1. Introduction
Aoru ("the Service"), operated by ONETOOL ("we", "us", "our"), is an AI-powered character chat and storytelling platform. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding your data. We are committed to complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
The Service is provided in English and is intended for an international audience aged 18 and older. We do not knowingly collect personal data from individuals under 18.
2. Information We Collect
2.1 Information You Provide
- Account data: Email address, password (hashed), display name, profile image, bio.
- Social login data: User ID and profile information from Discord, Google, X/Twitter, Twitch, or Steam when you sign in via those providers.
- Chat & conversation data: All messages you send in AI chats, group chats, direct messages, and community channels.
- User-generated content: Characters, stories, images, memory cartridges, comments, and other content you create.
- Payment data: When you make a purchase, your payment information is collected and processed directly by our third-party payment processor. We receive only transaction confirmations, subscription status, and a truncated card identifier. We do not receive or store your full credit card number.
- Support & reports: Messages sent through in-app support chat and content reports.
- Survey data: Acquisition channel, content preferences, and marketing consent (optional).
2.2 Information Collected Automatically
- Device & browser info: Browser type, device type, collected through push notification registration.
- Usage data: Pages visited, features used, interaction events, collected via Google Analytics 4.
- IP address: Used for rate limiting, security, and approximate geolocation.
2.3 AI-Derived Data
- Memory & context: AI systems extract facts, preferences, and relationship data from your conversations to maintain character memory (Memory Cartridges, Character Shards).
- Vector embeddings: Semantic representations of conversation content for search and memory retrieval.
- Affinity data: The Service tracks affinity levels between you and AI characters based on your interactions. This data is used to personalize character responses and behavior over time.
3. How We Use Your Information
- Provide the Service: Process your messages with AI models, maintain conversation history and character memory, serve your content.
- Authentication & security: Verify your identity, prevent fraud, enforce our Terms of Service, rate-limit requests.
- Safety & moderation: Detect and filter harmful content, enforce content policies. Authorized personnel may access conversation data for content moderation, safety enforcement, debugging, and service improvement purposes. We limit access to the minimum necessary and do not review conversations except when required for these purposes.
- Payment processing: Process transactions, manage subscriptions, and handle billing inquiries through third-party payment processors.
- Analytics: Understand usage patterns to improve the Service (via Google Analytics 4).
- Notifications: Send push notifications about account activity, new features, or support updates (with your consent).
4. Legal Basis for Processing (GDPR)
If you are in the EEA/UK, we process your data based on:
- Contract: To provide the Service you signed up for (account, chat, subscriptions).
- Consent: For marketing communications, optional analytics, and push notifications.
- Legitimate interests: For security, fraud prevention, service improvement, and content moderation.
- Legal obligation: For responding to lawful requests and reporting obligations (e.g., CSAM reporting to NCMEC).
5. AI Data Processing
When you chat with AI characters, your messages are sent to third-party AI providers for processing:
| Provider | Purpose |
|---|---|
| OpenRouter | Routes AI chat to various models (GPT, Claude, Gemini, etc.) |
| VoyageAI | Text embeddings for memory search |
| PixelLab | Pixel art image generation |
These providers process your data under their own privacy policies. We do not use your conversations to train our own AI models. The AI memory system (cartridges, shards, embeddings) stores conversation-derived data on our servers to maintain character continuity.
5A. Discord Bot ("Aoru AI Bot")
We operate a Discord bot that integrates with our platform. When you interact with the Aoru AI Bot, we collect and process the following data in addition to what is described above:
Data Collected via Discord
- Discord User ID & username: Used to identify your account and link it to your Aoru profile.
- Message content: We read messages you send in bot-activated threads to forward them to AI models for generating in-character responses. Messages are stored as conversation history for continuity.
- Server member status: We access server membership data to detect server boost status changes and provide boost-related rewards.
- Server & channel IDs: Used to manage active conversation sessions.
How Discord Data Is Used
- Message Content Intent: Required to read user messages in conversation threads and pass them to AI models. Without reading message content, the bot cannot function as an AI chat service. Messages are only processed in threads where the bot is actively engaged.
- Server Members Intent: Used solely to detect when a user starts or stops boosting the support server, enabling us to grant or revoke daily message bonus rewards.
Discord Data Retention
- Conversation data is retained until the user deletes the conversation or requests deletion of their account.
- Discord User IDs are retained as long as the linked Aoru account exists.
- You may request deletion of your data at any time by contacting us through our Discord community or by emailing appeal@aoru.app.
5B. Payment Data
Payment transactions are processed by third-party payment processors that are PCI DSS compliant. These processors handle your payment data (card number, expiration, CVV, billing address) directly on their secure servers. We never receive or store your full payment card details.
We receive from our payment processor:
- Transaction confirmation (success/failure)
- Subscription status and billing dates
- Truncated card identifier (last 4 digits)
- Transaction amounts
6. Third-Party Services
We share data with the following categories of third parties:
| Category | Providers | Data Shared |
|---|---|---|
| Payment Processing | Third-party processor (disclosed at checkout) | Payment card info (processed directly by processor) |
| AI Processing | OpenRouter, VoyageAI, PixelLab | Chat messages, prompts, images |
| Authentication | Discord, Google, X, Twitch, Steam | OAuth tokens, profile info |
| Analytics | Google Analytics 4 | Usage events, page views |
| Storage | Railway | Uploaded images, files, conversation data |
We do not sell your personal information to third parties.
7. International Data Transfers
Your data may be transferred to and processed in countries outside your own, including the United States. Where required, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection of your data.
8. Cookies & Tracking
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication (JWT token) | 7 days |
| oauth_state | CSRF protection during social login | 10 minutes |
Google Analytics 4 may set additional cookies for analytics purposes.
9. Data Retention & Deletion
- Account data is retained as long as your account is active.
- Chat history, AI memory data, and affinity data are retained until you delete them or request deletion of your account.
- Payment records are retained for the period required by applicable tax and financial regulations.
- Upon account deletion, we remove your personal data within 30 days, except where retention is required by law.
- Anonymized or aggregated data may be retained indefinitely for analytics.
10. Data Security
We implement appropriate technical measures to protect your data:
- AES-256-GCM encryption for sensitive data at rest.
- bcrypt hashing for passwords.
- HTTPS/TLS for all data in transit.
- HttpOnly, Secure, SameSite cookies for session management.
- Rate limiting and IP-based access controls.
11. Your Rights
EEA/UK Residents (GDPR)
You have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict processing.
- Data portability — receive your data in a structured format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time.
- Lodge a complaint with your local data protection authority.
California Residents (CCPA/CPRA)
You have the right to:
- Know what personal information we collect and how it is used.
- Delete your personal information.
- Opt out of the sale or sharing of personal information. We do not sell your personal information.
- Non-discrimination for exercising your rights.
All Users
Regardless of your location, you may:
- Request to delete your account and associated data through support.
- Request a copy of your data by contacting us.
- Opt out of marketing communications at any time.
12. Age Requirement
The Service is intended for users aged 18 and older. We do not knowingly collect or process personal data from individuals under 18. If we become aware that we have collected data from an individual under 18, we will promptly delete that data and terminate the associated account.
13. Content Moderation & Reporting
To maintain platform safety, we employ automated content detection systems (including CSAM detection) and human review processes. If illegal content is detected or reported, we may:
- Immediately terminate the associated account.
- Preserve relevant data as required by law.
- Report to relevant authorities, including NCMEC (for CSAM) and applicable law enforcement agencies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the Service or via email. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
15. Contact Us
For privacy-related inquiries, data requests, or complaints:
- Email: appeal@aoru.app
- In-app support chat
- Discord: discord.gg/aoru
EEA/UK residents may also contact their local supervisory authority.
