Privacy Policy

CinematicTale ("we", "us", or "our") operates https://www.cinematictale.com. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use the Service.

This policy is aligned with the Indian Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and the SPDI Rules, 2011. For users in the EEA / UK, the principles of the GDPR / UK GDPR are followed where applicable. By using the Service, you consent to the processing described here as a lawful basis under the DPDP Act.

• Passwordless sign-in is now primary. We authenticate using secure email links and OAuth flows.
• No password storage by default. Most users no longer create or manage passwords in-app.
• Session handling improved. Server-side session cookies, CSRF protections, and logout invalidation were strengthened.
• Policy wording clarified. This page now clearly separates authentication cookies from analytics cookies.

• Authenticate users and protect accounts.
• Generate stories, images, and related media based on your prompts.
• Process subscriptions, top-ups, invoices, and payment reconciliation.
• Send transactional emails (sign-in links, billing, verification, support replies).
• Prevent abuse, enforce rate limits, and monitor platform reliability.
• Comply with legal and regulatory obligations.

We use third-party providers that may process your data only for required service functions.

• TLS/HTTPS encryption for traffic in transit.
• Server-side session cookies and CSRF checks for authenticated API actions.
• Role-appropriate Firestore access controls and server-side validation.
• Rate limiting and webhook signature verification on sensitive endpoints.

No transmission method is fully risk-free. We continuously improve controls, monitoring, and incident response.

We retain account and story data while your account is active. On account deletion, user data is removed from active systems within a reasonable operational window, except where legal obligations require retention (for example, payment/tax records).

Under the DPDP Act, GDPR, and similar laws, you have rights with respect to your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: update profile fields from account settings, or ask us to correct inaccuracies.
• Erasure ("right to be forgotten"): delete your account and associated data. Use the Delete Account flow in settings, or email us.
• Portability: request export of your story data in a structured, machine-readable format where feasible.
• Grievance redressal: for any rights request or unresolved concern, email our Grievance Officer (see Section 12).
• Withdrawal of consent: you may withdraw consent at any time by deleting your account; some processing for legal/tax compliance may continue.

We respond to verified rights requests within 30 days, in line with DPDP Act timelines. For any rights request, email saurabhjadhav.devstudio@gmail.com.

• Authentication cookies: keep signed-in sessions secure.
• CSRF token cookie: protects state-changing requests from forgery attacks.
• Preference storage: theme and experience settings.
• Analytics cookies: aggregated usage metrics.

CSRF cookies are security tokens and can exist even when you are signed out; they are not proof of an active login.

CinematicTale is not intended for children under 13 years of age. Under the DPDP Act, processing personal data of children (under 18 in India) requires verifiable parental consent. Users between 13 and 18 should use the Service only with parental or guardian consent. If you believe a child has provided personal data without consent, contact us and we will investigate and delete the data promptly.

We may revise this policy periodically. Material changes will be communicated through updates on this page and, when appropriate, account-level notices.

For any privacy concerns, rights requests, or grievances under the DPDP Act, contact our Grievance Officer. We aim to acknowledge within 48 hours and resolve within 30 days.