Privacy Policy

This is your own experience, and we want to let you have as much privacy as possible.

Effective: January 2025

Pretty Tavern is operated from Germany. We comply with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

You're In Control

We believe your data should be as private as you want it to be. Pretty Tavern offers three levels of privacy - you choose what's right for you:

🔒 Privacy Mode (Maximum Privacy)

Your API keys and chat messages are encrypted in your browser using AES-256-GCM before they ever reach our servers. We store only encrypted data that we cannot read or decrypt - only you can, with your privacy key.

End-to-end encryption
Privacy key never leaves your browser
Even we can't read your chats

🔑 Local-Only API Key

Your API key is stored only in your browser's local storage and never sent to our servers at all. Simple and effective if you just want to protect your API key.

📦 Standard Mode

Your data is stored securely on our servers with AES-256-CBC encryption. Your content is protected, but not end-to-end encrypted. We don't actively monitor or read your content.

⚠️ Important: Privacy Key Warning

If you enable Privacy Mode and lose your privacy key, your encrypted data cannot be recovered - not even by us. Save your key somewhere safe!

What We Store

Your Account

To create your account, we need:

A username of your choice
A password (securely hashed with bcrypt - we never see your actual password)
Your email address (only if you sign up with Google)

Your Creative Content

Everything you create in Pretty Tavern belongs to you. We store it so you can access it from any device:

Characters and personas you create
Your conversations and chat history
Lorebooks and world-building content
Images you upload to your gallery
Your personal settings and preferences

↑ How much of this we can read depends on which privacy mode you choose above.

Technical Data

For security and to keep the service running smoothly, we automatically collect:

IP addresses
Browser type and version
Access timestamps

How We Use Your Data

Service Operation: Storing your content, syncing settings, enabling chat functionality
Security: Preventing abuse, investigating violations, protecting users
Legal Compliance: Responding to valid legal requests when required

We do not use your data for marketing, advertising, or analytics profiling. We do not sell your data.

Third-Party AI Services

Pretty Tavern connects to external AI providers (Anthropic, OpenAI, OpenRouter, etc.) using API keys you provide. When you send messages:

Your prompts and messages are transmitted to your chosen AI provider
The AI provider's privacy policy governs their handling of your data
We recommend reviewing the privacy policies of AI providers you use

YouTube Integration

Pretty Tavern offers an optional YouTube background feature that uses YouTube API Services. By using this feature:

You agree to be bound by the YouTube Terms of Service
Your use is subject to Google's Privacy Policy

YouTube videos displayed through this feature are third-party content. We do not own, control, or take responsibility for any YouTube video content. All videos remain the property of their respective creators and are subject to YouTube's terms and copyright policies.

Data Sharing

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

Legal Requirements: To comply with court orders or valid legal process
Safety: To prevent imminent harm or illegal activity
Service Providers: With trusted providers who assist in operating the service, under strict confidentiality

Your Rights (GDPR)

Under GDPR and applicable privacy laws, you have the following rights:

Access: Request a copy of personal data we hold about you
Rectification: Correct inaccurate data via your account settings
Erasure: Delete your account and all associated data
Portability: Request your data in a portable format
Objection: Object to certain processing of your data

To exercise these rights, contact us via the information on our Legal page.

Data Retention

Account Data: Retained until you delete your account
Technical Logs: Retained for a limited period for security purposes
After Deletion: Data is permanently removed, except where retention is legally required

Cookies

We use essential cookies for authentication and storing your preferences. We do not use tracking cookies or advertising networks. You may disable cookies in your browser settings, but core functionality may be affected.

Security

We implement security measures to protect your data:

Passwords are hashed using bcrypt (never stored in plain text)
All connections use HTTPS encryption
JWT-based secure authentication
Rate limiting on login and registration to prevent brute force attacks
Server-side API key encryption (AES-256-CBC) in standard mode
Optional end-to-end encryption (Privacy Mode) using AES-256-GCM with client-side key generation
File upload validation (magic byte checking) to prevent malicious uploads
Path traversal protection on all file operations

However, no system is completely secure. We recommend using strong passwords, enabling Privacy Mode for sensitive data, and keeping your API keys confidential.

Contact

For privacy-related questions or to exercise your rights, please contact us via the information on our Legal page.