Privacy Policy

This Privacy Policy explains how Kawaii Candy ("we," "us," or "our") collects, uses, shares, and protects personal information when you use kawaiicandy.ai and related services (the "Service").

We do not sell your personal information. This policy is effective as of June 21, 2026.

We collect information you provide directly and information generated when you use the Service.

• Account data: email, password hash, handle, display name, age, and content preferences.
• Profile and community data: public profile details, characters, personas, comments, likes, and visibility settings.
• Chat data: conversation history and messages you send to AI characters.
• Payment data: subscription status, credit balances, and billing metadata processed by Stripe. We do not store full payment card numbers.
• Creator payout data: Stripe Connect account status and payout-related metadata for eligible creators.
• Usage data: logs, device/browser information, and interactions needed to secure and operate the Service.

We use personal information to provide and improve the Service, including:

• Creating and authenticating your account.
• Delivering chat, discovery, billing, and creator features.
• Enforcing age and content controls for mature material.
• Processing payments, subscriptions, credit purchases, and creator payouts.
• Sending transactional email such as verification and password reset messages.
• Preventing fraud, abuse, and security incidents.
• Complying with legal obligations.

We share personal information only as described here. We do not sell personal information.

Public content you choose to make visible (such as public characters, profile pages, and comments) can be seen by other users.

We may disclose information if required by law, to protect rights and safety, or in connection with a merger, acquisition, or asset sale with appropriate safeguards.

We use trusted processors to operate the Service. They process data on our instructions and subject to contractual protections.

• Stripe: subscription billing, credit purchases, and customer billing portal.
• Stripe Connect: real-money creator payouts for eligible creators.
• OpenRouter: AI inference for chat responses based on prompts and conversation context.
• Resend: transactional email delivery.
• PostgreSQL hosting: account and application data storage.
• S3-compatible object storage: user-uploaded files such as character avatars in production.
• Google Fonts: typography delivery when you load the site.

We use cookies and similar technologies to keep you signed in and protect your session.

Authentication is handled through NextAuth session and JWT cookies. These are necessary for account access and security.

We do not use third-party advertising cookies on the Service today.

Community features may display your handle, display name, public characters, comments, and engagement signals such as likes.

You control whether certain content is public or private where the product provides those settings.

Mature content is off by default. To access mature content, you must meet age requirements and complete our age verification and gating controls.

We store age-related settings and verification outcomes needed to enforce these controls and keep mature content restricted to eligible adults.

User-uploaded content in production is stored in S3-compatible object storage. It is not stored on operator local machines.

Application data is stored in managed database infrastructure. We apply access controls and encryption in transit for sensitive operations.

We retain personal information while your account is active and as needed to provide the Service, comply with law, resolve disputes, and enforce our policies.

When you delete your account, we delete or de-identify data linked to your account subject to limited backup and legal retention periods.

Aggregated or de-identified data that cannot reasonably identify you may be retained for analytics and service improvement.

Depending on where you live, you may have rights to access, correct, delete, or export personal information, or to object to certain processing.

You can update profile information in settings. You may delete your account in settings, which removes linked personal data as described in this policy.

To exercise privacy rights, contact [email protected]. We may need to verify your request.

We use administrative, technical, and organizational measures designed to protect personal information, including access controls, hashed passwords, and encrypted connections.

No method of transmission or storage is completely secure. Please use a strong, unique password and keep it confidential.

The Service is not directed to children under 18, and we do not knowingly collect personal information from children under 18.

If you believe a child has provided us personal information, contact [email protected] and we will take appropriate steps.

We may process and store information in the United States and other countries where we or our processors operate.

By using the Service, you understand that your information may be transferred to jurisdictions with different data protection laws than your own, subject to appropriate safeguards where required.

We may update this Privacy Policy from time to time. We will post the revised policy and update the effective date.

Material changes will be communicated through the Service or by email where appropriate.

Privacy questions and requests can be sent to [email protected].

Kawaii Candy operates kawaiicandy.ai.