Privacy Policy

How SereChat collects, uses, shares, and protects your personal data.

1 Introduction

Welcome to SereChat, a product of Luvarly. We respect your privacy and are committed to protecting your personal data in compliance with applicable laws, including the General Data Protection Regulation (GDPR) in the European Union/EEA, the California Consumer Privacy Act (CCPA), and other applicable data protection legislation. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use our service.

By using SereChat, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our service.

2 Data We Collect

When you register and use SereChat, we may collect the following categories of information:

  • Account Information: Username, email address, display name, and a securely hashed password (or OAuth identity data if you sign in via Google).
  • Profile Preferences: Theme preference and notification settings.
  • Chat & Interaction Data: Chat messages, conversation history, AI-generated responses, Anima memory contexts, and any Anima presets or personas you create.
  • Uploaded Files: Images, documents, and other files you attach to chat sessions.
  • Generated Content: Images, SVGs, music, and video generated through our media generation features, along with the prompts used to create them.
  • Technical & Usage Data: IP addresses (for security and rate limiting), browser type, device information, timestamps, and general usage patterns.
  • Payment Information: When you subscribe to a paid plan or purchase sparks, payment processing is handled entirely by Stripe. We do not store your credit card details; we only retain your Stripe customer ID and subscription metadata.
  • Authentication Data: OAuth tokens and profile data (name, email, profile picture URL) if you sign in using Google.

3 Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases under Article 6 of the GDPR:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the SereChat service you have requested, including account management, AI chat interactions, memory features, and media generation.
  • Legitimate Interests (Art. 6(1)(f)): Security measures such as IP logging, rate limiting, fraud prevention, and service improvement. We have assessed that these interests do not override your fundamental rights.
  • Consent (Art. 6(1)(a)): Optional features such as referral tracking, which you explicitly enable. You may withdraw consent at any time via your account settings.

4 How We Use Your Data

Your data is used strictly to provide and improve the SereChat service:

  • To manage your account, authenticate your identity, and provide access to the service.
  • To process your chat interactions by transmitting messages to third-party AI model providers (see Section 6 below).
  • To maintain character memory and conversation context for a seamless, personalized experience.
  • To generate images, SVGs, music, and video through third-party generation services on your request.
  • To process payments and manage subscriptions through our payment processor.
  • To send transactional emails (e.g., email verification, password reset) via our email service provider.
  • To enforce our Terms of Service, prevent abuse, and secure our platform.

5 Cookies

SereChat uses only strictly functional cookies. We do not use tracking, analytics, or advertising cookies.

  • access_token / refresh_token: Authentication session cookies. Essential for keeping you logged in. These are HTTP-only, secure cookies.
  • sere_theme: Stores your dark/light theme preference. Persists for 2 years.
  • referred_by: Stores the referral code when you arrive via a referral link. Expires after 30 days.
  • cookie_consent: Records that you have acknowledged this cookie notice. Persists for 1 year.

6 Third-Party Services & Sub-Processors

We do not sell your personal data. However, to provide our service, your data is shared with the following categories of third-party processors. Each sub-processor is contractually bound to process data only as instructed by us and to implement appropriate security measures.

AI Model Providers (Chat & Text Generation)

When you send a chat message, your conversation content (including messages, system context, character data, and any attached files) is transmitted to third-party AI model providers for processing. We route requests through an AI gateway service, which in turn may forward your data to the specific model provider you have selected. These upstream providers include companies such as OpenAI, Anthropic, Google, and others.

Important: Some AI model providers may use data submitted via their APIs to improve or train their models, unless you or we have opted out. While many major providers (e.g., OpenAI, Anthropic) currently state that API data is not used for training by default, policies vary by provider and may change over time. We recommend that you do not share sensitive personal information (such as real names, addresses, financial details, or health information) in your chat conversations. SereChat displays the model name in the interface so you can see which provider is processing your data.

Media Generation Providers

When you use image, SVG, music, or video generation features, your prompts and any reference images or files you upload are transmitted to third-party generation services to produce the requested output. Generated outputs are downloaded and stored on our infrastructure.

Infrastructure & Storage

Our application is hosted on Cloudflare's global edge network. Your data (database records, uploaded files, generated media, and vector embeddings for memory features) is stored using Cloudflare's infrastructure services (Workers, D1, R2, Vectorize, and Workers AI for text embeddings). Cloudflare acts as a data processor and does not use customer data to train AI models.

Payment Processing

Subscription billing and credit purchases are handled by Stripe. When you make a purchase, you interact directly with Stripe's payment form. We never receive or store your full credit card number. Stripe is PCI-DSS Level 1 certified.

Email Services

Transactional emails (verification codes, password resets) are sent through a third-party email delivery service. Only your email address, display name, and the relevant code are shared.

Authentication

If you choose to sign in with Google, we receive your name, email address, and profile picture URL through Google's OAuth 2.0 protocol. Google does not receive any of your SereChat usage data.

External Resources

Our application loads fonts from Google Fonts and stylesheets from a CDN (jsDelivr). These services may receive your IP address and standard HTTP request headers when your browser fetches these resources. No personal content data is shared with them.

7 AI Provider Processing

SereChat does not support customer-supplied API keys or tokens. When you use chat or generation features, your data is processed through SereChat-managed provider accounts and infrastructure. The relevant third-party provider still receives the data needed to complete your request, and its privacy terms may apply to that processing.

8 Data Security & Storage

We implement robust security measures to protect your information from unauthorized access, alteration, or destruction, including:

  • Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plaintext.
  • Authentication tokens are stored as HTTP-only, secure, SameSite cookies.
  • All data in transit is encrypted via TLS/HTTPS.
  • Data at rest is stored on enterprise-grade, globally distributed cloud infrastructure with built-in encryption.
  • Rate limiting and IP-based abuse prevention protect against brute-force and DDoS attacks.

9 Data Retention

We retain your personal data for as long as your account is active and as needed to provide the service. Specifically:

  • Account data, chat history, Anima data, and memories are retained until you delete your account.
  • Uploaded files and generated media are retained until you delete them or delete your account.
  • Rate-limiting records (IP-based, without personal identifiers) are temporary and expire automatically.
  • Payment records may be retained as required by applicable tax and accounting laws.

Upon account deletion, all associated personal data (sessions, Anima data, memories, uploaded files, generated media, usage logs, and authentication tokens) is permanently and irreversibly erased from our systems.

10 International Data Transfers

Your data is processed on Cloudflare's global edge network, which operates data centers worldwide, including in the United States and other countries outside the EU/EEA.

Additionally, when your chat messages are processed by AI model providers, your data may be transferred to and processed in various jurisdictions, including the United States and other countries. Some AI models available through our service are operated by providers based in jurisdictions that may not have data protection laws equivalent to those in the EU/EEA.

For transfers of personal data outside the EU/EEA, we rely on:

  • EU Standard Contractual Clauses (SCCs) where applicable.
  • Adequacy decisions by the European Commission.
  • Your explicit consent when you choose to use a specific AI model, as the model provider and its jurisdiction are displayed in the interface.

If you have concerns about data being processed in specific jurisdictions, you may choose to use only AI models operated by providers in jurisdictions with adequate data protection standards.

11 Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Right of Access (GDPR Art. 15): You may request a copy of all personal data we hold about you.
  • Right to Data Portability (GDPR Art. 20): You can export all your data at any time from Settings > Account > Export My Data. The export is provided in machine-readable JSON format.
  • Right to Rectification (GDPR Art. 16): You can update your profile information at any time from Settings.
  • Right to Erasure (GDPR Art. 17): You can delete your account and all associated data from Settings > Account > Delete Account. Deletion is immediate and irreversible.
  • Right to Restriction (GDPR Art. 18): You may request that we restrict processing of your data while a dispute is resolved.
  • Right to Object (GDPR Art. 21): You may object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent (e.g., referral tracking), you can withdraw it at any time via Settings. Withdrawal does not affect the lawfulness of prior processing.
  • CCPA Rights: California residents have the right to know what personal information is collected, to request deletion, and to opt out of data sales. We do not sell personal data.

To exercise any right that cannot be self-serviced through the application, please contact us at privacy@serechat.com. We will respond within 30 days (or within the timeframe required by applicable law).

12 Children's Privacy

SereChat is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you believe we may have collected data from a child under 13, please contact us at privacy@serechat.com.

13 Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice. The "Last updated" date at the bottom of this page reflects the most recent revision. Continued use of SereChat after notification constitutes acceptance of the updated Privacy Policy.

14 Contact Us

If you have any questions or concerns regarding this Privacy Policy, or wish to exercise any of your data protection rights, please contact the Luvarly data protection team:

If you are located in the EU/EEA and believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local Data Protection Authority. For residents of the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Last updated: March 2025