Privacy Policy & Data Governance Framework

Effective Date: March 2026 | Document Control Number: POL-AR-V2-0097-REV-H

1. General Introduction

Welcome to the Privacy Policy of AR Love Letters (hereinafter referred to as "the Platform," "We," "Our," or "Us"). By accessing our application, generating URL payloads, or establishing authenticated sessions, you consent to the data practices articulated within this document. The Platform operates as an independent digital utility.

2. Bifurcated Architecture (The "No Persistent Database Storage" Policy)

We employ a strict data-minimization philosophy dynamically adapted to your usage:

• Stateless Ephemeral Operations (URL-Based Sharing): When you utilize our public interface to construct a digital message without logging in, your textual payload and sender names are encrypted directly into the shareable link (`?data=`). We do not save, archive, or host these custom messages in our persistent databases. The data exists in transit. However, please note that standard ephemeral server logs operated by our hosting provider may temporarily process these routing URLs for network diagnostic purposes.
• Stateful Persistent Operations (Authenticated Users): Only when you voluntarily register an account and generate an "AI Magic Letter" or explicitly save a letter, do we provision persistent storage. We store necessary authentication credentials (email) and the textual payload within our cloud database to facilitate your Dashboard history. You maintain the right to delete these hosted letters at any time.

3. Explicit Third-Party Sub-Processors

To operate the Platform securely and efficiently, we rely on industry-standard third-party infrastructure providers. By using our service, you acknowledge that your data may be processed by:

• Hosting and Edge CDN: Netlify Inc. (For global website delivery and serverless function routing).
• Database and Authentication: Google Firebase (For secure login management, credential storage, and stateful letter hosting).
• Artificial Intelligence Processing: Third-party Large Language Model (LLM) infrastructure providers are used to generate AI-assisted letter content based on user prompts. These providers process requests strictly for execution purposes and do not retain prompts for model training under our configuration.

Third-Party Infrastructure Disclaimer: While we carefully select reputable infrastructure vendors, AR Love Letters does not control the internal security practices of these third-party providers. External services operate under their own privacy and security policies.

4. Telemetry and Geographic Analytics

To ensure minimal latency and mitigate automated abuse (DDoS), our backend middleware continuously aggregates macro-level diagnostic telemetry. This includes aggregated country-level geographic analytics used to understand general usage patterns, mitigate automated abuse, and assist in selecting appropriate language preferences for AI-generated letters. This data is strictly utilized for algorithmic rate-limiting and CDN optimization. It is never mapped to your personal identity or private communications.

5. Local Storage and Tracking

We strictly utilize HTML5 Web Storage (`localStorage` and `sessionStorage`) to temporarily cache your interface preferences (e.g., Dark Mode) and unsubmitted form data. We do not deploy third-party advertising trackers, marketing cookies, or cross-site surveillance pixels.

6. Absolute Data Sovereignty and Account Deletion

You retain ultimate control over your stateful data. Authenticated users can permanently delete individual letters from their Dashboard. For permanent account erasure, you may submit a formal "Account Deletion" request via our Support Desk. Upon receipt, our administrators will systematically purge your associated Firebase authentication tokens and hosted letters from our active databases within a commercially reasonable timeframe.

7. Children's Privacy (Age Restriction)

This Platform is strictly intended for individuals who are at least 13 years of age (or 16 years of age for users residing within applicable European Union jurisdictions). We do not knowingly collect personal information from children under these age limits. If we become aware that a minor has provided us with personal data, we will take immediate steps to delete such information.

8. Governing Law and Jurisdiction

The Platform is operated and maintained from India. These terms and your use of the Platform are governed by the laws of India. Any legal disputes or claims arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in New Delhi, India.

Contact Information: Initiate Secure Communication via Support Desk