Last updated: March 31, 2026
Povella (“Povella,” “we,” “us,” or “our”) operates the Povella platform, accessible at povella.net (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. By accessing or using Povella, you acknowledge that you have read and understand this Privacy Policy.
1. Information We Collect
1.1 Information You Provide Directly
We collect information that you voluntarily provide when using the Service, including:
- Account Information: Your name and email address when you create an account or submit a contact form.
- Profile Data: Character profile details you provide during the onboarding process, including your age range, location, career, personality type (e.g., MBTI), genre preferences, personal interests, aspirations, and fears. This data forms the foundation of your personalized story protagonist.
- Photographs: If you upload a selfie or photo, it is used solely to inform physical character descriptions in your generated stories. Photos are processed during story generation and are not stored permanently on our servers. You may delete your photo at any time.
- Social Links: If you optionally provide links to social media profiles (LinkedIn, Instagram, etc.), we may access publicly available information from those profiles to enrich your character profile. We never post on your behalf, access private data, or store your login credentials for third-party services.
- Communications: Messages you send through our contact form, including your name, email, selected subject category, and message content.
1.2 Information Collected Automatically
When you access the Service, we may automatically collect:
- Device and Browser Data: Browser type, operating system, device type, screen resolution, and language preferences.
- Usage Data: Pages visited, features used, reading progress, time spent on the platform, and interaction patterns.
- Network Data: IP address (used for rate limiting and security purposes), referring URL, and approximate geographic location derived from your IP address.
1.3 Information We Do Not Collect
We do not collect payment card numbers directly. If we implement paid subscriptions in the future, payment processing will be handled by a PCI-compliant third-party processor, and we will not have access to your full card details.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Story Generation: To create personalized narrative content where you are the protagonist. Your profile data, personality attributes, and descriptive details are processed by our AI storytelling engine to craft character bibles, story outlines, and chapter prose.
- Account Management: To create and manage your account, save your stories and reading progress, and provide access to your story library.
- Service Improvement: To analyze usage patterns and improve our storytelling engine, user interface, and overall user experience.
- Communication: To respond to your contact form submissions, send essential service notifications, and provide customer support.
- Security and Integrity: To detect and prevent fraud, abuse, and unauthorized access, including IP-based rate limiting on form submissions.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
3. AI-Generated Content and Third-Party AI Services
Povella uses artificial intelligence to generate personalized stories. When you initiate story generation, your profile data (name, career, personality type, genre preferences, and other onboarding details) is transmitted to third-party AI service providers for processing. Specifically:
- Anthropic (Claude):We use Anthropic's Claude language model to generate story bibles, character arcs, chapter outlines, and prose content. Your profile data is sent to Anthropic's API as part of the generation prompt. Anthropic's data handling is governed by their privacy policy and API terms, which prohibit the use of API inputs and outputs for model training.
We do not use your personal data or generated content to train our own AI models. Your stories are generated on-demand, and the prompts containing your profile data are not retained by our third-party AI providers beyond the duration of the API request, subject to their respective data retention policies.
4. Data Storage and Security
Your data is stored in PostgreSQL databases hosted on Railway's cloud infrastructure with data centers located in the United States. We implement the following security measures:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for stored data
- Secure, httpOnly session cookies for authentication
- Server-side session management with automatic expiration
- IP-based rate limiting to prevent abuse
- Input validation and sanitization on all user-submitted data
While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:
- AI Service Providers: As described in Section 3, your profile data is transmitted to Anthropic for story generation purposes only. These transmissions are governed by data processing agreements.
- Infrastructure Providers: Our hosting provider (Railway) and database services have access to stored data as part of providing their infrastructure services.
- Legal Requirements: We may disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
- Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via prominent notice on our Service of any change in ownership or use of your personal information.
6. Cookies and Tracking Technologies
6.1 Cookies We Use
We use only strictly necessary cookies:
- Session Cookie (
mce_admin_session): An httpOnly, secure cookie used for administrator authentication. Contains a session identifier only. Expires after 24 hours.
6.2 Cookies We Do Not Use
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track individual users. We do not participate in ad networks or cross-site tracking.
6.3 Do Not Track
Our Service does not currently respond to Do Not Track (DNT) browser signals. However, because we do not engage in cross-site tracking or serve targeted advertisements, the practical effect is equivalent to honoring DNT requests.
7. Your Rights and Choices
7.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your account and all associated personal data.
- Data Portability: Export your generated stories in standard formats (EPUB, web).
- Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, please reach out via our contact form.
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
- No Sale or Sharing: We do not sell your personal information or share it for cross-context behavioral advertising as defined under the CCPA/CPRA.
To submit a verifiable consumer request, please reach out via our contact form. We will verify your identity before processing your request.
7.3 European Economic Area, UK, and Swiss Residents (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:
- Legal Basis for Processing: We process your personal data based on: (a) your consent (for optional profile data and photo uploads); (b) performance of a contract (to provide the Service you requested); and (c) our legitimate interests (for security, fraud prevention, and service improvement), balanced against your rights and freedoms.
- International Data Transfers: Your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers.
- Additional Rights: You have the right to lodge a complaint with your local data protection authority. You also have the right to restrict processing and to object to processing based on our legitimate interests.
- Data Protection Officer: For GDPR-related inquiries, please reach out viaour contact form.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specifically:
- Account and Profile Data: Retained while your account is active.
- Generated Stories: Retained while your account is active and accessible through your library.
- Photos: Processed during story generation and not stored permanently. Deleted promptly after processing.
- Contact Form Submissions: Retained for up to 2 years for customer support purposes.
- Session Data: Automatically expired and purged after 24 hours.
When you delete your account, all personal data, profile information, and generated stories are permanently removed from our active systems within 30 days. Anonymized, aggregated usage statistics that cannot be used to identify you may be retained indefinitely for service improvement purposes.
9. Children's Privacy
Povella is not directed to children under the age of 13 (or under 16 in jurisdictions where GDPR applies). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal information from a child under the applicable age threshold, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please reach out via our contact form.
10. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay via the email address associated with their account. Where required by applicable law (including GDPR and state breach notification laws), we will also notify the relevant supervisory authority within the legally mandated timeframe.
11. Third-Party Links
Our Service may contain links to third-party websites or services that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our Service.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a revised “Last updated” date. For material changes that significantly affect your rights, we will provide additional notice via email or a prominent banner on the Service. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We will respond to your inquiry within 30 days (or within the timeframe required by applicable law).