1. Introduction
Twistloom ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our interactive psychological thriller storytelling platform.
2. Information We Collect
2.1 Personal Information
When you create an account, we collect:
- Name and username
- Email address
- Authentication credentials (stored securely as hashed passwords)
- Profile information (optional)
2.2 Usage Data
We automatically collect information about your use of the Service:
- Reading progress and bookmarks
- Stories you create and interact with
- Choices made in branching narratives
- Session information and preferences
- Device and browser information
- IP address and location data
2.3 Guest Users
For guest users who haven't created an account, we use browser cookies to identify your session and associate your story progress. This data is migrated to your account when you sign up.
3. How We Use Your Information
We use your information to:
- Provide and improve the Service
- Personalize your reading experience
- Save your reading progress and story choices
- Generate AI-powered stories based on your preferences
- Authenticate users and prevent fraud
- Communicate with you about the Service
- Analyze usage patterns to improve our platform
- Ensure the security and integrity of the Service
4. Data Storage and Security
4.1 Cookie-Based Authentication
We use NextAuth v5 (Auth.js) for authentication with a JWT session strategy. Our implementation uses httpOnly cookies for enhanced security:
- NextAuth v5: Version 5.0.0-beta.31 for authentication and session management
- JWT Session Strategy: Stateless and scalable session management using JSON Web Tokens
- Google OAuth: Social login integration via Google OAuth provider
- httpOnly Cookies: Cannot be accessed by JavaScript (XSS protection)
- Secure Cookies: Transmitted only over HTTPS in production
- SameSite: none: Required for cross-origin architecture (frontend/backend on different domains)
- Cookie Names: next-auth.session-token (development) / __Secure-next-auth.session-token (production)
- We do not store authentication data in localStorage or sessionStorage
4.2 Password Security
Your password is never stored in plain text. We use industry-standard hashing algorithms (bcrypt or argon2) to securely store password hashes.
4.3 Data Encryption
All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. Sensitive data in our database is encrypted at rest.
5. AI-Generated Content
When you use our AI story generation features:
- Your prompts and story choices are sent to AI providers for content generation
- We use multiple AI providers with fallback mechanisms for reliability
- AI providers may process your inputs according to their own privacy policies
- Generated stories are stored in our database for your access
- We do not share your personal data with AI providers beyond what is necessary for generation
6. Third-Party Services
We use third-party services to operate our platform:
- Authentication: NextAuth v5 (Auth.js) with Google OAuth provider for social login
- Internationalization: next-intl 4.11.0 for multi-language support (English, Indonesian)
- Analytics: Vercel Analytics 2.0.1 for performance and usage analytics
- Database: Neon PostgreSQL for data storage
- Hosting: Vercel for application hosting
- AI Providers: GitHub Models, Google Gemini, Mistral AI, Cohere, Groq, Cerebras, and NVIDIA for story generation
These services may collect data according to their own privacy policies. We encourage you to review their policies.
7. Data Retention
We retain your data for as long as necessary to provide the Service and for legitimate business purposes:
- Account data: Retained while your account is active
- Story content: Retained indefinitely unless you delete it
- Usage analytics: Retained for up to 2 years
- Guest data: Deleted after 30 days of inactivity
You can request deletion of your data at any time by contacting us or using account deletion features.
8. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate or incomplete data
- Request deletion of your personal data
- Object to processing of your personal data
- Request data portability
- Withdraw consent at any time
To exercise these rights, please contact us through our support channels.
9. Children's Privacy
The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.
11. Language and Localization
Twistloom supports multiple languages through next-intl:
- Supported Languages: English (en), Indonesian (id)
- Language Preference: Stored in cookies for both client and server-side access
- Accept-Language Header: Used for API requests to communicate language preference
- Server-Side Rendering: Content is rendered in your preferred language on the server
Your language preference is stored in a cookie and is used to personalize your experience across sessions.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
13. Contact Information
If you have any questions about this Privacy Policy or our data practices, please contact us at flias.test@gmail.com or through our support channels.