Privacy Policy

Last updated: 2026-03-18

This Privacy Policy explains how Truemium OÜ ("we", "us", "our") collects, uses, and protects your personal data when you use the Diss Arena mobile application ("the App"). By using the App you agree to the practices described in this policy.

1. Data Controller

The data controller responsible for your personal data is:

Truemium OÜ
Paavli tn 5a/1, Tallinn 10412, Estonia
Email: privacy@dissarena.com
Website: truemium.studio

2. Information We Collect

When you use the App, we may collect the following categories of data:

• Device identifier: On iOS, your identifierForVendor is used to create an anonymous guest account automatically on first launch — no registration required. On Android, a randomly generated UUID is used. This identifier is stored on our servers to maintain your account across sessions.
• Account information (optional): If you choose to sign in with Google or Apple, we receive your email address and display name from those providers.
• Device information: Device type, operating system version, and app version, used to provide technical support and AI context.
• Usage data: Chat history, character interactions, heat scores, session summaries, unread counts, and in-app behavior. These are stored to deliver the service and improve it.
• Payment information: Subscription and purchase transactions are processed by RevenueCat. We do not collect or store your credit card or payment details directly.
• IP-derived location: Approximate country and city inferred from your IP address via reverse-proxy headers (Cloudflare). Used solely to enrich AI character context (not stored as a separate profile field).
• Preferred culture (optional): If you complete the culture selection onboarding step, your chosen country code (e.g., "TR", "US") is stored. You may decline this step.
• Push notification tokens: FCM (Android) and APNs (iOS) device tokens, stored to deliver push notifications.

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the App's core features — account creation, AI chat, push notifications, and subscription management.
• Legitimate interests (Art. 6(1)(f)): Service improvement, fraud prevention, security monitoring, and analytics. We balance these interests against your rights and they do not override them.
• Legal obligation (Art. 6(1)(c)): Where processing is required to comply with applicable laws.
• Consent (Art. 6(1)(a)): For optional features such as culture sharing. You may withdraw consent at any time by contacting us.

4. How We Use Your Information

Collected data is used to:

• Create and authenticate your account (guest or social login)
• Deliver AI chat features and generate in-character responses
• Process subscription (Rage Pass) and credit pack purchases
• Send push notifications for new messages, daily credits, and re-engagement
• Enrich AI system prompts with contextual data (display name, timezone, language, device info, IP-derived country/city, culture preference) to improve response quality
• Monitor and improve App performance and fix bugs
• Detect and prevent abuse, fraud, or policy violations
• Comply with legal obligations

5. Data Sharing

We do not sell your personal data to advertisers or third parties. Your data may be shared only with the following service providers under appropriate data processing agreements:

• AI providers: Chat messages are sent to large language model providers — OpenAI, Anthropic, Google (Gemini), and xAI (Grok) — for response generation. These providers process your messages per their own privacy policies.
• RevenueCat: Subscription and purchase processing. Handles App Store and Google Play transactions.
• Amazon Web Services (AWS): S3 for file storage, RDS for database, SNS for push notification dispatch. Servers in EU (Ireland, eu-west-1) and US regions.
• Firebase (Google): Firebase Analytics and Crashlytics for usage statistics and crash reporting.
• Apple and Google: When you use Sign in with Apple or Sign in with Google.

All third-party providers are subject to GDPR-compliant data processing terms or Standard Contractual Clauses for transfers outside the EU/EEA.

6. Data Storage and Security

Your data is stored on AWS servers primarily in the EU (Ireland). We apply industry-standard security measures:

• All data in transit is encrypted using TLS/SSL
• Data at rest is encrypted using AES-256
• Access to personal data is restricted to authorized personnel only
• API requests are authenticated via token-based security

7. Data Retention

We retain your personal data for as long as your account is active. If you request account deletion:

• All personal data is removed within 30 days of the deletion request
• Data may be retained beyond this period only where required by applicable law (e.g., financial records)
• Anonymized or aggregated data that cannot identify you may be retained indefinitely for analytics purposes

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): Request deletion of your personal data
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to restriction: Request that we restrict processing of your data in certain circumstances
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing

We will respond to your request within 30 days. To exercise your rights, contact us at privacy@dissarena.com.

If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (info@aki.ee, aki.ee).

9. Turkish Users — KVKK

If you are located in Turkey, your personal data is also protected under the Personal Data Protection Law (KVKK) No. 6698. Under KVKK, you have the right to:

• Learn whether your personal data is being processed
• Request information if your data is processed
• Learn the purpose of processing and whether it is used in accordance with the purpose
• Know the third parties to whom your data is transferred domestically or abroad
• Request rectification if your data is incomplete or inaccurate
• Request deletion or destruction of your data
• Request notification to third parties of rectification or deletion
• Object to any outcome against you arising from automated processing
• Claim compensation for damages arising from unlawful processing

To exercise your KVKK rights, send your request to privacy@dissarena.com with the subject line "KVKK Request". For unresolved matters, you may contact the Kişisel Verileri Koruma Kurumu (KVKK) at kvkk.gov.tr.

10. Children's Privacy

Diss Arena is strictly an 18+ platform. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that a minor has provided us with personal data, we will delete that data immediately. If you believe a minor has used the App, please contact us at privacy@dissarena.com.

11. Policy Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notification or on this page. Continued use of the App after changes have been posted constitutes your acceptance of the updated policy. The "last updated" date at the top of this page always reflects the most recent version.

12. Contact

For any privacy-related questions or to exercise your rights:

Truemium OÜ
Paavli tn 5a/1, Tallinn 10412, Estonia
privacy@dissarena.com