Last updated: April 17, 2026
Underfiction is designed with privacy as a core principle. We don't sell your information, we don't use advertising trackers, and we keep creative storage scoped to what the product needs: local device storage by default, optional story sync with encryption at rest, and cloud sync for account library data.
Stories are stored locally on your device by default. If you enable story sync, stories are encrypted at rest on our servers using a per-user key so they can sync across your devices.
Characters, worlds, and settings can sync to the cloud so they're available across devices. You can turn sync off in settings to keep supported data local.
When you create an account, we collect your email address, name (if provided via OAuth), and password hash (for email/password accounts only — we never store plaintext passwords).
When you generate content, we record the AI model used, token counts (input and output), and the associated cost. This data is linked to your account for billing. We do not store prompt or response text in generation usage records.
Payment processing is handled by Stripe on the web and Apple for iOS in-app purchases. We store provider identifiers needed to reconcile purchases and credit balances. We never receive or store your full card number, CVV, or bank details.
To provide and operate the service, process credit purchases, track usage for billing, authenticate your identity, send transactional emails (password resets, account verification), sync your library when enabled, and detect and prevent abuse.
We do not use your data for advertising, profiling, or marketing. We do not sell your personal information to third parties.
Venice AI — AI inference Your story context is sent to Venice for generation. Venice separates your identity from your content at the infrastructure level — the model provider does not receive your Underfiction account identity.
Stripe and Apple — Payment processing Stripe handles web payment transactions. Apple handles iOS in-app purchases.
Google & Apple — Authentication If you sign in with Google or Apple, we receive basic profile information (name, email, profile image) as authorized by you during the OAuth flow.
We use a session cookie for authentication. This cookie is strictly necessary for the service to function and does not track your behavior across other sites.
We use Umami, a cookie-free, open-source analytics tool, to collect anonymous usage statistics — page views, referrer sources, and device types. Umami does not use cookies, does not collect personal data, and cannot identify individual visitors.
We do not use advertising trackers or third-party tracking scripts.
Account data is retained for as long as your account is active. Usage records (token counts, costs) are retained for billing and accounting. Locally stored content persists until you delete it or clear local app/browser data. Cloud-synced content can be deleted from your account settings.
We implement reasonable security measures including encrypted connections (HTTPS), hashed passwords (bcrypt), encryption at rest for synced stories, and secure session management. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Depending on your jurisdiction, you may have the right to access the personal data we hold about you, request correction of inaccurate data, request deletion of your account and associated data, object to or restrict certain processing, or request a copy of your data in a portable format. To exercise any of these rights, contact us at [email protected] or through our Discord.
The service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a minor has provided us with personal information, please contact us at [email protected] and we will delete it.
We may update this policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes are posted constitutes acceptance of the revised policy.
If you have questions about this privacy policy, reach us at [email protected] or through our Discord.