Privacy Policy

Controller: Endless Circuit Technologies OÜ Registered address: Pärnu mnt 139b, Kesklinna, Tallinn, 11317, Harju County, Estonia Registry code: 17343218 Legal form: Private Limited Company (OÜ) Email for privacy inquiries: privacy@ollala.ai General enquiries: info@ollala.ai Support: support@ollala.ai Data Subject Access Requests (DSAR): data@ollala.ai Data Protection Officer: dpo@ollala.ai

We collect account details, usage data, and content you submit. If you provide sensitive information (e.g., sexual preferences), we process it only with your explicit consent. Data are used to operate, secure, and improve our Services; process payments; provide support; prevent fraud; comply with legal obligations; and communicate service updates. We share data only with trusted service providers (e.g., payments, hosting, security, AI model providers). We do not sell your personal data. You have rights under applicable laws (EEA/UK, U.S. states, Canada, etc.), including access, deletion, correction, restriction, portability, objection, and the right to withdraw consent at any time. The Services are intended only for adults (18+). We do not knowingly process data from children. When you delete your account, we delete your personal data within 24 hours, except where longer retention is required by law (e.g., billing records retained up to 7 years). Analytics cookies load only after you consent via the cookie settings tool; you can manage them any time through the on-site cookie settings tool or via your browser/device controls.

This policy applies to all data processing activities related to ollala.ai and associated services. "Personal Data" means any information relating to an identified or identifiable natural person. "Special Categories" or "Sensitive Data" refers to information such as sexual preferences or health details that receive heightened protection under data-protection law.

5.1 Data You Provide Directly Account and profile: email address, username/display name, optional avatar, communication preferences. Content and interactions: story prompts, generated outputs, comments, ratings, feedback, and other content you submit. Billing and transactions: limited payment information (e.g., last 4 digits of card, card brand, transaction IDs), invoices, and refund records processed through our payment provider. 5.2 Data Collected Automatically Log and device data: IP address, device type, operating system, browser, language, approximate geographic location including country, region, and city (derived from IP address), timestamps, referring/exit URLs, error logs, and diagnostic data. Login history: When you sign in, we record your IP address, geographic location (country, city), device type, browser, operating system, and authentication method (e.g., email, Google, Apple). This data helps us detect unauthorized access and protect your account. Usage data: feature usage, session metadata, performance metrics, reliability metrics, crash reports, and session recordings (via Mtrix) for product improvement. Chat emotional profiling: When you use character chat, we analyse your messages using AI to compute an emotional profile for each conversation, including mood indicators (positivity, energy, arousal), relationship metrics (trust, intimacy, attachment, stage), and active emotional feelings. This profile personalises character responses and determines access to certain media features (e.g., voice messages, images). Conversation memories (facts inferred from your messages) are stored to maintain continuity across sessions. Rate limiting: We temporarily store identifiers (user ID or IP address for unauthenticated requests) to enforce rate limits and prevent abuse. These records are automatically purged after the rate‑limiting window expires (typically within minutes). Age verification: When you complete age verification, we record your IP address, device information, and country code to maintain a compliance audit trail. 5.3 Cookies and Local Storage We use first‑party cookies and local storage for session management, security, preferences, and analytics. Analytics cookies load only after you give consent. You can disable analytics at any time using the on-site cookie settings tool or block cookies through your browser or device settings (which may affect functionality). Refer to our Cookie Policy for details. 5.4 Optional Marketing Data If you opt in to receive marketing communications, we collect your preferences for email or in‑product messages. 5.5 Haptic Device Integration If you connect a haptic device (e.g., via Intiface), all communication occurs locally on your device. No device data, connection status, or usage patterns are transmitted to our servers or any third party.

Processing sensitive data: We process sensitive personal data (e.g., sexual preferences, emotional arousal data generated through the character chat feature) only with your explicit consent and solely to provide requested features such as personalized story generation. You can withdraw consent at any time via your settings or by contacting data@ollala.ai. Withdrawal does not affect processing already performed. Age restriction: The Services are intended exclusively for adults (18+). We do not knowingly collect personal data from anyone under 18. If you believe that a minor has provided personal data, please contact us immediately; we will promptly delete the data and close the account.

We do not use your private stories, prompts, or outputs to train our foundation models. If we integrate third‑party AI providers, we contractually instruct them not to train on your private content. Only de‑identified, aggregated data may be used for statistical learning if the provider's terms require it, and we apply strict safeguards. Content you intentionally make public (e.g., published stories visible to other users) may be used to improve our Services (e.g., quality and discovery). Private content (unpublished stories, chat messages, prompts) is never used for model training.

We process personal data to: Provide and operate the Services (e.g., account creation, authentication, content generation, moderation, customer support). Process payments, manage subscriptions, handle chargebacks/refunds, and prevent fraud. Monitor login activity to detect unauthorized account access, suspicious behavior, and protect account security. Maintain the safety and integrity of the platform, enforce our Terms of Service, and detect or respond to abuse. Communicate service‑related messages, security alerts, billing notices, and policy updates. Develop, improve, and test features through de‑identified analytics and A/B testing. Comply with legal and regulatory requirements (e.g., tax obligations, lawful requests). Protect vital interests in emergency situations.

We process personal data under one or more of the following bases: Consent: For optional marketing and for processing sensitive data. Contract: To provide the Services you request and administer subscriptions. Legitimate interests: To secure, maintain, and improve the Services; understand aggregated usage patterns; prevent fraud; and send essential communications, provided these interests do not override your rights and freedoms. Legal obligation: To meet record‑keeping, tax, and regulatory requirements, and to respond to lawful requests. Vital interests: To protect the life and safety of users in emergencies.

We use essential cookies for core functionality and security. Analytics cookies run only after you consent through the cookie settings tool or accept them via the banner. You can withdraw consent at any time through the cookie settings tool or your browser/device controls. Disabling essential cookies may affect the platform's functionality.

If you sign up or log in using a third‑party provider (e.g., Google), we receive limited personal data such as your name, email address, and profile picture to create and authenticate your account. We do not control or assume responsibility for how the provider processes your personal data outside our Services. Review their privacy policy for more details.

We use automated tools (including machine‑learning classifiers and rule‑based filters) to moderate content, detect abuse, and enforce our Terms of Service. Automated moderation may result in content removal, feature restrictions, or account suspension. When automated moderation takes action, we endeavour to notify you and provide an opportunity to appeal (see our Terms of Service, Section 8). Human review is available as part of the appeals process. We do not use solely automated processing to make decisions that produce legal effects (such as terminating your account) without the possibility of human intervention.

Account data: Retained while your account is active and deleted within 24 hours of your account deletion request, subject to legal holds. Content: Private content is deleted with your account. You can delete specific content at any time. Deleted chat messages are marked for removal and permanently purged from active systems within 30 days; residual copies may persist in encrypted backups until the next backup rotation. Public content you intentionally publish may remain visible until you remove it; residual copies may persist where necessary for legal reasons or backups. Billing and compliance records: Retained for up to 7 years (or longer if required by law). Login history: Retained for up to 180 days for security monitoring and account protection. Logs and security telemetry: Typically retained up to 180 days for security and incident investigations. We delete or irreversibly anonymize data when retention periods expire.

We are based in the EU. When personal data are transferred outside your jurisdiction (e.g., to processors in the United States), we use safeguards such as Standard Contractual Clauses and, where applicable, the UK Addendum. We conduct transfer risk assessments and implement supplementary measures as needed to protect your data.

We do not sell personal data. We share personal data only with: Payments: Payment processors (e.g., Finby) to handle subscriptions, billing, and refunds. Hosting and infrastructure: Service providers (e.g., Supabase, cloud hosting) for storage, backups, and content delivery; security providers (e.g., Cloudflare). Diagnostics and reliability: Providers (e.g., Mtrix) for session recording, error monitoring, performance analysis, and incident resolution. Communications: Services for sending transactional emails. Email validation: We check email domains (not your full email address) against a disposable‑email detection service during registration to prevent fraud and abuse. AI model providers: Third‑party providers (e.g., xAI, Google Gemini, Runware, Replicate, ElevenLabs, Murf.AI) to generate text, image, and voice content based on your inputs. They do not train on your private content unless permitted by you and the provider processes only aggregated or de‑identified data. Professional advisors: Auditors, accountants, and legal counsel under confidentiality obligations. Business transfers: In connection with mergers, acquisitions, or financing; your data will remain protected. Legal and safety disclosures: Authorities or law enforcement as required to comply with laws, protect rights, or respond to emergencies. We require our processors to follow our instructions and implement appropriate safeguards. For a current list of sub‑processors, contact privacy@ollala.ai.

We implement technical and organizational measures to protect your data, including: Encryption: TLS 1.3 for data in transit and AES‑256 for data at rest, where applicable. Access controls: Role‑based access control, multi‑factor authentication for privileged accounts, and regular access reviews. Secret management: Secure vault storage and periodic key rotation. Secure development: Code reviews, dependency scanning, static/dynamic analysis, and supply‑chain hygiene. Testing and monitoring: Continuous vulnerability scanning, logging, and security assessments. Business continuity: Backups, disaster recovery, and incident‑response procedures. Compliance alignment: Controls aligned with frameworks such as SOC 2 and ISO 27001 (even where certification is not yet held). No system is completely secure. You should use strong, unique passwords and keep them confidential.

Depending on your jurisdiction, you may have rights to: Access your personal data and obtain a copy. Request correction of inaccurate data. Request deletion of your data. Restrict or object to processing. Obtain data portability. Not be subject to automated decisions that produce legal or similarly significant effects. Withdraw consent where consent is the basis of processing. Lodge a complaint with a supervisory authority. To exercise any of these rights, email data@ollala.ai or use available in‑product tools. We aim to respond within 30 days or within the timeframe required by law.

Residents of certain U.S. states (e.g., California, Virginia, Colorado, Connecticut, Utah) may have additional rights, including the right to opt out of targeted advertising and data sales or sharing. To exercise these rights, contact data@ollala.ai or use the in‑product tools described in Section 18.

Requests: Submit via data@ollala.ai or our in‑product request tools. Verification: We may need to verify your identity (e.g., via email confirmation or transaction metadata). Appeals: If we deny your request in a state with an appeal right, you may appeal by replying to our response. If unresolved, contact your state's attorney general. Authorized agents (California): You may designate an agent to act on your behalf. We may require proof of authorization and your verification. Marketing opt‑out: Unsubscribe using the link in marketing emails or adjust preferences in your account settings.

There is no industry consensus on Do‑Not‑Track (DNT) signals; therefore, we do not respond to DNT at this time. Where legally required, we process Global Privacy Control signals as a valid opt‑out of certain data processing (e.g., targeted advertising).

If Endless Circuit Technologies OÜ is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We may also share data with our affiliates under common control, provided they follow this policy. We will ensure the confidentiality of personal data and provide notice before personal data become subject to a materially different privacy policy.

We may disclose personal data to comply with applicable laws, respond to lawful requests, protect rights, privacy, safety, or property, enforce our terms, or investigate suspected violations and security incidents. Where permitted by law, we will notify affected users before making such disclosures.

We may update this policy from time to time to reflect changes in law or our practices. Material changes will be communicated through prominent notices in the Services or via email. The date at the top of the policy indicates when it was last updated.

For questions or concerns about this policy or our privacy practices: Privacy inquiries: privacy@ollala.ai Data subject requests: data@ollala.ai General inquiries: info@ollala.ai Support: support@ollala.ai Postal address: Endless Circuit Technologies OÜ Registry code: 17343218 Pärnu mnt 139b, Kesklinna Tallinn, 11317, Harju County Estonia We take your privacy seriously and are committed to handling your personal data transparently and responsibly. If you have any questions, please contact us using the details above.