Privacy Policy
At-a-Glance (summary)
Mythoria asks only for the minimum data needed to open an account (name, e-mail and phone) and to craft personalised stories from the prompts you supply.
All content is stored in EU-based Google Cloud data centres; story prompts are relayed to OpenAI's Enterprise API, which keeps them for ≤ 30 days solely to detect abuse and never uses them to train public models unless you opt in. You may delete your account at any time and, except for legal archives (e.g. invoices), your personal data disappear from active systems within 30 days.
Below you can read all mandatory GDPR disclosures, children's-privacy rules (Portuguese digital age of consent 13 years), cookie details and your rights.
1. Who we are
Controller
Aventuras Contemporâneas, Lda.
Rua Cais do Lugan, nº 224, 2.º Direito, 4400-492 Vila Nova de Gaia, Portugal
E-mail (general): geral@mythoria.pt
Privacy enquiries / exercise of rights: privacy@mythoria.pt
Data-Protection Officer: dpo@mythoria.pt (Art. 37 GDPR)
Supervisory authority
Comissão Nacional de Proteção de Dados (CNPD) – Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, geral@cnpd.pt
2. Scope of this Policy
This notice applies to mythoria.pt and any mobile or desktop apps branded "Mythoria". It does not cover external links that have their own privacy terms.
3. What data we collect
Category | Examples | Source |
---|---|---|
Account data | Name, e-mail, mobile phone | User provides |
Story inputs | Text prompts, character names, images you upload | User provides |
Generated content | The stories/books our AI returns to you | Created by service |
Usage logs & telemetry | IP address, browser type, device ID, timestamps | Collected automatically |
Cookies / local-storage | see § 7 | Browser |
We ask you not to include special-category data (health, biometrics, political views, etc.). If you enter third-party personal data, you confirm you have a lawful basis to do so (Art. 14 GDPR).
4. Why we process your data & legal bases
Purpose | Data | Legal basis (Art. 6 GDPR) |
---|---|---|
Create & deliver personalised stories | Account data, story inputs, generated content | Contract – to provide the service you requested |
Account administration & security | Account data, logs | Legitimate interest in running a safe service (recital 47) |
Abuse prevention & spam filtering | Story inputs briefly analysed by OpenAI | Legitimate interest |
Analytics & product improvement | Usage logs, aggregated cookie data | Consent via cookie banner (§ 7) |
Legal compliance & invoicing | Account data, payments (if any) | Legal obligation (tax law) |
OpenAI and Google act as processors under Art. 28 GDPR; details in § 5.
5. AI & Cloud disclosure
OpenAI Enterprise API
Story prompts and outputs transit to OpenAI's EU endpoint. They are stored for a maximum of 30 days to detect abuse and are not used to train OpenAI models by default.
Google Cloud
All databases and file storage sit in the europe multi-region. Google relies on the Commission's Standard Contractual Clauses for any transfer outside the EEA.
No other third party receives identifiable data unless you explicitly integrate optional services (e.g. payment, mailing list), in which case those processors will be listed here before activation.
6. Children's privacy
Portugal fixed the digital age of consent at 13: if a user is younger, a parent or guardian must authorise the processing (Lei 58/2019, art. 16). Mythoria's stories may target children, but accounts must be created by someone 13+ and, where required, with parental consent.
7. Cookies & similar technologies
Cookie / storage key | Purpose | Expiry | Consent needed? |
---|---|---|---|
myth_session | Keep you logged in | Session | No (strictly necessary) |
__Secure-next-auth.session-token | Authenticate API calls | 1 day | No |
_ga, _gid (Google Analytics) | Aggregate usage stats | 13 months / 24 h | Yes |
cookie_consent | Remember your preferences | 6 months | No |
The banner shown on first visit follows EDPB Consent Guidelines 05/2020 and the Cookie-Banner Task-force report (pre-ticked boxes are disabled, reject button is first-layer).
8. How long we keep your data
Data set | Retention rule |
---|---|
Active account data | While account is active + 30 days, then deleted or anonymised |
Story prompts & outputs in OpenAI | ≤ 30 days (processor) |
Server logs | 90 days for security audits |
Back-ups | Encrypted, rolling 30-day cycle |
Financial/Invoice records | 10 years (Decreto-Lei 28/2019) |
9. Security measures
We implement ISO 27001-aligned controls: encryption in transit (TLS 1.3) and at rest (AES-256), least-privilege access, MFA for staff, automated patching, and annual penetration tests. Incident response follows GDPR Art. 33 breach-notice rules.
10. Your rights
You may access, correct, erase, restrict, object, or port your personal data and withdraw consent at any time. Requests sent to dpo@mythoria.pt are answered within one month (Art. 12 GDPR). If you believe your rights are infringed, you can lodge a complaint with CNPD (contacts in § 1).
If you want to exercise your right to erasure (GDPR Art. 17) and delete your account permanently, you can do so through our dedicated account deletion page.
11. International transfers
Where data leave the EEA (e.g. to US-located OpenAI disaster-recovery servers), transfers are covered by:
- Standard Contractual Clauses (Google Cloud, OpenAI)
- Encryption and strict access controls (§ 9).
12. Changes to this Policy
We may update this notice to reflect legal or technical changes. If the changes are material we will e-mail account holders and show an in-app banner at least 15 days before they take effect. The version history is kept at the top of this page.
13. Contact
Questions about privacy? E-mail dpo@mythoria.pt or write to the address in § 1. We're here to help!
Last updated: 2 June 2025