LEGAL DOCUMENT
Privacy Policy
Last updated: 1 April 2026
This Privacy Policy explains how CHRONOS ("we", "us", "our") collects, uses, stores and protects your personal data when you use the CHRONOS application and website. We are committed to protecting your privacy and handling your data in an open and transparent manner in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
CHRONOS is operated as an independent application. For the purposes of data protection law, we are the data controller of your personal data. If you have any questions about this policy or how we handle your data, please contact us at [email protected].
2. What Data We Collect
We collect the following categories of personal data when you use CHRONOS:
- Account data: Your email address and authentication credentials when you create an account.
- Device data: Device type, operating system version, device identifier, and IP address. We use a device fingerprint to enforce our free tier and prevent abuse.
- Usage data: The number of generations used, sessions initiated, journeys taken, CHECK requests made, and timestamp data associated with your activity.
- Voice input data: Audio captured when you speak to CHRONOS is processed in real time to generate your responses. We do not permanently store raw audio recordings.
- Payment data: Payment transactions are processed by Stripe. We do not store your card details. We receive confirmation of successful payments and the amount paid.
- Communications data: If you contact us for support, we retain records of that correspondence.
3. How We Use Your Data
We use your personal data for the following purposes and on the following legal bases under UK GDPR:
- To provide the CHRONOS service — processing necessary to perform our contract with you (Article 6(1)(b)).
- To manage your account and credit balance — necessary for the performance of our contract (Article 6(1)(b)).
- To process payments and prevent fraud — necessary for the performance of our contract and our legitimate interests in protecting the business (Article 6(1)(b) and 6(1)(f)).
- To enforce our free tier limits and prevent abuse — our legitimate interest in operating a sustainable service (Article 6(1)(f)).
- To monitor service performance and costs — our legitimate interest in operating and improving the service (Article 6(1)(f)).
- To comply with legal obligations — where required by law (Article 6(1)(c)).
- To communicate with you about your account — our legitimate interest in providing customer service (Article 6(1)(f)).
4. Third-Party Services
CHRONOS uses the following third-party services to operate. Each processes your data as a data processor on our behalf or as an independent data controller:
- Anthropic (Claude API): Your voice input is converted to text and sent to Anthropic's API to generate character and narrator responses. Anthropic processes this data in accordance with their privacy policy and API data usage policies. Input and output text is not used by Anthropic to train their models under our API agreement.
- ElevenLabs: Generated text responses are sent to ElevenLabs to produce voice audio. ElevenLabs processes character text in accordance with their privacy policy.
- Supabase: We use Supabase to store your account data, credit balance, and usage records. Data is stored in the EU (EU West 1 region).
- Stripe: Payment processing is handled by Stripe, Inc. Stripe is an independent data controller for payment data. Please refer to Stripe's privacy policy for details of how they handle your payment information.
- Apple: The CHRONOS app is distributed via the Apple App Store. Apple may collect data in accordance with their own privacy policy.
We do not sell your personal data to any third party under any circumstances.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:
- Account data: Retained for the duration of your account plus 12 months following deletion.
- Usage and session data: Retained for 24 months for fraud prevention and cost monitoring purposes.
- Payment records: Retained for 7 years to comply with UK financial record-keeping obligations.
- Voice input: Not retained beyond the immediate processing of your request.
- Support correspondence: Retained for 2 years from the date of the last communication.
6. Data Security
We take the security of your data seriously and implement appropriate technical and organisational measures including:
- Encrypted data transmission using TLS for all API communications.
- Row-level security policies on our database ensuring users can only access their own data.
- API keys and secrets stored as environment variables, never in application code.
- Rate limiting and abuse prevention systems to protect against unauthorised access.
- Regular monitoring of API spend and usage patterns to detect anomalies.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
7. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may ask us to correct inaccurate or incomplete data.
- Right to erasure: You may ask us to delete your personal data where there is no legitimate reason for us to continue processing it.
- Right to restrict processing: You may ask us to suspend processing of your data in certain circumstances.
- Right to data portability: You may request a copy of your data in a structured, machine-readable format.
- Right to object: You may object to processing based on our legitimate interests.
- Rights related to automated decision-making: We do not make automated decisions about you that produce legal or similarly significant effects.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.
8. International Transfers
Some of our third-party service providers operate outside the UK and European Economic Area. Where we transfer data internationally, we ensure appropriate safeguards are in place including Standard Contractual Clauses approved by the relevant data protection authority. Anthropic and ElevenLabs are US-based companies operating under appropriate data transfer mechanisms.
9. Children's Privacy
CHRONOS is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected] and we will take steps to delete that information.
10. Cookies and Tracking
Our website uses only essential cookies required for the website to function. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track you across other websites. We do not display advertisements.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the date at the top of this page. Your continued use of CHRONOS after any changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
12. Contact Us
If you have any questions, concerns or requests regarding this Privacy Policy or our data practices, please contact us at: