Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data is Astral Prism Srls, a company incorporated under Italian law, with registered office at Piazza Roma 5, 00015 Monterotondo (RM), Italy, VAT/Tax Code (PIVA/CF) 18380411001, REA RM-1781416.

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, you may contact us at: [email protected].

Astral Prism Srls is the sole controller for all personal data processing activities described in this Privacy Policy, unless otherwise specified.

2. Data We Collect

We collect personal data in the following categories:

Data You Provide Directly

When you create an account, we collect your email address, name, first name, last name, country, locale preference, and avatar URL. If you register or sign in via Google OAuth, we also receive your Google account identifier. When you set up a billing profile, we collect your full name, billing address, country, and optionally your codice fiscale (Italian tax identification number) and PEC (certified email address). During gameplay, we collect the text inputs you submit to the game, which form part of your game session data.

Data Collected Automatically

When you use Narraxion, we automatically collect certain technical and usage data, including your device information, IP address, browser or app version, and session duration. We collect this data through our error monitoring service (Sentry) and through cookies and similar technologies. We also collect gameplay analytics, including total interactions, playtime, completion rate, coherence scores, and per-interaction metrics such as execution time, processing cost, and retry count.

Data from Game Sessions

During gameplay, we generate and store game session data including AI-generated narrative responses, audio URLs for text-to-speech output, game status indicators, and interaction summaries. This data is created as part of the service you use and is associated with your account.

Data from Third Parties

If you choose to authenticate via Google OAuth, we receive your basic profile information (name, email address, profile picture URL, and Google account identifier) from Google. We do not receive your Google password.

Feedback Data

When you respond to feedback forms (in-game or via email links), we collect your answers, the timestamp, and the associated game session if applicable. Feedback forms may include free text responses, multiple choice selections, and numeric ratings.

3. Purposes and Legal Bases

We process your personal data for the following purposes, each supported by a legal basis under Article 6 of the General Data Protection Regulation (GDPR):

Service Provision and Account Management. We process your account data (email, name, locale, avatar, Google ID) and gameplay data (sessions, inputs, AI responses, audio) to provide the Narraxion game service, maintain your account, save your progress, and deliver the core gameplay experience. Legal basis: Article 6(1)(b) — processing is necessary for the performance of a contract to which you are a party.

AI Narrative Generation. We process your in-game text inputs and game session context by transmitting pseudonymized game messages to AI providers to generate narrative responses, character dialogue, and story content. Legal basis: Article 6(1)(b) — processing is necessary for the performance of a contract, as AI-generated narratives are the core function of the service.

Payment Processing and Billing. We process your billing profile data (full name, address, country, codice fiscale, PEC) and transmit payment information to our payment processor to handle transactions, generate invoices, and comply with fiscal obligations. Legal basis: Article 6(1)(b) — processing is necessary for the performance of a contract; and Article 6(1)(c) — processing is necessary for compliance with legal obligations under Italian fiscal law.

Analytics and Service Improvement. We process usage analytics (total interactions, playtime, completion rate, coherence scores, per-interaction metrics) and data collected via Google Analytics to understand how users interact with the service, identify issues, and improve the gameplay experience. Legal basis: Article 6(1)(f) — processing is necessary for the purposes of our legitimate interest in improving and optimizing the service. You may object to this processing at any time.

Security, Fraud Prevention, and Error Monitoring. We process technical data (device information, IP address, browser/app version, session duration) through Sentry to detect errors, prevent fraud, ensure the security of our systems, and maintain service reliability. Legal basis: Article 6(1)(f) — processing is necessary for the purposes of our legitimate interest in maintaining the security and integrity of the service.

Marketing Communications. Where you have given your explicit consent, we may process your email address and name to send you marketing communications about Narraxion updates, new features, or promotional offers. Legal basis: Article 6(1)(a) — you have given consent to the processing. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Authentication. We process data received from Google OAuth (Google ID, email, name, avatar URL) to verify your identity and enable secure sign-in. Legal basis: Article 6(1)(b) — processing is necessary for the performance of a contract.

Feedback Collection and Product Improvement. We may contact you via the email address associated with your account to request your feedback on the service through surveys and feedback forms. We also collect your responses to in-game feedback prompts (triggered at specific gameplay milestones) and feedback forms accessible via direct links. Feedback responses are stored alongside your user identifier and, if submitted during a game session, the session context. We use this data to improve the service, identify issues, and enhance the gameplay experience. Legal basis: Article 6(1)(f) — legitimate interest in improving our service and understanding user needs. You may opt out of feedback emails at any time by contacting us at [email protected].

4. How AI Works in the Game

Narraxion is an AI-powered text-based RPG. The core gameplay experience relies on artificial intelligence to generate narrative content, including story progression, character dialogue, scene descriptions, and game events. We believe it is important for you to understand exactly how your data interacts with AI systems.

When you play Narraxion, the text inputs you submit during a game session — such as character actions, dialogue choices, and commands — are sent to third-party AI providers (currently OpenAI, Anthropic, and DeepSeek) for narrative generation. However, these messages are pseudonymized before transmission. This means that no personally identifiable information — including your name, email address, account identifier, or any other data that could identify you — is sent to the AI providers. The AI providers receive only the game narrative context necessary to generate a coherent response.

The AI providers act strictly as data processors under contractual agreements with Astral Prism Srls. They process the pseudonymized game messages solely for the purpose of generating narrative responses and are contractually prohibited from using this data for any other purpose.

Your data is not used to train any AI models. We have contractual and technical safeguards in place to ensure that neither the game messages you submit nor the AI-generated responses are used by any AI provider to train, fine-tune, or improve their models.

In addition to text generation, we use ElevenLabs for text-to-speech synthesis (converting AI-generated narrative text into audio) and Runware for AI-generated character portrait images. These services also receive only the content necessary to perform their function and do not receive any personally identifiable information.

All AI-generated content in Narraxion — including narrative text, character dialogue, audio narration, and character portraits — is clearly the product of artificial intelligence. By using the service, you acknowledge and understand that the game narratives are AI-generated.

5. Sharing with Third Parties

We do not sell, rent, or trade your personal data to any third party. We share personal data only with the categories of recipients described below, and only to the extent necessary for the stated purposes.

The following third-party service providers act as data processors on our behalf under appropriate contractual agreements:

Stripe (United States) — receives payment and billing information for the purpose of processing payments and managing transactions.

Amazon Web Services S3 (European Union, Frankfurt region) — receives and stores media files, including AI-generated images and audio files, for the purpose of content delivery and storage.

OpenAI (United States) — receives pseudonymized game messages (narrative context only, no personal identifiers) for the purpose of AI narrative generation.

Anthropic (United States) — receives pseudonymized game messages (narrative context only, no personal identifiers) for the purpose of AI narrative generation.

DeepSeek (China) — receives pseudonymized game messages (narrative context only, no personal identifiers) for the purpose of AI narrative generation.

ElevenLabs (United States) — receives AI-generated narrative text for the purpose of text-to-speech audio synthesis.

Runware (United States) — receives character description prompts for the purpose of AI image generation for character portraits.

Sentry (United States) — receives technical data including device information, IP address, browser/app version, and error logs for the purpose of error monitoring and crash reporting.

Google Analytics via Google Tag Manager (United States) — receives usage data and anonymized interaction data for the purpose of analytics and service improvement.

Google OAuth (United States) — facilitates authentication by providing basic profile information (name, email, avatar) upon your authorization.

Astral Prism Invoicing (Italy) — receives billing profile data (name, address, codice fiscale, PEC) for the purpose of invoice generation and fiscal compliance.

We may also disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

6. International Data Transfers

Astral Prism Srls is based in Italy, within the European Economic Area (EEA). Some of the third-party service providers we use are located outside the EEA, specifically in the United States and China. When your personal data is transferred to countries outside the EEA that have not been deemed to provide an adequate level of data protection by the European Commission, we ensure that appropriate safeguards are in place to protect your data.

For transfers to the United States (Stripe, OpenAI, Anthropic, ElevenLabs, Runware, Sentry, Google Analytics, Google OAuth), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Decision 2021/914 of 4 June 2021, as supplemented by additional technical and organizational measures where necessary. Where applicable, we also take into account the EU-US Data Privacy Framework adequacy decision.

For transfers to China (DeepSeek), we rely on Standard Contractual Clauses (SCCs) pursuant to EU Commission Decision 2021/914, supplemented by a transfer impact assessment and additional safeguards including the pseudonymization of all data transmitted, ensuring that no personally identifiable information reaches DeepSeek servers.

For data stored within the EU (AWS S3, Frankfurt region), no international transfer mechanisms are required as the data remains within the EEA.

You may request a copy of the relevant Standard Contractual Clauses or further information about international transfers by contacting us at [email protected].

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods are as follows:

Account Data (email, name, locale, avatar, Google ID): retained for the duration of your active account, plus 30 days following account deletion to allow for account recovery and to complete any pending processes.

Gameplay Data (game sessions, player inputs, AI responses, audio URLs, game status, interaction summaries): retained for the duration of your active account, plus 30 days following account deletion. After this period, gameplay data is permanently deleted.

Analytics Data (total interactions, playtime, completion rate, coherence scores, per-interaction metrics): retained for a maximum of 26 months from the date of collection, after which it is automatically deleted or anonymized.

Billing and Financial Records (billing profile, invoices, transaction records): retained for 10 years from the date of the relevant transaction, as required by Italian fiscal law (Article 2220 of the Italian Civil Code and applicable tax regulations).

Error Logs and Crash Reports (Sentry): retained for 90 days from the date of collection, after which they are automatically purged.

Cookies: retention periods vary by cookie type and are detailed in our separate Cookie Policy.

When the applicable retention period expires, personal data is securely deleted or irreversibly anonymized. Data that must be retained for legal obligations beyond the standard retention period is stored in restricted-access systems, accessible only to authorized personnel for the specific legal purpose.

8. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

Right of Access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the personal data and receive information about how it is processed.

Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data concerning you and to have incomplete personal data completed.

Right to Erasure (Article 17): You have the right to request the deletion of your personal data when, among other circumstances, the data is no longer necessary for the purposes for which it was collected, you withdraw your consent, or the data has been unlawfully processed.

Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful but you oppose deletion.

Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance, where the processing is based on consent or a contract and is carried out by automated means.

Right to Object (Article 21): You have the right to object at any time to the processing of your personal data based on legitimate interests, including processing for analytics purposes. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Withdraw Consent (Article 7): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please send a request to [email protected]. We will respond to your request within 30 days of receipt. In exceptional circumstances, this period may be extended by a further 60 days, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period. We may ask you to verify your identity before processing your request.

If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00187 Roma, Italy, website: www.garanteprivacy.it.

9. Account Deletion

You may request the deletion of your Narraxion account at any time through the self-service account deletion feature available within the app settings.

Upon initiating account deletion, the following process applies:

All personal account data — including your email address, name, locale, avatar, and Google ID — will be permanently deleted within 30 days of the deletion request.

All gameplay data — including game sessions, player inputs, AI-generated responses, audio files, and interaction summaries — will be permanently and irreversibly deleted within the same 30-day period.

Analytics data associated with your account will be anonymized so that it can no longer be linked to you.

Billing and financial records that must be retained under Italian fiscal law will not be deleted but will be moved to restricted-access storage. These records are accessible only to authorized personnel for the sole purpose of legal and fiscal compliance and will be retained for the period required by law (10 years), after which they will be permanently deleted.

Once the 30-day deletion period has elapsed, account recovery is no longer possible. We recommend that you export any data you wish to keep before initiating the deletion process.

10. Cookies and Tracking

Narraxion uses cookies and similar tracking technologies on its website and landing pages. We use the following categories of cookies:

Essential Cookies: These cookies are strictly necessary for the operation of the service. They include session cookies, authentication tokens, and locale preference cookies. These cookies cannot be disabled as they are required for the service to function. No consent is required for essential cookies under applicable law.

Analytics Cookies: We use Google Analytics, implemented via Google Tag Manager, to collect anonymized usage statistics about how visitors interact with our website. These cookies are placed only after you have provided your consent through our cookie consent mechanism.

For comprehensive information about the specific cookies we use, their purposes, durations, and how to manage your cookie preferences, please refer to our separate Cookie Policy, accessible from the website footer and cookie consent banner.

11. Minors

Narraxion is designed for and directed exclusively at users who are 18 years of age or older. The service contains AI-generated narrative content that may include mature themes, and is not intended for children or minors.

We do not knowingly collect, use, or disclose personal data from anyone under the age of 18. We do not knowingly allow anyone under 18 to create an account or use the service.

If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will take immediate steps to terminate the associated account and permanently delete all personal data collected from that individual. If you believe that we may have collected information from a minor, please contact us immediately at [email protected] so that we can investigate and take appropriate action.

12. Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

Technical Measures: All data transmitted between your device and our servers is encrypted in transit using Transport Layer Security (TLS) version 1.2 or higher. Personal data stored on our servers and in cloud storage is encrypted at rest. Access to databases and storage systems is protected by strong authentication controls, network segmentation, and firewall rules. We conduct regular security reviews of our infrastructure and application code.

Organizational Measures: Access to personal data is restricted on a strict need-to-know basis. Only authorized personnel whose roles require access to specific categories of personal data are granted such access. Personnel with access to personal data receive training on data protection obligations and security best practices.

Despite our efforts, no method of electronic transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with Articles 33 and 34 of the GDPR.

13. Regional Provisions

In addition to the rights described elsewhere in this Privacy Policy, the following provisions apply to residents of specific jurisdictions:

California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information. The categories of personal information we collect are described in Section 2 of this Privacy Policy and include identifiers (name, email, IP address), commercial information (billing data, transaction records), internet or other electronic network activity information (gameplay data, analytics, device information), and inferences drawn from the above (gameplay analytics and scores).

You have the right to know what personal information we collect, use, disclose, and sell. You have the right to request deletion of your personal information. You have the right to correct inaccurate personal information. You have the right to opt out of the sale or sharing of your personal information. We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising purposes. You have the right to non-discrimination for exercising your privacy rights. To exercise any of these rights, please contact us at [email protected].

United Kingdom Residents

If you are a resident of the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to our processing of your personal data. Your rights under the UK GDPR are substantially the same as those described in Section 8 of this Privacy Policy. International transfers of your personal data from the UK are protected by Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO) or by the UK's international data transfer agreement. If you wish to lodge a complaint about our processing of your personal data, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

Brazilian Residents (LGPD)

If you are a resident of Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with rights regarding your personal data, including the right to confirmation of processing, access to your data, correction of incomplete or inaccurate data, anonymization, blocking, or deletion of unnecessary or excessive data, data portability, deletion of data processed with consent, information about third parties with whom data is shared, information about the possibility of denying consent and its consequences, and revocation of consent. To exercise any of these rights, please contact us at [email protected]. If you wish to file a complaint, you may contact the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.

14. EU AI Act Compliance

Narraxion uses artificial intelligence systems for entertainment narrative generation. Under Regulation (EU) 2024/1689 (the EU AI Act), the AI systems used in Narraxion are classified as minimal risk, as they are used solely for creative and entertainment purposes and do not fall within the categories of unacceptable, high, or limited risk AI systems as defined by the regulation.

In the interest of transparency, we provide the following information about our use of AI:

All game narratives, character dialogue, scene descriptions, and story content presented within Narraxion are generated by artificial intelligence. Users are informed of this upon registration and throughout the gameplay experience.

AI-generated audio narration (text-to-speech) and character portrait images are also produced by AI systems, and are presented as such.

We do not use AI systems for profiling users, generating risk scores, making automated decisions that produce legal or similarly significant effects, real-time biometric identification, or any other purpose that would constitute a higher-risk application under the EU AI Act.

The AI systems are used exclusively to enhance the entertainment experience by generating dynamic, responsive game content based on pseudonymized gameplay context. Human oversight is maintained through our content guardrail systems, which filter and moderate AI-generated content before it is presented to users.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

For material changes — meaning changes that significantly affect the way we collect, use, or share your personal data, or that materially reduce your rights — we will provide you with at least 30 days advance notice before the changes take effect. This notice will be sent to the email address associated with your account.

For non-material changes, such as minor wording clarifications or formatting adjustments, we may update this Privacy Policy without prior notice. The date of the most recent revision will always be indicated at the top of this page.

Your continued use of Narraxion after the effective date of any changes to this Privacy Policy constitutes your acceptance of those changes. If you do not agree with the revised Privacy Policy, you should stop using the service and delete your account.

16. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

Astral Prism Srls Piazza Roma 5, 00015 Monterotondo (RM), Italy

VAT/Tax Code (PIVA/CF): 18380411001 REA: RM-1781416

Email: [email protected]

We will make every effort to respond to your inquiry promptly and in accordance with applicable data protection law.