Oh.Fun - Privacy Policy

Effective date: 7 October 2025

Who we are. Utility3 Ltd (company number 14000143), registered at 9th Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN, operates Oh.Fun and OhChat. Contact: hello@oh.xyz. We are the controller of personal data described below, except where noted (e.g., identity/KYC vendors and payment processors act as separate controllers/processors for their own services).

Scope & Related Policies. This Policy explains how we collect, use, disclose and protect information when you use Oh.Fun (portal) and related distribution to OhChat and partner sites. It should be read together with our Cookie Policy, Acceptable Use Policy, IP/DMCA Policy, and Transparency & Notice Policy (each incorporated by reference). Separate policies/terms may apply to OhChat users and to API clients.

1. Data We Process

1.1 Account & Profile

• Identifiers: email, display name/username, country/region.
• Age‑check outcome: pass/fail and timestamp from our third‑party age/ID verification provider. We do not store your ID documents.

1.2 Creator/Digital Twin Onboarding

• Verification outcomes from third‑party provider (pass/fail, risk flags). We do not store your ID documents, biometrics or selfies; the provider processes them under its own policy.
• Training data you voluntarily upload (photos, videos, audio/voice samples, descriptions) to create and maintain your Digital Twin.

1.3 Character Owner (Fictional) Creation

• Character descriptions and any materials you choose to upload (you must not upload third‑party likenesses without rights).

1.4 Usage & Device

• Technical logs: IP address, device/browser type, operating system, timestamps, pages/features used, performance data.
• Event data: clicks, settings, generation metadata (e.g., model type, tokens/steps, safety triggers), crash reports.

1.5 Payments & Payouts

• End‑user payments are handled by third‑party processors; we receive tokenised transaction IDs and status only.
• Creator/Referrer payouts: limited payout details you provide (e.g., payee name, account/wallet identifiers) and payout history. We may use a payout service provider as a processor.

1.6 Safety & Moderation

• Reports submitted via Gleap or email; enforcement records (warnings, suspensions, bans); automated safety scores.

1.7 Support & Communications

• Messages you send to us; survey responses; marketing preferences.

2. Purposes & Legal Bases (UK/EU GDPR)

We process personal data for the following purposes and bases:

• Provide the service (create/manage Characters, publish to OhChat/partners, account management, payouts): Contract (Art. 6(1)(b)).
• Safety, abuse prevention, fraud and platform integrity (verification outcomes, automated flags, enforcement): Legitimate Interests (Art. 6(1)(f)) and/or Legal Obligation where applicable.
• Payments & taxes (charging fees, payouts, accounting): Contract and Legal Obligation.
• Model improvement (use of prompts/inputs, outputs and metadata to develop our models): Legitimate Interests with measures to de‑identify/anonymise where feasible and an opt‑out mechanism where required.
• Marketing communications (to admins/Creators/Character Owners): Consent (opt‑in) or soft opt‑in where permitted; you may opt out anytime.
• Analytics and product improvement: Legitimate Interests.
• Compliance & legal requests: Legal Obligation.

Special category data. We do not seek to process special categories. However, sexual content associated with Characters may, in context, be considered sensitive. We process such content only at your direction to provide the Services (Contract) and to maintain safety (Legitimate Interests). Identity/age checks (including any biometrics) are performed by our third‑party provider under its own policy; we receive outcomes only.

3. Model Improvement & Human Review

3.1 We may use inputs, outputs and interaction metadata to improve the performance and safety of our models and Services. Where feasible, we will aggregate or de‑identify such data.

3.2 If you are a Creator and your Creator/Digital Twin Agreement specifies particular data‑use permissions (e.g., training scope), those terms apply.

3.3 Limited human review may occur for trust & safety, debugging, or quality assurance.

3.4 Opt‑out. Where required by law or technically feasible without undermining safety, you may request to opt out of model‑improvement use of your content by contacting hello@oh.xyz. This does not affect our use for safety, security or legal compliance.

4. Sharing & Disclosures

We share personal data with:

• Service providers/processors (hosting, content delivery, analytics, payout services, support tooling including Gleap, safety tooling, age/ID verification, and payment processors).
• Distribution partners to host Characters created in Oh.Fun on OhChat and partner sites.
• Law enforcement/regulators when legally required.
• Corporate transactions (merger, acquisition) subject to safeguards.

We do not sell personal data.

5. International Transfers

We may transfer data outside the UK/EEA. Where we do so, we use appropriate transfer mechanisms such as UK IDTA, EU SCCs, and supplementary measures as needed. Hosting regions and major processors may include the UK, EEA and US.

6. Retention

We retain data only as long as necessary for the purposes set out in this Policy:

• Account data: for the life of your account and up to 24 months after closure.
• Verification outcomes: retained for up to 24 months from collection.
• Training data & outputs: retained while your Character is active and for up to 12 months after deletion to address disputes, fraud and backups, unless legal obligations require longer.
• Logs & analytics: typically 6–18 months.
• Enforcement records: typically up to 36 months from last incident.
• Backups: persist for limited cycles (usually 30–90 days).

We may retain data longer where required by law or to establish/defend legal claims.

7. Your Rights (UK/EU)

You have rights to access, rectify, erase, restrict, object (including to processing based on Legitimate Interests), and data portability. You may withdraw consent at any time where processing is based on consent. To exercise rights, contact hello@oh.xyz. We will verify your request and respond within legal timelines.

You also have the right to complain to the UK Information Commissioner’s Office (ICO) or your local EU authority. See ico.org.uk for contact details.

8. Children

Our Services are not for under‑18s. If we learn a user is under 18, we will delete their account and associated data.

9. Security

We implement appropriate technical and organisational measures, including encryption in transit and at rest, access controls, segmentation, least‑privilege access, monitoring, and incident response. No method is 100% secure, but we work to protect your data.

10. Cookies & Similar Technologies

We use cookies and similar technologies for essential functionality, analytics, and fraud prevention. Where required, we will display a consent banner and respect your choices. See our Cookie Policy (incorporated by reference) for details on categories, retention and vendors.

11. Marketing

We may send service and administrative emails. We send marketing emails only with consent or soft opt‑in where allowed. You can opt out via the unsubscribe link or by contacting us.

12. Automated Decision‑Making

We use automated tools to detect fraud, spam, and policy violations. You may contact us to request human review of decisions that significantly affect you, to express your point of view, and to contest the decision, subject to legal limits.

13. Data Deletion & Portability

You may request account deletion by contacting hello@oh.xyz. Upon verified request, we will delete your data from active systems, subject to legal retention and safety obligations and limited backup cycles. You may also request a copy of your data in a commonly used format.

14. Changes to this Policy

We may update this Policy occasionally. We will notify you by email and/or in‑product for material changes, indicating the effective date at the top.

Full legal entity disclosure: This website and the Services are provided by Utility3 Ltd (company number 14000143), registered address 9th Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN. Contact hello@oh.xyz.