Privacy Policy

We use the information we collect to:

• •Provide, operate, maintain, and improve the Services
• •Authenticate accounts and prevent unauthorized access
• •Process and display entries, interactions, and Generated Content
• •Process User Content through AI systems for generation, moderation, analysis, summarization, and transformation
• •Process subscription payments, manage billing, and handle taxes
• •Communicate with you about your account, transactional matters, and (where you have not opted out) product updates
• •Enforce our Terms of Service and Usage Policy, and detect, investigate, and prevent fraud, abuse, or illegal activity
• •Analyze usage patterns to improve platform performance and user experience
• •Evaluate and improve our AI systems using de-identified, aggregated data
• •Comply with legal obligations and respond to lawful requests

We do not use individually-identifiable User Content to train AI models. Any model evaluation or tuning is performed on data that has been de-identified and aggregated so that it cannot reasonably be linked back to you.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the EU General Data Protection Regulation (GDPR), UK GDPR, and Swiss FADP:

• •Contract (Art. 6(1)(b)). To provide the Services you have requested, including account creation, content hosting, AI generation, and subscription management.
• •Legitimate Interests (Art. 6(1)(f)).To secure the Services, prevent fraud and abuse, defend our legal rights, analyze usage in an aggregated form, and improve features. We balance these interests against your rights and freedoms.
• •Consent (Art. 6(1)(a)). For non-essential cookies, marketing communications, and any other processing for which we ask for your explicit consent. You may withdraw consent at any time.
• •Legal Obligation (Art. 6(1)(c)). To comply with tax, accounting, anti-fraud, and law-enforcement obligations.

Pebcrow is an AI-mediated platform. AI is used to generate content (Pebcrow Play), moderate content (both surfaces), summarize and transform content (Pebcrow Think), and detect abuse.

• •Self-hosted models. Pebcrow operates its own AI inference infrastructure. We do not send User Content to third-party AI model vendors (such as OpenAI, Anthropic, or Google) for processing as part of the Services. This may change in the future; if it does, this Privacy Policy will be updated and any new third-party recipients will be identified.
• •AI outputs may differ from inputs.AI-processed versions of your content may differ substantially from the original submission and may be publicly displayed on the platform.
• •No training on identifiable data.We do not train AI models on individually identifiable User Content. We may use de-identified, aggregated data to evaluate and improve our AI systems.
• •Output non-exclusivity. AI outputs may be similar or identical to outputs produced for other users in response to similar prompts. No output is exclusive to any user.
• •Automated decision-making (GDPR Art. 22).Pebcrow uses automated systems to make moderation decisions (such as flagging, removing, or restricting content). These decisions do not produce legal effects or similarly significant effects on you within the meaning of GDPR Art. 22, but where you believe a moderation decision was wrong, you may contact privacy@pebcrow.com to request human review.

We use cookies and similar technologies to operate the Services. We do not use marketing or cross-context behavioral advertising cookies. The categories below describe what we set:

You can manage cookies through your browser settings. Disabling essential cookies will prevent the Services from working. All users may use our cookie banner — shown on first visit and reopenable any time via the "Cookie Preferences" link in the site footer or the "Manage cookie preferences" button on the Privacy Choices page — to grant or refuse consent to non-essential cookies.

Global Privacy Control (GPC) and Do Not Track.Where applicable law requires, we treat a GPC signal from your browser as a valid opt-out of "sale" and "sharing" of personal information under U.S. state privacy laws. We do not respond to "Do Not Track" browser signals as there is no industry consensus on how to interpret them.

We share information only in the circumstances and with the categories of recipients listed below:

• •
  Cloud infrastructure provider: Amazon Web Services (AWS) hosts our application, databases, and storage. AWS acts as a processor on our behalf.
• •
  Authentication provider: Google (for Google OAuth sign-in). Google receives your authentication request; we receive only the profile information you authorize Google to share.
• •
  Payment processor: Stripe processes subscription payments. Stripe is the controller of your payment-card data; see "Payment Information" below.
• •
  Analytics provider: Cloudflare Web Analytics, to help us understand aggregated platform usage. The service is cookieless, does not collect personal data, and does not track users across sites.
• •
  Email provider: Zoho Corporation (Zoho Mail), to send transactional and account-related messages.
• •
  Legal requirements: When required by law, regulation, valid legal process, or a governmental request, and where we have a good-faith belief that disclosure is necessary.
• •
  Protection of rights and safety: To protect Pebcrow, our users, or others, including to enforce our Terms of Service and Usage Policy and to prevent fraud or harm.
• •
  Business transfers: In a merger, acquisition, reorganization, financing, bankruptcy, or sale of assets, your information may be transferred to the successor entity, subject to standard confidentiality protections and applicable law. We will provide notice and choices where required by law.
• •
  Public content: Content you publish on the platform (such as published entries and votes) is visible to other users and may be indexed by search engines.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

Pebcrow is based in the United States, and our infrastructure and personnel are primarily located in the United States. If you access the Services from outside the United States, your information will be transferred to, processed in, and stored in the United States and potentially other jurisdictions where our service providers operate.

Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States or other jurisdictions that have not been deemed adequate by the relevant authority, we rely on appropriate safeguards, which may include:

• •The European Commission's Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum, with our processors;
• •Other legally recognized transfer mechanisms permitted by GDPR Chapter V.

Note: the Services are not directed at, marketed to, or offered to residents of the European Economic Area, the United Kingdom, or Switzerland, so cross-border transfers from those territories are not part of our routine operations.

You may request a copy of the relevant safeguards by contacting privacy@pebcrow.com.

Subscription payments are processed by Stripe, a PCI-DSS compliant third-party payment processor. Pebcrow does not directly receive or store full payment-card numbers, CVV codes, or other sensitive cardholder data. Stripe handles payment information in accordance with its own privacy practices and security standards. We receive and store transaction identifiers, subscription status, plan information, billing metadata, and invoice records necessary to manage your subscription, comply with tax and accounting obligations, and prevent fraud.

We use reasonable administrative, technical, and organizational measures to protect personal information, including encryption in transit (TLS), encryption of data at rest where supported by our cloud provider, access controls and least-privilege permissioning, audit logging of administrative actions, and regular review of our security posture. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

Breach notification. In the event of a personal data breach that is reasonably likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by GDPR or UK GDPR, and we will notify affected individuals without undue delay where required by applicable law (including U.S. state breach notification laws).

We retain personal information for as long as necessary to provide the Services and for the additional periods described below. The criteria we use to determine retention periods include the nature of the data, the purposes for which it was collected, our legal and regulatory obligations, and the existence of any legal claim or investigation.

• •Account data: retained for the life of your account and for a reasonable period after deletion (typically up to 90 days) to allow account recovery, address fraud, and resolve disputes.
• •User Content and Generated Content:published or AI-processed content may be retained indefinitely as part of the platform's record, subject to your privacy rights described below.
• •Billing records: retained for the period required by applicable tax and accounting laws (typically 7 years in the United States).
• •Server and security logs: retained for a limited period for security, abuse detection, and operational troubleshooting (typically up to 12 months), then deleted or anonymized.
• •Legal hold: we may retain information longer where required to comply with legal obligations, defend legal claims, or as otherwise permitted by law.

The Services are intended exclusively for users aged 18 and older and are not directed to children. We do not knowingly collect personal information from anyone under the age of 18.

If we learn that we have collected personal information from a person under 18, we will delete it as soon as reasonably practicable. If you are a parent or guardian and believe your child has provided personal information to us, please contact privacy@pebcrow.com with sufficient information to identify the account, and we will investigate and, where appropriate, delete the account and associated information.

This commitment is in addition to, and not a substitute for, parental supervision. As described in our Terms of Service, subscribers are responsible for ensuring that minors do not access content (including AI-generated games) using their account or payment method.

Depending on where you live, you have specific rights regarding your personal information. We honor these rights for all users where practical, and we will always honor them where required by law. To exercise any right, contact privacy@pebcrow.com with sufficient information to verify your identity. We will respond within the timeframe required by applicable law (typically within 30–45 days).

Account deletion will remove your personal account information, but published content, Generated Content, and AI-processed material may persist on the platform as described in our Terms of Service.

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the Effective Date and, where appropriate, by in-product notice or email. It is your responsibility to review this Policy periodically. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Pebcrow, Inc.

3107 Robinwood Ct., High Point, NC 27265, USA

The Services are not offered to residents of the EU, the UK, or Switzerland, and Pebcrow has not appointed an EU/UK Article 27 representative.