Privacy Policy | The Friendly AI

This Privacy Policy explains what information @casper.ai ltd. (“Casper,” “we,” “us,” “our”) collects when you use askcasper.ai and related products, how we use that information, who we share it with, and your rights. Casper is designed to be used by people aged 13 and older.

Quick Summary

• We collect what you tell Casper (conversation messages), account basics (email, display name), and device metadata (IP address, browser type, approximate country).
• We do not sell your personal information.
• We do not use your conversations to train AI models.
• You can delete your account and all associated data at any time by emailing [email protected].
• This service is not for children under 13. We comply with COPPA in the United States, LGPD and ECA in Brazil, GDPR in the European Economic Area and UK, CCPA in California, and the DPDP Act in India.

Information We Collect

You give us

• Email address (for account creation, login, billing receipts)
• Display name (optional — you choose)
• Age confirmation (you must confirm you are 13+)
• Conversation messages (text and voice transcripts)
• Payment information (processed directly by Stripe or Razorpay — we never see your card number)
• Parent Portal linking data (Ghost Key, when a parent links to a child's account)

Collected automatically

• IP address and approximate country (for legal compliance and appropriate pricing)
• Device type, browser, operating system (for debugging)
• Usage patterns — message counts, session duration, feature usage — in aggregated form
• Cookies and local storage tokens (for keeping you logged in)

From third parties

• Payment confirmation from Stripe and Razorpay (charge success/failure only — no card data)
• Fraud-prevention signals from Cloudflare (blocked bot traffic, abusive IPs)

How We Use Information

• To generate Casper's responses (your message is sent to our moderation layer and then to the language model)
• To provide safety features — real-time content screening, crisis resource insertion, usage-cap enforcement
• To provide the Parent Portal (transcripts and safety alerts to linked parent accounts)
• To process payments through Stripe (most countries) and Razorpay (India)
• To debug, improve performance, prevent abuse, and comply with legal obligations

Legal Bases (GDPR / UK GDPR)

We rely on the following legal bases to process your data: (a) contract — to deliver the service you signed up for; (b) legitimate interest — for safety, moderation, fraud prevention; (c) consent — where we request it, such as for optional marketing (which we currently do not send); (d) legal obligation — to respond to lawful requests.

Children's Privacy (COPPA / LGPD / ECA / DPDP)

Casper is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. In Brazil, we comply with the Estatuto da Criança e do Adolescente (ECA) and the LGPD requirement for verifiable parental consent for users under 18. In India, the Digital Personal Data Protection Act requires verifiable parental consent for users under 18; we meet this through the Parent Portal linking flow. If you are a parent or guardian and believe a child under 13 has signed up, email [email protected] and we will delete the account within 7 days.

Who We Share Data With

We share limited information with service providers that help us operate Casper. All of them are bound by contractual confidentiality and data-protection obligations:

• OpenAI — language model inference and voice synthesis (conversation messages)
• Cloudflare — hosting, edge storage (D1, R2, KV), DDoS protection
• Stripe — payment processing (US, UK, EU, Brazil, Mexico, rest of world)
• Razorpay — payment processing in India
• Resend / SendGrid — transactional email (account verification, billing receipts)
• Google Analytics — aggregated web traffic (IP-anonymized)

We will also disclose information when required by law — for example, in response to a valid subpoena, court order, or government request — and we will notify you unless prohibited.

Data Retention

• Active account messages: retained while your account is active.
• Deleted accounts: removed from primary databases within 30 days; backup retention up to 90 days.
• Billing records: retained 7 years for tax and audit purposes (legal obligation).
• Safety incident logs: retained 12 months for trend analysis and moderation improvement.

International Transfers

Casper is operated globally. Data may be processed in the United States and other countries. We rely on Standard Contractual Clauses (SCCs) with our processors for transfers out of the EEA/UK, and on Razorpay's India-resident processing where applicable for Indian users.

Your Rights

Depending on your jurisdiction, you have the right to access, correct, export (portability), delete, restrict, or object to our processing of your personal data. To exercise any right, email [email protected] from your account email. We verify the request and respond within 30 days. You have the right to lodge a complaint with your local data protection authority: the UK ICO, your EU member-state DPA, the Brazilian ANPD, or the Indian Data Protection Board.

Security

We protect data in transit with TLS 1.2+ and at rest with AES-256 encryption. Access to production systems is limited to a small number of authorized personnel with multi-factor authentication. We run automated monitoring for anomalous access and have an incident-response procedure. No system is perfectly secure — if we become aware of a breach that affects your personal data, we will notify you within 72 hours where required by law.

Changes to This Policy

We may update this policy from time to time. The effective date at the top of the page reflects the latest version. Material changes will be announced in-product and by email where we have one.