CA, USA · Privacy Policy
fal.ai
Image & Audio Generation: If you use the optional image or voice generation, your prompt (scene description) and, if applicable, your voice selection are transmitted to fal.ai. fal.ai states that it does not permanently store any inputs or use them for training its own models.
fal Inc., San Francisco, CA, USA · Privacy Policy
Brave Search
Web Context (optional): When web search is enabled, interest keywords of your Droid persona are transmitted to the Brave Search API to enrich the conversation context with current thematic content. No personally identifiable data (name, email, account details) is shared with Brave. Search queries are cached server-side for up to 24 hours and then deleted.
Brave Software Inc., San Francisco, CA, USA · Privacy Policy
Providers in the USA: Data transfers are based on EU standard contractual clauses (Art. 46 para. 2 lit. c GDPR) and/or the EU-US Data Privacy Framework.
5. Storage Duration
6. Your Rights
You have the following rights with respect to your personal data:
Access (Art. 15 GDPR)
What data we process about you.
Rectification (Art. 16 GDPR)
Correction of inaccurate data.
Erasure (Art. 17 GDPR)
Deletion of your account and all data via your user profile (profile page → "Delete account"). See step-by-step instructions.
Restriction (Art. 18 GDPR)
Restrict processing to what is necessary.
Data Portability (Art. 20 GDPR)
Export your data in a machine-readable format.
Objection (Art. 21 GDPR)
Object to processing based on legitimate interests.
Right to Complain
You have the right to complain to a data protection supervisory authority. The competent authority is that of the federal state in which you live or we have our registered office. A list of all authorities: bfdi.bund.de
To exercise your rights, please contact: poststelle@ldi.nrw.de
7. Data Security
We use technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Access data is stored encrypted. The transmission between your browser and our servers is exclusively via TLS (HTTPS).
8. Changes to this Policy
We reserve the right to update this privacy policy to adapt it to changed legal situations or service changes. The currently valid version is available at this URL. In case of significant changes, registered users will be informed by e-mail.
9. Contact for Data Protection Questions
If you have any questions about the processing of your personal data, please contact:
privacy[at]mydroid.chat