Privacy Policy

Last updated: March 2026

PIPEDA & BC PIPA Compliant

1. Introduction

Welcome to Enchanted Reads ("we," "our," or "us"). Enchanted Reads is a book reading and library management application operated from British Columbia, Canada. We are committed to protecting your privacy and handling your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Act (PIPA) of British Columbia.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our services, including:

  • The Enchanted Reads web application (accessible via web browser)
  • The Enchanted Reads iOS mobile application (available on the Apple App Store)
  • All related features, tools, and services provided through these platforms

By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein. If you do not agree with any part of this policy, please do not use our services.

2. Information We Collect

We collect information in several ways to provide and improve our services. Below is a detailed overview of the categories of personal information we collect.

2.1 Account & Authentication Data

  • Email address, username, and encrypted password
  • OAuth authentication tokens if you sign in via Google or Apple
  • JWT (JSON Web Token) session information for secure authentication

2.2 Profile Information

  • Display name, nickname, and biography
  • Avatar preferences (selected from our library or uploaded custom images)
  • Privacy and visibility settings for your profile and bookcases
  • Language, currency, and notification preferences

2.3 Reading & Library Data

  • Books you add to your library, including metadata (title, author, genre, series, format)
  • Reading progress, sessions, and tracking data (To-Be-Read lists, Currently Reading, Did Not Finish, Rereads)
  • Reviews, ratings (star and content ratings), annotations, and notes
  • Character entries (main and secondary) with optional appearance descriptions
  • Quotes, tropes, review images, and review gallery content
  • Bookshelf arrangements, bookcase collections, and series organization
  • Reading streaks, goals, challenges, and achievement progress

2.4 AI Interaction Data

  • Character appearance descriptions submitted for Soul Portrait generation
  • Text prompts and inputs for AI-assisted book spine generation
  • Conversations with the Enchanted Oracle Chat (AI chatbot)
  • Requests made to AI Assist for book detail suggestions and review help
  • AI generation usage counts and daily limits for your subscription tier

2.5 Payment & Billing Data

  • Subscription tier, billing cycle, and payment history
  • For web payments: Stripe processes your payment card information directly; we do not store your full credit card numbers
  • For iOS payments: Apple processes transactions via StoreKit 2; we receive only transaction confirmations
  • Promo code usage and referral information
  • Cancellation survey responses (if you choose to provide them)

2.6 Social & Community Data

  • Friend requests, connections, blocks, and follow relationships
  • Social notifications, review reactions, and comments
  • Public profile content visible to other users
  • Book club memberships, discussions, and buddy read participation
  • Leaderboard rankings and showcase selections
  • Telegram account linking data (if you choose to connect your Telegram account)

2.7 Device & Technical Data

  • IP address, browser type, and operating system
  • Device identifiers (for iOS app users)
  • Access times, referring URLs, and pages visited
  • WebSocket connection data for real-time notification delivery

2.8 Analytics Data

  • Usage patterns and feature interaction data collected via Google Analytics (Measurement ID: G-5X68N2HC0R)
  • Performance metrics and error logs
  • Session duration and navigation flow data

3. How We Use Your Information

We use the personal information we collect for the following purposes, each supported by a lawful basis under PIPEDA:

3.1 Service Delivery & Operations

  • Providing, maintaining, and operating the Enchanted Reads platform
  • Processing account registration, authentication, and session management
  • Managing your book library, reading progress, reviews, and organizational features
  • Processing subscription payments and managing billing
  • Delivering real-time notifications via WebSocket and Telegram (if connected)

3.2 Personalization & Features

  • Personalizing your experience, including reading recommendations and streaks
  • Processing AI features such as Soul Portraits, book spine generation, Oracle Chat, and AI Assist
  • Tracking and displaying achievements, titles, and leaderboard rankings
  • Enabling social features (friends, follows, public profiles, book clubs)

3.3 Analytics & Improvement

  • Analyzing usage patterns to improve features and user experience
  • Generating reading reports, insights, and year-in-review summaries for you
  • Monitoring application performance and diagnosing technical issues

3.4 Communication

  • Sending service-related communications (account verification, security alerts, billing notifications)
  • Delivering engagement reminders via Telegram (with configurable quiet hours and per-type toggles)
  • Providing weekly and monthly reading digest summaries (if opted in)

3.5 Security & Legal

  • Detecting, preventing, and addressing fraud, security threats, and abuse
  • Enforcing our Terms of Service and other policies
  • Complying with applicable Canadian laws and legal obligations

4. AI Data Processing

Enchanted Reads uses artificial intelligence to power several features. We believe in transparency about how your data is processed by AI systems.

4.1 AI Service Provider

We use OpenAI's GPT-4o and GPT-4o-mini models to provide AI-powered features. When you use these features, relevant data is transmitted to OpenAI's servers for processing. OpenAI processes this data in accordance with their own privacy policy and data processing agreements.

4.2 AI Features & Data Sent

Feature | Model | Data Transmitted
Soul Portraits | GPT-4o-mini (text) + GPT-4o (image) | Character name, book title, appearance descriptions (age, hair, eyes, skin, build, clothing, features), genre
Book Spine Generation | GPT-4o | Book title, author, genre, and visual style preferences
Enchanted Oracle Chat | GPT-4o-mini | Your chat messages and conversation context within the selected mode
AI Assist | GPT-4o-mini | Book details or review content you submit for suggestions

4.3 Character Appearance Cache

To improve service quality and reduce redundant processing, we maintain a global character appearance cache. When a Soul Portrait is first generated for a specific character in a specific book, the resulting character description may be cached. Subsequent users requesting a portrait for the same character may reuse this cached description rather than generating a new one. This cache contains only the AI-generated character description text, not personal user data.

4.4 AI Usage Limits

AI feature usage is subject to daily limits that vary by subscription tier (Apprentice, Mage, Archmage, Grand Wizard). We track generation counts to enforce these limits. This tracking data includes the number and type of generations performed, not the content of your requests.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share your data only with the following categories of third-party service providers, and only to the extent necessary to deliver our services:

Stripe

Purpose: Payment processing for web subscriptions. Stripe handles all credit card data directly and is PCI DSS Level 1 certified. We receive only confirmation of payment status.

Apple (StoreKit 2)

Purpose: In-app purchase processing for iOS subscriptions. Apple manages payment details; we receive transaction receipts and subscription status.

OpenAI

Purpose: AI feature processing (Soul Portraits, spine generation, Oracle Chat, AI Assist). See Section 4 for details on data transmitted.

Google Analytics

Purpose: Website usage analytics (Measurement ID: G-5X68N2HC0R). Collects anonymized usage data to help us understand how users interact with our platform.

DigitalOcean Spaces

Purpose: S3-compatible cloud storage for user-uploaded images, book covers, AI-generated portraits, and other media files.

Google & Apple OAuth

Purpose: Authentication services. If you choose to sign in with Google or Apple, we receive limited profile information (email, name) as authorized by you during the OAuth flow.

Telegram Bot API

Purpose: Optional notification delivery. If you link your Telegram account, we send reading reminders, achievement notifications, digests, and engagement messages via the Telegram Bot API. You control which notification types you receive.

5.1 Other Disclosure Circumstances

We may also disclose your information in the following limited circumstances:

  • Legal Requirements: When required by law, subpoena, court order, or governmental regulation applicable in Canada
  • Protection of Rights: To protect the rights, property, or safety of Enchanted Reads, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case your data would remain subject to applicable privacy protections
  • With Your Consent: When you explicitly authorize additional sharing beyond what is described in this policy

6. Data Security

We implement comprehensive technical and organizational security measures to protect your personal information, including:

  • Authentication: JWT-based secure token authentication with refresh token rotation
  • Password Protection: All passwords are hashed using bcrypt with industry-standard salt rounds; we never store plaintext passwords
  • Encryption: Data in transit is encrypted via TLS/SSL (HTTPS)
  • Access Controls: Role-based access control for administrative functions
  • API Security: CORS protection, input validation via Pydantic schemas, and rate limiting
  • WebSocket Security: JWT authentication required for real-time connections
  • Infrastructure: Containerized deployment with security monitoring via Prometheus metrics

While we strive to use commercially acceptable means to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard safeguards and promptly addressing any identified vulnerabilities.

7. International Data Transfers

Enchanted Reads is operated from British Columbia, Canada. However, your personal information may be transferred to, stored, or processed in countries outside of Canada through our third-party service providers, including:

  • The United States (OpenAI, Stripe, Google, Apple, DigitalOcean)
  • Other jurisdictions where our service providers maintain infrastructure

When your information is transferred outside of Canada, we ensure that appropriate safeguards are in place in accordance with PIPEDA requirements. These safeguards include contractual obligations with our service providers requiring them to protect your information to a standard comparable to Canadian privacy law.

Please be aware that the privacy laws of other jurisdictions may differ from those of Canada. By using our services, you consent to the transfer of your information as described in this section.

8. Data Retention

We retain your personal information for as long as your account is active and as needed to provide you with our services. Specifically:

  • Active Accounts: All account data, library data, reviews, and settings are retained for the duration of your account
  • Account Deletion: Upon your request to delete your account, we will delete or anonymize your personal information within 30 calendar days
  • AI-Generated Content: AI character images and spine images stored in DigitalOcean Spaces are deleted when you remove them or delete your account
  • Chat History: Oracle Chat conversations are retained while your account is active and deleted upon account closure
  • Payment Records: Billing and transaction records may be retained for up to 7 years after the transaction date to comply with Canadian tax and financial reporting obligations
  • Legal Obligations: We may retain certain information beyond the standard retention period where required by law, regulation, or legal proceedings

Anonymous or aggregated data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.

9. Your Rights Under Canadian Law

Under PIPEDA and BC PIPA, you have the following rights regarding your personal information:

  • Right of Access: You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days.
  • Right of Correction: You have the right to request correction of any inaccurate or incomplete personal information. You can update most information directly in your account settings.
  • Right of Deletion: You have the right to request the deletion of your personal information. You may delete your account at any time through your profile settings, and we will process the deletion within 30 days.
  • Right to Withdraw Consent: You may withdraw your consent for certain data processing activities at any time. Note that withdrawing consent may affect your ability to use some features of the service.
  • Right to Data Portability: You may request a copy of your personal data in a structured, commonly used format.
  • Right to Opt-Out of Communications: You may opt out of non-essential communications, including Telegram notifications, engagement reminders, and digest emails, through your notification settings at any time.

9.1 How to Exercise Your Rights

To exercise any of these rights, you may:

  • Use the relevant settings within your Enchanted Reads account (profile settings, notification preferences, privacy controls)
  • Contact us at [email protected] with your request

We will verify your identity before processing any request and respond within the timeframes required by applicable law.

9.2 Complaints

If you are unsatisfied with how we handle your personal information or your privacy rights request, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or the Office of the Information and Privacy Commissioner for British Columbia at www.oipc.bc.ca.

10. Data Breach Notification

In accordance with PIPEDA's mandatory breach notification requirements, if we become aware of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will:

  • Notify you as soon as feasible, providing details about the nature of the breach, the information involved, and the steps we are taking to mitigate harm
  • Report the breach to the Office of the Privacy Commissioner of Canada
  • Maintain records of all breaches of security safeguards, whether or not notification is required
  • Take immediate steps to contain the breach and prevent further unauthorized access

Breach notifications will be delivered via email to the address associated with your account. We recommend keeping your contact information up to date to ensure you receive any important security communications.

11. Age Requirement

Enchanted Reads is intended for users who are 16 years of age or older. We do not knowingly collect, use, or disclose personal information from individuals under the age of 16.

If we become aware that we have inadvertently collected personal information from a user under the age of 16, we will promptly delete such information and terminate the associated account. If you believe that a child under 16 has provided us with personal information, please contact us immediately at [email protected].

12. Cookies & Tracking Technologies

Enchanted Reads uses cookies and similar tracking technologies to operate our web application, remember your preferences, and analyze usage patterns. These include:

  • Essential Cookies: Required for authentication, session management, and core platform functionality
  • Preference Cookies: Store your language, theme, and display settings
  • Analytics Cookies: Google Analytics cookies to understand usage patterns and improve the service

For comprehensive information about the specific cookies we use, their purposes, and how to manage your cookie preferences, please refer to our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For material changes, we will provide prominent notice within the application or via email
  • We will obtain your renewed consent where required by PIPEDA for significant changes in how we process your information

Your continued use of Enchanted Reads after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Enchanted Reads

Email: [email protected]

Location: British Columbia, Canada

We will respond to all privacy-related inquiries within 30 days.

15. Lore — The Bookshop Oracle

This Privacy Policy also applies to Lore — The Bookshop Oracle, a companion app developed by Enchanted Reads. Lore collects: user ID, email (via Sign in with Apple), gameplay content, purchase history, and crash data — used solely for app functionality and anonymous analytics. No data is sold or used for advertising.