Privacy Policy

1. Information We Collect

We only collect information necessary to provide and optimize our services (no excessive data collection), including but not limited to:

• Basic Account Information: If you register an account, we collect your email address and username (you may use a pseudonym; real name is not required — complying with GDPR's "data minimization" principle).
• Browsing & Usage Data: We collect non-identifiable data such as your IP address (for geolocation to optimize Silicon Valley server speed), browser type, pages visited (e.g., novel detail pages), and reading duration (to recommend personalized novels). This data is anonymized within 90 days.
• Comment Data: If you post comments, we collect your comment content and submission time (linked only to your username, not your real identity).
• Cookie Data: We use essential cookies to remember your login status and reading progress (e.g., "last read chapter"). Non-essential cookies (e.g., analytics) require your explicit consent (see Section 5).
• Payment-Related Data (if applicable): If you purchase premium content, we use Stripe (a PCI DSS-compliant processor) to handle transactions. We never store your credit card details, CVV, or billing address — all payment data is encrypted and processed directly by Stripe.
• Biometric Information: We do not collect, store, or process any biometric information (e.g., fingerprints, facial recognition, voiceprints) — complying with U.S. NBIPA and Illinois Biometric Information Privacy Act (BIPA).

Data Retention Period

We retain your personal data only for as long as necessary to fulfill the purposes stated in this Policy: (1) Account data (e.g., email, username) is retained until you delete your account; (2) Usage data (e.g., reading history) is retained for 2 years after your last active use (to improve recommendations); (3) Payment data (processed via Stripe) is retained only as required by PCI DSS (typically 7 years for financial record-keeping). After these periods, data is anonymized or securely deleted.

1.1 Security Measures & Cross-Border Data Transfer

We implement industry-standard security measures to protect your data, complying with GDPR Article 32 and PCI DSS:

• Data Transmission Security: All data (e.g., account registration, payment) is encrypted using SSL/TLS 1.2+ protocols.
• Access Control: Only authorized personnel with role-based permissions can access personal data; regular security training is required.
• Data Storage Security: Personal data is stored on secure servers in Silicon Valley, U.S., protected by firewalls and intrusion detection systems.
• Regular Audits: We conduct quarterly security audits and vulnerability scans to address risks.

Data Breach Notification

If a data breach risks your rights, we will notify you within 72 hours of discovery via your registered email (GDPR Article 33) and relevant authorities (e.g., EU DPAs, California AG) if required by law (CCPA).

U.S. Government Data Access Limitations

Consistent with U.S. federal court rulings (e.g., Microsoft v. United States, 2016), the U.S. government may only request access to personal data stored on our Silicon Valley servers in compliance with the Stored Communications Act (SCA) and EU-U.S. DPF — we will not comply with requests that exceed the scope of applicable U.S. law or violate user privacy rights.

Cross-Border Data Transfer (Silicon Valley Servers)

For EU/UK users, we rely on the EU-U.S. Data Privacy Framework (DPF) and UK Extension to the EU-U.S. DPF to ensure "adequate protection" for your data transferred to the U.S. Our company and third-party providers (e.g., Stripe, Google Analytics) are DPF-registered.

For U.S. users, your personal data is stored exclusively on secure servers in Silicon Valley, U.S., and we comply with the U.S. Foreign Investment Risk Review Modernization Act (FIRRMA) of 2019 — we do not allow unauthorized collection or transfer of U.S. citizens' sensitive personal data to non-U.S. entities, and our data practices are subject to review by the Committee on Foreign Investment in the United States (CFIUS) as required by law.

Specifically, we do not engage in activities subject to FIRRMA's enhanced review: (1) We do not collect "sensitive personal data" as defined by FIRRMA (e.g., government employee security clearance data, genetic data, or biometric data beyond basic account information); (2) The volume of user identifiable data we collect does not exceed 1 million individuals (the threshold for FIRRMA scrutiny); (3) We are not a "U.S. TID Business" (Critical Technologies, Critical Infrastructure, Sensitive Personal Data), so non-controlling investments in our platform are not subject to FIRRMA's mandatory review.

2. How We Use Your Information

We use your data only for the following purposes (GDPR Article 6 legal bases included):

• Performance of a Contract: To provide core services (e.g., account login, chapter reading).
• Legitimate Interests: To optimize user experience (e.g., novel recommendations, reading progress tracking) — without overriding your privacy rights.
• Consent: To use non-essential cookies (e.g., analytics) — you may withdraw consent at any time.
• Legal Obligations: To respond to DMCA copyright complaints or legal requests from EU/US authorities.

2.1 Content Review Compliance (U.S. State Laws)

To comply with U.S. state-level content regulations (e.g., Florida HB 1069, Iowa SF 496) and avoid prohibited content, we implement a strict review process for all novels:

• We prohibit content involving child sexual abuse, non-consensual violence, hate speech, or explicit sexual content (consistent with PEN America guidelines).
• Sensitive themes (e.g., mental health, gender identity) are presented in a non-exploitative manner and align with educational/literary value standards.
• Valid content objections from users/authorities are reviewed within 5 business days; non-compliant content is removed/modified promptly.

3. Retention Period of Your Information

We retain data only for the period necessary to fulfill stated purposes:

• Account information (email, username): Retained for 30 days after voluntary account deletion (for accidental recovery).
• Browsing/reading data: Retained for 90 days (then anonymized for service optimization, no link to your identity).
• Comment data: Retained as long as the corresponding novel is available (you may request deletion via Section 8).

3.1 Protection of Minors' Personal Data

We comply with GDPR Article 8 and U.S. child privacy principles: We do not intentionally collect data from individuals under 16 without verifiable parent/guardian consent.

• If you are a parent/guardian and discover your child provided data without consent, contact us at ruilangao5@gmail.com to request deletion.
• Minors' data is deleted promptly upon valid parent/guardian request; no use/share for any purpose.

4. Your Rights Under GDPR/CCPA

You may exercise the following rights within 30 days of submitting a request (email: ruilangao5@gmail.com, subject line: "Data Rights Request"):

• Right to Access: Request a copy of your personal data we hold.
• Right to Correction: Request correction of inaccurate/incomplete data (e.g., update email).
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data (except legal retention requirements).
• Right to Restriction of Processing: Request we stop using your data (e.g., pause recommendations).
• Right to Data Portability: Request your data in a structured format (e.g., CSV) for transfer to another platform.
• Right to Opt-Out of Information Sale (CCPA): For California users — we do not sell your personal data; contact us to confirm anytime.
• Do Not Track (DNT) Right: For U.S. users — we respect browser DNT signals (disable non-essential tracking if DNT is enabled).

5. Cookie Policy

We use two types of cookies; only essential cookies are enabled by default:

• Essential Cookies: Required for core functions (e.g., login status, reading progress) — cannot be disabled without breaking services.
• Non-Essential Cookies: For analytics (e.g., popular novel categories) — require your explicit consent via a pop-up (EU users) or browser settings (U.S. users).

To disable non-essential cookies:

• Chrome: Settings > Privacy and security > Cookies and other site data > Block third-party cookies.
• Firefox: Settings > Privacy & Security > Cookies > Manage Exceptions.
• Safari: Preferences > Privacy > Block all cookies (note: may disable essential functions).

Do Not Track (DNT) Support

Enable DNT in your browser (e.g., Chrome: Settings > Privacy and security > Do Not Track) to disable non-essential tracking — complying with California CCPA and Virginia CDPA.

6. Sharing with Third Parties

We never sell or rent your personal data to third parties. We only share data in limited cases:

• Google TTS API: Temporarily transmit chapter text (no personal data) to generate audio; Google does not store the text.
• Legal Authorities: Share data if required by EU/US law (e.g., court orders, DMCA complaints).
• Service Providers: Share anonymized data with DPF-registered providers (e.g., Google Analytics) to optimize services — bound by confidentiality agreements.
• Stripe (Payment Processor): Share non-identifiable transaction data (e.g., your email for confirmation, amount) — Stripe complies with GDPR/CCPA/PCI DSS.

7. Changes to This Policy

Material changes (e.g., expanded data collection) will be notified via:

• A new "Effective Date" on this page;
• Email notification to registered users (7 days before生效);
• Homepage pop-up reminder (14 days).

Your continued use after changes take effect constitutes acceptance of the updated policy.

8. Contact Us

For questions, data rights requests, or DMCA copyright notices, contact us via:

• Email: ruilangao5@gmail.com (general inquiries, data rights, DMCA complaints).