Caleo Chat Privacy Policy

This Privacy Policy explains how BrassNode LLC, doing business as Caleo Chat ("Caleo," "we," "us"), collects, uses, shares, and protects personal data when you use the Caleo Chat website or Android app (the "Service"). Where privacy laws apply, Caleo is responsible for the data we collect. Terms we do not define here have the meaning given in our Terms of Service, which this Policy is part of and should be read with.

Who we are and what this Policy covers

BrassNode LLC operates Caleo Chat. You can reach our privacy team at privacy@caleo.chat or by writing to BrassNode LLC, d/b/a Caleo Chat, 1835 E Edgewood Dr, Suite 105, Unit 736, Appleton, WI 54913. Users in the EU, EEA, or UK can use the same contacts.

The Service is for adults. You must be 18 or older to use it.

The data we collect

Identity and profile.

  • Your email, which is required for password sign-up.
  • Your display name, which is required, and your public handle, which is required and must be 3 to 30 URL-safe characters.
  • An optional bio of up to 500 characters, and an optional avatar image URL.
  • Your password, which we keep only as a salted, one-way hash. We never store it in plain text.
  • An optional linked Discord identity (your Discord user ID and avatar) if you connect Discord.
  • Optional passkeys and an optional second factor (a one-time-password seed and backup codes) if you turn them on.

Sign-in and session data.

  • Session tokens, stored as httpOnly cookies on the web and as bearer tokens in secure device storage on mobile.
  • Your IP address, used for rate limiting, security, and monitoring, and your browser's User-Agent string.
  • An approximate, country-level location derived from your IP address, used for product analytics and security. We resolve this on our own servers and do not collect precise or GPS location.
  • Anti-abuse signals, such as hashed or derived browser, device, IP, and signup-risk signals.

The content you create. This stays private to you until you choose to share it.

  • Character cards, including every text field you write: the description, scenario, example dialogs, and lorebook entries.
  • Chat messages, both what you send and what the AI replies, stored as written.
  • Tags, favorites, follows, and the characters you view. These are visible only to you, but they feed into public popularity scores that do not identify you.

Subscription and usage data.

  • Your billing and subscription identifiers, plan tier, and billing cadence, held by our payment processors.
  • Your monthly token usage as a count only. This number does not store the content of your messages.

Performance, crash, and abuse-prevention data. We collect this when needed to operate, secure, and improve the Service.

  • Technical logs, traces, timing data, error reports, page or route information, browser details, plan tier, and internal identifiers.
  • Aggregated metrics used to debug and improve reliability.

We do not set out to collect special-category data. Because the Service lets you write free-form characters and chats, you may type sensitive information into your content. Please avoid entering anything you do not want handled as this Policy describes.

How we use data and our legal bases

We use data to create and secure your account; to run roleplay chat, including routing your messages to AI providers; to power discovery through feeds, search, and tag filtering, and to run the scene tracker; to process subscriptions and serve free-tier ads; to provide support; to keep the Service secure, prevent fraud and abuse, and enforce our Terms; to debug and improve reliability and performance; and to comply with the law.

Where the GDPR or UK GDPR applies, our legal bases are: performance of a contract, when we provide the Service you signed up for, including routing your messages to AI providers so a character can reply; legitimate interests, for security, abuse prevention, fraud prevention, debugging, product improvement, and aggregate popularity metrics, weighed against your rights; consent, for example for optional Discord linking and for certain cookies; and legal obligation, for example to respond to lawful requests. Where we rely on consent, you can withdraw it at any time.

How your data moves to third parties

AI providers. To generate a character's reply, every message you send and the character's system prompt are sent to third-party AI providers, which produce the reply. A small scene-tracker process also sends content to a third-party AI provider after each turn. These providers handle the content under their own terms.

  • We do not train AI models on your content. The next section says more.
  • Whether a provider keeps your prompts, and for how long, depends on that provider's own policy and on the settings we apply, and it varies. Where a provider offers a route that does not retain prompts, we prefer it, but we cannot guarantee it.

Other service providers. We share limited data with providers that help operate the Service, including payment, hosting, infrastructure, bot-mitigation, anti-abuse, monitoring, AI, storage, email, and advertising providers. For free-tier Android users, an advertising provider serves ads and may use an advertising identifier. We also share data with Discord if you link it, and with Google Play for Android payments.

We do not sell personal information for money. Free-tier advertising may count as a "sale" or "share" under some privacy laws. You can use your device's advertising controls, in-app controls where available, or write to privacy@caleo.chat about privacy requests.

AI training: what we do and do not do

Caleo does not build, train, or fine-tune AI models, and we do not use your content for that purpose. We have no models of our own. To generate a character's reply, we send your messages and the character's setup to third-party AI providers. What those providers do with that content is governed by their own terms and by the settings we apply, and we cannot fully control or guarantee it. Where a provider offers a route that does not retain prompts, we prefer it, but that option is not available everywhere and we cannot promise it. If a piece of writing is something you would not want a third-party AI service to process, do not send it through the Service.

Your privacy rights and how to use them

Depending on where you live, you have some or all of the rights below, and we honor them wherever you live to the extent we reasonably can.

  • In the EU, EEA, and UK, under the GDPR and UK GDPR, you have the rights of access, rectification, erasure, restriction, data portability, and objection, including objecting to processing based on our legitimate interests and to direct marketing (GDPR Articles 15 to 22). We do not make decisions about you with legal or similarly significant effects by solely automated means.
  • In California, if the CCPA as amended by the CPRA applies to us, you may have rights to know and access, to delete, to correct, to opt out of the "sale" or "sharing" of personal information, and to limit the use of sensitive personal information (Cal. Civ. Code § 1798.100 et seq.).
  • In Brazil, under the LGPD (Law No. 13.709/2018, Article 18), you have rights including confirmation that we process your data, access, correction, anonymization or deletion, portability, information about sharing, and deletion of data we process based on your consent.

How to make a request. Email privacy@caleo.chat or use the privacy controls in your account. We will verify your request and respond within the time the law requires. That is generally one month under the GDPR and UK GDPR, which we may extend by two months for complex requests, and 45 days under California law, which we may extend once. Where the law gives you a right to appeal a refusal, you may appeal, and you may complain to your data-protection authority: in the EU, your national authority; in the UK, the Information Commissioner's Office; in California, the California Privacy Protection Agency.

Editing your profile. You can correct most profile data, including your display name, bio, avatar, and, subject to availability, your handle, directly in your account settings.

Deletion and how long we keep data. When you delete your account, we first deactivate and hide it and your content, then permanently remove it after a 90-day window. Three things are exceptions: content others have already forked, which continues to exist as their content under our Terms; data we must keep for legal, tax, security, or fraud-prevention reasons; and routine encrypted backups, which are overwritten on our normal backup cycle within 35 days. The 90-day window lets you recover an account you deleted by mistake and lets us deal with abuse.

Portability. You can download a copy of your account data from your account settings. You can also write to privacy@caleo.chat. We respond within the legal window that applies to your request.

Sending data across borders

Caleo is based in the United States, and your data is processed in the United States and in other countries where our providers operate. Routing chat content to AI providers necessarily moves data across borders.

  • From the EU, EEA, and UK, where we or our providers move personal data out of the region, we rely on a valid transfer mechanism. For transfers to the United States, we and our U.S. providers rely on the EU-U.S. Data Privacy Framework where the recipient is certified, and on the European Commission's Standard Contractual Clauses as our primary and backup mechanism, carrying out transfer-impact assessments where they are needed.
  • From the UK, we use the UK International Data Transfer Agreement or the UK Addendum to the Standard Contractual Clauses, as appropriate.
  • From Brazil, we rely on the standard contractual clauses issued by the national data-protection authority under its 2024 resolution, or on another lawful basis under the LGPD.

You can ask for a copy of the safeguards we use by writing to privacy@caleo.chat.

Cookies, advertising, and tracking

We use strictly necessary cookies and tokens for sign-in and security, including httpOnly session cookies on the web. We use anti-abuse signals and performance and error monitoring as described above. On the free tier on Android, a third-party advertising provider serves interstitial ads and may use an advertising identifier. Where the law requires it, we ask for consent before using non-essential cookies or SDKs and give you controls. To limit ad tracking, use your device's advertising controls, in-app controls where available, or write to privacy@caleo.chat.

How we protect data

We protect data with measures that include storing passwords only as salted, one-way hashes; using httpOnly session cookies on the web and secure device storage for mobile tokens; encrypting our main database at rest and encrypting data in transit with HTTPS and TLS; rate limiting and bot mitigation; and access controls and monitoring. No system is perfectly secure. If a personal-data breach is likely to create a risk to your rights, we will notify the relevant authority and, where required, you, within the timeframes the law sets, for example within 72 hours of becoming aware, as the GDPR requires.

Children's privacy

The Service is for adults only. You must be 18 or older to use it. We do not direct the Service to children or minors, and we do not knowingly collect personal information from anyone under 18. This includes the protections of the U.S. Children's Online Privacy Protection Act for children under 13 (15 U.S.C. §§ 6501 to 6506; 16 C.F.R. Part 312). If we learn that someone under 18 has created an account or given us personal information, we will close the account and delete the information. A parent or guardian who believes a minor has given us data can write to privacy@caleo.chat, and we will act on the request.

How long we keep data

We keep personal data only as long as we need it for the purposes in this Policy or as the law requires. We keep account and profile data for the life of your account and through the 90-day window after deletion. We keep chat and character content on the same deletion schedule, subject to forks and any legal holds. We keep subscription and billing records as long as tax and accounting law requires. We keep performance, error, and anti-abuse logs for limited operational periods, and we overwrite backups within 35 days.

Changes to this Policy

We may update this Policy. For material changes, we will give reasonable notice by email or in the app and update the dates below. If you keep using the Service after the effective date, you accept the updated Policy, except where the law requires fresh consent.

How to contact us

For privacy questions or requests, email privacy@caleo.chat or write to BrassNode LLC, d/b/a Caleo Chat, 1835 E Edgewood Dr, Suite 105, Unit 736, Appleton, WI 54913. This Policy is part of, and should be read with, our Terms of Service.

Effective date: June 16, 2026 Last updated: June 16, 2026

enes