Mythra

Effective date: May 12, 2026  ·  Last updated: May 23, 2026

Privacy Policy

Mythra (“we,” “us,” or “our”) is a worldbuilding and manuscript writing tool operated by an independent developer. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it. It is intended to satisfy our obligations under the EU and UK General Data Protection Regulation (the “GDPR”) and similar privacy laws.

1. Who we are (the data controller)

Mythra is operated by an independent developer based in the United States. For the purposes of the GDPR, we are the “controller” of the personal data we process about you. Our service is hosted at mythra.ink.

You can contact us about anything in this policy at hello@mythra.ink.

We are a small operation and do not currently have a Data Protection Officer or an appointed representative in the EU/UK, as we are not required to under Article 27 GDPR. We will appoint one promptly if the law begins to require it of us.

2. The personal data we process

Data you provide directly:

  • Account credentials — email address and password
  • Profile information — display name, optional bio, avatar image, website, social handles
  • Content you create — wiki entries, manuscript text, plot notes, world data, uploaded images, language definitions, and any other content you save in the app
  • Communications — anything you send us by email or in support requests

Data we collect automatically:

  • Session cookies and authentication tokens set by Supabase Auth (strictly necessary for keeping you signed in)
  • Server logs from our hosting provider Vercel, which may include IP address, browser user-agent, requested URL, response status, and timestamps — retained for a short period for security, debugging, and abuse prevention
  • Basic operational data from Supabase such as database query timings, again retained briefly for reliability and security
  • Usage activity — records of content you create (such as worlds, wiki entries, and manuscripts) and session activity (such as sign-in timestamps and writing streak data). This is stored as part of your account and used internally to operate the service, understand how features are being used, and provide support.

We do not use advertising or analytics cookies, fingerprinting, or third-party trackers. We do not sell your data. We do not use your content to train AI models.

3. Why we process your data, and the lawful basis

Under Article 6 GDPR we may only process your personal data if we have a lawful basis. The lawful basis we rely on depends on what we’re doing:

  • Performance of a contract (Art. 6(1)(b)): creating and maintaining your account, storing the content you save, sharing worlds with people you invite, sending essential service emails such as password resets and email-change confirmations.
  • Our legitimate interests (Art. 6(1)(f)): keeping the service secure and operational, preventing abuse and fraud, debugging errors, and improving reliability. We have balanced these interests against your rights and concluded that the impact on you is minimal because we use the least data necessary and retain it briefly.
  • Consent (Art. 6(1)(a)): any non-essential processing where we ask for your permission separately (for example, opt-in product update emails if we offer them in future). You can withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)): retaining or disclosing data when required by applicable law (for example, responding to a valid legal request).

4. How long we keep your data

We keep your personal data only as long as is necessary for the purposes described above:

  • Account and content data — for as long as your account remains active
  • After you delete your account — your profile, content, and associated data are permanently deleted within 30 days, except where we are legally required to retain certain records (e.g. tax or fraud-investigation records, if applicable)
  • Server logs — typically retained by Vercel for up to 30 days
  • Support emails — kept for up to 24 months so we can refer back to past conversations

5. Who we share your data with (processors and sub-processors)

We share your personal data only with the service providers we need in order to run Mythra. Each of them acts as a “processor” on our behalf and is contractually bound to protect your data:

  • Supabase (supabase.com) — database, authentication, and private file storage
  • Vercel (vercel.com) — application hosting, edge delivery, and server logs
  • Resend (resend.com) — transactional email delivery (e.g. password reset, email change confirmation)
  • ImprovMX (improvmx.com) — inbound email forwarding for our contact addresses

We do not share your data with advertisers, data brokers, or any party that would use it for their own marketing.

We may disclose data when required to do so by law, by a valid court order or law-enforcement request, or to protect the rights, property, or safety of users or others. When we receive such a request, we will assess it carefully and challenge it where appropriate.

6. International transfers

Mythra is operated from the United States, and our processors (Supabase, Vercel, Resend, ImprovMX) also operate primarily from the United States. When you use the service from the EU, UK, or other jurisdictions, your personal data is transferred to and stored in the United States.

We rely on the European Commission’s Standard Contractual Clauses (SCCs), and, where applicable, the UK International Data Transfer Addendum, as the legal mechanism for these transfers. Each of our processors offers SCCs or an equivalent safeguard in their standard data processing terms, which we have entered into.

7. Your rights

If you are in the EU, EEA, or UK, you have the following rights over the personal data we hold about you. You can exercise any of them free of charge:

  • Access — get a copy of the data we hold about you
  • Rectification — correct data that is inaccurate or incomplete
  • Erasure (“right to be forgotten”) — ask us to delete your data
  • Restriction — ask us to stop processing your data in certain situations
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing we carry out on the basis of legitimate interests
  • Withdraw consent — for any processing we do on the basis of consent
  • Not be subject to automated decisions — we do not make any decisions about you using solely automated processing

You can exercise most of these rights directly inside the app: you can update your profile in Settings, delete your account in Settings → Account, and export your content using the Export feature. For anything else, write to hello@mythra.ink and we will respond within one month. We may ask you to verify your identity before acting on a request, to protect your account.

You also have the right to lodge a complaint with a supervisory authority. In the EU this is the data protection authority of the country where you live, work, or where the alleged infringement took place; in the UK it is the Information Commissioner’s Office (ico.org.uk). We’d appreciate the chance to address your concern directly first, but you are not required to contact us before going to a supervisory authority.

8. Cookies and similar technologies

Mythra uses only strictly necessary cookies — that is, cookies that are essential to providing the service you requested. Specifically:

  • Session and authentication cookies set by Supabase Auth, used to keep you signed in
  • A small set of preference keys in your browser’s localStorage (such as the ID of the world you last opened, theme preference, and cookie-banner acknowledgement) — these stay on your device and are not transmitted to us

Because these cookies are strictly necessary for the service to work, under the EU ePrivacy Directive we do not need your consent to set them. We do not use any cookies for advertising, analytics, or behavioural profiling, so there is nothing to opt into or out of beyond using the service itself. You can clear cookies and localStorage from your browser at any time, which will sign you out. For a full list of the cookies and storage keys we use, see our Cookie Policy.

9. Security

We use a number of measures to protect your data, including encryption in transit (HTTPS), encryption at rest in the database, row-level security policies that limit data access to you and the collaborators you explicitly invite, signed URLs for image storage, and password hashing performed by Supabase Auth. No service can guarantee absolute security, but we take this seriously and review our practices regularly.

If we ever experience a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required, and we will notify affected users without undue delay when the risk is high.

10. Children's data

Mythra is not directed at children. You must be at least 16 years old to create an account. If you live in a country where the minimum age of digital consent under Article 8 GDPR is higher than 16, that higher age applies to you. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time — for example, to reflect changes to the service or to legal requirements. When we make material changes we will notify you by email or by a notice within the app before the change takes effect. The “Last updated” date at the top of this page will always reflect the latest version.

12. Contact

If you have any questions about this Privacy Policy, or you would like to exercise any of the rights described above, please contact us at: hello@mythra.ink