Your data, your control.

AniUniverse is restricted to users aged 16 and over. We pick the strictest threshold across the EU (NL, DE, FR, IT all draw the line at 16 under GDPR-K) so the same age rule applies everywhere. We collect your date of birth at signup to verify you meet the threshold; the date itself stays private — we don't show it on your profile.

AniUniverse is operated as a sole-proprietorship under Dutch law. For our full company details (KVK, address, contact), see our Imprint. Privacy questions go to privacy@aniuniverse.com.

When you sign up, we store your email, username, password (hashed — we never see your actual password), and date of birth (used solely to verify the 16+ minimum). As you use the platform, we store your posts, comments, reactions, watch-room activity, and XP progress. We use cookies for authentication only.

EU law requires us to name a legal basis for every type of processing. Here's the breakdown:

• Running your account (email, password hash, handle, date of birth, posts, comments) — basis: contract (Art. 6(1)(b)). Without this we can't provide the service.
• Keeping the platform safe (rate-limit logs, abuse signals, IP for moderation events) — basis: legitimate interest (Art. 6(1)(f)) in protecting users from spam, abuse, and account takeovers.
• Subscription billing (when you upgrade) — basis: contract (Art. 6(1)(b)). Stripe handles card data; we only see the subscription ID + plan.
• Email — verification + password reset — basis: legitimate interest (account security) and contract (delivering the service you signed up for).
• Email — product updates (if you opt in) — basis: consent (Art. 6(1)(a)). You can withdraw at any time from Settings.
• Aggregated, anonymized usage stats (e.g. "what % of users used X feature") — basis: legitimate interest in improving the platform. No individual is identified.

We use a small set of trusted infrastructure providers (sub-processors under GDPR Art. 28). All have signed Data Processing Agreements with us and are contractually bound by EU-grade safeguards (Standard Contractual Clauses where applicable):

• Vercel (hosting + edge functions) — USA-based, transfers covered by SCCs + EU-US Data Privacy Framework
• Upstash Redis (session + state store) — EU region
• Vercel Blob (image + file storage) — EU region
• Stripe (payments) — Stripe Payments Europe Ltd., Ireland
• Resend (transactional email — verification, password reset) — USA-based, transfers covered by SCCs
• Cloudflare (DNS + bot protection) — EU edge, transfers covered by SCCs

We do not sell your data. We do not share personal information with advertisers, data brokers, or any party outside this list without your consent or a legal obligation.

Some of our sub-processors (Vercel, Resend) have parent companies in the United States. Where data leaves the EU/EEA, transfers are governed by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. We process and store user-content data (your posts, profile, etc.) on EU-region infrastructure where the provider supports it.

You have the following rights regarding your personal data. Most are self-serve in your Settings; for anything that isn't, email privacy@aniuniverse.com. We respond within 30 days.

• Access — request a copy of all data we hold about you (one-click export in Settings → Data).
• Rectification — correct inaccurate data (edit your profile / settings).
• Erasure ("right to be forgotten") — delete your account from Settings → Account. Personal data is wiped within 30 days.
• Restriction of processing — ask us to pause certain uses while a dispute is resolved.
• Data portability — your export is a machine-readable JSON archive.
• Object — to processing based on legitimate interest.
• Withdraw consent — for anything where consent was the basis (e.g. marketing email opt-in).

If you believe we've mishandled your data and we haven't resolved it to your satisfaction, you have the right to lodge a complaint with the Dutch supervisory authority — the Autoriteit Persoonsgegevens — or with the supervisory authority in your EU country of residence.

We do not sell your data. We do not share your personal information with advertisers. We do not use your data for behavioral advertising. We do not track you across other websites. We do not read your private messages for marketing purposes. We do not run third-party analytics or tracking pixels on AniUniverse.

We use a single first-party authentication cookie to keep you signed in (httpOnly, SameSite=strict, secure). It is strictly necessary for the service to work and is therefore exempt from consent requirements under the EU ePrivacy Directive. We do not use tracking, analytics, or advertising cookies. Stripe's checkout page (on stripe.com) sets its own cookies under Stripe's privacy policy when you make a purchase.

Passwords are hashed with bcrypt (cost factor 12). Sessions use signed JWTs with httpOnly cookies and per-account session-version invalidation on password change. Optional two-factor authentication via TOTP. Rate- limits + account lockout on repeated failed sign-ins. Two-factor secrets are encrypted at rest with AES-GCM. Strict transport security (HSTS) on the production domain.

We'll update this page if our processing changes. The version stamp at the bottom moves whenever we make a material update; we'll also notify you in-product or by email when changes affect your rights.