GDPR — data protection summary
Last updated: July 15, 2026
This page supplements our Privacy Policy for users in the European Economic Area, United Kingdom, and similar jurisdictions. It does not replace the full policy.
1. Data controller
nheek (operator of Enfee). Contact: [email protected].
2. What we process
| Category | Examples | Purpose | |----------|----------|---------| | Account | Email, hashed password, display name | Sign-in, account management | | Story saves | Genre, dialogue history, reply options, library status | Continue and manage your stories | | Technical | IP, session tokens, security logs | Operate and protect the Service | | Device (guest) | localStorage draft, age-preference cookie | Guest play and content mode |
Conversation text is sent to OpenAI as a processor to generate story responses.
3. Legal bases
- Contract — providing stories, accounts, and library features you request.
- Legitimate interests — security, abuse prevention, and keeping the Service reliable.
- Consent — where we ask for it (for example creating an account after guest play).
- Legal obligation — when we must retain or disclose data by law.
4. Cookies and storage
See the Privacy Policy for session cookies, the age-preference cookie, and local storage used for guest drafts. We do not use third-party advertising or analytics cookies today.
5. Processors
We use infrastructure hosting, a PostgreSQL database, and OpenAI for story generation under appropriate contractual safeguards where required.
6. Retention
Data is kept while your account is active. Trashed stories may be retained until permanent deletion. Backups and security logs may be kept for a limited period afterward.
7. Your rights
You may have the right to access, rectification, erasure, restriction, objection, data portability, and to withdraw consent where processing is consent-based.
How to exercise rights today:
- Delete individual stories via Trash → Delete permanently in your library.
- Email [email protected] for account deletion or export requests we cannot yet fulfill in-product.
We respond within the timeframes required by applicable law (typically one month).
8. Supervisory authority
You may lodge a complaint with your local data protection authority if you believe our processing violates applicable law.
9. International transfers
Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards (such as standard contractual clauses) where required.
10. Personal data breaches
If we become aware of a breach likely to affect your rights, we will notify you and relevant authorities as required by law, including within 72 hours where GDPR mandates regulator notice.
11. Changes
We will update this page when our processing or your rights pathways change. Check the Last updated date above.