Privacy Policy

Effective 3 May 2026.

This Privacy Policy describes how 25°N Media ("we," "us," or "our") collects, uses, and shares information when you use UrStory.ai (the "Service"), including the version of the Service hosted at characters.25media.com. By using the Service, you agree to the practices described here.

Who we are

25°N Media is an independent media company based in Florida, USA. For the purposes of the EU and UK General Data Protection Regulation, we are the controller of the personal information processed through the Service. You can reach us at privacy@25media.com.

Eligibility

The Service is intended for adults aged 18 and older. Some content available on paid tiers depicts mature themes intended for adult audiences. By creating an account or using the Service, you affirm that you are at least 18 years old.

Information we collect

Information you provide

Account information. When you sign in using a magic link, we collect your email address and the timestamps of your sign-in events.
Conversations. Messages you send to characters in the Service, and the AI-generated responses returned to you. Conversations are primarily stored on your device using your browser's local storage. We may store a copy of recent conversation context on our servers temporarily for the purpose of generating the next response, and we may retain limited transcripts as part of routine logging for safety and abuse-prevention purposes.
Personas. Optional personas you create in the Service (a name, a short bio, a photo) are stored on your device using your browser's local storage. If you choose to enable cross-device synchronization in a future version of the Service, we will store these on our servers tied to your account.
Memory. Facts that the Service extracts about you from conversations to personalize future replies (for example, "user is a software engineer who likes hiking"). These are stored on your device using your browser's local storage.
Payment information. When you subscribe to UrStory+ or UrStory Pro, we do not collect or store your credit card or bank account details. Stripe, our payment processor, collects payment information directly from you, processes the transaction, and shares with us only the information we need to fulfill your subscription (your subscription status, the tier you selected, the renewal date, and an opaque customer identifier).
Communications with us. If you contact us directly, we collect the contents of that message and any information you choose to share.

Information collected automatically

When you use the Service, we and our infrastructure providers automatically receive certain technical information such as your approximate location (country / region), your IP address, the type of device and browser you use, the pages you view, and the timestamps of your activity. This information is used to operate the Service, analyze aggregate usage, prevent abuse, and meet legal obligations.

How we use information

We use the information we collect to:

Operate the Service, including authenticating you, generating AI responses, and processing your subscription.
Personalize your experience by passing the context you have shared (your persona, your memory, your conversation history) to the AI providers that generate replies.
Send you operational emails (sign-in links, subscription receipts, important account notices). We do not send marketing emails without your consent.
Detect, prevent, and address abuse, fraud, security incidents, and violations of our Terms of Use.
Comply with our legal obligations, respond to lawful requests from authorities, and enforce our Terms of Use.
Understand how visitors use the Service in aggregate so we can improve it.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

Legal bases (EU / UK visitors)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under Articles 6(1)(a), (b), and (f) of the GDPR / UK GDPR:

Performance of a contract — to operate the Service for you, deliver the subscription you have purchased, and respond to your support requests.
Consent — where you have provided it (for example, by checking the 18+ confirmation at sign-up, or by enabling optional features).
Legitimate interests — for service operation, abuse prevention, security monitoring, and to improve the Service. We have weighed these interests against your rights and freedoms and believe they are appropriate; you can object to this processing at any time.
Legal obligation — when we must process information to comply with applicable law or a regulatory request.

Who we share information with

We share information only with the following categories of recipients, each acting as our processor under written agreement or under contractual terms equivalent to a Data Processing Agreement:

AI model providers (for generating replies, voice, and images)

Anthropic (Claude family) — chat, memory extraction, image-impulse classification.
OpenAI (GPT family) — chat.
xAI (Grok family) — chat, image generation fallback.
Google (Gemini family) — chat.
Mistral, Z.ai, Qwen, Groq, Venice (Dolphin) — chat (when you select these models).
ElevenLabs — voice synthesis when you tap "Listen" on a message.
fal.ai — primary provider for image generation (FLUX with PuLID identity preservation).

We send each AI provider only the conversation context, character information, and references needed to generate the requested output. None of these providers receive your account email or payment information.

Infrastructure

Vercel, Inc. — hosts the Service, provides serverless compute, and handles request routing.
Upstash, Inc. (Vercel KV) — stores user account records, subscription state, rate-limiting counters, and webhook idempotency keys.
Resend — delivers magic-link sign-in emails and account notifications.
Stripe — processes subscription payments and manages billing.

Legal and safety

We may disclose information if required by law, subpoena, or valid legal process; if necessary to investigate or address suspected violations of our Terms of Use; or to protect the rights, property, or safety of 25°N Media, our users, or the public.

Business transfers

If 25°N Media is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify subscribers of any material change in this policy resulting from such a transaction.

International transfers

Our service providers are based in the United States, the European Union, and other jurisdictions where they operate. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries, which may have different data protection laws than your country. Where required, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards offered by our processors.

How long we keep information

Account information — kept for the lifetime of your account, plus a reasonable window after deletion to comply with legal, accounting, or reporting requirements (typically up to 24 months).
Conversations — primarily stored on your device. We may retain limited server-side transcripts for safety and abuse-prevention purposes for up to 90 days.
Subscription records — kept for as long as required by financial recordkeeping laws (typically 7 years).
Aggregate analytics — retained according to our infrastructure providers' standard retention windows.

We delete or anonymize information when it is no longer needed for the purposes described above.

Your rights

Depending on where you live, you may have the following rights with respect to your personal information. To exercise any of them, email privacy@25media.com from the address on file. We will respond within the time frame required by applicable law.

All users. You can sign out at any time, manage your subscription through the billing portal, and request account deletion by contacting us.
EU / UK / Swiss residents (GDPR & UK GDPR). You have the right to access, rectify, erase, restrict processing of, and port your personal information; the right to object to processing based on legitimate interests; the right to withdraw consent; and the right to lodge a complaint with your local supervisory authority (for example, the Irish Data Protection Commission or the UK Information Commissioner's Office).
California residents (CCPA & CPRA). You have the right to know what personal information we collect and how we use it, the right to request deletion or correction, the right to opt out of any "sale" or "sharing" of personal information (we do neither), the right to limit our use of sensitive personal information, and the right not to be discriminated against for exercising any of these rights. We honor Global Privacy Control (GPC) signals as opt-out preference signals where applicable.
Other US states. Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others) have rights similar to those above.

Important note about local-storage data. Because conversations, personas, and memory are primarily stored on your device, a deletion request from us cannot remove data that exists only in your browser's local storage. To remove that data, sign out and clear your browser's site data for UrStory.ai.

Children

The Service is intended for adults aged 18 and older and is not directed to children. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at privacy@25media.com and we will delete it.

AI-generated content

The Service uses artificial intelligence models to generate text, voice, and images in response to your input. These outputs are not produced by, reviewed by, or representative of any real person. Conversations with characters are fictional. The Service is not a substitute for medical, legal, mental health, or other professional advice.

Cookies and similar technologies

The Service uses your browser's local storage to remember your sign-in token, your conversations, your personas, your memory facts, and your interface preferences. We do not use cookies for advertising or cross-site tracking. You can clear local storage at any time through your browser's settings; doing so will sign you out and clear your locally-stored conversation history.

If we add product analytics in the future, we will use a privacy-respecting provider and update this policy accordingly.

Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, or loss. Authentication uses time-limited magic links; account sessions are protected with cryptographically signed tokens. Payment data is handled directly by Stripe; we do not store credit card details. No method of transmission over the internet is completely secure; we cannot guarantee absolute security.

Changes to this policy

We may update this Privacy Policy from time to time. The "effective" date at the top reflects the most recent substantive revision. If we make material changes, we will notify users through the Service or by email. Continued use of the Service after the effective date of a revised policy means you accept the revised policy.

Contact

Questions about this policy, or to exercise any of the rights described above, can be sent to privacy@25media.com. Please write "Privacy Request" in the subject line so we can route it appropriately.