1. Introduction
Polyhedral ("we," "our," or "us"), operated by Michael Heilemann, 266 Ct Rte 2, Accord, NY 12404, USA, respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, process, and safeguard your information when you use our AI-enhanced tabletop RPG platform.
2. Information We Collect
2.1 Account Information
- Account Details: Email address, username, profile information
- Authentication Data: Password hashes, login sessions, security tokens
- Profile Data: Display name, avatar images, preferences and settings
2.2 Game Content
- Game Data: Game sessions, character information, campaign details
- Chat Messages: Text conversations with other players and AI participants
- File Uploads: PDFs, images, documents shared in games
- Notes and Documentation: Game notes, rules, and custom content
2.3 Audio and Voice Data
- Voice Recordings: Audio captured for transcription purposes
- Transcribed Text: Speech-to-text conversions of voice recordings
- Audio Preferences: Voice selection and audio settings
2.4 AI Interaction Data
- Prompts and Responses: Messages sent to and received from AI systems
- Usage Patterns: How you interact with AI features and tools
- Preference Data: AI personality settings, role configurations
2.5 Technical Information
- Device Data: Browser type and operating system (we do not collect device fingerprints or persistent device identifiers)
- Usage Analytics: Page views, feature usage, session duration
- Performance Data: Error logs, response times, system performance
- Network Information: IP address, general geographic region
2.6 Cookies
We use a minimal set of cookies:
- Authentication Cookies: Session cookies set by Supabase for login and account security. These are essential for the service to function.
- Locale Preference: A cookie storing your preferred language setting.
Our primary analytics provider (Plausible) does not use cookies and does not track you across websites. Vercel Analytics, used for performance monitoring in production, uses minimal cookies. We do not use third-party advertising or tracking cookies.
3. How We Use Your Information
3.1 Legal Basis
We process your data on the following legal grounds:
- Contract Performance: Your account data, game content, and AI processing are necessary to deliver the service you signed up for.
- Legitimate Interest: Analytics, security monitoring, and bug detection help us keep the platform secure and improve it.
- Consent: Optional features like voice recording require your explicit action to activate. You can withdraw consent for optional features at any time by disabling them.
3.2 Service Provision
- Platform Operation: Providing core RPG platform functionality
- Account Management: User authentication, profile management
- Game Facilitation: Enabling multiplayer games and AI interactions
- Content Storage: Saving and organizing your game content
3.3 AI Services
- Content Processing: Analyzing uploads for search and AI enhancement
- Response Generation: Creating AI-powered game master and player responses
- Personalization: Customizing AI behavior based on your preferences
- Context Understanding: Processing game history to provide relevant AI responses
3.4 AI Training and Model Improvement
- No Training Data Usage: Your content is never used to train or improve AI models
- Provider Selection: We specifically choose AI providers who do not train on user data
- Immediate Processing Only: AI interactions are processed solely for real-time response generation
- No Persistent Storage: User data is not stored by AI providers for training purposes
- Aggregated Analytics: Only anonymized, aggregated usage patterns may inform platform improvements
3.5 Platform Improvement
- Feature Development: Understanding usage to build better features
- Performance Optimization: Improving platform speed and reliability
- Bug Detection: Identifying and fixing technical issues
- Security Enhancement: Protecting against threats and abuse
4. Information Sharing and Disclosure
We do not sell your personal data. We share data only with service providers necessary to operate the platform, and only for the purposes described below.
4.1 Third-Party Service Providers
Supabase (Database and Authentication)
- Purpose: User authentication, data storage, real-time features
- Data Shared: Account information, game content, usage data
- Location: Primary data storage in the United States
- Privacy Policy: https://supabase.com/privacy
Anthropic (AI Services)
- Purpose: AI-powered game master and player functionality
- Data Shared: Game context, chat messages, user prompts
- Processing: Temporary processing for response generation
- API Data Policy: Anthropic's consumer training policies do not apply to API usage. Our API data is not used for model training.
- Privacy Policy: https://www.anthropic.com/privacy
OpenAI (Speech & Embedding Services)
- Purpose: Text-to-speech, speech-to-text, and semantic search embeddings
- Data Shared: Voice recordings, text for speech generation, document text for search indexing
- Processing: Real-time processing for audio features and search
- API Data Policy: OpenAI does not use API data for training by default. Our API usage is governed by commercial terms, not consumer policies.
- Privacy Policy: https://openai.com/policies/row-privacy-policy/
Vercel (Hosting and Performance)
- Purpose: Platform hosting, performance monitoring
- Data Shared: Performance metrics, error data
- Location: Global content delivery network
- Privacy Policy: https://vercel.com/legal/privacy-policy
Plausible (Analytics)
- Purpose: Privacy-focused usage analytics
- Data Shared: Anonymized page views and feature usage events (no personal data, no cookies, no cross-site tracking)
- Location: EU-hosted infrastructure
- Privacy Policy: https://plausible.io/privacy
4.2 Legal Requirements
We may disclose your information when required by law, including:
- Legal Process: Court orders, subpoenas, legal investigations
- Safety Protection: Preventing harm to users or the public
- Rights Enforcement: Protecting our intellectual property and rights
- Regulatory Compliance: Meeting applicable legal obligations
5. Data Security and Protection
5.1 Security Measures
- Encryption: Data encrypted in transit (TLS) and at rest
- Access Controls: Limited access to personal data on a need-to-know basis
- Authentication: Secure session management via Supabase
- Monitoring: Security monitoring and threat detection
5.2 Data Retention
- Account and Game Data: Retained while your account is active. Your games, notes, uploads, chat messages, and other content persist until you delete them or close your account.
- After Account Closure: Account data is deleted within 30 days of cancellation. Backups containing your data are purged within 90 days.
- Voice Recordings: Raw audio is deleted after transcription. Text transcripts remain in your game.
- Analytics Data: Anonymized, aggregated analytics are retained indefinitely for platform improvement. These cannot be linked back to you.
6. Your Privacy Rights
6.1 All Users
Regardless of where you live, you can:
- Access: Request a copy of the personal data we hold about you
- Correct: Update or fix inaccurate account information
- Delete: Delete your account and all associated data
- Export: Download your content (games, notes, uploads) in a portable format. Your data is yours — you can take it with you.
- Control: Manage, edit, or remove specific game content at any time
6.2 European Economic Area and UK (GDPR)
If you are in the EEA or UK, you also have the right to:
- Data Portability: Receive your personal data in a structured, machine-readable format
- Restrict Processing: Ask us to limit how we use your data in certain circumstances
- Object to Processing: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent for optional data processing at any time, without affecting processing that occurred before withdrawal
- Lodge a Complaint: File a complaint with your local data protection authority
6.3 California (CCPA/CPRA)
If you are a California resident:
- Right to Know: You can request the categories and specific pieces of personal information we have collected
- Right to Delete: You can request deletion of your personal information
- No Sale of Data: We do not sell or share your personal information for cross-context behavioral advertising
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact us at support@polyhedral.co. We will respond within 30 days (or sooner where required by law).
7. International Data Transfers
Your data is primarily stored in the United States. If you access the service from outside the US, your data will be transferred to and processed in the US. We use service providers that may process data in other regions:
- Supabase, Anthropic, OpenAI: United States
- Vercel: Global CDN with edge processing
- Plausible: European Union
For transfers from the EEA/UK, we rely on standard contractual clauses and our providers' data processing agreements. Where our providers are certified under the EU-US Data Privacy Framework, that certification provides an additional transfer mechanism.
8. Children's Privacy
- Minimum Age: The service is intended for users 13 years and older. Users 13–16 in the EEA/UK require parental consent.
- No Knowing Collection: We do not knowingly collect personal data from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly.
- Parental Contact: If you believe your child has provided us with personal data, contact support@polyhedral.co.
9. Changes to This Privacy Policy
We may update this policy from time to time. For significant changes — especially changes to what data we collect, how we use it, or who we share it with — we will notify you via email or in-app notice before the changes take effect. The "last updated" date at the top reflects the most recent revision.
10. Contact
For questions about this Privacy Policy, to exercise your privacy rights, or to raise a concern about how your data is handled, contact us at support@polyhedral.co. We aim to respond within 30 days.
This Privacy Policy is effective as of the last updated date and applies to all users of Polyhedral.