Privacy Policy
Effective Date: 2026-07-07
This Privacy Policy explains what information Sei collects when you use the desktop application, the cloud features, and this marketing website; how that information is used; and the choices you have. It supplements the Terms of Service.
1. What We Collect
Data Controller: [LEGAL ENTITY NAME — TBD, e.g., Sei Studio LLC, a [STATE] [llc / corp / sole-prop]], [MAILING ADDRESS — TBD], reachable at team@sei.gg.
EU Representative (GDPR Art. 27): [EU REPRESENTATIVE — TBD, recommended providers: Prighter, EDPO; typical cost ~€20-50/mo]. Until appointed, EU/EEA/UK residents may contact team@sei.gg for any data-protection request.
Data Protection Officer: Sei does not currently appoint a DPO under GDPR Art. 37(1) because we do not meet the qualifying thresholds (we are not a public authority and our core activities do not consist of large-scale systematic monitoring or large-scale processing of special-category data). If our scope changes, we will publish that change here.
- Account data - when you create a Sei account: your email address and a hashed password (handled by Supabase Auth), or, if you sign in with Google, the profile fields Google returns at sign-in (email, name, avatar). At signup we also collect a date of birth solely to verify you are at least 13 years old (COPPA compliance, see §7). The full date is not retained in our database — we keep only the derived fact that you self-attested to being 13+ at signup, plus a signup timestamp.
-
Session data - encrypted session tokens that the desktop app stores
locally on your machine using Electron's
safeStorage(OS keychain on macOS, DPAPI on Windows, libsecret/kwallet on Linux when available). These tokens never leave your device except to authenticate against Supabase. -
Character data (cloud) - when you are signed into Sei AND a character is
set to
shared = true, OR when you explicitly upload a character via the one-shot migration prompt: the character's name, persona text, system prompt, skin PNG file, and portrait image are uploaded to Sei's Supabase project (Postgres rows + Storage objects). When you publish a shared character, the persona text is also sent to OpenAI's Moderation endpoint and the portrait image is sent to SightEngine for image moderation (see §3). -
Cloud AI inference (paid tiers) - when you use a Sei paid tier, your
chat content and the active character's system prompt are forwarded through Sei's
Fly.io-hosted proxy to Anthropic's API to generate the model's reply. Sei's proxy stores
a per-request usage record (input/output token counts, model name, anonymised
anthropic_call_id) for billing and rate-limit accounting; the proxy does NOT persist the chat content itself. - Payment data (paid tiers) - Lemon Squeezy is Sei's Merchant of Record for all paid purchases. Lemon Squeezy collects and processes your payment details (card number, billing address, country, tax info). Sei never sees your full card number; Sei stores only an order identifier, the product purchased, and the renewal date.
-
Update-checker telemetry - on launch, the Sei desktop app contacts
https://sei.gg/version.jsonto check whether a newer version exists. This transmits your IP address, User-Agent, and the time of the request to our marketing-site host (Vercel — see §3). The request is best-effort and never blocks app startup. - Product analytics (desktop app) - to understand which features are used and where the app fails, the Sei desktop app sends anonymous product-analytics events to PostHog (see §3). Events record actions and counts only: the event name (for example app opened, character summoned, checkout opened), your app version, operating system and architecture, whether you use cloud or local (BYOK) mode, coarse durations, and error categories. Events are keyed to a random identifier generated on your device (not derived from your name, email, or Minecraft username); if you are signed in they are also associated with your account id so usage can be counted per account across devices. Product analytics NEVER include your chats, character definitions, world names, or other content. This uses a device-generated identifier sent from the app, not browser cookies or tracking pixels. Analytics are on by default; you can turn them off at any time in Settings under "Usage analytics", and we do not knowingly collect analytics from anyone under 13.
- Marketing-site server logs and analytics - when you visit sei.gg, our hosting provider (Vercel) records standard server log fields: IP address, User-Agent, Referer, request path, and response status. We also use PostHog (see §3) for cookieless website analytics: it records page views and coarse engagement events in memory only, sets no cookies, and stores no cross-site identifier. We do not run ad pixels or cross-site advertising tracking.
- Moderation reports - when you submit an in-app moderation report against a shared character, Sei records the report (reason category, optional free-text detail, your user id, the target character id, timestamp). Operator notifications about reports are sent via Discord webhook + email (Resend) to the moderation team (see §3).
- DMCA notices and counter-notices - when you file a DMCA notice or counter-notice under our Terms §7, we retain the notice, your contact details, the targeted character, and the resolution. DMCA strike records are retained for the duration of our repeat-infringer policy (see §6).
-
Local-only data - NEVER uploaded - Sei's runtime memory files
(
OWNER.md,DIARY.md), conversation history with characters, local-only characters (the default, before you toggle Share), and the application's logs all remain on your machine. Sei has no cloud collection path for these files in this release.
2. Why We Collect It
Account data lets you sign in and identify your cloud characters across devices. Character data (when uploaded) powers the cross-device sync of your character definitions and the public character library (Browse tab). Cloud inference data lets us route your chat to the model and enforce per-user usage limits. Payment data lets Lemon Squeezy process your purchase and Sei provision the corresponding credits. Update-checker telemetry tells the app whether a new release exists. Moderation data exists to keep the public library safe and to honour DMCA obligations. Session tokens keep you signed in between launches.
3. Third-Party Subprocessors
Sei relies on the following third-party processors. Each link points to the processor's own privacy notice. "DPF" = certified under the EU-US Data Privacy Framework at dataprivacyframework.gov (verify current status before relying — DPF certification is renewed annually).
| Processor | Role / Data Touched | Region | Transfer Safeguard |
|---|---|---|---|
| Anthropic (Anthropic PBC) | LLM inference. Receives your chat content + active character's system prompt on every paid-tier request. | United States | DPF |
| Supabase (Supabase, Inc.) | Backend, Auth, Postgres database, Storage buckets. Hosts account credentials, cloud character library, ledger, deletion queue. | AWS us-east-1 (United States) | DPF |
| Fly.io (Fly.io Inc.) | Hosts Sei's AI inference proxy. Receives request bodies (chat + system prompt) and Authorization JWT in transit; logs IP + User-Agent at the edge. | LAX region (Los Angeles, United States) | SCC |
| Lemon Squeezy (Lemon Squeezy) | Merchant of Record for paid purchases. Collects and processes card data, billing address, tax info. Sei does not store card data. | United States | DPF |
| OpenAI (OpenAI, L.L.C.) | Text moderation. Receives the persona text + character name when you publish a shared character. | United States | DPF |
| SightEngine (SightEngine SAS) | Image moderation. Receives the portrait image URL when you publish a shared character. | France / EU | GDPR-native (no transfer needed for EU users) |
| Resend (Resend, Inc.) | Transactional email. Sends signup-verification, moderation notifications, DMCA notices, renewal reminders, and account-deletion confirmations. | United States | DPF |
| Discord (Discord Inc.) | Operator moderation notifications via webhook. Sei posts a report summary (character id, reason category, report id); no end-user PII routed here beyond what's already in a moderation alert. | United States | SCC |
| Vercel (Vercel Inc.) | Marketing-site hosting (sei.gg). Records IP, User-Agent, Referer in standard server logs. Also receives update-checker telemetry from the desktop app. | United States | DPF |
| Mojang / Microsoft | Minecraft skin lookup. When a character uses a Mojang skin, the desktop app contacts api.mojang.com, sessionserver.mojang.com, and textures.minecraft.net with the requested username; the request carries your IP and User-Agent. |
United States | DPF (Microsoft) |
| Google (Google Fonts CDN) | Serves the Press Start 2P and Rajdhani web fonts for sei.gg pages. Receives your IP, User-Agent, and Referer on every page load. (Sei plans to self-host these fonts in a future marketing-site release; see HTML comment.) | United States | DPF |
| PostHog (PostHog, Inc.) | Product and website analytics. In the desktop app: anonymous usage events (event name, app version, OS/architecture, cloud/local mode, coarse durations, error categories) keyed to a device-generated identifier and, when you are signed in, your account id. On sei.gg: cookieless page-view and engagement analytics (in-memory, no cookie, no cross-site identifier). Never receives your chats, characters, world names, or other content. | United States (US Cloud) | SCC |
4. What We Don't Do
- We do not sell or share your personal information for cross-context behavioral advertising. See §10.
- We do not show advertising on the app or on this website.
- We do not embed third-party tracking pixels or advertising cookies.
- We use a single third-party product-analytics service (PostHog) in the desktop app, on an opt-out basis, to measure feature usage and errors. It never receives your chats, characters, world names, or other content, and it uses a device-generated identifier rather than browser cookies. See §1 ("Product analytics") and §3.
- We do not use your conversations or characters to train AI models. (Anthropic's own data-use policy governs what it does with prompts you send through its API on your behalf; we do not grant additional training rights on your behalf.)
- We do not retain the full date of birth you provide at signup — only the derived fact that you self-attested to being 13+. See §7.
5. Your Rights
Whether or not you reside in the EU/EEA/UK or California, Sei offers the following controls. California residents have additional rights — see §10.
- Access & portability. The in-app "Export My Data" feature produces a JSON download containing every cloud character definition associated with your account and your account profile fields.
- Deletion. The in-app "Delete Account" action enqueues a deletion job; all Supabase database rows and Storage objects associated with your account are purged within thirty (30) days. We send a confirmation email to the address on file at the moment of deletion.
- Correction. Edit any character at any time via the in-app GUI; the change syncs to the cloud copy. Change your email via account settings. For any other correction request (e.g. updating a misspelled name on a payment receipt), contact team@sei.gg.
- Right to object / restrict processing. Email team@sei.gg and we will action your request within 30 days.
- Withdrawal of consent. Where processing is based on consent (e.g. marketing emails — currently none sent), you may withdraw at any time without affecting the lawfulness of prior processing.
6. Data Retention
Retention varies by data category. Where a third-party processor governs retention, we link to their policy.
| Category | Retention |
|---|---|
| Account email + password hash | Until you delete + 30-day Storage purge window |
| Characters & personas (cloud-synced) | Until you delete or un-share |
Memories (OWNER.md, DIARY.md, conversation logs) |
Local-only; never reaches Sei servers. Governed entirely by you. |
| Payment records (Lemon Squeezy) | 7 years (US tax-law minimum). Governed by Lemon Squeezy. |
| Server access logs (Fly.io, Vercel, Supabase) | ~30 days per processor default (see processor links in §3). |
| Product & website analytics (PostHog) | Retained by PostHog per its default event retention. Turn analytics off any time in the app's Settings ("Usage analytics"). |
| Anthropic API request logs | Governed by Anthropic (currently ~30 days for accounts not enrolled in Zero Data Retention). |
| OpenAI moderation submissions | Governed by OpenAI (currently ~30 days). |
| SightEngine moderation submissions | Governed by SightEngine. |
| DMCA strike records | Duration of our repeat-infringer policy (currently indefinite, in order to enforce repeat-infringer termination under 17 U.S.C. § 512(i)). |
| Moderation reports | Until resolved, then retained as part of the moderation audit trail. |
| Session tokens | 1 hour for access tokens; 90 days for refresh tokens (Supabase defaults). |
| Cloud AI usage / ledger rows | Retained for the life of the account (billing audit trail). Purged on account deletion alongside the rest of your row data. |
| Date-of-birth attestation | We do not store the full date. We store only the derived fact that you self-attested to being 13+ at signup, plus a signup timestamp. |
7. Children (COPPA)
Sei is not directed at children under 13. At signup we collect a date of birth solely to verify you are at least 13 years old; we do not store the full date — we store only the derived boolean that you self-attested to being 13+ at signup, plus a signup timestamp. We do not knowingly collect personal data from children under 13.
If you are a parent or guardian and believe your child under 13 has registered for Sei, contact team@sei.gg (or privacy@sei.app once provisioned, see §12) and we will delete the account within 30 days.
8. International Transfers
Sei's Supabase project runs in AWS us-east-1 (United States). Sei's inference proxy runs on Fly.io in the LAX region (Los Angeles, United States). Anthropic processes inference requests in the United States. If you access Sei from outside these regions, your data will be transferred to and processed there.
For data leaving the EU/EEA/UK, Sei relies on the EU-US Data Privacy Framework where the processor is DPF-certified (currently Anthropic, Supabase, Lemon Squeezy, OpenAI, Resend, Vercel, and Microsoft — verify current DPF status at the link), and on the European Commission's Standard Contractual Clauses (Module 2 or Module 3, as applicable) otherwise. A current list of processors and their certifications is available on request.
9. Security
Account credentials are hashed by Supabase Auth. Session tokens on your machine are
encrypted via the OS-provided keystore through Electron's safeStorage
(macOS Keychain, Windows DPAPI, Linux libsecret/kwallet when available). Supabase Storage
is encrypted at rest by Supabase (AES-256). Network transport to Sei's proxy, Supabase,
Anthropic, and all subprocessors uses TLS. No system is perfectly secure; report suspected
vulnerabilities to team@sei.gg.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA") give you the following rights. The categories below use the statutory taxonomy in Cal. Civ. Code § 1798.140(v).
Categories of personal information we collect
- Identifiers — email, account id, IP address, User-Agent, and a device-generated product-analytics identifier.
- Customer records (Cal. Civ. Code § 1798.80(e)) — hashed password, derived age-13+ attestation, signup timestamp.
- Commercial information — purchase records, subscription status, credit-pack consumption.
- Internet or other electronic network activity — request paths and timestamps in server logs, and anonymous product-analytics events (feature usage counts, app version, OS, error categories; see §1).
- Professional or employment information — none, except a Minecraft username you choose to associate with a character.
- Inferences — none for advertising or automated decision-making. Product-analytics events (§1) are used only in aggregate to understand feature usage and reliability; we do not use them to profile, score, or build derived models about you.
Sensitive personal information (CPRA)
Two categories of sensitive personal information ("SPI") apply: (a) your account credentials, and (b) the contents of your communications with the AI model on the paid tiers (chat content). You have the right to limit our use of SPI under Cal. Civ. Code § 1798.121. Sei uses SPI only for the purposes described in §2 above — providing the service you requested, billing, security, and compliance — and never for advertising, profiling, or any secondary purpose. No "Limit the Use of My Sensitive Personal Information" opt-out is operationally required because we do not engage in any SPI use that triggers the right; you may nonetheless contact us at team@sei.gg to request additional restrictions.
Categories of sources
- Directly from you — signup, character creation, in-app actions, support emails.
- From your device — browser fields, IP, User-Agent.
- From payment processors — Lemon Squeezy returns the order metadata after you complete a checkout.
Categories of third parties we disclose to
See the §3 subprocessor table. We do not disclose personal information to any third party for the third party's own marketing purposes.
Retention
See the §6 retention table.
Your CCPA / CPRA rights
- Right to know what personal information we collect and how we use it.
- Right to delete personal information we have collected, subject to legal-retention exceptions (e.g., 7-year payment records).
- Right to correct inaccurate personal information.
- Right to portability (the in-app "Export My Data" JSON download).
- Right to opt out of sale or sharing — see "Do Not Sell or Share" below.
- Right to limit use of SPI — see above.
- Right to opt out of automated decisionmaking — Sei does not make solely-automated decisions that produce legal or similarly significant effects about you.
- Right to non-discrimination (Cal. Civ. Code § 1798.125) — we will not deny service, charge a different price, or provide a different level of quality because you exercised your CCPA rights.
"Do Not Sell or Share My Personal Information"
Sei does not sell or share your personal information, including for
cross-context behavioral advertising, as those terms are defined by the CPRA. There is
therefore no opt-out mechanism required, because there is no sale or sharing to opt out
of. We use the exact statutory phrase "Do Not Sell or Share My Personal Information" in
the footer of every page of our marketing site for clarity. If our practices change, we
will publish an opt-out mechanism here and notify users in-app via the
PRIVACY_VERSION blocking-modal mechanism (see §11).
How to exercise your rights
Email team@sei.gg (or privacy@sei.app once provisioned — see §12) from the address associated with your account. We will respond within 45 days as required by Cal. Civ. Code § 1798.130(a)(2). You may designate an authorized agent to make a request on your behalf; we will ask the agent to produce written authorization and may verify your identity directly. Sei is an online-only business; the Cal. Civ. Code § 1798.130(a)(1)(A) toll-free-number carve-out for businesses operating exclusively online applies.
11. Changes to This Policy
When this policy materially changes, the Effective Date will be updated and you will be
prompted to re-accept the new version inside the app before continuing to use cloud
features (the PRIVACY_VERSION mechanism).
12. Contact
Privacy questions or requests: team@sei.gg.
Alternate privacy mailbox (TBD): For California rights requests and
other privacy correspondence, you may also email
privacy@sei.app once provisioned. [Operator: either
provision privacy@sei.app as a forwarding alias to the primary inbox, or
delete this paragraph and direct all privacy correspondence to team@sei.gg.]
For DMCA copyright notices, see our Terms of Service §7.