This page explains in simpler language which data Lorath processes about you. You can find the exact legal version above by using the "Full version" switch.
Lorath is operated by:
Julius Berger
c/o Block Services
Stuttgarter Str. 106
70736 Fellbach
Email: datenschutz@lorath.eu
If you have questions, you can write to us. If you are not yet an adult, it is best to also talk with your parents or legal guardians.
When you use Lorath, we store for example:
If you sign in with Google or Apple, we receive certain login data from Google or Apple, for example a unique ID and, if you share them, your email address and name.
Lorath contains stories, battles and AI content that are not suitable for every age. That is why we check your date of birth and assign your account to an age level.
After you enter your date of birth for the first time, it cannot simply be changed again, so nobody can trick the protection rules.
No, not if you are under 18. Paid purchases, subscriptions or in-app purchases must be made by your parents or another adult with parental responsibility. Even if your parents buy something, that does not give you access to adult content.
When you use Lorath, we store content that you create or generate with the AI, for example:
We also store prompts and technical AI data. This means that not only your single message may be stored, but also the context the AI needs to answer properly. This can include earlier messages, characters, world information, memories and system instructions.
We store prompts and technical AI data so that:
Yes, when you use AI functions. So the AI can answer, create images or process speech, we send the necessary content to external providers. These may include MiniMax, Google, OpenAI, Anthropic, Mistral, DeepSeek, ElevenLabs or Promptchan.
We send only what is needed for the particular function. Adult content is intended only for adult users.
Lorath is an AI app. You should be able to recognise when you are writing with an AI or when an image, audio, video or text was created or changed by AI. That is why such content should be shown in the app with suitable notices, labels or similar markings where technically possible and legally required.
You must not use AI content to deceive, threaten or expose others, or to pretend that a real person is something they are not.
Lorath has a beta environment for testing new features. A copy of the real database may be used for this.
Many account details of normal users are anonymised there, for example username, email address, names, passwords and payment data. But game content such as chats, adventures, world elements, age levels and stored prompts may still be included in the beta so real bugs can be found.
Only authorised people may access the beta. Access is logged, and beta data should be deleted, anonymised or replaced with test data when it is no longer needed.
Normally, not just like that. But if there is a justified suspicion of illegal content, abuse or serious rule violations, authorised staff may read the affected content. This is logged internally.
If someone harasses you, you see serious or illegal content, or you think your account is being misused, you can write to us at support@lorath.eu. If the app has report or block functions, you can use those too.
We may review content, remove it, restrict accounts or block users when necessary. For difficult decisions, a human should review what happened.
You can ask us:
Write to datenschutz@lorath.eu. If you are under 18, it may be useful or necessary for your parents or legal guardians to support you with this.
This Privacy Policy applies to the main domain https://lorath.eu, the web app https://app.lorath.eu, other Lorath subdomains and beta environments, the native mobile apps Lorath for iOS and Lorath for Android, and emails sent by us under @lorath.eu.
The web app and the mobile apps use the same server endpoints. Regardless of whether you use Lorath in a browser or in an app, the same data protection principles apply. Specific details concerning app stores, mobile devices and in-app purchases are described separately below.
The current version is available at https://app.lorath.eu/datenschutz.html.
The controller responsible for data processing is:
Julius Berger
c/o Block Services
Stuttgarter Str. 106
70736 Fellbach
Email: datenschutz@lorath.eu
We process personal data in accordance with the General Data Protection Regulation (GDPR), in particular Art. 13 GDPR and, where data is not collected directly from you, additionally Art. 14 GDPR.
No data protection officer has currently been appointed. Data protection enquiries may be sent at any time to datenschutz@lorath.eu. If a legal obligation to appoint a data protection officer arises, the contact details will be added here.
The competent data protection supervisory authority for the controller's registered office is currently the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW), Heilbronner Straße 35, 70191 Stuttgart, email: poststelle@lfdi.bwl.de, website: https://www.baden-wuerttemberg.datenschutz.de/.
When the website is visited and when server requests are made from the apps, technically necessary data is processed so Lorath can be provided, secured and technically improved. This may include in particular:
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and functional operation of Lorath. Server log data is stored only for as long as required for operation, security, error analysis and abuse prevention, or where legal obligations apply.
When downloading, updating and making in-app purchases, Apple or Google process data under their own privacy policies. We have no direct influence over this.
Within the apps, we process in particular device type, operating-system version, app version, selected language and technical wrapper information where this is necessary for operation, security, error analysis, login handover and app compatibility. The legal basis is Art. 6(1)(b) GDPR where this is necessary for use, and Art. 6(1)(f) GDPR for operational security and error analysis.
For purchases via Apple or Google, we do not receive complete payment data such as credit card numbers or bank details. We process only the purchase data required for assignment and activation, for example receipt, transaction ID, purchase token, order ID, product ID, status, price and term information.
The legal bases are Art. 6(1)(b) GDPR for contract performance and Art. 6(1)(c) GDPR for tax and commercial-law retention obligations.
The technical basis for push notifications via APNs (Apple) and FCM (Google) has been prepared. At present, however, push is not actively used to send notifications. If push notifications are activated, we process device tokens only after your express consent via the system dialog or a comparable app setting. The legal basis is then Art. 6(1)(a) GDPR.
Consent may be withdrawn at any time in the system or app settings.
The apps access device functions only after permission has been granted:
You can revoke permissions in the operating-system settings. Individual functions may then be limited.
We currently do not use a tracking-based advertising network or IDFA for app tracking in the native apps. Google Ads conversion tracking takes place only on the website and web app, not in the native apps.
In the native apps, session tokens and settings are stored via secure local storage of the operating system or app wrapper. In the browser, cookies and local storage are used as described below.
For paid services, we process the data required for ordering, payment, activation, invoicing, tax and accounting obligations, refunds, chargebacks and fraud checks. This may include in particular user identifiers, email address, invoice data, order numbers, product and price details, payment status, payment-provider references, invoice numbers, tax information, IP address, device and security data, refund and chargeback information.
Depending on the selected payment method, data may be transmitted to or independently processed by the following recipients:
We do not store complete credit card numbers or complete online banking access data. Payment providers may process such data under their own privacy information. The legal bases are Art. 6(1)(b) GDPR for contract performance and payment processing, Art. 6(1)(c) GDPR for tax and commercial-law obligations, and Art. 6(1)(f) GDPR for fraud prevention, chargeback handling and legal defence.
Invoice, booking and tax-relevant data is generally stored for the statutory retention periods, in particular up to 10 years. Payment and chargeback data is otherwise stored only for as long as required for processing, evidence, outstanding claims, abuse checks or legal defence.
A user account is required for Lorath's core functions. Depending on the registration path and profile status, we process in particular:
The legal basis is Art. 6(1)(b) GDPR for providing the user account and contractual functions. Art. 6(1)(c) GDPR applies to statutory records and accounting. For security, abuse prevention and evidentiary purposes, we also process data on the basis of Art. 6(1)(f) GDPR.
Username, display name and profile picture may be visible to other users within the app where the respective function provides for this, for example in multiplayer sessions. Email address, date of birth and payment data are not publicly visible.
Lorath uses age levels to provide age-appropriate content. For this purpose, the date of birth is stored and a maximum content level is derived from it. The date of birth is locked after first determination so the protective mechanisms cannot be bypassed arbitrarily.
The following mechanisms are currently provided in particular:
The legal bases are Art. 6(1)(b) GDPR for age-appropriate provision of the service, Art. 6(1)(c) GDPR in conjunction with youth-protection obligations, and Art. 6(1)(f) GDPR for abuse prevention. Where a child's consent is required, the requirements of Art. 8 GDPR apply.
Explicit content, in particular sexual content and certain uncensored AI functions, is intended exclusively for adults. Promptchan AI is used only for correspondingly enabled functions.
These rules concern the website and web app. In native apps, the technical data may instead be managed through app storage of the operating system.
We use technically necessary cookies and local storage for login, security, language, display and app recognition. These include in particular:
The legal basis for technically necessary cookies is Art. 6(1)(f) GDPR. No additional consent is required for storing or reading technically necessary information on terminal equipment where this is strictly necessary for the digital service expressly requested.
Google Ads conversion tracking is used only on the website and web app and only where consent has been given. Google cookies such as _gcl_aw, _gcl_dc, _gcl_au or _gac_* may be set. The legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. Consent may be withdrawn at any time.
When Lorath is used, content and usage data required for gameplay, AI functions, multiplayer functions, billing, error analysis and security are stored. This includes in particular:
Important: For many AI functions, we store not only your visible message but also the context actually passed to an AI model. Depending on the function, this context may contain system instructions, previous chat histories, character data, world information, memories, age and safety settings, and your prompts. This prompt and API debug data helps us trace errors, investigate abuse, check costs and improve the quality of AI functions.
The legal basis is Art. 6(1)(b) GDPR for providing the AI and game functions. For error analysis, abuse prevention, cost control and legal defence, the legal basis is Art. 6(1)(f) GDPR.
Where there is justified suspicion of violations of applicable law or our Terms of Use, authorised employees of the provider may view the content created in the affected account. This includes in particular campaign chats, table rounds, character chats, Helpbot conversations, AI-generated content, stored prompts and debug data where this is necessary for clarification.
The review is read-only and is logged internally with date, time, employee identifier and reason. Content is not changed and messages are not sent in the user's name.
The legal bases are Art. 6(1)(f) GDPR for abuse prevention, platform protection and legal defence, and Art. 6(1)(c) GDPR in the case of statutory or official obligations.
To prove consent to the Terms of Use and Privacy Policy, we store in particular for each relevant version change:
The legal bases are Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR and Art. 6(1)(f) GDPR.
Implementation note: The technical documentation currently stores mainly versions for the Terms of Use and Privacy Policy. If the Terms and Conditions are to be managed as a separate document requiring acceptance, the technical version management should be expanded accordingly or clearly bundled with the Terms of Use.
When a user deletes an adventure or table round, the record is first marked for 30 days and is no longer visible to the user. After the period expires, the record including related messages is deleted unless overriding reasons prevent this.
The grace period serves abuse prevention, restoration in case of error and preservation of evidence. The legal basis is Art. 6(1)(f) GDPR.
When the entire account is deleted, game and profile data is deleted unless statutory retention obligations or legitimate interests prevent this. Payment, invoice and accounting data may continue to be stored or anonymised for statutory retention periods.
If content, users, prompts, AI outputs or other processes are reported, or if we investigate suspected legal or rule violations, we process the data required for this. This may include reported content, affected user identifier, reporting user identifier, reason for the report, communication data, moderation decision, reasoning, internal review notes, technical security data, filter hits, timestamps, status, complaint or review processes and authority communication.
This processing serves the handling of notice-and-action reports, protection of users and minors, compliance with DSA, App Store, Google Play, law-enforcement and youth-protection requirements, abuse prevention and legal defence. The legal bases are Art. 6(1)(f) GDPR and, where legal obligations exist, Art. 6(1)(c) GDPR.
We generally store moderation and report documents only for as long as they are required for review, complaint handling, statutory evidence, abuse prevention or legal defence. Clearly unfounded reports may be deleted or anonymised after a short time; cases connected to legal, payment, youth-protection or security issues may be retained longer, in particular until relevant limitation or evidence periods expire.
Lorath uses external providers to provide AI text, images, audio, video and voice input. Depending on the selected function and model, prompts, system context, chat histories, character/world information, images, audio data, technical metadata, model parameters, request times and technical error data may be transmitted to these providers.
The following providers may currently be used in particular:
Transmission is encrypted. Which provider is used depends on model choice, function, availability, age level and safety rules. The legal basis is Art. 6(1)(b) GDPR where transmission is necessary to provide the selected function. Art. 6(1)(f) GDPR may additionally apply for error analysis, security and abuse prevention.
Depending on the service, providers act either as processors, sub-processors or independently responsible providers of their respective AI, payment or infrastructure service. Where a provider is used as a processor and this is available, we conclude a data processing agreement. Where providers pursue their own purposes, such as security, abuse detection, billing, model protection or legal obligations, their own privacy information applies additionally.
We store prompts sent to AI providers, API debug data and model responses locally for as long as required for game functions, error analysis, abuse prevention, billing, legal defence or the deletion and retention periods stated in this Privacy Policy. Storage periods at external AI providers are governed by the respective provider terms and may differ from our local storage period.
For third-country transfers, we rely where necessary on adequacy decisions, the EU-U.S. Data Privacy Framework, standard contractual clauses or other suitable safeguards under Art. 44 et seq. GDPR.
You can sign in with Google or link your account with Google. Depending on Google's release, we receive in particular Google ID, email address, names and profile-picture URL. We use this data for login, account linking and re-authentication.
The legal basis is Art. 6(1)(b) GDPR for login and account management, and Art. 6(1)(a) GDPR where you expressly start the OAuth link.
Further information: https://policies.google.com/privacy
You can sign in with Apple or link your account with Apple. We receive from Apple in particular a unique Apple ID (sub) and, where Apple transmits them, email address and names. If you use "Hide My Email", we receive the relay address provided by Apple. We store the Apple ID for recognition and linking of your account. No password is stored for pure OAuth accounts.
The legal basis is Art. 6(1)(b) GDPR for login and account management, and Art. 6(1)(a) GDPR where you expressly start the OAuth link.
Further information: https://www.apple.com/legal/privacy/
The web app may load JavaScript libraries, fonts and other resources via external content delivery networks. When such resources are loaded, in particular IP address, user agent, referrer, time of retrieval and the requested file may be transmitted to the respective provider.
The following external resources may currently be used in particular:
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in consistent display, technical compatibility, secure app integration and performant delivery of the web app. For third-country transfers, the safeguards described in Section 6 apply accordingly. Providers may store their own log data according to their respective privacy information.
Where resources are served locally in the future, transmission to the relevant CDN provider for that resource will no longer occur.
If you contact us by email or use support functions, we process the transmitted data to handle your request. The legal bases are Art. 6(1)(b) GDPR for contract-related enquiries and Art. 6(1)(f) GDPR for general communication, support and legal defence.
We send newsletters, advertising and other marketing emails only if you have expressly consented or a statutory exception applies. For newsletters we regularly use double opt-in or a comparably verifiable procedure. We store email address, time of registration, confirmation, IP address, source of registration, consent text and unsubscribe status.
The legal basis is Art. 6(1)(a) GDPR. Consent may be withdrawn at any time with effect for the future, for example via an unsubscribe link in the email or by message to support@lorath.eu. After unsubscribing, we store data required as evidence only for as long as necessary to defend against claims or prove consent.
We operate a beta environment to test new features under realistic conditions. The beta environment may regularly be updated from a copy of the production database.
In doing so, personal master data of normal users is anonymised or pseudonymised, in particular user ID, username, email address, names, passwords and invoice, order and payment references. Production passwords are overwritten; normal production users cannot log into the beta with their real credentials. Certain technical test, admin, sample or role accounts may remain for beta operation.
Not all content is anonymised. So the beta can be tested realistically, in particular campaigns, chat histories, table rounds, characters, world elements, dates of birth, age levels, stored prompts, debug data and AI context data may be transferred unchanged to the beta. The beta is therefore not a fully anonymised environment.
The beta is subject to the same technical safeguards as the production environment and additional organisational restrictions: access is granted only to authorised persons, access and security-relevant actions are logged, payment functions are not processed productively and production credentials of normal users are not transferred. Registrations are blocked or restricted in the beta; where payments are tested, they are made via sandbox systems.
Beta copies should be stored only for as long as required for testing, error analysis, quality assurance or security review. Where realistic content is no longer needed, it is deleted, anonymised or replaced with test data. The anonymisation logic is reviewed continuously and expanded where possible.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in quality assurance, error analysis, security review and further development of the service.
We collect internal usage data to improve Lorath, detect errors and manage operations. This may include page views, function calls, purchase and abandonment events, screen width, browser identifier, session ID, user ID for logged-in users, timestamps and technical metadata.
This data is processed on our own systems and is not sold to external advertising networks. Where the analysis is not technically necessary, we take cookie and consent settings into account. The legal basis is Art. 6(1)(f) GDPR; where consent is required, Art. 6(1)(a) GDPR.
We use Google Ads conversion tracking on the website and web app. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; the parent company is Google LLC, USA.
Google Ads conversion tracking is used only where consent has been given. Cookies and similar technologies may be set and information such as IP address, browser/device information, referrer, time, Google Click ID and conversion events may be processed.
The legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You can withdraw your consent at any time with effect for the future.
Further information:
The following overview summarises the most important processing activities. It does not replace the detailed descriptions in the preceding sections, but specifies purpose, categories of data, recipients and storage logic.
| Processing | Purpose | Categories of data | Legal basis | Recipients / providers | Third-country transfer / safeguards | Storage period / deletion logic |
|---|---|---|---|---|---|---|
| Website, app and server access | Provision, security, error analysis | IP address, timestamps, endpoints, user agent, app version, error and security data | Art. 6(1)(f) GDPR | Hosting/infrastructure providers, internal admins | Hosting generally in Germany; third country only for specialist services used, with safeguards under Art. 44 et seq. GDPR | generally only as required for operation/security; longer storage for security incidents |
| Account and authentication | Registration, login, account management | Username, email, password hash, OAuth ID, profile picture, language, last login | Art. 6(1)(b), (f) GDPR | Hosting, Google/Apple for OAuth | Google/Apple may involve third countries with adequacy decision, DPF or standard contractual clauses | until account deletion; security/evidence data longer where required |
| Age, parental consent and protection of minors | Age-appropriate content, blocks, evidence | Date of birth, age level, parental approval, parent-supervised account status, block and review notes | Art. 6(1)(b), (c), (f) GDPR; where applicable Art. 8 GDPR | internal systems, possibly age-verification providers if introduced later | depending on the provider; then with suitable safeguards | until account deletion or as long as required for protection of minors, evidence or abuse prevention |
| Prompts, chats and game content | AI and game functions, storage, continuation of adventures | Prompts, model context, chat histories, characters, worlds, media, system states, debug data | Art. 6(1)(b), (f) GDPR | Hosting, AI providers, authorised staff in case of suspicion | depending on the AI provider; DPF, standard contractual clauses or other safeguards | until deletion by user/account deletion; deleted adventures/table rounds generally marked for 30 days; longer storage for legal/security reasons |
| AI, audio and media services | Generation of text, image, video, audio, speech-to-text | Prompts, media, audio, model parameters, technical metadata | Art. 6(1)(b), (f) GDPR | MiniMax, DeepSeek, Mistral, Anthropic, OpenAI, Google, ElevenLabs, Promptchan AI | depending on location/processing with DPF, standard contractual clauses, adequacy decision or other safeguards | locally according to the periods above; at the provider according to its terms and deletion logic |
| Payments and invoices | Order, payment, activation, accounting, refund | Order data, product, price, tax data, payment status, provider references, invoices | Art. 6(1)(b), (c), (f) GDPR | Stripe, PayPal, banks, Apple, Google, tax advisers, authorities | payment providers may involve third countries with suitable safeguards | tax and commercial-law data generally up to 10 years; otherwise after processing/limitation period |
| Subscriptions and cancellations | Contract management, renewal, cancellation confirmation | Subscription status, term, cancellation time, confirmation, payment reference | Art. 6(1)(b), (c) GDPR | Stripe/PayPal/store providers, internal systems | depending on the provider with suitable safeguards | for the contract term and statutory evidence periods |
| Moderation, DSA reports and app-store safety | Notice-and-action, review, blocks, protection of minors | Reports, content, reasons, filter hits, review notes, decisions, complaints | Art. 6(1)(c), (f) GDPR | authorised staff, authorities, store operators, technical security providers | third country only where required and with safeguards | as long as required for review, complaint, evidence, legal defence or abuse prevention |
| Support and email communication | Handling enquiries, legal defence | Email, name, account details, support content, attachments, timestamps | Art. 6(1)(b), (f) GDPR | Email/hosting providers, internal processors | depending on the email/infrastructure provider | until completion and thereafter according to limitation/evidence periods where required |
| Newsletter and marketing | Sending optional information, proof of consent | Email, opt-in/opt-out timestamps, IP, source, consent text | Art. 6(1)(a) GDPR; evidence Art. 6(1)(f) GDPR | Email/newsletter system, internal systems | depending on the provider; with safeguards for third countries | until withdrawal; evidence data thereafter as long as required for legal defence |
| Internal usage analysis | Product improvement, error detection, capacity planning | Function calls, events, session/user ID, device/browser data | Art. 6(1)(f) GDPR; where applicable Art. 6(1)(a) GDPR | internal systems | generally no external disclosure; otherwise with safeguards | aggregated or anonymised as soon as possible; raw data only as long as required |
| Google Ads conversion tracking | Conversion measurement after consent | Cookies, GCLID, IP, device, referrer, conversion events | Art. 6(1)(a) GDPR, Section 25(1) TDDDG | Google Ireland/Google LLC | DPF, standard contractual clauses or other safeguards | according to cookie/Google requirements and consent status; withdrawal possible at any time |
| Beta environment | Quality assurance, error analysis, security review | pseudonymised master data, not fully anonymised game content, prompts, debug data, age levels | Art. 6(1)(f) GDPR | authorised internal testers/admins, hosting | generally as in production; third country only for embedded services | only as long as required for the beta purpose; deletion, anonymisation or replacement with test data as soon as possible |
Under the GDPR, you have in particular the following rights:
To exercise your rights, contact datenschutz@lorath.eu. You may also complain to any competent data protection supervisory authority; for the controller's registered office, the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg is currently competent.