The Living Chronicle
Last updated: 2026-04-10
Effective date: [LAUNCH DATE]
1. Who We Are
The Living Chronicle (the "Service") is operated by Aegis Brightsmark Capital MB ("we", "us", "our"), a Lithuanian company registered under company code 307576279, with registered office at Sembu 6, Buivydiskes, LT-14166, Vilniaus raj., Lithuania.
Contact for privacy matters: info@aegisbrightsmark.com
We are the data controller for personal data collected through the Service under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
2. What Data We Collect
2.1 Account Data
- Email address
- Username (chosen by you)
- Device identifier (hashed)
- Authentication tokens (stored securely)
2.2 Gameplay Data
- Investigations performed, outcomes revealed
- Votes cast
- Faction membership and operations
- Codex progress, artifacts collected
- Action Point balance
- Player rank and progression
2.3 Subscription Data
- Subscription tier (Free, Chronicle+, Season Pass)
- RevenueCat customer ID
- Purchase history (managed via Apple/Google payment systems)
2.4 Social Data
- Coven membership
- Friends list
- Theory submissions
- Discussion messages (within covens)
2.5 Analytics Data
- In-app event logs (sessions, screen views, interactions)
- Feature usage patterns
- Retention metrics
- Crash reports
2.6 Technical Data
- IP address (stored in server logs for a maximum of 30 days)
- Device type and model
- Operating system version
- App version
- Expo push notification token
3. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
- Contract (Art. 6(1)(b)): Account management, subscription delivery, core gameplay features
- Consent (Art. 6(1)(a)): Analytics tracking, marketing communications, push notifications
- Legitimate interest (Art. 6(1)(f)): Security, fraud prevention, content moderation, service improvement
- Legal obligation (Art. 6(1)(c)): Tax records, regulatory compliance
4. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account data (active) | Lifetime of your account |
| Account data (after deletion request) | 12 months, then permanently deleted |
| Gameplay state | Lifetime of your account |
| Analytics events | 24 months, then aggregated |
| Server logs | Maximum 30 days |
| Support tickets | 24 months |
| Financial records | 7 years (Lithuanian tax law) |
5. Who We Share Data With
We do not sell your personal data. We share data only with the following third-party processors necessary to provide the Service:
| Processor | Purpose | Location | Legal Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Hosting infrastructure | Germany (EU) | N/A (EU) |
| Supabase / Neon | Database hosting | EU region | N/A (EU) |
| Anthropic PBC | AI chapter generation | United States | Data Privacy Framework |
| Google LLC | AI chapter validation, Analytics | United States | Data Privacy Framework |
| RevenueCat, Inc. | Subscription management | United States | Data Privacy Framework |
| Expo / Exponent.io | Push notification delivery | United States | Data Privacy Framework |
| Pusher Ltd. | Real-time messaging | United Kingdom | Adequacy Decision |
| Vercel Inc. | Web hosting | Global | Data Privacy Framework + SCCs |
| Sentry.io (Functional Software) | Error monitoring | United States | Data Privacy Framework |
| Apple Inc. / Google LLC | App store distribution | Global | Data Privacy Framework |
All transfers to non-EU processors are protected by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) as adopted by the European Commission.
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Obtain a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to restrict processing (Art. 18): Limit how we process your data
- Right to data portability (Art. 20): Receive your data in a machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): Revoke previously given consent at any time
- Right to lodge a complaint: File a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI) at https://vdai.lrv.lt/
To exercise any of these rights, contact us at info@aegisbrightsmark.com. We will respond within 30 days.
7. Children's Privacy
The Service is rated 12+ and not directed at children under 13. We do not knowingly collect personal data from children under 13.
Users aged 13-17 in the European Union may require parental consent depending on their country of residence (GDPR Article 8). If you believe we have collected data from a child without proper consent, please contact us immediately at info@aegisbrightsmark.com and we will delete the data.
8. Security
We implement industry-standard security measures to protect your personal data:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for sensitive data
- Regular security audits
- Access controls and authentication
- Rate limiting and abuse prevention
- Automated backup procedures
- Incident response plan
No system is perfectly secure. In the event of a data breach affecting your personal data, we will notify affected users and the Lithuanian State Data Protection Inspectorate within 72 hours, as required by GDPR Article 33.
9. AI-Generated Content Notice
The Living Chronicle generates story content using AI models (Anthropic Claude and Google Gemini). To generate chapters, these models process anonymized aggregate data about player votes, investigations, and faction operations. No individual personal data is sent to the AI models. For full details on AI usage, see our AI Disclosure.
10. Cookies and Tracking (Web Only)
Our website (thelivingchronicle.com) uses cookies. We ask for your consent before using non-essential cookies. See our Cookie Policy for details.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification and email. The "Last updated" date at the top of this document reflects the most recent version.
12. Contact Us
Data Controller: Aegis Brightsmark Capital MB
Company Code: 307576279
Address: Sembu 6, Buivydiskes, LT-14166, Vilniaus raj., Lithuania
Email: info@aegisbrightsmark.com
Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)
Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Website: https://vdai.lrv.lt/