novelia Privacy Policy
Privacy Policy for the AI story generation service "novelia" operated by Novelia ("we," "us," or "our")
Last Updated: May 1, 2026
1. Introduction & Legal Basis for Processing
We collect and process personal data in accordance with the Japanese Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and applicable local laws.
Our legal bases for processing personal data (GDPR Art. 6) include:
- Contract performance — processing necessary to provide the Service you have subscribed to
- Legitimate interests — fraud prevention, security, analytics, service improvement
- Legal obligation — compliance with applicable laws
- Consent — marketing communications, optional analytics/advertising cookies (you may withdraw consent at any time)
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person (GDPR Art. 4 / APPI Art. 2)
- User: any individual using the Service
- Cookie: small data file stored on your browser used for authentication, analytics, and advertising
- Sensitive / Special Category Data: information requiring explicit consent, such as race, religion, health, criminal records (GDPR Art. 9 / APPI Art. 2.3)
- Processing: any operation performed on personal data (collection, use, storage, disclosure, deletion, etc.)
3. Data Controller
EU Representative (Art. 27 GDPR): Currently being appointed. EU/EEA users may direct privacy inquiries to support@novelia.site; we will route to our EU representative once designated.
4. Data We Collect
4.1 Information You Provide
- Account: email, username, password (hashed), date of birth or age, profile photo (optional)
- Payment: billing info processed by Stripe — we do not store raw card data
- Support: inquiry content, name, email
- Service input: story prompts, character settings, generated novels/images/audio
4.2 Automatically Collected
- IP address, browser type/version, OS, device info
- Access logs, activity history, viewing history, dwell time
- Approximate location (country/region inferred from IP)
- Cookie / similar identifiers
4.3 From Third Parties
- SNS login (Google, LINE, etc.): user ID, display name, email, profile image (per service settings)
- Payment processors (Stripe, etc.): transaction outcomes, transaction IDs
5. Purposes & Legal Basis for Use
- Service provision and operation (Contract performance)
- Authentication, account management (Contract / Legitimate interests)
- Points and billing processing (Contract / Legal obligation)
- Customer support (Contract / Legitimate interests)
- Service improvement and new feature development (Legitimate interests)
- Fraud prevention and security (Legitimate interests / Legal obligation)
- Marketing communications and advertising (Consent / Legitimate interests)
- Statistical analysis (Legitimate interests)
- Legal compliance and dispute resolution (Legal obligation)
6. AI Training Data
- By default, we do not use your prompts, settings, or generated Content to train our AI models.
- We may aggregate anonymized statistics for service improvement.
- Third-party AI providers (Anthropic Claude, OpenAI GPT, ElevenLabs) handle data per their own policies. Please review each provider's privacy policy.
6.1 Opt-out
To opt out of all training-related uses, including data transmission to third-party AI providers, contact support@novelia.site. Some features may be limited in exchange for minimized data transmission.
7. Automated Decision-Making & Profiling
- The Service uses AI for the following automated processing:
- Genre and derivative-IP auto-classification
- Inappropriate content auto-detection
- Ranking and recommendation calculation
- We do not believe these constitute "solely automated decisions producing legal or similarly significant effects" under GDPR Art. 22, but EU/EEA users have the right to object to such processing or request human intervention.
- Send objections to support@novelia.site.
8. Disclosure to Third Parties
- We do not disclose your personal data to third parties without your consent, except as required by law (e.g., legal process, public safety, child welfare, cooperation with national authorities) or as outlined below.
- We do not sell personal data (CCPA "sale") or share for cross-context behavioral advertising (CCPA "sharing") without consent.
9. Data Processors
We engage the following processors to operate the Service. We ensure appropriate data protection through contracts (DPA / Standard Contractual Clauses where applicable):
- Cloud infrastructure: Amazon Web Services (AWS), Google Cloud — data storage and processing
- Payments: Stripe — billing and subscription management
- AI providers: Anthropic (Claude), OpenAI (GPT), ElevenLabs — AI generation
- Analytics & advertising: Google Analytics, Google AdSense, Datadog — usage analytics, advertising
- Email delivery: Amazon SES and other email services — notification emails
- Other: CDN, monitoring, and other infrastructure providers
10. Joint Use
We do not currently engage in joint use of personal data with affiliates or group companies. If we begin such joint use, we will provide advance notice in this Policy specifying the data items, scope of users, purposes, and management responsibility.
11. Third-Party Services
The Service transmits data to third-party services such as Google Analytics, Google AdSense, and Datadog. These services may collect usage information through cookies and similar technologies.
12. Cookies & Tracking
- We use cookies and similar technologies (local storage, etc.) for authentication, usability, service improvement, and advertising.
- Categories:
- Strictly necessary: authentication, session management (refusal disables some functionality)
- Analytics: Google Analytics and similar (used with consent)
- Advertising: Google AdSense and similar (used with consent)
- You may refuse cookies via your browser settings.
13. International Data Transfers
- The Service uses global cloud infrastructure (AWS, Google Cloud, etc.). Your personal data may be processed in countries outside your country of residence, including the United States and EU/EEA.
- Primary destinations: United States, EU/EEA, and other countries where our cloud providers operate.
- We ensure adequate protection through contractual safeguards (e.g., Standard Contractual Clauses for GDPR, where applicable).
14. Cross-Border Transfer Consent
By accepting this Policy, you consent to the international transfers described in Section 13. To withdraw consent, you must discontinue use of the Service and request account deletion. Note that our AI generation features rely on US/EU AI providers; withdrawal of consent will result in loss of access to such features.
15. Security Measures
We implement appropriate organizational, physical, technical, and human safeguards to protect personal data against loss, theft, unauthorized access, disclosure, alteration, and destruction:
15.1 Organizational
- Designated privacy officer and accountability framework
- Internal personal data handling policies and manuals
- Periodic audits and reviews
- Incident response and breach notification procedures
15.2 Physical
- Access control and locking for areas handling personal data
- Theft and loss prevention for devices, media, and documents
- Defined disposal procedures for devices and media
15.3 Technical
- Access permission management (least privilege principle)
- Encrypted communication (TLS/HTTPS)
- Encryption at rest for stored data
- Password hashing (bcrypt or equivalent)
- Intrusion detection and prevention systems
- Regular software updates and vulnerability management
15.4 Human
- Employee training on data protection
- Confidentiality agreements with personnel
- Revocation of access upon role change or termination
16. Data Breach Notification
- If we become aware of a data breach affecting your personal data, we will promptly investigate the facts, cause, and scope.
- For breaches subject to Japanese law: we will report to the Personal Information Protection Commission (initial within 3–5 days; final within 30 days).
- For breaches affecting EU/EEA users: we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify affected data subjects without undue delay if there is a high risk to their rights (GDPR Art. 34).
- For breaches affecting California residents: we will notify in accordance with California Civil Code Section 1798.82.
17. Data Retention
- Account info: retained for the duration of your account; deleted within 90 days after account closure
- Payment / transaction info: retained for legal periods (typically 7 years)
- Access logs: up to 13 months
- Support records: 3 years after inquiry resolution
- Generated content: retained for the duration of your account; deletable at user's option
- Where retention is required by law, we retain data for the required period.
18. Your Rights
GDPR Rights (EU/EEA residents)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right not to be subject to solely automated decision-making (Art. 22)
- Right to withdraw consent at any time
CCPA / CPRA Rights (California residents)
- Right to know what personal information is collected
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
APPI Rights (Japanese residents)
- Right to disclosure
- Right to correction, addition, or deletion
- Right to suspend use
- Right to suspend third-party disclosure
Response Times
- Japanese users: without undue delay (typically within 30 days)
- GDPR users: within 1 month (extendable to 3 months for complex requests, with notice)
- CCPA/CPRA users: within 45 days (extendable to 90 days)
How to Exercise Your Rights
Contact support@novelia.site with your request. We will verify your identity before responding.
19. Complaints & Supervisory Authorities
20. Children's Privacy (COPPA)
- The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13.
- Users aged 13–17 require parental or guardian consent. We may verify such consent.
- If we learn we have collected personal data from a child under 13, we will delete it promptly. Please contact support@novelia.site.
21. Sensitive / Special Category Data
- We do not collect special category data (race, religion, social status, medical history, criminal records, etc.) without your consent.
- If you input sensitive information into story prompts or character settings, this is treated as your voluntary disclosure. We do not recommend entering highly sensitive information.
- Biometric data (e.g., facial recognition) is not collected by the Service.
22. Anonymized & Pseudonymized Information
- For service improvement, statistical analysis, and AI model accuracy, we may create and use anonymized or pseudonymized information that cannot identify individuals.
- Anonymization is performed in accordance with applicable laws (e.g., APPI Enforcement Regulations Art. 19).
- For pseudonymized information, we will not combine it with other information to identify specific individuals.
23. Changes to This Policy
We may update this Policy due to legal changes or service updates. Material changes will be communicated via in-Service notice or email at least 14 days before taking effect. Your continued use after the effective date constitutes acceptance.
24. Contact Us
Novelia Privacy Contact
Email: support@novelia.site
For privacy-specific inquiries, please use subject line "[Privacy]".
Hours: Weekdays 10:00–18:00 JST (excluding holidays)