This Privacy Policy explains what information darkmes ("we", "us", "our") collects when you use darkmes.com ("the Service"), the lawful bases on which we rely, how long we keep it, with whom we share it, and the rights you have under data protection laws — including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).
By using the Service you confirm that you have read this Policy. Where the law requires consent (e.g. for analytics or marketing cookies), we ask for it through the cookie banner and you can change your mind at any time.
Table of contents
- Who we are (controller details)
- Information we collect
- How we use information & lawful bases (GDPR Art. 6)
- Sharing of information
- International data transfers
- Cookies and similar technologies
- Data retention
- Your rights (GDPR Art. 15–22, CCPA equivalents)
- Children's data
- Security measures
- Marketing and communications
- Right to lodge a complaint with a supervisory authority
- Changes to this Policy
- Contact
1. Who we are (controller details)
| Item | Detail |
|---|---|
| Service name | darkmes ("the Service") |
| Website | darkmes.com |
| Data controller | Operated by an individual sole proprietor; no legal entity has been incorporated at the time of this Policy. A controller name will be added once a legal entity is registered. (Placeholder — to be updated.) |
| General contact | night@darkmes.com |
| Privacy contact (DSAR, complaints) | night@darkmes.com |
| EU representative (GDPR Art. 27) | Not appointed. The Service has no establishment in the European Union. We nonetheless welcome users in the EU/EEA and allow you to exercise the rights set out in Section 8 by writing to the privacy contact above. We acknowledge that formal Art. 27 designation is a requirement we do not currently satisfy and we will reconsider this once we incorporate. |
| Data Protection Officer | Not designated. Our processing activities do not meet the mandatory threshold under GDPR Art. 37 (we are not a public authority, our core activity does not consist of large-scale systematic monitoring, and we do not process special categories of data at scale). Privacy queries are handled directly by the operator at the email above. |
2. Information we collect
2.1. Information you provide
- Account information: email address, password (stored hashed with argon2id), username, optional avatar, optional bio.
- Profile data: user personas you create (name, description); preferred tags/interests selected during onboarding; NSFW settings.
- Content you submit: characters you create (name, persona, scenario, greeting, examples, tags, avatar), messages in chats, lorebook entries, reports of other content.
- Age confirmation: the timestamp and IP at which you confirmed you are 18 or older.
- Consent records: the categories of cookies/processing you accept or decline, with timestamp, hashed IP and hashed user-agent — kept in our consent_log table to demonstrate compliance with GDPR Art. 7(1).
- Payment context (applicable once payments are activated; not in MVP): transaction metadata when you purchase credits (timestamp, amount in USD, cryptocurrency and network used, transaction hash). We do not collect or store cryptocurrency private keys, wallet credentials, or banking information — payments are processed via a third-party cryptocurrency processor which handles the wallet interaction.
2.2. Information collected automatically
- Device and connection data: IP address (truncated where required by law), browser type and version, operating system, screen resolution, language, time zone.
- Browser fingerprint: generated by FingerprintJS Open Source (self-hosted) to deter multi-account abuse. The fingerprint is a hash, not personal information directly.
- Approximate location: with your analytics consent, we derive an approximate location (country, region, and city) from your IP address to understand where our audience is. This lookup is performed locally on our own server using an offline database — your IP address is not sent to any third party for this purpose, and we store only the derived country/region/city, never the raw IP (the IP itself is only ever kept as a salted hash). City-level precision is approximate and may be inaccurate.
- Usage data: pages visited, characters viewed, chats created, messages sent, models used, credits spent, features clicked, session duration.
- Traffic source: with your analytics consent, the website you arrived from (HTTP referrer) and any campaign tags in the link you clicked (utm_source, utm_medium, utm_campaign), so we can see which channels bring visitors.
- Cookies: see Section 6.
2.3. Information from third parties
- OAuth providers (Google, Discord — Phase 6): if you sign in via OAuth, we receive a unique identifier and your verified email from the provider. We do not receive your password.
- Payment processor (once activated; not in MVP): transaction confirmation, payment status, blockchain transaction hash.
2.4. AI chat content
The text of your conversations with AI characters is stored in our database to:
- Provide the Service (chat history, memory, summarisation)
- Allow you to view and continue past conversations
- Allow you to delete content you no longer want stored
We do not use your chat content to train AI models. We send messages to the upstream model (via OpenRouter) only ephemerally for the purpose of generating the next reply; OpenRouter and the underlying providers have their own retention policies and act as our processors under written terms.
3. How we use information & lawful bases (GDPR Art. 6)
For every category of processing we rely on a specific lawful basis. Where consent is the basis, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
| Processing activity | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Account creation, login, password reset, refresh tokens | Provide the Service you signed up for | Contract — Art. 6(1)(b) |
| Rendering catalog, generating AI replies, storing chats, applying credits | Performance of the Service | Contract — Art. 6(1)(b) |
| Transactional emails (verification, password reset, receipts, deletion confirmation) | Necessary to operate the account | Contract — Art. 6(1)(b) |
| Optional product emails (low-balance warning, monthly free refill notification) | User has opted in via Settings → Notifications | Consent — Art. 6(1)(a) |
| Marketing or promotional emails (none sent today; opt-in will be requested before any are sent) | Marketing | Consent — Art. 6(1)(a) |
| Analytics events (page views, feature usage, approximate location derived locally from IP, device/OS/browser, traffic source and UTM tags), self-hosted in our own database | Improve the Service and understand our audience | Consent — Art. 6(1)(a) — collected only after you accept analytics cookies |
| Rate-limiting, browser fingerprinting, multi-account detection, fraud prevention | Protect the Service and other users | Legitimate interest — Art. 6(1)(f). We have weighed our interest in fighting abuse against your privacy interest and consider the minimal hashed data we keep proportionate. You may object — see Section 8. |
| Manual moderation of public avatars and characters | Keep public content lawful | Legitimate interest — Art. 6(1)(f) |
| Age confirmation (18+ gate) and retention of the confirmation record | Comply with adult-content age requirements in multiple jurisdictions | Legal obligation — Art. 6(1)(c) |
| Audit logs, security event logs, consent log | Demonstrate compliance with GDPR Art. 5(2) and respond to incidents | Legal obligation — Art. 6(1)(c) / Legitimate interest — Art. 6(1)(f) |
| Responding to lawful requests from authorities | Comply with the law | Legal obligation — Art. 6(1)(c) |
We do not sell personal information and we do not engage in cross-context behavioural advertising (CCPA).
4. Sharing of information
We share information only with:
- Service providers we directly use, acting as our processors:
  - Unisender Go — transactional email (Russian Federation-based; sub-processor; see Section 5 for the international-transfer mechanism that applies to this provider).
  - OpenRouter — AI inference for chat (US-based; messages sent ephemerally; bound by their terms).
  - FingerprintJS Open Source — self-hosted; no data leaves our servers.
  - Cryptocurrency payment processor — added once payments are activated; will be listed by name in an update to this Policy.
  - All static assets and user-uploaded media are served directly from our adult-friendly VPS without an external CDN in MVP. Each processor is bound by confidentiality and security obligations to handle your data only as we direct.
- For legal reasons: to comply with subpoenas, court orders, lawful government requests, or to enforce our Terms.
- In an emergency: to prevent imminent harm to a person.
- In a business transfer: if darkmes is acquired or merged, your information may transfer to the new owner under terms equivalent to this Policy.
We do not sell, rent or trade personal data with third parties for their own marketing.
5. International data transfers
The Service is hosted on a VPS located in Poland (Warsaw, operated by Datacamp Ltd) — an EU member state and part of the European Economic Area (EEA). For users accessing from the EU/EEA or UK, your data stays within the EEA on our servers and no international transfer mechanism is required for that processing leg.
Transfer safeguards we rely on:
- Poland (primary hosting) — intra-EEA processing, no additional safeguards required under GDPR Chapter V.
- If we ever relocate hosting outside the EEA (a possibility we keep open for resilience), we will rely on the European Commission Standard Contractual Clauses (SCCs) (Module 1 — controller-to-controller, or Module 2 — controller-to-processor, as applicable) and, where strictly necessary, the derogation in GDPR Art. 49(1)(b) ("transfer necessary for the performance of a contract with the data subject"), and we will update this section before any such move.
- OpenRouter (United States) — transfers are covered by the EU–US SCCs incorporated into their terms.
- Unisender Go (Russian Federation) — Russia is not the subject of a European Commission adequacy decision under GDPR Art. 45. We rely on GDPR Art. 49(1)(b) ("transfer necessary for the performance of a contract with the data subject" — namely, the transactional emails required to operate your account: email verification, password reset, account-security notifications, and DSAR delivery). The email payload is limited to: recipient address, subject, and the body of the transactional message (no chat content, no character data, no payment data). If you are a resident of the EU/EEA or UK and prefer that we do not transfer your email address to a Russian-Federation processor, please contact us at the address in Section 1 — we will, on request, switch your account to an EEA email relay or, if that is not yet available, suspend non-essential email sends to your address.
A copy of the SCCs and any supplementary measures we rely on is available on request at the privacy contact in Section 1.
6. Cookies and similar technologies
Full detail is in our Cookie Policy. Summary:
We classify cookies and similar technologies into three categories:
| Category | Examples | Consent required? |
|---|---|---|
| Essential | refresh_token (auth), cookie_consent (records your choice), nsfw_acknowledged (18+ gate), CSRF tokens | No — strictly necessary for the Service to work |
| Analytics | First-party, self-hosted page-view and feature-usage events stored in our own database | Yes — opt-in |
| Marketing | None today. Reserved for future first-party retargeting cookies. | Yes — opt-in; will only ever be set after explicit opt-in |
How to manage your choices:
- A cookie banner appears on first visit with three options: Accept all, Reject non-essential, or Manage preferences.
- A "Manage cookies" link is available in the footer and inside Settings → Privacy on every page — clicking it re-opens the consent manager.
- You can also withdraw consent at any time by clearing the cookie_consent cookie in your browser.
We do not use third-party advertising cookies, cross-site trackers, or behavioural-profiling pixels.
7. Data retention
We keep personal data only as long as necessary for the purpose it was collected. Retention summary:
| Data category | Retention period |
|---|---|
| Account data (email, username, password hash, profile) | Until account deletion + 30-day grace (soft-delete window during which deletion can be reversed by the user) → then permanent purge |
| Chat history and messages | Until you delete the chat, or until account deletion + 30-day grace |
| User-created characters | Until you delete, or until account deletion + 30-day grace |
| Lorebook entries, personas | Same as account data |
| Email send log (Unisender Go bounces, delivery, opens/clicks for opt-in messages) | 90 days |
| Audit logs (consent_log, login attempts, admin actions, security events) | 1 year |
| Backups (Postgres + media) | 30-day rolling — restored from a backup only in case of disaster |
| Moderation reports (user reports, moderation decisions) | 2 years — legal-compliance evidence |
| Analytics events | Raw events 90 days, then anonymised; aggregated metrics retained indefinitely (e.g. monthly active users — no individual identifier) |
| Age-confirmation record | Lifetime of account + 2 years after deletion (proof of compliance with adult-content laws) |
| Payment transaction records (once payments are activated) | 7 years (tax / anti-fraud) |
| Browser fingerprint hashes | While account is active + 90 days after deletion |
After the retention period, data is either permanently deleted from primary storage and the next backup rotation, or anonymised so that it can no longer be linked to you.
8. Your rights (GDPR Art. 15–22, CCPA equivalents)
Subject to applicable law, you have the following rights. Where you are in the EU/EEA or UK, these flow from GDPR Articles 15–22; where you are in California, they flow from CCPA/CPRA; equivalent rights apply in many other jurisdictions.
| Right | What it means | How to use it |
|---|---|---|
| Right of access (Art. 15) | Get a copy of the personal data we hold about you. | Click Export my data in Settings → Account. A JSON archive is generated and emailed to you within minutes. While the in-app export is being built (W2 milestone), email night@darkmes.com and we will export manually within 30 days. |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete data. | Update your profile in Settings, or email us for fields you cannot edit yourself. |
| Right to erasure / "right to be forgotten" (Art. 17) | Have your data deleted. | Click Delete my account in Settings → Account. Soft-delete begins immediately (your account is closed and you can no longer log in). The actual permanent deletion of your account record and associated data is executed by an automated job that runs daily at 04:30 UTC and removes every account whose soft-delete timestamp is more than 30 days old — so the longest your data may remain in primary storage after deletion is 30 days plus up to 24 hours. Within that window you can email us to cancel the deletion if you change your mind. After the cron has run, your account row is gone; your email-send log is anonymised (template + status preserved, recipient address removed); your credit-transaction ledger is anonymised (amount + balance preserved for tax/dispute records, link to your identity removed); your analytics events are anonymised (event type + payload preserved, link to your identity removed); and everything else (chats, characters, comments, ratings, sessions, OAuth links) is permanently deleted. Some data (legal/tax records, moderation logs) is retained per Section 7. Backups are not individually edited but are rotated out within 30 days, so your data is fully gone from all storage within 60 days of your deletion request at the outside. |
| Right to restrict processing (Art. 18) | Ask us to temporarily stop processing your data in disputed cases. | Email the privacy contact. We will lock your account from further use while we investigate. |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON) and have it transmitted to another controller where technically feasible. | Same JSON export as the right of access above. |
| Right to object (Art. 21) | Object to processing based on legitimate interest (e.g. analytics, fingerprinting). | Use the cookie manager to withdraw analytics consent, and email the privacy contact for other legitimate-interest processing. |
| Rights related to automated decision-making (Art. 22) | We do not carry out solely-automated decisions that produce legal or similarly significant effects. AI replies are content generation, not decisions about you. | No action needed. |
| Right to withdraw consent (Art. 7(3)) | Withdraw any consent you gave (analytics, marketing emails, optional notifications). | Use the cookie manager and Settings → Notifications. Withdrawal does not affect the lawfulness of past processing. |
| CCPA: Right to know / delete / opt-out of sale | Equivalent to access/erasure above. | Same channels. We do not sell personal information, so there is no "sale" to opt out of. |
| CCPA: Right to non-discrimination | We will not punish you for exercising your rights. | — |
How to exercise any right: email night@darkmes.com from the address associated with your account (we may ask additional verifying questions if the request is unusual).
Response time: within 30 days of a verified request, extendable by up to 2 further months for complex requests, in which case we will tell you within the first 30 days and explain why.
Cost: free of charge, unless requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse, per GDPR Art. 12(5)).
9. Children's data
The Service is strictly for users 18 and older. We do not knowingly collect personal data from anyone under 18.
- An age-gate modal is shown on first visit and must be confirmed before the Service can be used.
- Account creation requires a separate "I confirm I am 18 or older" checkbox.
- If we learn that we have collected data from someone under 18 we will delete it promptly and terminate the account, and report the incident to relevant authorities where required.
- This Policy aligns with GDPR Art. 8 (children's consent — not applicable because we do not offer the Service to children) and COPPA (US — same reason).
If you believe a child has provided us with personal data, please contact night@darkmes.com immediately.
10. Security measures
We implement technical and organisational measures appropriate to the risk:
- Encryption in transit: TLS 1.3 for all client–server traffic and all server–service-provider traffic.
- Encryption at rest: Postgres data files and Redis snapshots reside on full-disk-encrypted volumes on the VPS.
- Password hashing: argon2id with parameters tuned for ≥250 ms of CPU work.
- Strength check: zxcvbn is used at signup to reject weak passwords.
- Anti-abuse: rate-limiting at the edge, FingerprintJS Open Source for multi-account detection, Altcha CAPTCHA on sensitive endpoints.
- Account lifecycle: soft-delete with 30-day reversible window, then permanent purge across primary store (daily 04:30 UTC cron) and the next backup rotation. Within the 30-day window an account can be restored on request. After the cron runs, the user row is removed, financial-ledger and analytics-event rows are anonymised (identity link severed, audit values preserved), and the email-send log has recipient addresses scrubbed. See docs/tech/05_database.md "Right to be forgotten — purge cron schedule" for the implementation.
- Access control: production database access is restricted to the operator with SSH-key + IP allowlist; administrative actions are logged.
- Manual moderation: public avatars and characters are reviewed manually (no automated NSFW classifier sends your content to a third party).
- Backups: Postgres + uploaded media are backed up daily and retained for 30 days on the same VPS provider (off-site rotation deferred — see docs/product/18_risks.md).
- Dependency hygiene: automated dependency-version alerts; security-relevant updates applied within 7 days of disclosure.
No system is perfectly secure. If we discover a personal-data breach we will notify affected users without undue delay and, where the breach is likely to result in a risk to your rights and freedoms, notify the competent supervisory authority within 72 hours of becoming aware of it, in line with GDPR Art. 33–34.
11. Marketing and communications
- Transactional emails (verification, password reset, purchase receipt, account-deletion confirmation, security alerts) are essential and cannot be opted out of while you have an active account — they are sent on the basis of contract (Art. 6(1)(b)).
- Optional product emails (low-balance warning, monthly free-refill notification) are opt-in in Settings → Notifications and can be turned off at any time.
- Promotional / marketing emails: we do not currently send any. If we start, we will request a separate explicit opt-in and provide a one-click unsubscribe link in every message.
12. Right to lodge a complaint with a supervisory authority
If you are in the EU, EEA or UK, you have the right to lodge a complaint with your local data protection authority if you believe our processing infringes data protection law. We would appreciate the chance to address your concerns first — please contact night@darkmes.com — but you do not have to do so before filing a complaint.
The list of EU/EEA supervisory authorities is maintained by the European Data Protection Board: edpb.europa.eu/about-edpb/about-edpb/members_en.
For the UK, the relevant authority is the Information Commissioner's Office (ICO): ico.org.uk.
13. Changes to this Policy
We may update this Policy from time to time. When we do, we will:
- Update the Version and Last updated fields at the top of this page.
- For material changes (new processing activity, new categories of data, new transfer routes, new sub-processors that materially change risk), we will notify registered users by:
  - In-app banner on next login, and
  - Email to your verified address, provided you have opted in to marketing / product update emails (otherwise the banner alone serves as notice for non-marketing changes).
Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy. If you do not agree, you can delete your account at any time per Section 8.
Previous versions of this Policy are kept on file and can be requested by email.
14. Contact
For any question about this Privacy Policy, your data, or to exercise any of the rights in Section 8:
Email: night@darkmes.com
Please use the email associated with your account when contacting us about data requests, so we can verify your identity faster.