1. Overview
This Privacy Policy explains how chapter3five (“chapter3five”, “we”, “us”) collects, uses, shares, and protects information about you. It applies to the chapter3five website, the chapter3five mobile applications (iOS and Android), and any related services (collectively, the “Service”).
chapter3five is intended for users who are at least eighteen (18) years of age. We do not knowingly collect personal information from minors.
2. Information we collect
We collect the following categories of information:
- Account information. Email address and password (we store only a hashed credential, never the password in plaintext). Your date of birth, collected at onboarding to verify you are 18 or older — we use this only for age verification and (optionally, in the future) to send you a small message on your birthday. Optionally, an identity name and language preference you choose.
- Your archive content. The text answers you record, the name and avatar you choose for your identity, the mode (real, randomized, imported, or memory) you select, and any texting-style or persona settings you provide. For randomized identities, an AI-synthesized short biography (anchored on the random answers) we generate at creation and store with the identity. For memory-mode identities, the free-text description you provided about the person, plus any additional text you later add to deepen the persona; we preserve the raw text so you can review what the identity was built from.
- Voice recordings. Audio files you record for specific archive answers. Stored in a private bucket (archive-audio) only you and beneficiaries you designate can read. Each recording is also sent (one-time, on upload) to OpenAI’s Whisper API for optional transcription — the transcript is offered back to you to use as the typed answer if you want.
- Photos in the archive. Image files you attach to specific archive answers. Stored in a private bucket (archive-photos) with the same access rules as voice.
- Conversation content. Messages you send to and receive from your archive’s conversational interface, plus any photos you attach to a message.
- Persona memories. Short structured facts extracted from your conversations (e.g., “they have a daughter named Maya”) so the identity can carry context across sessions. You can review and delete these from Settings.
- Persona traits and realism state. Each identity has a set of structured traits we extract from the archive (or roll randomly for randomized identities) and use to color the chat: orientation, romantic openness, identity quirks, sports fandom, location anchor (a specific neighborhood the persona lives in), an ambient cast of named people in the persona’s life, a rotating “this week” context (mundane recent threads), and a per-conversation mood + physical state seed (refreshed after a couple hours of inactivity). Owners can edit orientation, openness, and location from Settings. Stored with the identity row.
- Group chat content. If you create a group chat with multiple identities you own, we store the room metadata (name, language), member list (with departure timestamps if a persona walks out of the conversation), and every message exchanged in the room (yours and each persona’s). Group chats can only contain identities you created — never inherited or shared archives.
- Beneficiary group room content. If you and another beneficiary inherit access to the same archive (and its owner has passed away), either of you can create a shared room with the deceased’s persona. We store room metadata, the list of member beneficiaries, and every message exchanged in the room. Each beneficiary in a room can see every other beneficiary’s messages there — these rooms are explicitly shared spaces, unlike 1:1 conversations.
- Beneficiary designations. Email addresses (and optionally names) of people you designate as beneficiaries, plus a 32-character claim token per designation that resolves to the beneficiary’s personal claim link (chapter3five.app/legacy/[token]). The token has no semantic meaning and is generated from cryptographically secure randomness.
- Passing reports. If a beneficiary or someone else holding a valid claim link reports your passing, we store: the date they reported, optional notes (an obituary link, the funeral home, anything that helps confirm), the reporter’s name and email, and a separate 32-character veto token used to authorize the one-click cancel link in the email we send you. We track when the report was submitted, when the 72-hour veto deadline elapses, and whether you cancelled (vetoed) or the report was confirmed.
- Per-conversation read cursors and mute state. We store, on your profile, a small JSON map of when you last opened each conversation (so the dashboard can clear unread indicators) and a list of conversations you’ve muted (Hide alerts) so proactive pings + outreach + check-in emails for those conversations are suppressed. Both are private to you.
- Pinned conversations. A list of conversations you’ve pinned to your dashboard’s favorites strip, stored on your profile.
- Payment information, if you make a purchase. Card data is handled by Stripe and is never seen or stored by us; we keep only a record of the purchase (purpose, amount, timestamp, processor reference).
- Device tokens (mobile). If you grant push permission, we store an Expo push token tied to your account so we can wake your device when your identity sends a message. You can revoke this in your device settings; we delete dead tokens automatically.
- Usage and device data. Pages viewed, actions taken, IP address, device type, browser type, approximate location (inferred from IP), and timestamps. We may use cookies and similar device-storage technologies (see our Cookie Policy).
- Communications you send us, including support requests and feedback.
We do not access or collect: your contacts, your location via GPS, your photos beyond ones you explicitly attach to messages, your microphone, your call history, or content from other apps on your device.
3. How we use information
- To provide, operate, and maintain the Service.
- To create and serve responses from the conversational interface, grounded in your archive (see Section 4 for the AI processing flow).
- To authenticate your account, prevent fraud, and protect the security of the Service (including detecting messages that suggest a user is in crisis, see Section 7).
- To send you transactional email about your account, your archive, and your beneficiaries.
- To improve the Service through aggregated, de-identified analytics.
- To comply with legal obligations and enforce our Terms.
We do not sell your personal information. We do not use Your Content to train any AI model — ours, our providers’, or anyone else’s.
4. AI processing — explicit consent to third-party transmission
chapter3five uses two AI providers. Both have default-no-retention and default-no-training-on-customer-data policies on the API tier we use. By using the AI-powered features of the Service, you explicitly consent to these transmissions.
Anthropic, PBC — for chat responses, identity backstory synthesis (randomized mode only), persona memory extraction, weekly reflection, anniversary messages, welcome messages, group chat orchestration (urge-to-respond judgments, cross-replies, walk-out detection, farewell lines), beneficiary group room orchestration (the deceased persona’s replies to multi-beneficiary threads), multi-message reply bursts (the persona occasionally splits one reply into 2-3 short messages with realistic delays), tone-judging for hostile/cruel messages, persona realism state generation (mood, physical state, weekly context, ambient cast), and extraction of structured traits (orientation, openness, identity quirks, sports fandom, location anchor) from your archive. We send: the recorded archive associated with your active identity (questions and answers), the persona memories currently held about you, the messages you send and recent prior messages (last twelve in 1:1, last thirty in group chat), any photo you attach to a chat message (as a signed URL for vision processing), and the synthesized bio + traits + cast + location + sports anchors stored on the identity.
OpenAI, Inc. — for three features:
- Embeddings (text-embedding-3-small): each persona memory’s text is embedded and stored as a vector so the AI can surface the right memory for the right moment. The full memory text is sent at write time and at every chat turn (the user’s incoming message is embedded for similarity search).
- Image moderation (omni-moderation-latest): every chat photo is run through OpenAI’s free moderation endpoint before reaching Anthropic. Photos flagged for sexual, violent, self-harm, or hateful content are rejected and the upload is deleted.
- Voice transcription (Whisper): when you record a voice answer, the audio is sent to Whisper one time on upload to produce a transcript you can optionally use as your typed answer.
If you do not consent to either provider, do not use the features that depend on them. Email privacy@chapter3five.app to revoke consent and delete your account.
5. Service providers (processors)
We share information only with vetted service providers who help us operate the Service, under contractual confidentiality and data-protection obligations. These currently include:
- Supabase — database, authentication, file storage for avatars + chat photos + archive audio + archive photos (United States).
- Anthropic — AI processing of conversational messages, identity backstory synthesis, persona memory extraction + weekly reflection, anniversary messages, welcome messages, group chat orchestration, tone-judging for hostile messages, persona realism state generation, structured trait extraction, and attached photos via vision. See Section 4 for the data flow.
- OpenAI — embeddings for memory retrieval, image moderation on chat photos, and Whisper transcription for voice answers. See Section 4.
- Resend — transactional email delivery.
- Vercel — application hosting and content delivery.
- Stripe — payment processing for any paid features.
- Sentry — server-side error monitoring (excludes message content; only stack traces and request metadata).
- Expo — push notification delivery (mobile only).
6. Sharing with people you invite
You may grant access to your archive to specific people you designate, in two distinct ways:
- Share codes let another user import a copy of your archive into their own account. They get their own copy.
- Beneficiaries get read-only access to the same archive, with their own private conversation thread. They are notified when designated and again, with a claim link, if your account is ever marked deceased.
We are not responsible for what authorized recipients do with content you share with them.
7. Crisis detection and care-team review
The Service screens user messages for keywords associated with imminent self-harm or harm to others. When a match is detected: (a) the conversational interface is instructed to step out of character and provide crisis-line information; (b) the message excerpt and matched keywords are saved to a crisis_flags table and an alert is sent to our care team. We may use this information to follow up with you with care, or to refer you to professional resources.
Crisis-flagged exchanges are not used for memory extraction, are not shared with beneficiaries, and are deleted on account deletion.
8. Legal disclosures
We may disclose information if required by law or legal process, to protect the rights, property, or safety of chapter3five, our users, or others, or in connection with a corporate transaction (with notice to users where practicable).
9. International transfers
Information is processed in the United States. If you are located in the EU, UK, or another jurisdiction with different data-protection rules, we rely on Standard Contractual Clauses (or equivalent) for transfers where required.
10. Data retention; deletion; grace period
We retain your information for as long as your account is active or as needed to provide the Service.
- Soft delete (default). When you delete your account from Settings, your data is hidden and scheduled for permanent deletion thirty (30) days later. Within those thirty days, you may restore your account for a one-time fee. On day thirty-one (31), your data is irreversibly deleted by an automated job.
- Delete forever now. You may also elect immediate, irreversible deletion. All your data is removed from our active systems within minutes.
- Backups. Routine backups are overwritten in the ordinary course within ninety (90) days, after which no copies of your data exist.
- Audit and billing records. We may retain limited records (purchase history, audit log of sensitive actions) for the period required by law (typically up to seven years for tax purposes), with personal identifiers removed where possible.
11. Your rights
Subject to your jurisdiction, you may have the right to access, correct, port, or delete your personal information; to restrict or object to certain processing; and to lodge a complaint with a supervisory authority. You can also export a complete JSON copy of your data at any time from Settings → Download your data.
To exercise any of these rights, contact privacy@chapter3five.app. We will respond within the timeframes required by applicable law.
California residents (CCPA/CPRA). You have the right to know what personal information we collect; to access and delete it; to correct inaccurate information; to opt out of any sale or sharing of personal information (we do not sell or share); and to be free from retaliation for exercising these rights.
EU/UK residents (GDPR/UK GDPR). Our lawful bases for processing are: contractual necessity (to provide the Service), legitimate interests (security, improvement, fraud prevention), explicit consent (for the AI-processing flow in Section 4 and for any optional analytics cookies), and legal obligations.
12. Security
We use reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Database access is restricted via Postgres row-level security policies; passwords are hashed; transport is encrypted (TLS). Avatar and chat-photo storage is private and accessible only to the owning user. No system is impenetrable, and we cannot guarantee absolute security.
13. Children
The Service is for users 18 and older. We do not knowingly collect information from children under 18. If you believe we may have collected information from a child, contact privacy@chapter3five.app and we will delete it.
14. Inheritance and legacy
chapter3five is designed so that an archive may persist after the person who created it has died. You may designate up to three (3) beneficiaries free of charge, with additional slots available for a one-time fee. Each designation generates a 32-character claim token, resolvable as a personal claim link (chapter3five.app/legacy/[token]). The token is private and inert until activated.
Passing report and 72-hour veto window. Any person holding a valid claim link may submit a passing report through that link (date plus optional notes). Submission does not immediately grant access. We email the account holder a one-click cancel link with a 72-hour deadline. If the link is used within the window, the report is dismissed, the archive remains private, and the reporter receives a polite "could not verify" notice without disclosure of who reported. If the window elapses without a cancel, the report is treated as confirmed: we mark the account deceased (using the date the reporter provided) and each designated beneficiary receives their personal claim link by email, granting read access plus their own private conversation thread.
If an account is marked deceased in error, we will reverse the designation and restore account access. Claims that have already been accepted by a beneficiary cannot be retroactively revoked (the beneficiary’s conversation is theirs). We may, after extended inactivity and notice, delete archives for which no beneficiary has been designated.
15. Mobile app permissions
On mobile, the chapter3five app may request the following permissions, all optional and only when the corresponding feature is invoked:
- Camera — only when you tap “Take photo” while attaching a photo to a chat message.
- Photo library — only when you tap “Pick from library” while attaching a photo to a chat message.
- Microphone — only on the web archive recording surface (recording voice answers happens on the web today; mobile voice recording is a planned follow-up).
- Push notifications — to deliver a notification when your identity sends a proactive message, an anniversary acknowledgment, or your daily question nudge.
- Face ID / Touch ID / device biometrics — only if you enable the biometric lock from Settings.
We do not request: location services, contacts, calendar, health, or any other sensitive permission. You can revoke any granted permission at any time from your device settings.
16. Changes
We may update this Policy from time to time. Material changes will be announced via the Service or by email. The “Last updated” date above reflects the most recent revision.
17. Contact
For privacy questions, requests, or complaints, contact privacy@chapter3five.app.