Date of Revision: May 9, 2026
Allura ("Allura", "we", "us", or "our") is the Controller for the processing implemented through this website accessible at https://allurastudio.net/ and any affiliated website to which visitors or users may be redirected (the "Services").
The Services are an online narrative-companion application that uses artificial intelligence ("AI") algorithms to generate fictional characters (the "AI Characters" or "AI Companions"), with whom you as a user of the Services ("you") can chat, exchange messages, listen to AI-generated voice messages, view AI-generated images and videos, and create custom AI Characters by selecting attributes via the in-product creation tools. Parts of the Services may require you to create a user account and/or become a paid subscriber.
This Privacy Notice details how Allura collects, uses, discloses, and handles your Personal Data for the Services and, as applicable, your rights under:
collectively referred to as "Applicable Data Protection Law".
By using the Services, you agree that you have read and understood our Privacy Notice, as well as our Cookies Notice, which is incorporated here by reference.
All capitalized terms not otherwise defined in this Privacy Notice or in the GDPR shall have the following meanings:
We are committed to respecting your privacy. Such Services will always be provided in accordance with the most relevant legal basis. If you do not or cannot provide us with the required data, we may not be able to provide the Services to you.
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Managing your registration to our Services | • Email address (mandatory) • Encrypted password (mandatory) • First and last name (as disclosed by you or by third-party login providers, e.g., Google sign-in) • Creation date and time and signup provider (e.g., Email / Google) (generated based on your selection) • Age confirmation ( age_confirmed_at, age_confirmation_version, age_confirmation_ip, age_confirmation_region) — recorded once at the first 18+ Warning Gate confirmation, retained for legal compliance | Consent; necessity for the performance of a contract; compliance with legal obligations. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Account state, currency selection, balance, sign-in tracking | • Country and/or city (detected based on IP address) • Petals balance (generated by us based on your purchases, grants, or in-product spending) • VIP Subscription status (active / expired / cancelled, tier, monthly quota usage) • Last User account update date and time (generated by us) • Current and last sign-in date and time (generated by us) • Current and last sign-in IP (generated by us) • Sign-in count (generated by us) | Our legitimate interest in addressing your queries and operating the Services. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Customizing the AI Character interactions to match your stated preferences (in-character addressing, tone, recommendation ranking) | • Nickname (nickname, used by AI Characters to address you in conversation)• Gender ( gender: Male / Female / Non-binary / Prefer not to say) — please note: this data, in connection with your preferences regarding AI Characters, may constitute sensitive personal data under applicable data protection law. Where applicable, we will ask for your consent.• Interests / story preferences ( interests[]: Romance / Fantasy / Slow Burn / etc.)• Personalization timestamps ( personalized_at, personalize_skipped) | Consent; necessity for the performance of a contract. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Customization of AI Characters or specific Service features Generation of images and videos User preferences regarding AI Character attributes Interactive chat with AI Characters Voice messages (TTS playback) (v1.6 NEW) Custom AI Character creation (v1.8 NEW) | Content data including: • Pre-made AI Character interactions (selected character, message exchanges) • Custom AI Character creation parameters (style, ethnicity, age, hair, eyes, body type, vibe, personality, relationship, occupation, voice, narrative hook) — none of these relate to a living natural person • User prompts voluntarily entered to generate Content (text, images, videos, voice playback requests), to the extent these contain Personal Data (as provided by you) • Output generated in response to your input, to the extent these contain Personal Data | Consent; necessity for the performance of a contract. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Service support to inform you and to answer your request (technical support, customer service, etc.) | • Supporting data entered in the free field through the "Contact us" window or sent by email to Allura • Email address (as provided by you) • Possible answer (generated by us) • Device information (mobile/desktop), browser type (e.g., Chrome, Firefox) • Content as needed when technical issues need to be investigated • Cookies (as detected by us) | Our legitimate interest in addressing your queries and technical issues. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Improve and develop our services Conduct internal research Perform quality assurance and data analysis | Information associated with you, including exchanges with AI Characters (prompts, requests, generated outputs, voice playback events, image/video generations), may be aggregated, anonymized, and/or de-identified to perform the processing purposes explained herein. We may aggregate de-identified information (e.g., aggregated trends about general use of our Services) to analyze and share with third parties. | Our legitimate interest in providing the best Service possible and improving our Services. The legitimate interests of Data Subjects to practice data minimization and privacy-by-design with respect to their information. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Train and develop our AI models and content moderation technologies Prepare datasets for further training (which may include human review of de-identified or anonymized interactions with AI Characters) Conduct internal research, e.g., to develop new product features | Information associated with you, including exchanges with AI Characters (prompts, requests, generated outputs), may be aggregated, anonymized, and/or de-identified for these purposes. For internal research: additionally, users' interactions with the platform. In connection with user surveys: Account, usage, or other data that you have specifically consented to having reviewed in connection with voluntary participation. | Our legitimate interest in providing the best Service possible and improving our Services. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Querying data for QA purposes (e.g., ensuring that content generation tools are working as intended) Analyzing de-identified or aggregated data (e.g., monitoring usage trends) | Content data are randomly queried in order to perform quality assurance and to analyze trends. | Our legitimate interest in providing the best Service possible and detecting errors or misuse. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Monitoring use of the platform to detect anomalies or security vulnerabilities | Log files that include users' interactions with the platform, user IDs, and timestamps. Log files are automatically deleted after 30 days. | Our legitimate interest in improving our Service, debugging, detecting and responding to errors, misuse, and security threats. |
We use multiple payment service providers and payment orchestrators to process payments for VIP Subscriptions, Petals purchases, and refunds. Different processors may apply depending on your country and chosen payment method.
| Provider (Allura uses) | Categories of Personal Data | Legal Basis |
|---|---|---|
| CCBill (primary, card payments) | First and last name; email address; card brand; last 4 digits of payment card number; payment transaction date and time; type; amount; currency; bin country; IP address; recurring billing type; response code (issuer); type of refund (full or partial). | Necessity for the performance of a contract. |
| Segpay (secondary, card payments) | Same as above. | Necessity for the performance of a contract. |
| NowPayments (cryptocurrency: USDT / BTC / etc.) | Shopper email; crypto wallet address; IP address; country; unique order reference; transaction date and time; amount and currency required to make payment; type of refund (full or partial). | Necessity for the performance of a contract. |
| (Additional payment processors may be added from time to time) | (Varies by processor) | Necessity for the performance of a contract. |
We may add or change payment processors from time to time. For payment orchestration purposes, we have a legitimate interest in optimizing payment processing.
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Deliver marketing emails to users who have opted in, to inform them of updates, offers, and features through our newsletter; enable affiliate marketing program | • Email address (as disclosed by you) • First and last name (as disclosed by you or via third-party authentication) • Account number • Website or traffic source URL • Whether email was opened or not • Data linked to the affiliate marketing program questionnaire | Our legitimate interest in improving our Services (direct marketing for similar products and Services) or consent (third-party marketing). |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Customer surveys, marketing campaigns, market analysis | • Account number • Email address (as disclosed by you) • Answer provided by the User | Consent. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Moderation of the Services (problematic behavior, abuse reports, action taken) Human review of content and users flagged by our moderation controls and/or reported by you Ensuring compliance with and enforcing our Policies Reporting to law enforcement in appropriate cases (including but not limited to CSAM reporting to NCMEC) | • Requests and prompts to the AI models • Users and/or Content that is reviewed by human moderators • Action taken in response to flagged Content • Metadata regarding your Content (time/date sent, originating IP address) • Account data and history • In appropriate cases, information required by local authorities or to facilitate the investigation of individuals who use the Services to conduct unlawful activity, including specifically but not limited to CSAM creation or distribution attempts. | Necessity for compliance with legal obligations (e.g., detecting and reporting illegal behavior); necessity for the performance of a contract (e.g., responding to breaches of our Policies); legitimate interest in preventing misuse of our Services. |
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Record keeping; invoice recovery; compliance with court orders; management of Data Subject requests; complying with lawful requests from authorities; exercising and defending legal rights | • Supporting data such as contact data, payment data, or credentials • Any data relating to an apparent potential legal dispute • Any information within the scope of lawful legal requests or processes | Necessity for compliance with legal obligations; our legitimate interest in defending our rights. |
We may send you marketing about our Services, other information in the form of alerts, newsletters, and invitations to events or functions which we believe might be of interest to you, or in order to update you with information which we believe may be relevant to you (such as commercial news). We may communicate this to you according to the contact channels you provided and your stated preferences, including by email or other digital channels.
If you do not wish to receive marketing information from us, you can unsubscribe by:
a. clicking on the "Unsubscribe" or subscription preferences link in a direct marketing email that you have received from us; or
b. contacting us using the contact details specified in Section 11 below.
Please note that opting out of marketing communications will not affect the sending of communications related to the Services themselves (e.g., transactional emails, billing receipts, security notices, ToS update notifications).
We will get your express opt-in Consent before we share your Personal Data with any company outside Allura for marketing purposes.
You can ask us or third parties to stop sending you direct marketing messages by electronic means at any time by logging into the Services or third parties' websites and adjusting your marketing preferences, or by following the opt-out links on any marketing message sent to you by such third parties.
We generally only disclose your Personal Data to third parties:
We work with and rely on third-party service providers to operate and provide our Services and operate our business. We may share your information with the following categories of recipients. (Unless otherwise noted, sharing your information may entail transferring your data outside the European Union, including but not limited to the United States.)
a. Service providers to deliver the Services as follows:
b. Professional advisers where necessary to obtain advice or assistance, including lawyers, accountants, IT advisers, or public-relations advisers.
c. Legal and regulatory authorities, as required by applicable laws and regulations.
d. Our staff, as needed for them to carry out their work.
e. In the event of a restructuring, sale, or change of control, your data may be transferred to any successor, acquirer, or purchaser as part of that transaction.
f. Analytics: We may share aggregated, de-identified information (for example, aggregated trends about the general use of our Services) publicly and with our affiliates, subsidiaries, and partners.
We will not disclose, sell, trade, or otherwise transfer your Personal Data to any third parties without your Consent (where required) or unless otherwise stated in this Privacy Notice.
If Allura merges with, or is acquired by, another company or organization, or sells all or a portion of its assets, your Personal Data may be disclosed to our advisers, any prospective purchaser or any prospective purchaser's adviser, and may be among the assets transferred. However, Personal Data will always remain subject to this Privacy Notice, as updated in accordance with Section 13.
We retain your Personal Data for as long as your account is in existence or as necessary to fulfil the purposes for which we collected it or to provide you with the Services, except if required otherwise by law.
When you terminate your account, we will still retain your Personal Data for a period of time. Usually, we will store your Personal Data for a period after you cease being a User of our Services, beginning at the date your account is closed.
We generally retain:
a. Personal Data relating to your Account (for which there is no legally mandated retention period):
b. Financial and transactional data: ten (10) years from their date of issuance (in accordance with our obligations under applicable tax and accounting laws).
c. Marketing data: until you withdraw your Consent, or for a maximum period of two (2) years after your last platform interaction.
d. Age-confirmation records (age_confirmed_at, age_confirmation_version, age_confirmation_ip): retained for the lifetime of your Account plus three (3) years, for legal compliance and audit purposes.
e. Log files: automatically deleted after thirty (30) days (see Section 2.9).
f. Personal Data subject to a mandated retention period or relevant to legal disputes:
Retention periods may be changed from time to time based on business or regulatory requirements. In such cases, we will update this Privacy Notice accordingly.
Allura does not provide Services or collect Personal Data from anyone under 18 years of age, or the equivalent minimum age depending on jurisdiction. Our Services are intended for use only by adults who are at least 18 years of age, or the age of majority in the jurisdiction in which they reside and/or access the Services.
If we learn that our Services have been improperly accessed by an underage individual in violation of our Policies, we will take steps to delete the information as soon as possible and block such User. Please also refer to our Underage Policy.
The Services may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the Privacy Notice of every website that can be accessed through the Services.
You have the right to request a copy of your Personal Data that we hold in accordance with Article 15 GDPR. You have the right to be informed of:
a. the purposes of the Processing; b. the categories of your Personal Data; c. the recipients or categories of recipients to whom your Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations; d. the envisaged period for which your Personal Data will be stored, or, if not possible to specify, the criteria used to determine that period; e. the existence of the right to request rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing; f. the right to lodge a complaint with a supervisory authority; g. where the Personal Data are not collected from the Data Subject, any available information as to their source; h. the existence of automated decision-making, including profiling.
To submit such a request, please see the "Contact Us" section below.
You have the duty to maintain your Personal Data up to date. To do so, you have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the Personal Data you provide to us.
You can rectify many fields directly via your Account settings (e.g., email, nickname, gender, interests).
You can request that we erase your Personal Data in limited circumstances where:
a. it is no longer needed for the purposes for which it was collected; or b. (where applicable) you have withdrawn your Consent, and where there is no other legal ground for the Processing; or c. following a successful right to object (see below); or d. it has been processed unlawfully; or e. to comply with a legal obligation to which Allura is subject.
We are not required to comply with your request to erase Personal Data if the Processing of your Personal Data is necessary:
a. for compliance with a legal obligation; or b. for the establishment, exercise, or defense of legal claims; or c. for the performance of a contract.
Note on AI training data: where your Personal Data has been used to train AI models in an aggregated, anonymized, or de-identified form, erasure of model weights is not technically practicable. We will however delete the underlying source records and cease further use of your raw data.
You may request that we suspend the Processing of your Personal Data in the following scenarios:
a. if you want us to establish the Personal Data's accuracy; b. where our Processing of Personal Data is unlawful, you do not want us to erase it, and you request us to suspend the Processing instead; c. where it is no longer needed for the purposes for which it was collected, but you need us to hold the Data to establish, exercise, or defend legal claims; or d. you have objected to our Processing of your Personal Data and we need to verify whether we have overriding legitimate grounds to use it.
We can continue to use your Personal Data following a request for restriction where:
a. we have your Consent; or b. we need to:
You can ask us to provide you with the Personal Data you provided in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another Controller, where the Processing is:
a. based on your Consent or on the performance of a contract with you; and b. carried out by automated means.
We are committed to making it as easy to withdraw as it is to give Consent.
You have the right to withdraw your Consent at any time and free of charge. The withdrawal of Consent shall not affect the lawfulness of Processing of your Personal Data based on Consent before its withdrawal.
If you withdraw your Consent, we may not be able to provide our Services to you to their full extent.
You can object to any Processing of your Personal Data based on our legitimate interests, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms, or for the establishment, exercise, or defense of legal claims.
You can request that we change the manner in which we contact you for marketing purposes. You can withdraw your Consent to the transfer of your Personal Data to third parties for the purposes of direct marketing at any time and free of charge, either by clicking on the "Unsubscribe" or subscription preferences link in a direct marketing email that you have received from us, or by contacting us using the contact details specified in Section 11 below.
You can ask to obtain a copy of, or reference to, the safeguards under which your Personal Data is transferred outside of the European Union, the United Kingdom, or Switzerland, as applicable, redacted of any terms unrelated to data protection.
We rely on Standard Contractual Clauses (SCCs) and other Article 46 GDPR transfer mechanisms when transferring data outside the EEA / UK / Switzerland.
You have a right to lodge a complaint with your local supervisory authority. A list of European Union national data protection authorities can be found at the European Data Protection Board, and the United Kingdom's Information Commissioner Office's contact details may be found at ico.org.uk.
If you have concerns about how we are Processing your Personal Data, we ask that you please attempt to resolve any issues with us first. If you have any questions, concerns, or complaints regarding this Privacy Notice, or if you wish to exercise your rights related to your Personal Data, you can reach us at the following contact details:
Privacy Team Email: [privacy@allurastudio.net] (or [support@allurastudio.net]) Mailing Address: Available upon request
Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request. We try to respond to all legitimate requests within one (1) month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We have appointed a Data Protection Officer under Art. 37 GDPR, who may be reached at [dpo@allurastudio.net].
We have also appointed a UK Representative under Art. 27 UK GDPR, whose contact details are as follows:
To be appointed
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. These measures include but are not limited to:
Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you without undue delay.
We may revise this Privacy Notice from time to time to take account of changes in our practices or in applicable data protection law. If we modify our Privacy Notice, we will post the revised version on the Services with an updated revision date. Where such changes are substantial, we will also notify you by other means prior to the changes taking effect, such as by sending you an email notification or through the Service.
By continuing to use our Services thirty (30) days after such revisions are in effect, you will be deemed to accept and agree to the revisions and to abide by them.
| Right | Where to exercise |
|---|---|
| Access your data | Email [privacy@allurastudio.net] |
| Rectify your data | Account → Edit Profile (or email Privacy Team) |
| Erase your account & data | Account → Settings → Delete Account (or email Privacy Team) |
| Restrict processing | Email [privacy@allurastudio.net] |
| Portability (download data) | Email [privacy@allurastudio.net] |
| Withdraw consent | Account → Settings → Privacy preferences |
| Object to processing | Email [privacy@allurastudio.net] |
| Opt out of marketing | Click "Unsubscribe" in any marketing email |
| Lodge a complaint with DPA | Your local data protection authority |
| Reach our DPO | [dpo@allurastudio.net] |