Privacy Policy
Last Updated: May 29, 2026
1. Introduction
This Privacy Policy explains how GhzLab, Inc. ("GhzLab," "we," "us") collects, uses, shares, and protects personal information in connection with the Orbismo platform, website, applications, MCP server, APIs, and related services (the "Service").
This Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.
If you do not agree with this Policy, do not use the Service.
2. Who We Are (Controller)
For the purposes of the EU/UK General Data Protection Regulation ("GDPR") and similar laws, the data controller is:
GhzLab, Inc., a Delaware corporation
1309 W Poinsett St Ste B, Greer, South Carolina 29650
Email: privacy@ghzlab.com
Contact: Legal Department
3. Information We Collect
We collect information in three ways: (a) information you provide, (b) information collected automatically, and (c) information from third parties.
3.1 Information You Provide
| Category | Examples |
|---|---|
| Account data | Name, email, password hash, display name, profile image |
| Billing data | Billing address and tax ID (where required). Payment-card data and billing personal information are collected directly by Lemon Squeezy (our Merchant of Record) at checkout. GhzLab does not receive or store full payment-card numbers. Lemon Squeezy is an independent data controller for the billing data it collects; their Privacy Policy governs their handling of that data. |
| User Content | Worlds, entities, lore, templates, media, notes, and anything else you upload or generate through the Service |
| Support / communications | Messages you send to our support, sales, or legal teams |
| Surveys / feedback | Optional survey responses, beta feedback, testimonials |
3.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Device / technical data | IP address, browser type, OS, device identifiers, language, time zone |
| Usage data | Pages viewed, features used, clicks, session duration, error logs |
| Cookies & similar technologies | See our Cookie Policy |
| MCP / API telemetry | API call metadata (endpoint, latency, status), not the content payload unless needed for debugging an issue you report |
3.3 Information from Third Parties
| Source | Data |
|---|---|
| SSO / OAuth providers (Google, GitHub) | The minimum profile attributes needed to authenticate you — typically email and display name |
| Payment processor (e.g., Stripe) | Payment status, billing country, tax information |
| Fraud-prevention services | Risk signals |
| Analytics providers | Aggregated usage insights |
3.4 We Do Not Knowingly Collect Children's Data
The Service is not directed to children. We enforce region-specific minimum ages at sign-up — 13 in the United States and most regions, and 16 in the European Union, European Economic Area, United Kingdom, and Switzerland (see Section 11). We do not knowingly collect personal information from anyone below the applicable minimum age for their region. If we learn we have collected such information, we will delete it promptly.
4. How We Use Information
We use personal information to:
- Provide the Service — create and manage accounts, host your User Content, process MCP requests, deliver features.
- Billing and payments — process subscriptions, invoices, refunds, and tax compliance.
- Communications — send transactional emails (service notices, security alerts, receipts), respond to support, and — with your consent where required — marketing.
- Product improvement — derive anonymized, de-identified aggregate statistics from usage patterns (e.g., feature adoption rates, entity-type distributions, performance benchmarks) to improve the Service. These statistics contain no personal information and no User Content. We do not use your User Content to train AI models — see Section 6. The aggregate-statistics carve-out in ToS §5.4 applies here.
- Security and fraud prevention — detect, investigate, and prevent abuse, unauthorized access, or violations of our Acceptable Use Policy.
- Legal compliance — comply with laws, enforce our Terms, respond to lawful requests, protect our rights and the rights of others.
5. Legal Bases for Processing (GDPR / UK GDPR)
Where GDPR applies, we rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service, billing, account management | Contractual necessity (Art. 6(1)(b)) |
| Security, fraud prevention, product improvement | Legitimate interests (Art. 6(1)(f)) — balanced against your rights |
| Marketing communications (where consent is required) | Consent (Art. 6(1)(a)), withdrawable at any time |
| Legal / regulatory compliance | Legal obligation (Art. 6(1)(c)) |
| Cookies classified as non-essential | Consent (ePrivacy / Art. 6(1)(a)) |
You have the right to object to processing based on legitimate interests — see Section 9.
6. Data Storage and MCP Integrations
6.1 Strictly Infrastructure. GhzLab acts as a data storage and transport layer. We do not generate content, run AI safety filters, or use third-party AI model providers to process your User Content. You and the third-party AI agents you choose to connect via MCP are solely responsible for the generation and processing of your data.
6.2 No AI Training on Your Data. We do not use your User Content to train, fine-tune, or improve any AI, ML, or large language model, nor do we share your data with any third-party AI providers for such purposes.
6.3 MCP Integrations. When you connect an AI assistant to Orbismo via MCP, the assistant reads from and writes to your world database at your direction. The contents of those reads/writes pass through our infrastructure and the MCP client you have chosen.
7. Cookies and Similar Technologies
See our Cookie Policy for details on cookies, the categories we use (strictly necessary, analytics, marketing), and how to manage your preferences. Where required, we will ask for your consent before setting non-essential cookies.
8. Sharing and Sub-processors
We do not sell your personal information. We share it only as described below.
8.1 Service Providers (Sub-Processors)
GhzLab currently uses the following third-party providers:
| Provider | Role | Purpose | Privacy Policy |
|---|---|---|---|
| Lemon Squeezy (a Stripe company) | Merchant of Record (independent data controller for billing data) | Subscription billing, payment processing, tax collection | lemonsqueezy.com/privacy |
| Intuit Mailchimp | Processor | Email marketing campaigns, newsletters, and transactional email delivery | mailchimp.com/legal/privacy |
| Google Analytics (Google LLC) | Processor | Website and product usage analytics and measurement | policies.google.com/privacy |
Note on Lemon Squeezy's role. Because Lemon Squeezy acts as Merchant of Record — not just a payment processor — they are an independent data controller for the personal information (name, email, payment method, billing address) they collect during checkout and billing. GhzLab does not receive or store your full payment-card data. For rights requests related to your billing and payment data, contact Lemon Squeezy directly at their privacy contact.
As the Service grows, we anticipate engaging additional third parties for functions such as cloud infrastructure, transactional email, analytics, and diagnostics. Before engaging any new sub-processor, we will:
- Update this Policy and the live sub-processor list at orbismo.com/sub-processors with the provider's name, category, and purpose.
- Execute a written data-protection agreement (where the provider acts as a processor, not an independent controller).
- Provide at least thirty (30) days' advance notice to users via email and in-Service notice before the sub-processor begins processing personal data.
8.2 Business Transfers
If GhzLab is involved in a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users and the new controller will be bound to equivalent protections.
8.3 Legal and Safety
We may disclose information when we reasonably believe it is necessary to: (a) comply with law, regulation, legal process, or lawful government request; (b) enforce our Terms or investigate violations; (c) detect, prevent, or address fraud or security issues; or (d) protect the rights, property, or safety of GhzLab, our users, or the public.
8.4 With Your Direction
We share data with third parties when you direct us to — for example, inviting a collaborator or connecting an external AI assistant via MCP.
9. Your Rights
9.1 GDPR / UK GDPR Rights (EU / EEA / UK residents)
You have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten"), subject to legal exceptions.
- Restriction of processing.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint with your local data-protection authority.
To exercise these rights, email privacy@ghzlab.com or use the in-app data request tool in account settings. We will respond within thirty (30) days (extendable by two months for complex requests, per GDPR Art. 12).
9.2 California Rights (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell.
- Delete personal information we have collected.
- Correct inaccurate personal information.
- Opt out of sale or sharing — we do not sell personal information and do not share it for cross-context behavioral advertising.
- Limit use of sensitive personal information — we do not use sensitive PI for purposes that would trigger this right.
- Non-discrimination — we will not discriminate against you for exercising CCPA rights.
GhzLab's role. For personal information you provide about yourself (account data, billing data, support interactions), GhzLab acts as a "Business" under the CCPA. For any personal information of third parties that you choose to include within your User Content — for example, names, likenesses, or contact details of real people referenced in your world-building notes or campaign materials — GhzLab acts as a "Service Provider" processing that information solely on your behalf under our written terms, and we will not retain, use, or disclose it for any purpose other than providing the Service to you (see Cal. Civ. Code § 1798.140(ag) and § 1798.140(ah)). You are responsible for ensuring you have a lawful basis to include any such third-party personal information in your User Content.
To exercise these rights, email privacy@ghzlab.com or use the in-app form. We may need to verify your identity before fulfilling the request.
9.3 Other U.S. State Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws may have similar rights. Contact privacy@ghzlab.com.
9.4 Authorized Agents
You may authorize an agent to submit requests on your behalf. We may require written permission and verification.
9.5 Marketing Communications
You may opt out of marketing emails at any time by:
- Clicking the "unsubscribe" link in any promotional email; or
- Updating your communication preferences in your account settings.
Regardless of your marketing preferences, we will continue to send administrative and transactional messages — for example, security alerts, billing receipts, service status notices, and material updates to this Policy or the Terms of Service. These messages are necessary to operate the Service and cannot be opted out of separately from closing your account.
10. International Data Transfers
GhzLab is based in the United States, and our primary infrastructure is in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. and potentially other countries where our sub-processors operate.
Where personal data is transferred out of the EEA, UK, or Switzerland to a country not deemed to provide adequate protection, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures. A copy is available on request at privacy@ghzlab.com.
GhzLab's primary infrastructure is located in the United States.
11. Children's Privacy
The Service is not directed to children. GhzLab does not operate verifiable parental-consent infrastructure, so we enforce the following region-specific minimum ages at sign-up:
- United States and other regions (except EU/EEA/UK/Switzerland): minimum age 13.
- European Union, European Economic Area, United Kingdom, and Switzerland: minimum age 16. This is set at the upper end of the GDPR Art. 8(1) digital-consent range and is the threshold across these regions so that we do not rely on parental-consent flows.
We do not knowingly collect personal information from anyone below the applicable minimum age for their region. If you believe someone below the applicable minimum age has provided us personal information, contact privacy@ghzlab.com and we will delete it.
12. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy, to provide the Service, to comply with legal obligations, to resolve disputes, and to enforce our agreements.
| Data | Retention |
|---|---|
| Account data — voluntary account closure | For the life of the account. Following voluntary cancellation, we retain account data and User Content during a 90-day export window so you can download your data, then delete it from live production systems |
| Account data — verified erasure request (GDPR Art. 17, CCPA § 1798.105, or comparable law) | Deleted from live production systems within thirty (30) days of a verified request, subject to legal-retention exceptions (e.g., billing records below). The export window does not apply to erasure requests; our response to an erasure request is deletion, not export |
| User Content | Same as account data, on the applicable closure or erasure timeline above |
| Billing records | Seven (7) years for tax and audit purposes (statutory retention exception to erasure rights) |
| Support tickets | Up to three (3) years after ticket close |
| Security logs / audit logs | Up to twelve (12) months |
| Backups | Personal data persists in encrypted, immutable backups for up to thirty (30) additional days after deletion from live systems, then ages out through backup rotation. During this window the data is not actively used or accessible except for disaster recovery |
| Marketing data | Until you withdraw consent / opt out |
13. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Role-based access controls and principle of least privilege
- Multi-factor authentication for internal access
- Regular security testing, vulnerability scanning, and code review
- Audit logging and monitoring
- Incident response and breach-notification procedures
No system is perfectly secure. If you suspect unauthorized access to your account, contact security@ghzlab.com immediately.
Breach Notification. We will notify affected users and applicable regulators of a personal-data breach as required by law (e.g., within 72 hours under GDPR Art. 33 where feasible).
14. Do-Not-Track and Global Privacy Control
Some browsers send a "Do Not Track" (DNT) signal. There is no industry consensus on DNT, and we do not currently respond to DNT signals. We do, however, honor the Global Privacy Control (GPC) signal where required by applicable law, treating it as an opt-out of sale/sharing.
15. Third-Party Links and Integrations
The Service may contain links to third-party sites or integrations (e.g., SSO providers, AI assistants connected via MCP). We are not responsible for those third parties' privacy practices. Review their policies before engaging.
16. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by email and/or in-Service notice at least thirty (30) days before taking effect. The "Last Updated" date above reflects the most recent revision.
17. Contact Us
Privacy inquiries: privacy@ghzlab.com
General legal: legal@ghzlab.com
Security: security@ghzlab.com
Mailing address:
GhzLab, Inc., Attn: Privacy
1309 W Poinsett St Ste B
Greer, South Carolina 29650