1. Introduction and Data Controller
Welcome to Chatalystar ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI companion platform and related services (the "Service").
Data Controller Information:
Company: Chatalystar Corporation
Registered Address: 100 King Street West, First Canadian Place, Suite 5700, Toronto ON M5X 1C7, Canada
Website: chatalystar.com
Privacy / Data Protection Inquiries: privacy@chatalystar.com
Chatalystar Corporation does not currently maintain an established presence in the European Union. EU, UK, and EEA data subjects may contact us directly at privacy@chatalystar.com regarding any question, request, or complaint relating to the processing of their personal data. If our processing activities trigger an obligation to designate a local representative under GDPR Article 27 (or an equivalent UK GDPR requirement), we will appoint one promptly upon notification of such a requirement and update this Privacy Policy accordingly.
By accessing or using Chatalystar, you agree to this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
1A. Legal Basis for Processing (GDPR)
For users in the European Economic Area, United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you requested
- Legitimate Interests: Improving our Service, fraud prevention, security, analytics
- Consent: Marketing communications, optional cookies, personalization features
- Legal Obligation: Compliance with applicable laws, tax requirements, legal proceedings
2. Information We Collect
2.1 Information You Provide
- Account Information: Username, email address, password (encrypted), and display name
- Profile Information: Avatar, bio, preferences, archetype selections
- Payment Information: Billing details processed through third-party processors
- Wallet Data: Your cryptocurrency wallet public address; PIN-encrypted wallet data stored locally in your browser (localStorage)
- Communication Data: Messages and interactions with AI characters
- User-Generated Content: Notes, memories, and content you create
2.2 Information Collected Automatically
- Usage Data: Interaction patterns, feature usage, session duration
- Device Information: Browser type, operating system, IP address
- Cookies and Tracking: Session cookies, authentication tokens
2A. Blockchain and Payment Data
When you use cryptocurrency features within Chatalystar, we collect and process additional data related to blockchain transactions and digital payments:
- On-Chain Transaction Hashes: Records of transactions broadcast to public blockchain networks (e.g., Base network) are stored to verify payment status and provide transaction history
- USDC Balances: Your USDC token balance as reflected on the blockchain, queried to display account balances within the Service
- Wallet Addresses (Server-Side): We store your wallet's public address on our servers to associate your account with blockchain transactions. We never store your private keys on our servers
- Third-Party Payment Processors: We integrate with MoonPay (fiat-to-crypto on-ramp) and NOWPayments (cryptocurrency payment processing). These providers collect additional information pursuant to their own privacy policies when you use their services
- Public Nature of Blockchain Data: Transactions recorded on public blockchains (including wallet addresses, transaction amounts, and timestamps) are inherently public and visible to anyone. We cannot control or limit access to on-chain data once a transaction is broadcast
Important: Blockchain transactions are permanent and publicly visible. Once a transaction is submitted to the network, the associated wallet addresses and transaction details become part of the public ledger. Please review the privacy policies of MoonPay and NOWPayments for details on how they handle your data.
2B. AI Processing of Messages
To generate character responses, simulate presence, and power AI-assisted features, we transmit your messages and related context to third-party AI providers, including OpenAI, OpenRouter, and the upstream model providers OpenRouter routes to (e.g., Anthropic). These providers process the content under their own privacy policies and contractual terms.
- What is sent: The text of your messages, the character's persona and recent conversation history, and minimal metadata required to generate a response. We do not send your wallet's private keys, payment details, or government ID information to AI providers.
- Training: We use API endpoints with providers whose default terms exclude customer API content from being used to train their public models. We do not opt your messages into training programs.
- Retention by providers: Providers may retain message content for a limited period (typically up to 30 days) for abuse monitoring and security review, after which it is deleted from their systems per their published policies.
- What you should not share: Because messages are processed by third-party AI systems, we recommend you do not share sensitive personal information in character chats, including your real legal name, home address, government ID numbers, financial account numbers, or passwords.
3. How We Use Your Information
- Provide, maintain, and improve the Service
- Process transactions and manage your account
- Personalize your experience and AI interactions
- Track progress, achievements, and engagement
- Send service-related communications
- Detect, prevent, and address security threats
- Comply with legal obligations
4. Data Sharing and Disclosure
We do not sell your personal information. We may share your data only in the following circumstances:
- Service Providers: Third-party vendors who assist in operating our Service
- Payment Processors: MoonPay (fiat-to-crypto on-ramp services) and NOWPayments (cryptocurrency payment processing) receive transaction data necessary to process your payments. Each operates under its own privacy policy and terms of service
- Blockchain Networks: When you initiate a cryptocurrency transaction, your wallet address and transaction details are broadcast to and recorded on public blockchain ledgers (e.g., Base/Ethereum). This data is publicly accessible and cannot be deleted or modified
- AI Providers: Messages and related conversation context are transmitted to third-party AI providers (OpenAI, OpenRouter, and the upstream models it routes to, such as Anthropic) to generate character responses. See Section 2B for details on what is sent, retention, and what you should avoid sharing in chats.
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale
5. Data Security
We implement industry-standard security measures including encryption, secure password hashing, regular security audits, and access controls. However, no method of transmission over the Internet is 100% secure.
5.1 Wallet and Cryptographic Security
- Client-Side Encryption: Wallet private keys are encrypted on your device using AES-256-GCM encryption before being stored in your browser's localStorage. Encrypted wallet data never leaves your device in unencrypted form
- Private Keys Never Transmitted: Your wallet private keys are generated and stored exclusively on your device. They are never transmitted to, processed by, or stored on Chatalystar servers
- PIN-Based Key Derivation: Your wallet encryption key is derived from your personal PIN using PBKDF2 (Password-Based Key Derivation Function 2) with cryptographically secure parameters, ensuring that your PIN alone can unlock your wallet on your device
Your Responsibility: Because private keys are stored only on your device and encrypted with your PIN, Chatalystar cannot recover your wallet if you lose your PIN or clear your browser data. You are solely responsible for safeguarding your PIN and any backup recovery phrases.
6. Data Retention
We retain personal data only for as long as is necessary for the purposes described in this Privacy Policy, or as required to comply with our legal, accounting, tax, or regulatory obligations. Some categories of data are subject to mandatory retention periods set by law (for example, tax records, anti-money-laundering rules, and age-verification record-keeping regulations). These legal obligations take precedence over individual deletion requests, as expressly permitted under GDPR Article 17(3)(b). Specific retention periods by category are set out below.
- Account profile data (username, email, display name, preferences): retained for the active life of the account, then deleted upon account closure with a thirty (30) day backup purge window for routine backups.
- Chat messages and interactions with Stars and Muses: retained for the active life of the account to provide conversation continuity, then deleted on the same schedule as account profile data unless retained in anonymized form for service improvement.
- Payment and transaction records (off-chain): retained for seven (7) years to comply with the record-keeping requirements of the Canada Revenue Agency and analogous tax authorities.
- Age verification records (Veriff session metadata, member age-attestation transaction hashes): retained for as long as the account is active, plus five (5) years following account closure, to satisfy adult-platform record-keeping standards and anti-money-laundering norms.
- KYC and identity documentation: retained on the same schedule as age verification records.
- Blockchain transaction hashes and on-chain wallet activity: permanent. Public blockchains are immutable; once a transaction is broadcast to the network, the associated wallet address, amount, and timestamp cannot be deleted or modified by Chatalystar or any other party.
- Server logs and security logs (IP addresses, request metadata, authentication events): retained on a rolling ninety (90) day window for fraud prevention, abuse investigation, and security incident response.
- Deleted account residual data: anonymized within thirty (30) days of a verified deletion request and fully purged from disaster-recovery backups within ninety (90) days, except for the legally mandated categories listed above.
Note on legal-obligation retention: Where data must be retained to satisfy a legal obligation (such as tax records or age-verification records), we will inform you that we cannot fully delete that specific category of data even if you request account deletion, and we will limit our use of that retained data strictly to the legal-compliance purpose for which it is held.
7. Your Rights
- Access and review your personal information
- Correct inaccurate or incomplete data
- Delete your account and associated data
- Export your data in a portable format
- Opt out of promotional communications
8. Children's Privacy
Chatalystar is intended for adults. Members must be at least 18 years of age and creators must be at least 21. We do not knowingly collect personal information from anyone under 18.
9. Contact Us
If you have questions about this Privacy Policy or wish to exercise any of your data-protection rights, please contact us at:
Privacy / Data Protection Inquiries: privacy@chatalystar.com
Mailing Address: Chatalystar Corporation, 100 King Street West, First Canadian Place, Suite 5700, Toronto ON M5X 1C7, Canada