Infinite Verse Privacy Policy
Effective 2026-06-08
Infinite Verse is built by people who love manga and anime as much as you do, and we treat your data with the same care we put into the worlds we create. This policy explains, in plain language and with full legal precision, exactly what personal information we collect when you read, create, follow, chat with a companion, or make a purchase on Infinite Verse, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It is published openly and can be read in full without signing in. Infinite Verse is operated by Anime Universe Global Holding Inc. (AUGH), a corporation organized under the laws of the State of Texas, USA, founded and chaired by inventor Sebastien Bilodeau. Throughout this policy, AUGH is the controller of your personal data: when we say "we", "us", "Infinite Verse", or "AUGH", we mean that company. We wrote this to be honest about how the platform actually works today, including the parts that send your text, images, or audio to outside services so that features like translation and voice can exist. Where a feature is still being built, we say so rather than describe something that is not yet live. If anything here is unclear, write to us at privacy@animeuniverse.com and a real person will answer.
1. Who We Are and How to Reach Us
Infinite Verse is owned and operated by Anime Universe Global Holding Inc. (AUGH), incorporated in the State of Texas, United States. AUGH is the data controller for the personal information described in this policy, which means we decide why and how your data is processed and we are accountable for protecting it. Some payment-related processing is carried out through our affiliated U.S. payments entity acting strictly on our behalf as a processor; in every case AUGH remains the controller you can hold responsible, and any request you make to us covers data handled through that affiliate as well.
For privacy questions, data requests, or anything about this policy, the fastest route is privacy@animeuniverse.com. If you believe you have found a security vulnerability, please write to security@animeuniverse.com so the right team sees it quickly. We aim to acknowledge security reports within 72 hours and to respond substantively to privacy and data-rights requests within 30 days, extending only where the law allows and only after telling you why.
If you are in the European Economic Area, the United Kingdom, or another region that requires a local point of contact, you may also direct your request to privacy@animeuniverse.com marked for the attention of our data protection contact, and we will route it to the appropriate representative. We are in the process of formally designating our EU and UK Article 27 representatives and will name them in this section as that designation is completed; until then, all rights requests are honored through the contacts above without any disadvantage to you.
2. A Quick Map of This Policy
To respect your time, here is the shape of what follows. Sections 3 and 4 cover what we collect and, just as importantly, what we deliberately do not collect. Section 5 explains how we use your data and, for our European and UK readers, the legal basis for each use. Sections 6 and 7 cover Google Sign-In specifically and the outside services that help run Infinite Verse, including the AI services that some features depend on. Section 8 addresses payments and creator payouts, which involve our most sensitive data. Sections 9 through 11 cover cookies and similar technology, where your data lives, and how long we keep it. Sections 12 and 13 cover security and what happens in the unlikely event of a breach. Sections 14 through 17 set out your rights under GDPR, CCPA and other U.S. state laws, our approach to children and younger users, and international data transfers. Sections 18 through 20 close with governing law, how we handle changes, and how to contact us. You can read any section on its own without logging in.
3. The Data We Collect and Why
We collect only what a manga platform genuinely needs to work, and we tie each category to a clear purpose. The categories below describe what we hold, grouped the way the product itself is organized.
Account and identity. When you join, we collect your email address and, through Firebase Authentication, a Firebase user identifier and the sign-in method you used (for example, an emailed magic-link code or, where offered, Google Sign-In). From this we derive a stable internal account identifier (in the form au_usr_ followed by a hashed value) so that your data can travel with you across the platform without exposing the underlying Firebase ID everywhere. We use this to create and secure your account, sign you in, and keep your session valid. When you sign in with a magic link, we generate a six-digit verification code tied to your email that lives only briefly (about ten minutes) before it expires.
Profile and presence. If you build out a profile, we store your display name, optional username or handle (sometimes suggested from your email prefix and always editable), avatar and banner images, short bio, region and locale, any verified-creator status, your fan tier, and your privacy settings (such as whether your recent reads or taste fingerprint are visible to others). We use this to render your public or private profile exactly the way you have chosen to present yourself.
Reading life. As you read, we save your progress (which series, which chapter and page, how far through) so you can pick up on any device. We also keep reading streaks, totals such as chapters read and series completed, the genres you have explored, and your wishlist of series you want to follow. Some of this is also cached on your own device so the app feels instant offline. We use this to sync your library, power your streaks, and surface what you might love next. A small number of progress-related fields are still being rolled out across all surfaces; where that is the case the data is collected only once the feature is live for you.
Community and the social graph. If you follow other readers or creators, we store those follow relationships and the resulting follower and following counts. We use this to build your feed and connect you to the creators and friends you choose.
Wallet, purchases, and unlocks. Infinite Verse uses in-app currencies (AU Coin, Ink, and Koi). We keep your balances and a transaction ledger for each, recording the type of each entry, the amount, a reference to what it relates to, and related metadata, so your spending and rewards are accurate and auditable. We also record chapter unlocks, themes you own, badges in your collection vault, your subscription state (such as a Vortex Pass, an AI Sage Pass, or a subscription to a specific creator), and purchase receipts. Receipts include the payment provider, the amount in the smallest unit of the currency, the currency, what you bought, and, for card purchases, the underlying provider event record. We use this to deliver exactly what you paid for, prevent double-charges, and keep honest financial records.
AI feature usage. When you use features powered by AI (translation, text-to-speech, voice cloning, page inpainting, or chatting with a NIMA companion), we keep a per-user usage ledger noting the feature, the provider involved, a cost measure, and whether the result came from cache. The content you send into these features is described in Sections 6 and 7. We use this to meter usage fairly, manage cost, and improve reliability.
Network and abuse-prevention data. We collect the IP address of requests to protect the platform from abuse, enforce rate limits, and keep secure delivery logs for our content network. In several of our logging paths your IP address and email are passed through a one-way transformation before they are written to long-term logs, so the stored audit record does not expose them in the clear.
Creator payout details. If you earn on Infinite Verse and set up payouts, we collect the banking information needed to pay you. For U.S. payouts this is a payout-rail recipient identifier. For Canadian payouts this is the account holder name, transit number, institution number, and account number, with the account number encrypted at the application layer and stored alongside a verification hash rather than in plain text. This is the most sensitive data we hold, and we treat it accordingly.
4. What We Deliberately Do Not Collect
What we choose not to collect matters as much as what we do. We do not store your full card number or security code: when you pay, your card details go directly to our payment processor and we never see or keep the raw card data. We do not collect your precise location or GPS coordinates. We do not use advertising identifiers, and we do not build cross-app advertising profiles or track you across other companies' apps and websites. We do not access your contacts or photo library, and we do not record from your microphone in the background. Any audio used for voice features is something you knowingly upload for that purpose, as described in Section 7.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. There are no ad networks embedded in Infinite Verse. This is a deliberate, standing commitment, not a temporary state, and it is one of the clearest ways we keep faith with a community that includes a lot of younger fans.
5. How We Use Your Data, and Our Legal Bases
We use your personal information to do the things you would expect: to create and secure your account, to deliver the reading, creator, social, and wallet features you ask for, to process payments and pay creators, to operate AI-powered features when you invoke them, to keep the platform safe and reliable, to respond to you, and to comply with our legal obligations such as financial recordkeeping.
For readers in the European Economic Area and the United Kingdom, we are required to name a legal basis for each kind of processing, and we map them honestly. We rely on performance of a contract to run your account, sync your reading, operate the wallet, and deliver purchases and subscriptions, because these are the service you signed up for. We rely on your consent for features that go beyond core service and depend on your active choice, most importantly voice cloning and the processing of any audio you upload for it, which we treat as special-category biometric data under Article 9 of the GDPR and never enable silently. We rely on legal obligation to retain payment, tax, and transaction records for the periods the law requires. We rely on our legitimate interests, balanced against your rights, for security, fraud and abuse prevention, rate limiting, and measured improvement of the service; where a use rests on legitimate interests you have the right to object, and Section 14 explains how. We never bury consent-based processing inside a general acceptance, and for any feature that depends on your consent you can withdraw that consent at any time without losing access to the rest of the platform.
We do not use your personal information to make decisions that produce legal or similarly significant effects about you through solely automated means. Our AI features translate text, read text aloud, generate or repair imagery, and hold companion conversations at your request; they do not score you, gate your rights, or decide your standing on the platform on their own.
6. How We Use Data From Google Sign-In
Where Google Sign-In is offered, you can use your Google account to create or access your Infinite Verse account instead of setting up a separate password. This policy is published openly and can be read in full without an account, precisely so that anyone deciding whether to connect their Google account can see first exactly what we receive and what we do with it. Trust in this flow is the whole point of it, so we are completely clear here.
When you sign in with Google, we receive a limited set of basic profile information that you authorize through Google's consent screen: your email address, your name as it appears on your Google account, your profile photo, and a stable Google account identifier. We receive this through Firebase Authentication, which verifies the sign-in on our servers. We use this information for one purpose: to authenticate you and to set up or recognize your Infinite Verse account, including creating your internal account identifier, signing you in, and pre-filling your display name and avatar so you do not have to. That is the full extent of it.
We do not use Google Sign-In data for advertising. We do not sell it, and we do not share it for cross-context behavioral advertising. We do not use it to build a marketing profile, and we do not transfer it to third parties except the infrastructure and security providers that help us run authentication, and only so they can perform that function for us. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements: we use this data only to provide and improve the sign-in and account features you can see in the product, we do not transfer it except as needed to provide those features or as required by law, we do not use it for advertising, and we do not allow humans to read it except with your consent, for security, to comply with the law, or where the data is aggregated and anonymized. If you ever want to disconnect Google from your Infinite Verse account or have the data we obtained through it deleted, you can revoke Infinite Verse's access from your Google Account security settings and contact us at privacy@animeuniverse.com to complete the cleanup on our side.
7. The Outside Services That Help Run Infinite Verse
Building a sovereign platform is a long road, and along the way some features rely on trusted outside services acting as our processors. We are transparent about who they are, what they do, and what data reaches them, because several of these services receive content you create or upload. We bind these providers by contract to handle data only as we instruct.
Identity and infrastructure. Google Firebase Authentication verifies sign-ins and holds the basic identity data described above (our Firebase project is gen-lang-client-0630315147). Google Cloud Run hosts the application, and Google Cloud Logging stores operational and audit logs, with IP addresses and emails passed through a one-way transformation before they are written. We send magic-link and transactional emails through a Gmail SMTP relay. A third-party object storage service currently backs delivery of certain manga page and cover images and some email image assets; we are migrating this onto our own infrastructure, and until that is complete, images you view may be served through that provider.
Payments and payouts. Stripe processes card payments, checkout, subscriptions, and related webhooks. Mercury provides U.S. creator payout rails, and Canadian bank rails handle Canadian creator deposits. Apple and Google in-app billing handle purchases made through their stores where applicable. Section 8 covers these in more detail.
AI features and the content that reaches them. This is the part that most affects your privacy, so we spell it out. When you translate manga, the source text (and limited surrounding dialogue context for accuracy) is sent to Anthropic's Claude API for dialogue and titles, and to DeepL for captions, sound effects, and descriptive text. When you use text-to-speech, the text you want spoken is sent to ElevenLabs or Cartesia. When you use voice cloning, the audio samples you upload are sent to ElevenLabs or Cartesia to build a voice; this audio is biometric data and we process it only with your consent. When you use AI inpainting to remove text from a manga page, the page image and a mask are sent to Replicate (running an SDXL inpainting model), with Google Vertex AI Imagen available as an alternative. When you chat with a NIMA companion, your messages (capped in length) along with limited context such as your handle, the companion bond level, mood, and a short memory of recent topics are sent to an OpenAI-compatible language model endpoint to generate a reply.
We characterize these providers honestly: your text, images, and audio leave Infinite Verse infrastructure and are processed on these providers' systems to produce the result you asked for. We do not direct these providers to use your content to train their models, and we select and configure them with that intent; their own published terms govern any residual handling, and we encourage you to review the terms of any AI feature you rely on heavily. Translation and inpainting results, along with their source inputs, may be cached on our own database so that repeated requests are faster and cheaper, and these caches expire as described in Section 11. If you would prefer not to send a particular piece of content to an AI service, the simplest control is not to invoke that AI feature on it.
8. Payments, Wallet, and Creator Payouts
When you buy AU Coin, Koi, a theme, a chapter unlock, or a subscription, payment is handled by Stripe through its hosted checkout and payment flows. Your card details are entered directly into Stripe's secure fields; we receive back only tokens and identifiers such as a customer reference and a payment or subscription identifier, keyed to your internal account ID. Because the raw card data never touches our servers, our card-handling environment is designed to fall within the lightest PCI DSS validation scope (commonly known as SAQ-A). We state this as our design intent and operating practice rather than an unconditional guarantee, and we re-verify it as the product changes.
For creators, payouts use Mercury in the United States and standard bank deposit details in Canada. Canadian account numbers are encrypted at the application layer before storage and held with a verification hash rather than in readable form. We keep payment and payout records for the period required by financial and tax law, which is why these records persist longer than most other data, as Section 11 explains. Purchases made through Apple's App Store or Google Play are governed additionally by those stores' own terms and privacy practices for the billing portion of the transaction.
9. Cookies, Local Storage, and Similar Technology
We keep our use of cookies and device storage minimal and functional. The central one is au-user-session, a secure session token that keeps you signed in. It is set as HttpOnly and SameSite=Lax, scoped to the whole site, marked Secure in production, and expires after about 48 hours. Its contents identify your account, handle, email, display name, role, and sign-in provider so that protected pages can confirm it is really you on each request. This cookie is strictly necessary for the platform to function.
Our Firebase client configuration includes a Google Analytics measurement identifier (G-NV4K5PXWKN). Where Firebase Analytics is initialized, Google may set analytics cookies or use similar identifiers to provide aggregate usage measurement. We use this only to understand how the platform performs in aggregate, never to sell data or to target advertising. We also use ordinary browser local storage on your own device for conveniences such as an offline copy of your wishlist and your recent reading position; this stays on your device and is not a tracking mechanism.
We are building a clear in-product consent control for non-essential cookies and analytics, and we will surface it before relying on analytics that requires consent in your region. Because we do not engage in cross-site tracking or targeted advertising, we honor Global Privacy Control and Do Not Track signals to the extent they apply, and there is no behavioral advertising for them to switch off.
10. Where Your Data Lives
Our core records, including accounts, profiles, reading progress, wallet ledgers, subscriptions, and AI usage and caches, are stored in a managed PostgreSQL database (AlloyDB) hosted in Google Cloud in the United States (US-Central region). Profile and wishlist data is held by a dedicated profile service. Operational logs are stored in Google Cloud Logging. Certain images are currently served through a third-party storage provider as noted in Section 7 while we migrate that function in-house. Session codes and rate-limit counters are kept briefly in an in-memory store (Redis) shared across our servers.
Because our infrastructure and several processors are based in the United States and elsewhere, your data may be processed outside your home country. Section 17 explains the safeguards we use when data moves across borders.
11. How Long We Keep Your Data
We keep personal information only as long as it serves the purpose we collected it for, and then we remove or anonymize it. Your account and profile data is retained for the life of your account; when you delete your account, we delete or anonymize this data except where we must keep specific records to meet a legal obligation. Your reading progress, streaks, wishlist, follows, and similar activity persist until you delete them or close your account.
Wallet ledgers, payment records, purchase receipts, and creator payout records are kept for up to seven years to satisfy financial, tax, and audit obligations; the legal basis for this retention is compliance with those legal obligations rather than our preference. AI feature caches (such as cached translations and inpainting results) expire after about 30 days. IP addresses collected for rate limiting are retained only briefly (on the order of 24 hours) before being discarded, and where IPs appear in longer-lived audit logs they are stored in transformed, non-clear form. Short-lived items such as magic-link codes expire within minutes. The short version: identity and activity data lasts as long as your account, financial records last up to seven years because the law requires it, and everything operational is kept only as briefly as it is useful. If you ask us to delete your data, we will honor it across these categories except for the records a law requires us to retain, and we will tell you which, if any, those are.
12. How We Protect Your Data
We design Infinite Verse to keep your information safe in transit and at rest. Connections are encrypted with TLS. Secrets and keys are held in a managed secrets system rather than in code. Card data is tokenized by our payment processor so we never store it. Sensitive payout fields, such as Canadian bank account numbers, are encrypted at the application layer. Sign-in uses passwordless verification through Firebase, which removes a whole class of password-reuse risk. We apply rate limiting and abuse controls on authenticated endpoints, and we transform IP addresses and emails before they enter long-term logs.
We describe these as the protections we have built and operate, not as a promise that any system is impervious, because no honest company can promise that. What we can promise is that security is treated as a continuous responsibility: we monitor, we patch, we review, and we improve. If you spot something, security@animeuniverse.com reaches the people who can act on it, and we aim to acknowledge reports within 72 hours.
13. If a Data Breach Ever Happens
In the event of a personal data breach that affects you, we will act quickly and openly. Where the law requires it, we will notify the relevant supervisory authority without undue delay and, under the GDPR, within 72 hours of becoming aware of a qualifying breach where feasible. Where a breach is likely to result in a high risk to your rights, or where U.S. state breach-notification laws require it, we will notify you directly and without undue delay, explaining what happened, what data was involved, what we are doing about it, and what steps you can take to protect yourself. We will never quietly absorb a serious incident; transparency in a hard moment is part of how we keep your trust.
14. Your Rights in Europe and the United Kingdom (GDPR)
If you are in the European Economic Area or the United Kingdom, the GDPR and UK GDPR give you strong, enforceable rights over your personal data, and we honor all of them. You have the right to access the personal data we hold about you and to receive a copy. You have the right to rectification, so we correct anything inaccurate or incomplete. You have the right to erasure (the right to be forgotten), subject only to data we must retain by law. You have the right to restrict or to object to processing, including any processing we base on legitimate interests, and where you object on those grounds we will stop unless we have compelling legitimate grounds that override your interests. You have the right to data portability, to receive the data you provided to us in a structured, commonly used, machine-readable format and to have it sent to another controller where technically feasible. Where our processing rests on your consent, such as voice cloning, you have the right to withdraw that consent at any time, and withdrawal does not affect the lawfulness of what came before. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and as Section 5 explains, we do not make such decisions about you.
To exercise any of these rights, write to privacy@animeuniverse.com. We will not charge you for a reasonable request, we will verify your identity to protect your account, and we will respond within 30 days, extending only where the law allows and only after telling you why. You also have the right to lodge a complaint with your local data protection authority (for example, your national supervisory authority in the EEA or the Information Commissioner's Office in the UK), though we hope you will give us the chance to put things right first. We are completing the formal designation of our EU and UK Article 27 representatives and will name them in Section 1; in the meantime your rights are fully available through the contacts above.
15. Your Rights in California and Other U.S. States
If you are a California resident, the CCPA as amended by the CPRA gives you specific rights, and this section serves as your Notice at Collection. In the past twelve months we have collected the categories of personal information described in Section 3, which map to the statutory categories of identifiers (such as email and account identifiers), internet and network activity (such as reading activity and IP address), commercial information (such as purchases and wallet history), audio information (where you upload audio for voice features), and financial information (such as payout details for creators). We collect this from you directly, from your device as you use the service, and from Firebase Authentication when you sign in. We use it for the business and commercial purposes described in Section 5, and we disclose it only to the service providers listed in Section 7, each acting on our behalf.
You have the right to know what we collect and why, the right to access and delete your personal information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. We do not sell your personal information and we do not share it for cross-context behavioral advertising, so there is nothing to opt out of, but you may still tell us your preference and we will record it. Under California's Shine the Light law, you may also ask whether we disclose personal information to third parties for their own direct marketing; we do not. We do not offer financial incentives in exchange for your personal information, so no notice of financial incentive applies. You also have the right to limit the use of sensitive personal information; we use the limited sensitive information we hold (such as account credentials and any uploaded voice audio) only to provide the features you requested and never for inferring characteristics about you. We will not discriminate or retaliate against you for exercising any of these rights: your access, pricing, and experience stay the same. You may use an authorized agent to make a request on your behalf, and we will ask for proof of that authorization.
If you live in another U.S. state with a comprehensive privacy law, including Virginia, Colorado, Connecticut, Utah, Texas, and a growing list of others, you have comparable rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, sale, and certain profiling. Because we do not sell data, do not run targeted advertising, and do not profile you for significant automated decisions, the opt-out rights largely do not arise; the access, correction, deletion, and portability rights are fully available. To exercise any U.S. state right, contact privacy@animeuniverse.com, and where a law provides an appeal of our decision, we will tell you how to appeal and will respond to that appeal within the time the law allows.
16. Children and Younger Fans
Anime and manga are loved across every age, and we take seriously that younger fans are part of this community. Infinite Verse is not directed to children under 13, you must be at least 13 to create an account in the United States, and we do not knowingly collect personal information from a child under 13 in the United States in a manner that would require verifiable parental consent under the Children's Online Privacy Protection Act (COPPA). In the European Economic Area and the United Kingdom, the minimum age to use the service without parental involvement matches the age of digital consent in your country, which is 16 unless your country has set it lower (no lower than 13); below that age, processing must rest on consent given or authorized by a parent or guardian under Article 8 of the GDPR. We respect the spirit and substance of the UK Age Appropriate Design Code in how we build for younger users.
We are honest that our current sign-up flow verifies an email but does not yet collect a date of birth or operate an age gate, and that some features send user-typed messages, uploaded audio, or images to outside services. We are actively building age assurance, age-appropriate defaults, and a parental-consent path so that these protections are enforced in the product and not only stated here. In the meantime, if you are a parent or guardian and believe your child has provided us personal information without the consent the law requires, contact privacy@animeuniverse.com and we will verify, delete that information, and close the account promptly. We will not knowingly use a child's data for any purpose beyond what is strictly necessary, and never for advertising.
17. International Data Transfers
Infinite Verse operates globally, and our infrastructure and several of our processors are located in the United States and other countries. This means that when you use the platform from the European Economic Area, the United Kingdom, Switzerland, or another region with cross-border transfer rules, your personal data is transferred to and processed in countries that may not provide the same level of legal protection as your home country, including the United States.
When we make these transfers, we put a recognized safeguard in place. For transfers out of the EEA we rely on the European Commission's Standard Contractual Clauses, and for transfers out of the United Kingdom we rely on the UK International Data Transfer Addendum to those clauses (or the standalone IDTA), together with any supplementary measures the circumstances require. Where a provider is certified under an applicable adequacy framework, such as the EU-U.S. Data Privacy Framework, we may rely on that as well. You can ask us for more detail about the safeguard applying to a particular transfer by writing to privacy@animeuniverse.com, and we will provide it.
18. Governing Law and Disputes
Anime Universe Global Holding Inc. is organized under the laws of the State of Texas, USA. Except where the mandatory law of your country of residence provides otherwise, this Privacy Policy and any dispute arising from it are governed by the laws of the State of Texas, without regard to its conflict-of-laws rules, and the state and federal courts located in Texas will have jurisdiction. Nothing in this section removes any right you have under the data protection law of your own country, including your right to bring a complaint before your local supervisory authority or, where the law allows, your local courts. Your statutory privacy rights always stand alongside this clause, never beneath it.
19. Changes to This Policy
We will update this policy as Infinite Verse grows and as the law evolves, and we will always keep the current version published openly with its effective date at the top. When we make a material change, we will give you clear notice through the platform or by email before it takes effect, and we will keep a record of past versions so you can see what changed. For routine clarifications, continued use of the platform after the updated policy takes effect means you accept the revised terms. For any change that affects a feature you use under consent, such as voice cloning, we will ask for your fresh, affirmative consent rather than treating silence or continued use as agreement, because consent-based features deserve a real choice every time.
20. How to Contact Us
We would genuinely rather hear from you than have you wonder. For any question about your privacy, to exercise a data right, to disconnect Google Sign-In, or simply to understand something in this policy better, email privacy@animeuniverse.com and a person will respond. For security concerns, email security@animeuniverse.com. You can reach Anime Universe Global Holding Inc. as the data controller through these addresses, and we will route your request to the right team, including our regional representatives where applicable.
Thank you for trusting us with the part of your story that lives on Infinite Verse. Protecting it is not a legal afterthought for us; it is part of building a universe worth belonging to. Anime Universe Global Holding Inc., Inventor: Sebastien Bilodeau.
Anime Universe Global Holding Inc. All rights reserved.