Privacy Policy

Our role depends on the data:

• Your account data (creators/agencies): we are the controller.
• Fan conversation data (inbound fan messages and generated replies on your connected account): we act as a processor on your behalf. You (the creator) are the controller of your relationship with your fans. Our processing is governed by these terms and any data processing agreement between us.
• Moderation event records (records that content was screened/blocked): we are the controller, because we generate and retain these for our own legal, compliance and safety purposes.

If you are an agency, you and your creators are responsible for the controller obligations owed to fans; we process on your collective instruction.

From creators/agencies:name, email, login/account identifiers, billing identifiers (payment is handled by our payment processor — we do not store full card numbers), platform account identifiers and OAuth tokens, support communications, and usage/technical data (IP, device, logs).

Through the connected platform account:fan messages received and AI replies sent in your persona. This text can include flirtatious and sexually explicit content. We access this via the platform's official API; we do not collect or store fan platform passwords.

Moderation events: a record that a given message/reply was screened and the moderation outcome (e.g. blocked category), retained for compliance and legal-defence purposes.

We do not generate or process images, audio or video, and we do not create any visual likeness of any person.

Where we rely on legitimate interests, we balance them against your rights; you may ask for details of that assessment.

Sexually explicit conversation content may constitute special category data (data concerning sex life or sexual orientation) under Article 9 UK GDPR, and may relate to fans as well as to you.

The appropriate Article 9 condition for processing fan conversation content is normally the fan's explicit consent, obtained through the relationship between the fan and the creator on the platform, where the fan engages with an account that is disclosed as adult and AI-operated. The connected platform's API terms place responsibility for having a valid legal basis on the operator of a connected application. Accordingly, and as set out in our Terms of Service, you (the creator) are responsible for ensuring an appropriate lawful basis and, where required, the fan's explicit consent and any platform third-party-app consent are in place and maintained for the processing the Service performs on your account. We process this data only on your instruction and to operate and moderate the Service.

For our own moderation event records(Section 1), we rely on Article 9(2)(f) — processing necessary for the establishment, exercise or defence of legal claims.

We do not use sensitive content for any purpose other than providing and moderating the Service, and we do not permit our AI providers to retain or train on it (see Section 5).

Conversation text is sent only to the AI providers below, to generate and moderate replies. Our analytics and error-monitoring tools do not receive fan conversation content.

• OpenAI(direct relationship) — content moderation (CSAM/minor/hate/self-harm screening). United States. Used under API terms that do not train on our data, with a data processing agreement in place.
• OpenRouter— AI model gateway (United States) used to access the policy-moderation model (DeepSeek family) and the reply-generation model (xAI Grok). We configure routing to Zero Data Retention (ZDR) endpoints only and to exclude China-based providers, and we do not enable prompt logging, so conversation content is not retained or trained on by the onward providers and is not routed to or stored in China. The specific onward inference providers are available on request.
• Microsoft Azure— application hosting and storage (UK/EU region).
• CCBill— payment processing (onboarding in progress).
• PostHog— product analytics (no conversation content).
• Sentry— error monitoring (no conversation content).

We do not sell personal data. We may disclose data where required by law, to enforce our terms, or to protect rights and safety. A current list of sub-processors is available on request at support@entranced.ai.

Our application data and stored conversation data are hosted on Microsoft Azure servers in the UK/EU. Our AI providers (OpenAI directly, and the providers reached via OpenRouter) process conversation text in the United States; routing is configured so that this content is not processed in or transferred to China.

Where personal data is transferred outside the UK/EEA, we put in place an appropriate transfer mechanism — such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum — together with a transfer risk assessment, or rely on another lawful transfer condition (including the UK Extension to the EU–US Data Privacy Framework where the recipient is certified).

Conversation text is transferred to the United States (to OpenAI directly, and via the OpenRouter gateway to its onward inference providers). Routing is configured to exclude China-based endpoints and to use Zero Data Retention endpoints, so fan conversation content is not routed to, retained in, or trained on in China. Details of our current provider configuration and transfer safeguards are available on request.

• Account and conversation data: retained for the lifetime of your account. When you delete your account, we delete this data.
• Moderation event records: retained after account deletion to establish, exercise or defend legal claims (for example, to evidence that prohibited content was screened and blocked) and to meet payment-scheme requirements. We retain these for 6 years from the moderation event, aligned to the limitation period for most civil claims in England & Wales under the Limitation Act 1980, after which they are deleted or anonymised. Wherever possible these records are minimised— limited to data such as timestamp, category flagged, the screening outcome, and a reference/hash rather than the full message content — so the long-term audit record contains little or no identifiable personal data. This retention is documented in our retention schedule and reviewed annually.
• Billing records: retained as required by UK tax/accounting law (generally 6 years).

Subject to conditions and exemptions under UK GDPR, you have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent where processing is based on consent.

Because we act as processor for fan conversation data, requests from fans about that data should generally be directed to the relevant creator (the controller); we will assist the creator in responding.

To exercise rights, contact support@entranced.ai. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

We use technical and organisational measures including encryption in transit, access controls, OAuth-based platform access (no password storage), audit logging, and AI-provider routing configured for zero data retention with prompt logging disabled. No system is perfectly secure; we cannot guarantee absolute security.

The Service is strictly for adults (18+). It is not directed to anyone under 18, and we do not knowingly process the data of minors. Content involving minors is prohibited and blocked.

We may update this policy. Material changes will be notified by email or in-product, and the effective date above will change.