Privacy Policy
Table of contents
- 1. Data Controller
- 2. Scope
- 3. Data We Collect
- 4. Purposes and Legal Bases
- 5. AI Processing and the EU AI Act
- 6. AI Model Training
- 7. Data Retention
- 8. International Data Transfers
- 9. Sub-Processors and Third-Party Recipients
- 10. Cookies and Tracking Technologies
- 11. Children's Privacy
- 12. Your Rights Under the GDPR
- 13. Security
- 14. Changes to This Policy
- 15. Contact and Complaints
Maeum Story
Last updated: May 16, 2026
Effective date: May 16, 2026
This Privacy Policy explains how Francesco Rugiati, operating under the brand name Maeum Story ("we," "us," "our"), collects, uses, shares, and protects personal data when you use Maeum Story (the "Service"). It has been prepared in compliance with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, the Italian Privacy Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018), the EU AI Act (Regulation (EU) 2024/1689), and the ePrivacy Directive (2002/58/EC).
Please read this policy carefully. If you do not agree, you should not use the Service.
1. Data Controller
The Data Controller responsible for your personal data is:
Francesco Rugiati, operating as Maeum Story
Physical address: available upon written request
Email: legal@maeum-story.com
For all privacy-related requests, inquiries, or complaints, please contact us at the address above.
Data Protection Officer (DPO): The Data Controller has assessed that mandatory DPO designation under Article 37 GDPR is not currently required, as the processing does not fall within the categories specified in Art. 37(1)(b) and (c) and does not constitute large-scale systematic monitoring of data subjects. All data protection queries should be directed to legal@maeum-story.com.
2. Scope
This Policy applies to:
- Visitors to our website at https://maeum-story.com.
- Users who register for the beta waitlist.
- Users who access the Service using an invite code.
- Users who interact with the AI-powered gameplay.
It does not apply to third-party websites or services linked from our platform.
3. Data We Collect
We collect personal data only where it is necessary for the purposes described below, applying the principle of data minimisation under Article 5(1)(c) GDPR.
3.1 Data You Provide Directly
| Category | Examples | When Collected |
|---|---|---|
| Contact / identity data | Email address | Waitlist registration, account creation |
| Authentication data | Invite code (hashed), session token | Login and verification |
| User Content | Free-text inputs, gameplay choices, feedback text (bug reports, suggestions, comments) | During gameplay and feedback submission |
3.2 Data Generated Automatically
| Category | Examples | When Collected |
|---|---|---|
| Session data | Session ID, game state snapshots, turn history | During active gameplay |
| AI interaction data | Player choices, narrative context, NPC relationship states, memory atoms extracted from gameplay | Continuously during gameplay |
| Technical / device data | IP address, browser type and version, operating system, HTTP request metadata | On every request |
| Approximate geolocation | Country and city level inferred from IP address (no GPS, no device location services) | At session start and at each request |
| Traffic attribution parameters | UTM tags (utm_source, utm_medium, utm_campaign, utm_term, utm_content), HTTP Referer header, landing page path | When you arrive at the Service via an external link |
| Parsed user agent | Device class (mobile, tablet, desktop), browser name and version, operating system name and version | At session start, derived from the User-Agent HTTP header |
| Error and performance data | Stack traces, error logs, performance metrics | When errors occur |
Additional notes on the three categories introduced in May 2026 (analytics, attribution and parsed user agent):
- Approximate geolocation (country and city level). We derive an approximate location from an IP-based lookup using the MaxMind GeoLite2 database. The database is queried locally on our infrastructure; no individual record is shared with MaxMind. We do not collect GPS coordinates, device location services data, or any location more precise than city-level IP geolocation.
- URL parameters and referrer headers. When you reach the Service via a marketing link, we read the standard UTM parameters together with the HTTP Referer header and the landing page path. These values are used to measure traffic sources and the performance of communication activities. They are stored in our analytics records, not as cookies.
- Parsed user agent. From the User-Agent HTTP header sent automatically by your browser, we extract device class (mobile, tablet, desktop), browser name and version, and operating system name and version. We use these values to monitor service quality, debug rendering issues and produce aggregate technical statistics.
The three categories above are processed for analytics purposes only if you grant the corresponding consent on our banner (see Section 10). For security purposes (rate limiting, fraud prevention), approximate geolocation may also be processed on the legal basis of legitimate interest, as described in Section 4.
3.3 Data We Do NOT Collect
We do not collect:
- Special category data (health, race, religion, political opinions, biometric data) under GDPR Article 9.
- Financial or payment data (no payments are currently processed).
- GPS coordinates, device location services data, or any location more precise than city-level IP geolocation.
- Social media profile data.
- Real names, surnames, or any identity document data beyond email address.
4. Purposes and Legal Bases
We process your personal data only where we have a valid legal basis under Article 6 GDPR.
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Providing and operating the Service (account management, session continuity, gameplay) | Email, session data, AI interaction data | Art. 6(1)(b): Performance of contract / pre-contractual steps |
| Sending access codes and service communications | | Art. 6(1)(b): Performance of contract |
| Sending beta waitlist notifications and product updates | | Art. 6(1)(a): Consent (you may withdraw at any time) |
| Improving the AI system and narrative quality | Anonymised or pseudonymised gameplay data | Art. 6(1)(f): Legitimate interests (improving service quality) |
| Security monitoring, fraud prevention, and abuse detection | Technical data, IP address, session data | Art. 6(1)(f): Legitimate interests (protecting the Service and users) |
| Error monitoring and debugging | Error logs, technical data | Art. 6(1)(f): Legitimate interests (maintaining Service reliability) |
| Processing user feedback | Feedback text, email | Art. 6(1)(b): Performance of contract; Art. 6(1)(a): Consent |
| Analytics tracking (traffic measurement, page views, parsed user agent, approximate geolocation for analytics) | UTM parameters, Referer header, parsed user agent, approximate geolocation (country and city) | Art. 6(1)(a): Explicit consent via banner |
| Security IP geolocation (rate limiting, fraud prevention, abuse detection) | IP address, approximate geolocation (country level) | Art. 6(1)(f): Legitimate interest |
| Transferring pseudonymised gameplay context to AI reasoning processors based in countries without an EU adequacy decision (currently the People's Republic of China, DeepSeek) | Pseudonymised prompt context, session ID, fictional character state, narrative turn | Art. 6(1)(a) in combination with Art. 49(1)(a): Explicit consent (derogation for specific situations), given in the context of a free closed beta. See Section 8.2 for the full information notice and the opt-out procedure. |
| Compliance with legal obligations | All relevant data | Art. 6(1)(c): Legal obligation |
Legitimate Interests Assessment
Where we rely on legitimate interests (Art. 6(1)(f)), we have assessed that: (i) the interest is genuine and specific; (ii) the processing is necessary and there is no less intrusive means to achieve the same purpose; and (iii) the processing does not override your fundamental rights and freedoms, given the reasonable expectations of users of an interactive AI service and the safeguards we apply (pseudonymisation, limited retention, encryption). You may object to any processing based on legitimate interests at any time by contacting us at legal@maeum-story.com.
Use of Anonymised Data for System Improvement
We may use anonymised and aggregated gameplay data to improve our internal AI system prompts and pipeline quality (for example, evaluating narrative consistency, choice diversity, and NPC behaviour). This data cannot be attributed to any individual user. This use does not constitute personal data processing and is therefore not subject to GDPR restrictions.
5. AI Processing and the EU AI Act
Maeum Story uses AI systems to generate narrative content in real time. In compliance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689):
- Transparency: All narrative content, character responses, and story events are generated by AI. You are interacting with fictional AI characters, not humans.
- No automated decisions with legal or similarly significant effects: The AI system makes narrative and creative decisions only. It does not make automated decisions that produce legal effects concerning you (for example, credit, employment, access to services).
- Human review: Abuse reports and content flagged by automated systems are reviewed by a human before any enforcement action.
Data processed by AI models: Your gameplay inputs (choices, free-text actions) are passed to multiple third-party AI model providers as part of prompt construction. This constitutes processing of personal data by sub-processors under data processing agreements. We do not name individual providers in this Policy, as our provider stack may evolve over time; however, the current list of named sub-processors is available upon written request at legal@maeum-story.com. See Section 9 for the general categories of processing and applicable safeguards.
In compliance with EDPB guidance on AI models, we conduct Data Protection Impact Assessments (DPIAs) for high-risk AI processing operations and apply technical safeguards (including pseudonymisation of prompts) to minimise re-identification risk. We maintain records of processing activities (ROPA) as required by Article 30 GDPR.
6. AI Model Training
Your personal gameplay data is not used to train third-party AI models without your explicit, separately obtained consent. We contractually require our AI model providers to process your data solely for the purpose of generating responses to your requests, and not for the purpose of training or improving their foundational models. We continuously monitor providers' terms of service to ensure this commitment is upheld. If any provider's policy changes in a way that affects this commitment, we will notify you and update this Policy.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and in compliance with applicable law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Email address (waitlist) | Until you unsubscribe or withdraw consent, plus 30 days for deletion | Consent-based, revocable |
| Email address (active account) | Duration of account plus 90 days after deletion request | Contract performance |
| Game session data and states | Duration of account plus 90 days | Service continuity, debugging |
| AI memory atoms (extracted from gameplay) | Duration of account plus 90 days | Gameplay feature |
| Error logs | 90 days rolling | Security and debugging |
| Anonymised analytics data | Up to 24 months | Legitimate interests (service improvement) |
| Feedback submissions | 24 months | Legitimate interests (product improvement) |
| Consent records (consent_records table for the cookie and analytics banner) | 5 years after the last update of the record | Legal obligation, in line with Italian Garante practice on consent audit trails |
| Legal compliance records | As required by applicable law (typically 5 to 10 years) | Legal obligation |
When the retention period expires, we securely delete or irreversibly anonymise the data.
8. International Data Transfers
8.1 General Framework
Maeum Story uses third-party AI providers whose infrastructure is located outside the European Economic Area (EEA), including in the United States and the People's Republic of China. For transfers to countries that benefit from an EU adequacy decision (such as the United Kingdom, Switzerland, the Republic of Korea or Japan, where the relevant Commission decision applies), or to providers in the United States certified under the EU-U.S. Data Privacy Framework, we rely on the corresponding adequacy decision. For all other transfers outside the EEA, we apply Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated into Data Processing Addenda with each sub-processor, and supplemented where appropriate by additional technical safeguards (strict prompt pseudonymisation, data minimisation, encryption in transit).
By using the Service, you acknowledge that your data may be transferred to countries outside the EEA under these safeguards. You may request a copy of the applicable SCCs by contacting us at legal@maeum-story.com.
8.2 Transfers to Countries Without an Adequacy Decision: Explicit Consent (Article 49(1)(a) GDPR)
The People's Republic of China does not benefit from an EU adequacy decision. The Service routes a limited portion of your gameplay context to a Chinese AI provider (currently DeepSeek) for the sole purpose of running internal narrative reasoning agents (relationship updates, thread lifecycle, world state, social ecosystem modelling, narrative thread tracking).
In line with the conservative reading of Chapter V GDPR adopted by the European Data Protection Board (Guidelines 02/2018 on Article 49 derogations) and by the Italian Garante per la protezione dei dati personali (cautionary advisories issued during 2025 regarding AI providers based in the People's Republic of China), Maeum Story does not rely on Standard Contractual Clauses alone for these transfers. Instead, the transfer is performed on the basis of Article 49(1)(a) GDPR, which permits the transfer of personal data to a third country in the absence of an adequacy decision and of appropriate safeguards where the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer.
This Section 8.2 constitutes the information notice required by Article 49(1)(a) GDPR. The corresponding consent is collected at two separate moments:
- At account activation, when you accept these Terms and confirm a dedicated check box stating that you have read this Section 8.2 and explicitly consent to the transfer.
- At first gameplay interaction, through an in-product consent prompt that reiterates the essential information in this Section and asks you to confirm or refuse.
Specific risks you are informed of, in line with EDPB Guidelines 02/2018:
- The Chinese authorities may, under Articles 35 and following of the Personal Information Protection Law (PIPL) and Article 35 of the Data Security Law (DSL), require disclosure of personal data held by a Chinese processor for purposes of national security, public security or criminal investigation, without the same procedural safeguards available in the EEA.
- Effective administrative or judicial redress against a Chinese processor may be limited, and a Chinese supervisory authority does not benefit from the cooperation framework established by Articles 50 and 60 to 76 GDPR.
- Onward transfers within the People's Republic of China may occur in accordance with Chinese law, although our contractual safeguards with the processor prohibit onward transfers outside the scope of the agreed processing.
- The use of the Article 49(1)(a) derogation reflects, by its nature, that the level of protection afforded by the third country is not equivalent to that guaranteed within the EEA.
Mitigating factors specific to the Maeum Story Service (relevant to the assessment of whether you give your consent freely and on an informed basis):
| Mitigating factor | How it applies to your data |
|---|---|
| Free closed beta, no commercial relationship | The Service is currently provided in free closed beta, with no payments processed, no subscription, no commercial obligation binding you to the Service. The Service is offered for testing and evaluation purposes only and you are not financially harmed by the transfer. |
| Strict data minimisation | Prompts sent to DeepSeek contain only pseudonymised gameplay context: session identifier, fictional character state, narrative turn and choice data. They do not contain your email address, account credentials, IP address, payment data, real name, surname or any direct identifier under your control. |
| Purpose limitation | DeepSeek is used only for narrative reasoning agents. It does not receive onboarding data, billing data, account management data, authentication data, support tickets, feedback, or telemetry. |
| No model training | Our Data Processing Addendum with DeepSeek prohibits the use of your prompts for training or fine-tuning DeepSeek's foundational models. |
| Limited retention by the processor | The processor is contractually required to retain prompt data only for the duration of the request necessary to generate a response. |
| No special categories | Special category data (Article 9 GDPR) is never transferred. |
| Right to withdraw with no penalty | You may withdraw your consent at any time without losing access to the Service (see procedure below). |
How to withdraw your consent. You may withdraw your explicit consent at any time, with effect from the moment we receive your request, by sending an email to legal@maeum-story.com with the subject line "Withdraw DeepSeek consent" and indicating the email address associated with your account. We will, within five (5) business days, configure your account so that no further prompts are routed to AI providers in the People's Republic of China. The withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal (Article 7(3) GDPR).
Consequences of withdrawal. If you withdraw consent, your gameplay turns will be processed using alternative AI providers based in the EEA, in the United States under the EU-U.S. Data Privacy Framework, or in other adequacy-decision countries (currently Google Gemini Flash as the technical fallback). This may produce minor variations in the quality or style of narrative reasoning, but the Service will remain fully functional and your access will not be restricted, suspended, throttled, downgraded or otherwise penalised.
Right to refuse before activating your account. If you do not wish to consent to transfers to the People's Republic of China at all, you may either (a) contact us before account activation at legal@maeum-story.com to request that your account be provisioned in "EEA-only mode" from the outset, or (b) decline to activate the invite code and remain on the waitlist with no obligation. In either case, no part of your gameplay data will ever be transmitted to a Chinese processor.
Effect of using the Service. By accepting the dedicated check box in the account-activation flow, by confirming the in-product consent prompt at first gameplay interaction, and by continuing to use the Service thereafter, you confirm that you have read this Section 8.2, that you understand the specific risks set out above, and that you provide your explicit, specific, freely given and informed consent under Article 49(1)(a) GDPR to the transfer of your pseudonymised gameplay context to DeepSeek for the limited purposes described.
Re-assessment. We continuously monitor regulatory developments concerning transfers to the People's Republic of China. Should an adequacy decision be adopted, should the Garante or the EDPB issue binding guidance that alters the lawful basis for these transfers, or should we determine that the residual risk has materially changed, we will update this Section 8.2 and, where required, seek your renewed consent.
9. Sub-Processors and Third-Party Recipients
We share your personal data with the following categories of recipients, all of whom are bound by appropriate data protection agreements:
9.1 AI Model Providers (Data Processors)
Your gameplay inputs are processed by AI models to generate narrative content. We engage multiple third-party AI model providers operating under GDPR-compliant Data Processing Addenda. These providers are located in jurisdictions including the United States, the People's Republic of China, and, where applicable, the EEA. All international transfers outside the EEA are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by additional technical and contractual safeguards where required (see Section 8).
The categories of processing performed by AI sub-processors are:
| Category of Processing | Purpose | Data Transferred | Typical Jurisdiction | Transfer Mechanism |
|---|---|---|---|---|
| Narrative text generation | Real-time generation of story content and character responses | Pseudonymised gameplay context, prompt data | USA, EEA | SCCs and provider DPA |
| Reasoning and relationship analysis | Internal logic for NPC behaviour, relationship state, and thread tracking | Pseudonymised prompt context | USA, People's Republic of China | USA: SCCs and/or EU-U.S. Data Privacy Framework. People's Republic of China: Article 49(1)(a) GDPR explicit consent, see Section 8.2 for full information notice and opt-out. |
| Text-to-speech (TTS) synthesis | Conversion of narrative text into spoken audio | Pseudonymised narrative text | USA | SCCs and provider DPA |
| Fast inference (intent reading, lightweight generation) | Low-latency interpretation of player intent and assistive generation tasks | Pseudonymised prompt context | USA | SCCs and provider DPA |
Minimisation note: We do not pass your email address, real name, or directly identifying information to AI model providers. Prompts contain only pseudonymised session identifiers and gameplay context.
We may update the list of specific providers without prior notice, provided that the categories of processing, jurisdictions of transfer, and applicable safeguards remain consistent with those described in this Policy. Users may request the current list of named sub-processors at any time by contacting legal@maeum-story.com. Where a material change involves a new category of processing or a new jurisdiction not previously disclosed, we will update this Policy and notify users in accordance with Section 14.
9.2 Email and Communication Services
| Provider | Purpose | Data Transferred | Location | Transfer Mechanism |
|---|---|---|---|---|
| Resend (Resend Inc.) | Transactional email (access codes, account notifications) | Email address | USA | SCCs and Resend DPA |
| Mailchimp (The Rocket Science Group LLC) | Beta waitlist communications, only where you have provided prior consent | Email address, subscription status | USA | SCCs and Mailchimp DPA |
Marketing communications are sent only with your explicit prior consent, in compliance with the ePrivacy Directive (2002/58/EC) and Italian D.Lgs. 196/2003 as amended. You may withdraw consent and unsubscribe at any time via the unsubscribe link in any email or by contacting us at legal@maeum-story.com.
9.3 Error Monitoring and Infrastructure
| Provider | Purpose | Data Transferred | Location | Transfer Mechanism |
|---|---|---|---|---|
| Sentry (Functional Software Inc.) | Error tracking and performance monitoring | Error logs, IP address (anonymised where possible), device/browser metadata | USA | SCCs and Sentry DPA |
9.4 Other Disclosures
We may also share personal data:
- With law enforcement or regulatory authorities: Where required by law, court order, or to protect the rights, safety, or property of the Data Controller, users, or the public.
- In a corporate transaction: In the event of a transfer of the Service to a third party (including company formation), your data may be transferred to the successor entity, subject to the same or equivalent privacy protections. We will notify you of any such change at least 14 days in advance.
- With your consent: For any other purpose, only with your explicit, informed consent.
We do not sell your personal data to third parties.
10. Cookies and Tracking Technologies
The Service uses cookies, similar technologies and first-party analytics tracking. Full details are available in our Cookie Policy. A consent banner is displayed on first visit and lets you choose, for each of the three levels below, whether to accept or refuse non-essential processing. You can review and modify your preferences at any time via Settings, Privacy.
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Session management, security tokens, language preference (maeum_lang) | No (required for Service to function) |
| Functional | UI preferences (theme, text size) stored in localStorage | No (no personal data transferred to third parties) |
| Analytics | Aggregate usage statistics, page views, parsed user agent, country and city level geolocation, traffic attribution | Yes, opt-in consent required via the banner |
In addition to the categories above, the Service performs first-party UTM tracking via URL parameters when you arrive from a marketing link. UTM tags and the HTTP Referer header are read from the request URL and stored in our analytics records: they are not cookies and they do not write any identifier to your device. UTM data is processed for analytics purposes only if you accept the Analytics level on the banner.
We do not use third-party advertising cookies, retargeting cookies, or third-party profiling technologies.
11. Children's Privacy
Users Under 16
We do not knowingly collect personal data from children under 16 years of age without parental or guardian consent, in accordance with Article 8 GDPR and Article 2-quinquies of the Italian Privacy Code. If we become aware that a user under 16 has registered without appropriate consent, we will delete their account and associated data as promptly as possible.
Reporting
If you believe a minor under 16 has created an account without appropriate consent, please notify us immediately at legal@maeum-story.com.
Romantic Content and Age Appropriateness
Maeum Story is designed for users aged 18 and over due to the romantic and emotionally mature nature of its content. Users between 16 and 17 may access the Service subject to verified parental consent. We apply content safeguards to ensure that the AI does not generate content involving minors in romantic or sexual contexts, regardless of user age.
12. Your Rights Under the GDPR
As a data subject in the European Union (or where equivalent rights apply), you have the following rights. To exercise any of these rights, contact us at legal@maeum-story.com. We will respond within 30 days of receiving your request (extendable by a further 60 days for complex requests, with prior notice).
| Right | Description |
|---|---|
| Right of access (Art. 15) | You may request a copy of the personal data we hold about you and information about how it is processed. |
| Right to rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data. |
| Right to erasure / "right to be forgotten" (Art. 17) | You may request deletion of your personal data where it is no longer necessary, or where you withdraw consent (and there is no other legal basis). |
| Right to restriction of processing (Art. 18) | You may request that we restrict processing of your data in certain circumstances (for example, while accuracy is contested). |
| Right to data portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format. |
| Right to object (Art. 21) | You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. |
| Right to withdraw consent (Art. 7(3)) | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. |
| Right not to be subject to solely automated decisions (Art. 22) | You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI system does not make such decisions. |
| Right to lodge a complaint (Art. 77) | You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Italy: Garante per la protezione dei dati personali, www.garanteprivacy.it. |
We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, providing written justification.
Identity verification: To protect your data, we may ask you to verify your identity before fulfilling a data subject request. We will not retain verification documents beyond what is strictly necessary for this purpose.
13. Security
We implement technical and organisational measures appropriate to the risk to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption in transit: HTTPS/TLS for all communications between your browser and our servers.
- Database security: SQLite with WAL mode, access-controlled server environment.
- Pseudonymisation: AI model prompts use session IDs rather than directly identifying information.
- Access controls: Access to personal data is restricted to authorised personnel only.
- Error monitoring: Sentry is configured to anonymise IP addresses where possible.
- Retention limits: Automatic deletion of data after retention periods expire.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33), and affected individuals without undue delay where required (GDPR Art. 34).
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. If we make material changes, we will notify you by email (to the address associated with your account) or by a prominent notice within the Service at least 14 days before the changes take effect.
We encourage you to review this Policy periodically. The "Last updated" date at the top indicates when the most recent revision was made. Archived versions of this Policy are available upon request at legal@maeum-story.com.
15. Contact and Complaints
For any privacy-related questions, data subject requests, or complaints, please contact:
Francesco Rugiati (Maeum Story)
Email: legal@maeum-story.com
Physical address: available upon request
If you are not satisfied with our response, you have the right to lodge a complaint with the Italian Data Protection Authority:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma, Italia
Web: www.garanteprivacy.it
Tel: +39 06 69677 1
You may also contact the supervisory authority of your country of residence within the EU.
This Privacy Policy was drafted with reference to: GDPR (Regulation (EU) 2016/679); D.Lgs. 196/2003 as amended by D.Lgs. 101/2018; EU AI Act (Regulation (EU) 2024/1689); ePrivacy Directive (2002/58/EC); EDPB Guidelines and Opinions; and guidance from the Italian Garante per la protezione dei dati personali.