1. Information we collect
Depending on how you use Reverie Memories, we may collect:
- account information such as email address, optional display name, session state, and invite status;
- authentication information such as password credentials, TOTP factor metadata, passkey public credential metadata, OAuth profile identifiers, and security timestamps;
- uploaded moment photos and person photos;
- prompts, relationship selections, saved notes, moment metadata, generated result metadata, and private generated images;
- support and report information such as category, short non-sensitive context, report IDs, lookup codes, status, and optional follow-up email;
- limited operational metadata needed to serve requests, protect accounts, debug failures, prevent abuse, and maintain deletion/audit records.
2. How we use information
We use information to:
- create and secure your account;
- store private uploads and generated results in your account;
- queue and process imagined-image generation;
- show, download, delete, and review your moments;
- operate invite, waitlist, passkey, password, TOTP, and OAuth flows;
- investigate reports, takedown requests, abuse attempts, security events, and product failures;
- maintain aggregate launch-health analytics without private content.
3. What we do not do
- We do not sell your photos, prompts, generated results, or account information.
- We do not use third-party ad pixels, session replay, heatmaps, or behavioral ad tracking in the current launch surface.
- We do not store payment card details because live billing is not enabled in the current MVP.
- We do not intentionally put prompts, image bytes, R2 object keys, account secrets, OAuth tokens, provider payloads, or payment identifiers into ordinary analytics, GitHub, Linear, screenshots, or public support channels.
4. Storage and processors
Reverie Memories is Cloudflare-first. Account metadata, auth state,
moment metadata, and aggregate analytics are stored in D1/KV where
applicable. Private uploads and generated images are stored in R2.
Generation jobs use a Cloudflare Queue and a generator Worker.
Future provider-bound reference-image generation must be reviewed
before broader rollout. Provider retention, logging, deletion,
training, support, and abuse-handling assumptions must be disclosed
before public likeness-preservation claims or paid provider-backed
launch.
5. Cookies and authentication
Reverie Memories uses an HttpOnly `cg_session` cookie to keep you
signed in. OAuth state and one-time login state are short-lived.
Passwords are stored as derived password hashes, not plaintext
passwords. TOTP secrets are encrypted before storage.
6. Analytics
The current analytics path records only aggregate daily counts for
allowlisted events such as landing views, signup starts, signup
completions, report submissions, and generation status counts. It
does not store emails, prompts, filenames, upload IDs, moment IDs,
object keys, image bytes, session IDs, IP addresses, user agents, or
per-user timelines.
7. Reports, takedowns, and safety
Reports should begin with the minimum information needed to
investigate: a category, a link or ID if you have one, and a short
non-sensitive description. Do not send private photos, prompts,
account secrets, payment details, session cookies, invite codes, or
deeply personal grief details unless a trained process requires it.
Severe reports involving suspected CSAM, sexualized minors,
non-consensual intimate imagery, threats, extortion, or imminent
safety issues may be escalated and may require preserving limited
records needed for legal or safety handling.
8. Deletion and retention
You can delete moments where product deletion controls are
available. Deletion removes account-visible access and follows the
implemented D1/R2 deletion workflow for generated results and
associated unreferenced uploads. Some limited records may remain for
security, abuse review, legal compliance, duplicate-removal
analysis, deletion audit, or service integrity.
We retain personal information only as long as needed for the
purposes described here, unless a longer period is required for
security, abuse review, legal process, or operational records.
9. Your choices and rights
You may ask to access, correct, delete, export, or review personal
information associated with your account. Depending on where you
live and which laws apply, you may also have rights to know what is
collected, withdraw consent, object to certain uses, limit certain
sensitive uses, or avoid discrimination for exercising privacy
rights.
Start through the report form. We may
need enough information to verify the account or content involved,
and we will not ask for more sensitive information than the request
reasonably requires.
10. Children and minors
Reverie Memories is not directed to children under 13, and account
creation is intended for adults. If you believe a child provided
personal information without proper consent, or if a generated image
raises a child-safety concern, report it immediately through the
report form.
11. Security
We use account-scoped access checks, private R2 object keys,
HttpOnly session cookies, password hashing, encrypted TOTP secrets,
and privacy-limited analytics. No internet service can guarantee
perfect security, so please do not include private photos, prompts,
account secrets, or object keys in support messages unless a trained
process specifically asks for them.
12. Changes
We may update this Privacy Notice as Reverie Memories changes.
Material changes to privacy practices should be presented before
they apply to new uses that depend on those changes.