Privacy Policy

Valid for lorath.eu and all associated subdomains, the social media pages Instagram @lorath_eu and TikTok @lorath_eu, and emails sent by us (only @lorath.eu).

All listed domains are operated from the same server hosted in Germany. Regardless of the URL you access, your data is stored and processed on the same server. The same technical security measures and data protection standards apply.

Effective: March 2026

1. Introduction

This Privacy Policy explains how Lorath collects, uses, stores, and protects your personal data when you use our platform at lorath.eu, app.lorath.eu and beta.lorath.eu. All domains are operated from the same server hosted in Germany. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

This policy applies to all users of the platform, regardless of their location or the domain used. If you do not agree with this policy, please do not use our services.

2. Data Controller

The data controller responsible for the processing of your personal data is:

Julius Berger
c/o Block Services
Stuttgarter Str. 106
70736 Fellbach, Germany
Email: support@lorath.eu

If you have any questions or concerns about how your data is processed, please contact us at the address above.

3. Data We Collect

We collect and process the following categories of personal data:

a) Account Data

  • Username — freely chosen, no real name required
  • Email address — optional, provided in your profile settings
  • Password — stored exclusively as a cryptographic hash (bcrypt); we never store your password in plain text
  • Account creation date and last login date

b) Profile Data (optional)

  • First and last name — only if you choose to provide them
  • Address — only if provided for invoicing purposes
  • Phone number — only if you choose to provide it
  • Profile picture — uploaded or AI-generated, stored as an image file on our server

c) Payment Data

  • Payments are processed through Stripe and PayPal. We do not store your credit card numbers, bank account details, or other sensitive payment information on our servers.
  • We store transaction records including the payment amount, date, payment method used, and transaction reference for invoicing and accounting purposes.

d) Usage Data (Analytics)

  • We operate our own cookie-free analytics system (see Section 6 for details).
  • Analytics data includes page views, time on page, interactions (e.g. campaign creation, purchases), screen width, and browser type.
  • No personal data is stored in our analytics system. A random, non-traceable session ID is generated in sessionStorage and is deleted when the browser tab is closed.

e) AI Interaction Data

  • Chat messages you send and receive within campaigns
  • Campaign settings, character data, and system prompts used to generate AI responses
  • This data is transmitted to the relevant AI provider to generate responses (see Section 5).

f) Technical Data

  • IP address — processed only for rate limiting and security purposes (e.g. preventing brute-force attacks). We do not store IP addresses in our own logs or analytics.

4. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

  • Service provision — To create and maintain your account, provide the platform's features, and deliver AI-powered gameplay. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  • Payment processing — To process your coin purchases, generate invoices, and maintain financial records. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  • Transactional emails — To send you important service-related communications such as purchase confirmations, password resets, and account notifications. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  • Anonymous analytics — To understand how the platform is used and to improve our service. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving and maintaining the service).
  • Fraud prevention and security — To protect the platform against abuse, unauthorised access, and fraudulent activities. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security of our systems and users).

5. Third-Party Services

To provide our service, we share data with the following third-party providers. Data is transmitted encrypted (HTTPS) and only to the extent necessary for the respective purpose.

a) Payment Providers

  • Stripe, Inc. (USA) — Credit/debit card payment processing. Stripe is certified under the EU-US Data Privacy Framework. Privacy Policy: https://stripe.com/privacy
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — PayPal payment processing. Privacy Policy: https://www.paypal.com/webapps/mpp/ua/privacy-full

b) AI Model Providers

When you use AI features, your chat messages and campaign context are sent to the AI provider of the model you select. The following providers are used:

  • Anthropic (USA) — Claude language models. Privacy Policy: https://www.anthropic.com/privacy
  • MiniMax (China) — Chat and image generation. Privacy Policy: https://www.minimax.io/privacy
  • Mistral AI (France) — Chat models. Privacy Policy: https://mistral.ai/privacy
  • Google (USA) — Imagen image generation. Privacy Policy: https://policies.google.com/privacy

c) Google Ads (Marketing Website Only)

On the marketing website (lorath.eu), we use Google Ads Conversion Tracking, but only after you have given your explicit consent via the cookie banner. Google Ads is not used on the app (app.lorath.eu). Privacy Policy: https://policies.google.com/privacy

d) International Data Transfers

Some of the providers listed above are located outside the European Economic Area (EEA). We ensure that appropriate safeguards are in place for any international data transfers:

  • USA: Stripe and Anthropic are certified under the EU-US Data Privacy Framework (DPF), established by the EU Commission adequacy decision of 10 July 2023 (Art. 45 GDPR). Additionally, Standard Contractual Clauses (SCCs) are used as supplementary safeguards.
  • China (MiniMax): Data transfers to MiniMax are covered by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
  • France (Mistral AI): Located within the EEA; no additional transfer mechanism required.
  • Luxembourg (PayPal): Located within the EEA; no additional transfer mechanism required.

5a. Sign in with Google (Google OAuth)

You can sign in to Lorath using your Google account. The following data is transmitted from Google to us: email address, name, and profile picture URL. We store this data for account management. The legal basis is your consent (Art. 6(1)(a) GDPR), which you give by clicking "Sign in with Google." You can view the connection status in your profile. For more information on data processing by Google, see Google's Privacy Policy.

6. Analytics (Cookie-Free)

We operate our own analytics system that is designed with privacy in mind. Our analytics system:

  • Does not use cookies
  • Does not use browser fingerprinting
  • Does not store IP addresses
  • Does not track users across sessions or devices
  • Uses sessionStorage only (data is automatically deleted when the browser tab is closed)
  • Stores all analytics data exclusively on our own server in Germany
  • Does not share analytics data with any third party

For logged-in users, the user ID may be associated with usage data to generate aggregate statistics. All analytics data is automatically deleted after 90 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving and maintaining the service).

6a. Beta Environment

We operate a beta environment (beta.lorath.eu) for testing new features. This environment uses a copy of the production database to perform realistic testing. This means your user data (such as username, email address, campaigns and game progress) may also be present in the beta environment.

The beta environment is subject to the same security measures and data protection standards as the production environment. No additional personal data is collected. Payment data is not processed in the beta environment — only sandbox systems of the payment providers are used.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in quality assurance and further development of the service).

6b. Age Verification

To comply with youth media protection regulations, we store whether a user has confirmed being at least 18 years old (yes/no). Additionally, we verify whether at least one purchase via PayPal or Stripe has been completed. No additional personal data is collected — the verification is based on existing order data. The legal basis is Art. 6(1)(c) GDPR (legal obligation).

Verified adults gain access to uncensored AI content and NSFW image generation via the Promptchan AI service. Only prompt texts and image settings are transmitted to Promptchan AI — no personal data. Generated NSFW images are stored on our server in Germany and are only accessible to the respective user. For abuse prevention, anonymized prompt hashes (no plain texts) are recorded in a log.

7. Cookies

Lorath uses only the following cookies:

  • token — Authentication cookie containing an encrypted JSON Web Token (JWT) to identify logged-in users. Duration: 24 hours. Properties: HttpOnly, SameSite: Strict, Secure in production. This is a technically necessary cookie.
  • ff_lang — Stores your preferred language setting (e.g. “en” or “de”). This is a technically necessary cookie for providing the service in your preferred language.
  • ff_cookie_consent — Stores your cookie consent preferences. Used only on the marketing website (lorath.eu) where Google Ads may be active.

We do not use any tracking cookies, advertising cookies, or third-party analytics cookies on the app platform (app.lorath.eu).

8. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active. Accounts that have been inactive for 180 consecutive days are automatically deleted along with all associated data.
  • Payment and invoice data: Retained for 10 years after the transaction, as required by German tax law (§147 AO — Abgabenordnung).
  • Analytics data: Automatically deleted after 90 days.
  • Chat messages: Retained as long as the associated campaign exists. When a campaign is deleted, all related messages are permanently deleted.
  • Invoices: Retained for 10 years in accordance with German commercial and tax law requirements.

When your account is deleted (whether by you, due to inactivity, or by us), all personal data associated with your account is permanently and irreversibly deleted, except for data we are legally required to retain (e.g. invoices and payment records).

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed, and to access that data along with information about how it is processed.
  • Right to Rectification (Art. 16 GDPR) — You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to Erasure (Art. 17 GDPR) — You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing.
  • Right to Restriction of Processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Art. 21 GDPR) — You have the right to object to processing based on our legitimate interests (Art. 6(1)(f) GDPR). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to Withdraw Consent — Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. This does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority. The competent authority for us is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI), Lautenschlagerstraße 20, 70173 Stuttgart, Germany. Website: https://www.baden-wuerttemberg.datenschutz.de

To exercise any of these rights, please contact us at support@lorath.eu.

10. UK GDPR Addendum

If you are located in the United Kingdom, we process your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The rights described in Section 9 apply equally under the UK GDPR. In addition:

  • International data transfers from the UK are protected by the UK adequacy regulations, UK Standard Contractual Clauses, or other approved transfer mechanisms as applicable.
  • The competent supervisory authority for UK data subjects is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: https://ico.org.uk

Nothing in this Privacy Policy is intended to limit or exclude any rights you may have under UK data protection law.

11. California Privacy Notice (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
  • Right to Delete: You have the right to request that we delete the personal information we have collected about you, subject to certain exceptions permitted by law.
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties. We do not sell, rent, or trade user data for monetary or other valuable consideration.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or treatment for exercising your rights.

To exercise your rights under the CCPA, please contact us at support@lorath.eu.

12. Children’s Privacy

Lorath is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as promptly as possible.

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at support@lorath.eu so that we can take appropriate action.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy from time to time. If we make material changes, we will notify you with reasonable advance notice via email (if you have provided an email address) or through an in-app notification.

The updated policy will be published on this page with the new effective date. We encourage you to review this page periodically to stay informed about how we protect your data.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

Julius Berger
c/o Block Services
Stuttgarter Str. 106
70736 Fellbach, Germany
Email: support@lorath.eu

Last updated: March 2026