Midnight Roses – Privacy Policy

Effective date: November 11, 2025

This Privacy Policy explains how we collect, use, disclose, and protect information when you use Midnight Roses and related services (the “Service”). Capitalized terms not defined here have the meanings in our Terms of Service.

18+ only. The Service contains adult romance/fantasy content and is intended only for persons 18 years of age or older. Do not use the Service if you are under 18 or if viewing adult content is unlawful where you live.

U.S. focus. We primarily target residents of the United States. If you access the Service from outside the U.S., you consent to the transfer and processing of your information in the United States and other countries that may have different data protection laws.

1. Notice at Collection — what we collect and why

We collect the following categories of personal information, for the business/commercial purposes noted below. Examples are illustrative, not exhaustive.

Sources. We collect information directly from you (account, prompts, choices), automatically via your browser/device and our Service (cookies/SDKs, logs), from processors (e.g., Stripe), and from partners (analytics/ads).

Sensitive data. Please do not submit sensitive personal information (e.g., government IDs, financial account numbers, health, precise geolocation, real-person data in prompts). To the extent any sensitive data is processed, we limit such use to necessary purposes permitted by law (e.g., security, legal, compliance) and will delete or restrict processing where feasible.

Precise location. We do not collect precise (GPS-level) location. We may infer approximate location (city/region) from your IP for gating, safety, and analytics.

2. Cookies, analytics, and ads

We use cookies and similar technologies for:

• Essential operations (sign-in, security, fraud prevention, session continuity).
• Analytics via Google Analytics and first-party telemetry to understand usage and improve features.
• Advertising measurement and partner insights via Google Ads/Display & Video 360 (and comparable partners we may add later) to measure campaigns, optimize reach, and understand audience performance.

Your choices. You can control cookies via your browser settings. We honor Global Privacy Control (GPC) signals for “sale/share” opt-outs where required by law (e.g., California). Some features may not function without certain cookies.

3. How we use information

We use information to:

• Provide, maintain, and secure the Service (including 18+ gating and state-specific restrictions).
• Operate AI features and generate interactive content and avatars.
• Moderate using automated systems (and limited human review where legally required).
• Train and improve our models and those of our service providers (e.g., LLM/API providers), including for safety systems and product improvement.
• Analyze and monetize through advertising measurement and partner insights.
• Personalize content and recommendations.
• Communicate with you (service/transactional messages and, where permitted, marketing).
• Comply with law, enforce our Terms, and protect users, our rights, and the Service.

4. How we disclose information

We may disclose information as follows:

• Service providers/Processors (hosting, storage/CDN, security/fraud, analytics, email delivery, customer support, and Stripe for payments; LLM/API providers for AI features).
• Advertising/Analytics partners (including Google Analytics and Google Ads/Display & Video 360) for ad measurement, optimization, and partner insights; this may be considered a “sale” or “share” of personal information under certain state laws.
• Affiliates within the ThinkChumba corporate family for operational purposes.
• Business transfers (e.g., merger, acquisition, financing, or sale of assets).
• Legal and safety (to comply with law, respond to lawful requests, or protect rights, property, and safety).
• Public content: Avatars are public by default and may be visible to others inside or outside the Service.
• With your direction or consent.

We may produce aggregate analytics and partner reports; such materials may be derived from personal information and usage data.

5. AI training and your opt-out

By default, we may use your prompts, choices, interactions, feedback, and in-Service outputs to train and improve our models and those of our service providers, and for safety and analytics.

Opt-out: Email support@thinkchumba.com with subject “Training Opt-Out.” Opt-out will be applied prospectively after a reasonable processing time and does not require retraining or deletion of models already trained. Opt-out does not prevent use of your information as necessary to operate the Service, ensure safety/security, or comply with law. Some personalization features may degrade after opt-out.

6. Your privacy choices & U.S. state rights

Depending on your state (e.g., CA, CO, CT, UT, VA, OR, TX), you may have rights to:

• Access/Know the categories and specific pieces of personal information we maintain about you.
• Delete personal information (subject to legal and operational exceptions).
• Correct inaccurate personal information.
• Opt out of (a) “sale” or “sharing” of personal information and (b) targeted advertising (cross-context behavioral advertising).
• Portability of certain data.
• Limit the use/disclosure of Sensitive Personal Information where applicable (we limit SPI to permitted purposes).
• Appeal our decision on a privacy request (where required by law).

How to exercise your rights.

• Email support@thinkchumba.com.
• We may require identity verification (e.g., email verification, account checks).
• Authorized agents may submit requests with required proof and user authorization.
• Appeals (e.g., VA/CO/CT): email support@thinkchumba.com with “Privacy Request Appeal” in the subject; we typically respond within 45 days (or as allowed by law).

We may deny or limit requests where permitted (e.g., conflicts with law or our ability to provide the Service).

Nevada residents: You may email support@thinkchumba.com with “Nevada Do Not Sell” to opt out of sale under Nevada law.

California “Shine the Light”: You may request information about our disclosure of personal information to third parties for their direct marketing by contacting support@thinkchumba.com.

7. CPRA “sale/share” disclosure (California)

We may sell or share the following categories of personal information to/with advertising and analytics partners (e.g., Google Ads/Display & Video 360, Google Analytics) for cross-context behavioral advertising (measurement, optimization, and reach):

• Identifiers (e.g., cookie IDs, IP address, device identifiers)
• Internet/Network Activity (e.g., page views, events, session metadata)

We do not knowingly sell or share personal information of minors (the Service is 18+ only).

We also disclose personal information to service providers for business purposes (e.g., hosting, payments, security, customer support, AI/API processing). Categories disclosed for business purposes may include Identifiers, Commercial/Billing, Internet/Network Activity, User Content, and Inferences.

8. Payments

Payments are processed by Stripe. We do not store full card numbers. Stripe provides us limited billing metadata and transaction status to manage your subscription, detect fraud, and comply with legal obligations.

9. Children’s privacy (18+)

We do not knowingly collect personal information from anyone under 18. If you believe a minor has used the Service, contact support@thinkchumba.com and we will take appropriate action (including deletion and access controls).

10. Security

We employ reasonable and appropriate administrative, technical, and physical safeguards designed to protect personal information (e.g., encryption in transit, access controls, logging). No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials.

11. Data retention

We retain personal information only as long as necessary for the purposes described in this Policy, including operating and securing the Service, analytics, model training/improvement, legal compliance (e.g., tax, accounting), and dispute resolution. When no longer needed, we may delete the data or maintain it in a form no longer reasonably associated with an identifiable individual, subject to legal holds and our legitimate interests.

12. Do Not Track; Global Privacy Control

We do not respond to Do Not Track (DNT) signals. We honor Global Privacy Control (GPC) signals as an opt-out of “sale/share” where required by law (e.g., California).

13. Third-party links and services

The Service may link to or integrate with third-party sites or services. Their privacy practices are not our responsibility. Review their policies before engaging with them.

14. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide notice (e.g., in-Service notice or email). The “Effective Date” above reflects the latest version. Your continued use after the effective date means you accept the updated Policy.

15. Contact us