Privacy Policy

Last updated: June 16, 2026

Operator: Dramafy is operated by Zeto Global Inc. Contact: [email protected].

This Privacy Policy explains how Zeto Global Inc. ("Dramafy", "we", "us", or "our") collects, uses, shares, retains, and protects personal data when you use the Dramafy website, web and mobile applications, and related services (together, the "Service"), and describes your rights and choices.

This Policy is part of our Terms of Service and should be read with our Cookie Policy, AI Disclaimer, Community Guidelines, and Content Policy.

This Policy is written to meet, at a single global standard, the requirements of the EU/UK GDPR, the California Consumer Privacy Act as amended by the CPRA, Brazil's LGPD, Singapore's PDPA, and comparable laws in other jurisdictions where the Service is offered (see §11 for jurisdiction-specific notices). Where local law grants you stronger rights than described generally in this Policy, the local-law right applies.

1. Who is the data controller

Zeto Global Inc., incorporated in the United States, is the controller (or "business"/"controller" under equivalent local terminology) for personal data processed through the Service, unless stated otherwise for a specific feature. Our affiliate BLACKHOLEAR LTD acts as our establishment and point of contact for users in the United Kingdom. Personal data is hosted and processed primarily in Singapore (see §6).

Contact our privacy team:

• Email: [email protected]
• Web: /contact
• EU/UK representative or establishment (where required under GDPR Art. 27 / UK GDPR): [to be appointed/identified based on EU/UK user volume]

2. The data we collect

We collect personal data in three ways: (a) data you give us, (b) data collected automatically, and (c) data from third parties.

2.1 Data you give us

• Account data. Email address, username, password (stored hashed), profile information (display name, avatar, bio).
• Authentication data. If you sign in via a third-party provider (Google, Apple, etc.), the basic profile information you authorize (e.g., email, name).
• Age and consent data. The age you declare at sign-up (and any age changes), guardian consent for users 13–17, your acceptance of our legal policies, your content-preference and mature-content settings, and the date, IP address, and user agent at the moment of each consent or preference change.
• Chat and creation data. Messages you send to and receive from AI characters, characters and worlds you create, character configurations (names, backstories, prompts, tags, avatars, voices), scene and story data, generated images/audio/video, and any files you upload.
• Support and safety data. Information you provide to support, in feedback, or in reports about other users or content.
• Payment data. Our payment processor collects your payment method details directly. We receive only non-sensitive transaction metadata (last four digits, transaction ID, amount, plan, status, billing region for tax purposes).

2.2 Data collected automatically

• Device and usage data. Device/browser identifiers, operating system, language, IP address and IP-derived approximate location, access times, pages/features used, session duration, in-product interaction patterns (including how you interact with AI characters, e.g., message frequency and timing), referral URLs, crash and error logs.
• Cookies and similar technologies. As described in our Cookie Policy.
• Safety and integrity signals. Automated signals generated from your activity to detect abuse, fraud, coordinated manipulation, or policy violations (e.g., rate, pattern, keyword/classifier matches, flagged categories), including automated screening of messages for self-harm or crisis indicators as described in §3.4.

2.3 Data from third parties

• Identity providers, for sign-in.
• Payment processors and fraud-prevention services — transaction status, chargeback, fraud signals.
• Analytics, attribution, and advertising-measurement partners (subject to your cookie/consent preferences).
• Reports from other users.

We do not intentionally collect sensitive categories of data (e.g., race/ethnicity, religious or political beliefs, health data, sexual orientation, criminal history, precise geolocation, biometric identifiers) as a registration requirement. However, because Service conversations are free-form, you may voluntarily disclose such information in chats. By doing so, you direct us to process that data for the purposes in §3, subject to any additional protections required by applicable law (e.g., GDPR Art. 9, CPRA "Sensitive Personal Information"). We recommend you avoid sharing sensitive information you do not want processed as described in this Policy.

3. How we use your data

Purpose	Examples
Provide the Service	Create/maintain accounts, deliver chats, generate AI Output, run creator tools, process subscriptions, enforce content ratings and regional availability
Personalize	Recommend characters, remember preferences/language, content-preference-aware feeds
Safety and trust	Detect/prevent abuse, enforce policies, respond to reports, age-appropriate protections, crisis-response screening
Develop and improve our AI systems	Train, fine-tune, evaluate, and benchmark Dramafy's AI models (including models used for features other than the one you used), build new features, and create de-identified/aggregated datasets for ongoing model development
Operate and grow the business	Analytics, product research, debugging, capacity planning, and — where you consent — marketing
Legal compliance	Comply with law, respond to lawful requests, enforce agreements, protect rights/property/safety, meet record-keeping obligations

3.1 AI training and model improvement

Your conversations, character creations, and Output may be used by Dramafy and our AI service providers to (a) generate responses, and (b) develop, train, fine-tune, and evaluate Dramafy's AI models and related products, including models and features beyond the one you used. This is, by default, enabled for all accounts and is one of the core ways we improve the Service.

Your control. You can turn this off prospectively at any time via Settings → Privacy & Data → "Do not use my conversations to improve AI models." Turning it off:

• stops new conversations from being used for training going forward;
• does not retroactively remove your past conversations from models already trained, or from de-identified/aggregated datasets derived from them (see §7); and
• does not affect our processing of your data to deliver the Service, ensure safety, comply with law, or enforce agreements.

If you are located in the EU/EEA, UK, Switzerland, Brazil, or California, see §11 for region-specific information about the legal basis for this processing and how to exercise rights that function as an opt-out (e.g., GDPR Art. 21 right to object).

3.2 De-identified and aggregated data

We may create de-identified, pseudonymized, or aggregated data from your personal data (e.g., usage statistics, training datasets stripped of direct identifiers). Once data no longer identifies you and we have implemented technical and contractual controls against re-identification, we treat it as outside the scope of this Policy's individual-rights provisions and may use, retain, and share it without time limitation, including for research, product development, and commercial purposes such as benchmarking or licensing aggregate insights.

3.3 Automated decisions and profiling

We use automated systems to: rank/recommend content; detect abuse and policy violations; apply content-rating and regional-availability controls based on your declared age, content preferences, and detected region; and screen messages for safety signals (§3.4). These systems may flag a message, restrict a feature, hide content, or suspend an account. Significant enforcement actions (e.g., account termination) involve human review on appeal — see Community Guidelines.

3.4 Safety screening, including crisis-response

To meet legal and safety obligations (including emerging AI-companion laws that require crisis-intervention protocols), messages you send may be automatically screened for indicators of self-harm, suicide risk, or harm to others. If such indicators are detected, the Service may interrupt the normal character interaction to provide safety resources, and a record of the detection event (category and timestamp, not full message content) may be created and reviewed by trained safety staff. This processing relies on our legitimate interest in protecting life and safety (and, where applicable, vital-interests and legal-obligation bases) and applies regardless of your AI-training opt-out choice.

4. Legal bases for processing (EU/UK/EEA/Brazil and equivalent frameworks)

• Contract — processing necessary to provide the Service you request (accounts, chat delivery, subscriptions, content-rating enforcement).
• Legitimate interests — our default basis for product analytics, safety and integrity, fraud prevention, service security, and — subject to §3.1 and §11 — AI model development, where these interests are not overridden by your rights and a balancing assessment supports the processing. You can object to legitimate-interest processing at any time (§9); for AI training, the toggle in §3.1 implements this.
• Consent — required for: optional/advertising cookies, marketing communications, enabling mature content (which also requires an age representation), and — for users in jurisdictions where law requires it (see §11) — AI training on identifiable conversation data.
• Legal obligation — record-keeping, responding to lawful requests, and age/consent-record retention.
• Vital interests — emergency processing to protect life or physical safety (§3.4).

You can withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.

5. How we share your data

We do not sell personal data for money. Depending on your jurisdiction, certain data-sharing described below (e.g., with analytics/advertising partners, or for AI training with third-party model providers) may be considered a "sale" or "share" under laws like the CPRA — see §11.3 for your opt-out rights.

5.1 Service providers / sub-processors

Categories include: cloud hosting and storage; AI model providers (including third-party foundation-model providers used to generate or help train responses); payment processors; email/customer-support tools; analytics, attribution, and error monitoring; security and fraud prevention; age-assurance vendors (if and where deployed). All are bound by contracts requiring protection of your data consistent with this Policy. An up-to-date sub-processor list is available at /sub-processors or on request to [email protected].

5.2 Other users

Your public profile, published characters, public comments, and anything you post in shared/public spaces are visible to other users by design. Private 1:1 chats with AI characters are not shown to other users, except as needed for safety review, abuse investigation, or legal process.

5.3 Legal and safety disclosures

We may disclose data to law enforcement, regulators, or other parties where we believe in good faith it is necessary to: comply with law or valid legal process; enforce our Terms/policies; detect/prevent fraud, security, or technical issues; protect the rights, property, or safety of Dramafy, our users, or the public; or investigate child-safety or other serious-harm matters (including, where applicable, reporting child sexual abuse material to the U.S. National Center for Missing & Exploited Children (NCMEC) and to competent authorities in the regions we operate).

5.4 Business transfers

In a merger, acquisition, reorganization, financing, or asset sale, personal data may be transferred as part of that transaction, subject to confidentiality commitments and, where required, notice to you.

6. International data transfers

Singapore is our primary location for hosting and processing personal data. Because our controlling entity is in the United States and our sub-processors and AI providers operate in multiple countries, your data may also be processed in the United States, parts of the EU/EEA, and other jurisdictions.

• Transfers from the EEA/UK/Switzerland to Singapore or the United States, or to any other country without an adequacy decision, are made under Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum), together with a transfer impact assessment and additional technical and organizational safeguards as appropriate. Where personal data is processed in the United States by an entity that self-certifies to the EU-US / UK Data Privacy Framework, that mechanism may also apply.
• Transfers from Brazil rely on LGPD-compliant transfer mechanisms.
• Transfers from other jurisdictions rely on consent, contractual safeguards, or other mechanisms permitted by local law.

Contact [email protected] for details on the specific safeguards applicable to your data.

7. How long we keep data

We keep personal data only as long as necessary for the purposes in this Policy, plus any period required by law. You may request earlier deletion subject to the exceptions below.

Category	Default retention
Account data	While active, plus up to 24 months after deletion in backup/archive systems (purged on the next backup cycle thereafter)
Chat, creation, and Output data	While active, plus up to 24 months after account deletion, except data already incorporated into AI training, model evaluation sets, or de-identified/aggregated datasets, which may be retained indefinitely per §3.2
Age, consent, and content-preference records	Minimum 5 years after the relevant consent/declaration is superseded, to demonstrate compliance with age-verification and consent obligations
Safety/crisis-screening event logs	Up to 3 years, longer if related to an active investigation or legal hold
Payment and tax records	As required by applicable tax/accounting law (typically 5–10 years)
Support tickets	Up to 3 years
Cookies	As set out in the Cookie Policy

When a retention period ends, we delete the data or render it non-identifying (at which point §3.2 applies).

8. How we protect your data

We use technical and organizational measures including: encryption in transit (TLS) and at rest where supported by our infrastructure providers; role-based access controls, audit logging, and least-privilege access for staff; monitoring/alerting for anomalous access; vendor security review for sub-processors; and incident-response procedures, including breach notification to regulators and affected users as required by applicable law (e.g., GDPR 72-hour notification, LGPD notification to ANPD, Singapore PDPA notification to the PDPC, and applicable US state breach-notification laws).

9. Your rights (general / GDPR-aligned baseline)

Subject to the jurisdiction-specific notices in §11, you generally have the right to:

1. Be informed — this Policy is our primary notice.
2. Access — request a copy of personal data we hold about you.
3. Rectification — correct inaccurate or incomplete data.
4. Erasure — request deletion, subject to the retention exceptions in §7 and the license-survival terms in the Terms of Service §5.3.
5. Restriction — request we limit processing in certain circumstances.
6. Object — object to processing based on legitimate interests (including, per §3.1, AI-training use) or direct marketing.
7. Portability — receive a machine-readable copy of data you provided to us.
8. Withdraw consent at any time, without affecting prior lawful processing.
9. Lodge a complaint with us first ([email protected]) and, if unresolved, with your local data-protection authority (see §11 for examples).

Most of these can be exercised directly from Settings → Privacy & Data (export, delete account, manage AI-training and marketing preferences, manage cookie preferences). For anything else, email [email protected]. We will respond within the timeframe required by applicable law (generally 30 days, extendable as permitted) and may need to verify your identity first.

A parent or legal guardian may exercise these rights on behalf of a minor in their care, subject to verification.

10. Children and minors

The Service is intended for users aged 13 and above (or the higher minimum age required by local law — see §11.5 for examples). Users 13–17 may only use the Service with parental/guardian consent and cannot enable mature content. We do not knowingly collect personal data from children below the applicable minimum age; if we learn we have, we will delete the account and associated data, and you may report suspected violations to [email protected].

11. Jurisdiction-specific notices

11.1 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

• The legal bases in §4 apply. Where §3.1 (AI training on identifiable conversations) relies on legitimate interests, we have conducted (or will conduct) a documented Legitimate Interest Assessment; you may object at any time as described in §3.1, which we will honor as an erasure/restriction of future use.
• You have the right to lodge a complaint with your local supervisory authority (e.g., the Irish Data Protection Commission, the UK Information Commissioner's Office (ICO), or your member-state authority).
• International transfers are made under SCCs / the UK IDTA (and, for US processing, the Data Privacy Framework where applicable) as described in §6.

11.2 Brazil (LGPD)

• We act as "controlador" (controller). Legal bases mirror §4 (Art. 7 LGPD): execution of contract, legitimate interest, consent, and legal obligation.
• You may exercise your LGPD Art. 18 rights (confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, and revocation of consent) via [email protected] or in-product where available.
• You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

11.3 California, USA (CCPA/CPRA) and other US state privacy laws

• Categories collected/used/disclosed correspond to §2 and §3 (identifiers, account/profile information, internet/network activity, geolocation (approximate), audio/visual data you submit, inferences drawn from interactions, and — only if you voluntarily disclose it in chat — sensitive personal information).
• "Sale"/"Share." We do not sell personal information for monetary consideration. To the extent any analytics, advertising, or AI-training data flow with third parties is considered a "share" (e.g., for cross-context behavioral advertising) under the CPRA, you may opt out via Settings → Privacy & Data → "Do Not Sell or Share My Personal Information" or by submitting a Global Privacy Control (GPC) signal, which we will honor as an opt-out request.
• Right to Limit Use of Sensitive Personal Information, where applicable, is available via the same settings page.
• Rights to Know/Access, Delete, Correct, and Portability, and the right to non-discrimination for exercising these rights, are available via Settings → Privacy & Data or [email protected]. Some rights (e.g., deletion of training-relevant data) are subject to §3.1/§7's prospective-only effect.
• We will respond to verifiable consumer requests within 45 days (extendable by 45 days as permitted).
• Residents of other US states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Utah, and others as they take effect) have substantially similar rights; contact [email protected] to exercise them.

11.4 Singapore (PDPA) — our primary data-processing location

Because personal data is hosted and processed primarily in Singapore, the Personal Data Protection Act 2012 (PDPA), as amended, governs that processing, in addition to applying to Singapore-resident users as one of our priority markets.

• The PDPA's Legitimate Interests Exception and Business Improvement Exception permit certain uses of personal data — including improving and developing our products and services — subject to a reasonableness test. We rely on these exceptions, alongside the bases in §4, as part of the legal basis for Singapore-based data processing, including aspects of AI model development described in §3.1, for users not otherwise covered by GDPR/LGPD/CPRA-style requirements.
• We do not use NRIC, FIN, or other Singapore national identification numbers for account authentication or identity verification, consistent with PDPC guidance.
• You may exercise the rights in §9 (access, correction, withdrawal of consent where consent is the basis, and — where the Data Portability Obligation applies — portability) via [email protected] or Settings → Privacy & Data.
• You may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.

11.5 Other jurisdictions (Asia-Pacific priority markets and beyond)

Jurisdiction	Framework	Notable points
Indonesia	UU PDP (2022)	Access, correction, erasure, consent withdrawal, objection to profiling, portability; complaints to the relevant PDP authority. Mature-content availability is also subject to Indonesian content regulations reflected in our Content Policy.
Thailand	PDPA (2019)	Access, rectification, erasure, restriction, portability, objection, consent withdrawal; complaints to the PDPC (Thailand). Thai law independently restricts certain adult content — see Content Policy.
Vietnam	Decree 13/2023 (PDPD)	Access, rectification, deletion, restriction, objection, portability; complaints to the Ministry of Public Security. Local-storage/representative obligations may apply on request under Decree 53/2022.
Malaysia	PDPA (2010)	Access and correction; right to limit direct-marketing processing; complaints to the JPDP.
Philippines	Data Privacy Act (RA 10173)	Access, rectification, erasure/blocking, objection, portability; complaints to the National Privacy Commission.
Japan	APPI	Right to disclosure, correction, suspension of use, and deletion; complaints to the PPC. Cross-border transfer notices apply where required.
South Korea	PIPA	Right to access, correction, deletion, and suspension of processing; complaints to the PIPC. Explicit consent generally required for cross-border transfer and for "sensitive information."
Taiwan	Personal Data Protection Act (PDPA)	Right to inquire/review, request copies, supplement/correct, demand cessation of collection/processing/use, and deletion; complaints to the competent authority.
Hong Kong	Personal Data (Privacy) Ordinance (PDPO)	Right to access and correction; complaints to the Office of the Privacy Commissioner for Personal Data (PCPD).
India	DPDP Act (2023)	Access, correction, erasure, grievance redress, right to nominate; complaints to the Data Protection Board of India; verifiable parental consent for children.
Canada / Australia	PIPEDA / Privacy Act 1988	Access, correction, and withdrawal of consent; complaints to the OPC (Canada) / OAIC (Australia).

This table is illustrative and non-exhaustive; if your jurisdiction is not listed and grants rights not otherwise described in this Policy, contact [email protected] and we will honor applicable rights.

12. Cookies and tracking

See our Cookie Policy. On first visit, you can accept or decline optional (analytics/advertising) cookies; essential cookies are always active. You can change choices anytime via Settings → Privacy & Data → Cookie Preferences or the cookie banner.

13. Third-party links and services

The Service may link to third-party sites/apps not covered by this Policy. Review their privacy notices separately.

14. Changes to this Policy

We may update this Policy. For material changes, we will update the "Last updated" date and notify you (in-product banner, email, or similar) before changes take effect, and — where required by law — ask you to review/accept. Non-material changes take effect when posted.

15. Contact

• Privacy team: [email protected]
• General support: [email protected]
• Safety and abuse: [email protected]
• Legal and regulatory: [email protected]

---

By creating an account or continuing to use Dramafy, you acknowledge that you have read and understood this Privacy Policy.

Cookie Policy

Last updated: June 16, 2026

Operator: Dramafy is operated by Zeto Global Inc. Contact: [email protected].

This Cookie Policy explains how Dramafy ("we", "us", "our") uses cookies and similar technologies on our website and web app at dramafy.ai and related domains (together, the "Service"). It should be read together with our Privacy Policy and Terms of Service.

By using Dramafy you agree to our use of essential cookies, which are required for the Service to work. You can accept or decline optional cookies (such as analytics) using the cookie banner shown on your first visit, or at any time from Settings → Privacy & Data → Cookie Preferences.

1. What are cookies?

Cookies are small text files that a website places on your device to store information about your visit. Similar technologies include local storage, session storage, pixels, and software development kits (SDKs). In this policy we refer to all of these as "cookies" for simplicity.

Cookies can be:

• First-party (set by Dramafy directly) or third-party (set by a service provider we use).
• Session cookies (deleted when you close your browser) or persistent cookies (kept for a defined period).

2. Categories of cookies we use

Dramafy groups cookies into three categories. You can control the optional categories from the cookie banner or your settings.

2.1 Essential cookies (always on)

These cookies are strictly necessary for the Service to function. You cannot turn them off, and no consent is required under applicable law.

Examples of what we use them for:

• Authentication and session. Keeping you signed in across pages.
• Security. Protecting against cross-site request forgery, account takeover, and abuse.
• Load balancing and routing. Making sure requests reach the right server.
• Preferences. Remembering your language choice, theme, and cookie preferences themselves.
• Legal compliance. Remembering that you have accepted or declined a given policy version.

Without essential cookies, core functionality such as sign-in, chat, and subscriptions will not work.

2.2 Analytics cookies (optional, off by default)

These cookies help us understand how users interact with Dramafy so we can improve the product. They do not identify you personally to advertisers and are not used for cross-site tracking.

Examples of what we use them for:

• Counting how many users visit a page or feature.
• Measuring how long actions take and where users encounter errors.
• Understanding which characters, flows, or onboarding steps work well.

Analytics cookies are off by default. They are only set after you affirmatively accept them in the cookie banner or in Settings → Privacy & Data → Cookie Preferences. You can change your choice at any time.

2.3 Advertising cookies

Dramafy does not currently use advertising cookies. If we introduce them in the future, we will update this Cookie Policy and ask for your consent before setting any such cookie.

3. Third-party services

Some essential and analytics cookies are set by service providers we use. Third parties access only what they need to perform their service and are bound by contracts that protect your information.

Providers may include, among others:

• Hosting and content delivery providers (essential)
• Authentication and fraud prevention providers (essential)
• Payment processors, when you subscribe (essential; see our Subscription Terms)
• Product analytics providers (optional, only with your consent)

We maintain an up-to-date list of our sub-processors in our Privacy Policy.

4. Your choices

You have several ways to control cookies on Dramafy:

1. Cookie banner. On your first visit we show a banner with three options: Accept all, Essential only, and Manage preferences.
2. Cookie preferences in settings. You can change your choices anytime in Settings → Privacy & Data → Cookie Preferences.
3. Browser controls. Most browsers let you block or delete cookies. Doing so may break essential functionality such as sign-in.
4. Global Privacy Control. Where legally required, we respect Global Privacy Control ("GPC") signals as an opt-out of optional analytics and of any "sale"/"share" as defined under applicable US state law.

If you decline optional cookies, you will still be able to use the Service. Essential cookies will continue to be used as described above.

5. Retention

The period each cookie stays on your device depends on its purpose. Session cookies expire when you close your browser. Persistent cookies typically expire between 30 days and 24 months after they are set, depending on the category. Your cookie preference record itself is kept for up to 12 months so we do not have to ask you again on every visit.

6. Your rights

You have the right to access, correct, delete, object to, and export personal data we process through cookies, as explained in our Privacy Policy. You can exercise these rights from Settings → Privacy & Data or by emailing [email protected].

The specific rights available to you depend on your jurisdiction (for example, the EU/UK GDPR, California's CCPA/CPRA, Brazil's LGPD, Singapore's PDPA, and other applicable laws). See the jurisdiction-specific notices in our Privacy Policy for details.

7. Changes to this policy

We may update this Cookie Policy from time to time. When we make material changes — for example, adding a new category of cookies or a new analytics provider — we will notify you by updating the "Last updated" date and, where appropriate, asking you to review your cookie preferences again.

8. Contact

If you have questions about this Cookie Policy or our use of cookies, contact:

• Privacy team: [email protected]
• General support: [email protected]
• Contact page: /contact