We respect your
privacy.

We collect only what we need to operate the service:

• Account data. Your email address and a hashed password (or OAuth token) when you sign up via Supabase Auth. We do not store plain-text passwords.
• Profile data. Any display name or preferences you choose to set.
• Payment data. Billing is handled entirely by Stripe. We store only a Stripe customer ID and subscription status — not your card number, CVV, or full card details.
• Usage & AI logs. We log which AI features you use (e.g. date generation requests) and approximate token counts to track costs and prevent abuse. These logs are tied to your account ID, not shared externally, and are not used to build advertising profiles.
• Technical data. Standard server logs (IP address, browser type, pages visited, timestamps) retained for security and debugging.

We do not collect sensitive categories of personal data (health, financial account numbers, biometrics, government ID numbers).

We use your information only to:

• Create and secure your account.
• Deliver the features you request (date generation, kits, experiences).
• Process payments and manage your subscription tier.
• Send transactional emails (receipts, password resets, account notices). We do not send marketing emails without your explicit consent.
• Monitor AI usage costs so we can enforce per-tier credit limits and prevent financial abuse.
• Detect fraud, abuse, and security threats.
• Comply with legal obligations.

Crafted Nights uses OpenAI's API to generate date ideas, activity suggestions, and quest content. When you trigger an AI feature:

• Your inputs (preferences, prompts) are sent to OpenAI for processing. OpenAI's API usage policies apply; please review them at openai.com/policies.
• We do not intentionally send personally identifiable information (name, email) in AI prompts — only your stated preferences and activity choices.
• We log prompt metadata (token counts, feature type, cost estimates) internally for cost tracking. These logs are not sold or shared with third parties for advertising.
• AI-generated content is provided as suggestions, not professional advice. You decide what to do with it.

All payment processing is handled by Stripe, Inc., a PCI-DSS compliant payment processor. When you provide payment information, it goes directly to Stripe — we never see or store your full card details. We receive and store only a Stripe customer ID, subscription status, and invoice history. For details on how Stripe handles your data, see stripe.com/privacy.

We do not sell, rent, or trade your personal data to third parties for advertising or any other commercial purpose.

We share data only with the sub-processors necessary to run the service:

• Supabase — database hosting, authentication, and storage.
• Stripe — payment processing and subscription management.
• OpenAI — AI content generation.
• Ably — real-time messaging for interactive features.
• Vercel — hosting and delivery of the web application.
• Resend / Twilio — transactional email and optional SMS delivery.
• Sentry — error monitoring and crash reporting.

We may disclose information if required by law, court order, or to protect the safety of users or the public. In the event of a business transfer (merger, acquisition, or asset sale), your data may transfer to the successor entity, and you will be notified.

You have the following rights with respect to your personal data:

• Access. Request a copy of the personal data we hold about you.
• Correction. Ask us to correct inaccurate or incomplete data.
• Deletion. Request that we delete your account and associated personal data. We will honour deletion requests within 30 days, subject to any legal retention obligations.
• Portability. Request an export of your data in a common machine-readable format.
• Withdraw consent. Where we rely on your consent to process data, you may withdraw it at any time.

To exercise any of these rights, email us at brian.matthews@brainengine.ai with the subject line "Data Request." We respond within 30 days.

We use cookies and similar browser storage mechanisms for:

• Session authentication. Supabase sets a secure, HTTP-only session cookie to keep you logged in.
• Preferences. Storing your theme or UI choices locally.
• Analytics. Vercel Analytics collects anonymous, aggregate page-view data (no cross-site tracking, no fingerprinting).

We do not use third-party advertising cookies or cross-site tracking pixels. You can disable cookies in your browser settings, but doing so will log you out and disable authenticated features.

Crafted Nights is intended for users 18 years of age or older. Some experiences involve adult themes. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please contact us immediately at brian.matthews@brainengine.ai and we will delete the account promptly.

We take reasonable technical and organisational measures to protect your data, including HTTPS encryption in transit, row-level security policies in our database, and access controls limiting who can view production data. No system is perfectly secure, and we cannot guarantee absolute security.

We retain your account data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations and resolve disputes. AI usage logs are retained for up to 12 months. Server logs are retained for up to 90 days.

We may update this Privacy Policy as the product evolves. When we make material changes, we will update the “Last updated” date at the top of this page and, where required, notify you by email. Your continued use of Crafted Nights after changes are posted constitutes acceptance of the updated policy.

Questions, requests, or concerns about this Privacy Policy can be sent to brian.matthews@brainengine.ai. We aim to respond to all privacy inquiries within 30 days.