1. Overview
onsoul.ai ("we", "us", "Platform") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.
By using onsoul.ai, you consent to the practices described in this policy. If you do not agree, please do not use the Platform.
The data controller for your personal data is OUTSI SP. Z O.O., Kartuska 2, 83-334 Miechucino, Poland (KRS: 0000935494, NIP: 5892069190).
2. Data We Collect
2.1 Information You Provide
- Account data: Name, email address, date of birth (required for age verification).
- Payment data: Processed directly by our payment provider. We do not store credit card numbers, CVVs, or full payment details on our servers. We retain transaction IDs and billing history for record-keeping.
- Content you create: Characters, character settings, uploaded images, and associated metadata.
- Communications: Messages you send to our support team.
- Creator verification data (KYC): If you participate in the Creator Program and request a payout, we collect identity-verification documents and data required by anti-money-laundering and tax-reporting laws. This includes a government-issued photo ID, a selfie holding the ID, a proof of address (utility bill, bank statement, or equivalent), declared legal name and residential address, declared tax residency and tax identification number, and a signed content-ownership and model-release attestation. These documents and the data they contain are collected only from creators and only at the moment they request their first payout. They are never collected from regular users. See Section 4 of the Creator Agreement for the full verification flow.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, session duration, interaction patterns.
- Device data: Browser type, operating system, device type, screen resolution.
- IP address: Used for security, fraud prevention, and approximate geolocation (country-level).
- Cookies: Essential cookies for authentication and session management. See Section 8 for details.
2.3 Information We Do NOT Collect
- Automated biometric templates or face-recognition data (fingerprints, voiceprints, or algorithmic face embeddings). The selfie submitted during creator KYC is reviewed visually by a human compliance officer and is not used to generate or store any biometric template.
- Health or medical data.
- Precise geolocation (GPS coordinates).
- Data from third-party social media accounts beyond the OAuth profile.
3. Chat Data & Conversations
Your conversations with AI characters are stored to provide continuity across sessions (chat history, memory features).
How we handle chat data:
- Chat content is sent to our AI provider (Anthropic / third-party LLM providers) for generating responses. These providers process the data according to their own privacy policies and data processing agreements.
- We may use anonymized, aggregated conversation data to improve our AI models and Platform features. Individual conversations are never linked to specific users for this purpose.
- We do not sell chat data to third parties.
- We do not read individual conversations unless required for safety enforcement (e.g., responding to a report of prohibited content or detecting CSAM).
4. How We Use Your Data
- Providing the Service: Account management, chat functionality, character creation, payment processing, creator payouts.
- Safety & moderation: Detecting and preventing prohibited content (CSAM, non-consensual imagery, impersonation), enforcing Terms of Use, automated content scanning.
- Improving the Platform: Analytics, usage patterns, feature development, bug fixes.
- Communication: Service updates, security alerts, billing notifications. We do not send marketing emails without your explicit consent.
- Legal compliance: Responding to legal requests, enforcing our Terms, protecting our rights.
5. Data Sharing & Third Parties
We share your data only in the following circumstances:
- AI providers: Chat messages are sent to LLM providers for response generation. No personal account data is included in these requests.
- Payment processor: Transaction data is shared with our payment provider to process payments and payouts.
- Content moderation services: Uploaded images may be scanned by third-party moderation APIs for prohibited content detection.
- Creator KYC documents: Creator verification documents are reviewed internally by our compliance team and are not shared with third parties, except when disclosure is required by law, court order, or to respond to a legal request from a tax authority or financial regulator.
- Law enforcement: We will disclose data when required by law, court order, or to report illegal content (CSAM, NCII) to NCMEC or relevant authorities.
- Business transfers: In the event of a merger, acquisition, or sale, user data may be transferred as part of the transaction. You will be notified in advance.
We do not sell your personal data to advertisers or data brokers.
6. Data Retention
- Account data: Retained for as long as your account is active. Deleted within 30 days of an account deletion request.
- Chat history: Retained for as long as your account is active. You can delete individual conversations at any time.
- Payment records: Retained for 7 years for tax and legal compliance.
- Creator KYC documents and verification data: Retained for as long as the creator remains active on the Platform, plus an additional period required by applicable anti-money-laundering and tax-reporting laws (typically 5 to 7 years after the last payout). Documents are stored encrypted and access is restricted to named compliance personnel. After the retention period expires, KYC documents are permanently deleted.
- Content moderation logs: Retained for 1 year for safety enforcement.
- Anonymous analytics: Retained indefinitely in aggregated, non-identifiable form.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
7.1 All Users
- Access: Request a copy of the personal data we hold about you.
- Deletion: Request deletion of your account and associated data.
- Correction: Update or correct inaccurate personal information.
- Data portability: Request your data in a machine-readable format.
7.2 EU/EEA Users (GDPR)
- Right to restrict processing.
- Right to object to processing based on legitimate interests.
- Right to withdraw consent at any time.
- Right to lodge a complaint with your local supervisory authority.
Legal basis for processing: contract performance (providing the Service), legitimate interests (security, fraud prevention), legal obligation (tax records, law enforcement), and consent (marketing communications).
7.3 California Users (CCPA/CPRA)
- Right to know what personal information is collected and how it is used.
- Right to delete personal information.
- Right to opt out of the sale of personal information. Note: we do not sell personal information.
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, contact us at privacy@onsoul.ai. We will respond within 30 days.
8. Cookies
We use the following types of cookies:
- Essential cookies: Required for authentication, session management, and security. Cannot be disabled.
- Analytics cookies: Help us understand how users interact with the Platform. Can be disabled via browser settings.
We do not use advertising cookies or third-party tracking cookies.
9. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest.
- Regular security reviews and updates.
- Access controls limiting employee access to personal data on a need-to-know basis.
No system is 100% secure. In the event of a data breach affecting your personal information, we will notify you and the relevant authorities as required by law within 72 hours of discovery.
10. Children's Privacy
onsoul.ai is not intended for anyone under 18 years of age. We do not knowingly collect personal information from minors. If we discover that we have collected data from a user under 18, we will delete the account and all associated data immediately.
If you believe a minor is using our Platform, please report it to safety@onsoul.ai.
11. International Data Transfers
Your data may be processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required by GDPR.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.