Privacy Policy

How we handle your data

1. Introduction

Nervejack ("we", "our", "the service") is an AI-powered text RPG operated by Threadlimit LLC. This policy explains what data we collect, why we collect it, and how we protect it.

By using Nervejack, you agree to the collection and use of information as described in this policy.

2. Data We Collect

Account Information

When you sign in via Google OAuth, we receive and store:

• Name — Your display name from your Google account
• Email address — Used as your unique account identifier
• Profile image URL — Your Google profile picture link

We do not receive or store your Google password. Authentication is handled entirely through Google's OAuth 2.0 protocol.

Session Data

When you sign in, we create a session that stores:

• Session token — A random identifier for your active session
• IP address — Recorded at sign-in time
• User agent — Your browser identification string
• Expiration time — Sessions expire automatically

Game Data

During gameplay, we store:

• Game state — Your character's HP, credits, inventory, quests, known NPCs, location, and key events
• Story history — Your recent actions and the AI's narrative responses (the last 50 messages)
• Turn count and usage — How many turns you have taken, tracked daily for free-tier limits
• Story summary — A condensed summary of your game session, generated periodically

All game data is tied to your account and is not shared with other users.

Billing Data

If you subscribe to a paid plan (Plus or Pro), payment processing is handled entirely by Stripe. We store:

• Stripe Customer ID — Links your account to your Stripe customer record
• Subscription status — Whether your subscription is active, canceled, etc.
• Billing period — Your current subscription period start and end dates

We do not store your credit card number, CVV, or full billing address. All payment details are handled securely by Stripe. See Stripe's Privacy Policy.

3. How We Use Your Data

• Authentication — To identify you and maintain your session
• Gameplay — To save and restore your game progress, and to provide context to the AI for narrative generation
• Usage limits — To enforce daily turn limits on the free tier
• Billing — To manage your subscription and process payments through Stripe
• Analytics — To understand how visitors find and use the site, in aggregate
• Advertising and measurement — To measure the effectiveness of our ads and to reach people who may be interested in Nervejack, using the advertising partners listed below. This processing happens only where it is permitted by law or where you have consented.

We do not sell your data for money. Some of our advertising cookies and conversion measurement (described below) may count as "sharing" or "sale" under certain US state privacy laws. You can opt out at any time using the controls in Section 7.

Legal Bases for Processing (EEA and UK)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases to process your personal data:

• Performance of a contract — to create and run your account, save and restore your game, and provide the service you signed up for.
• Consent — for analytics and advertising cookies and pixels. You can withdraw your consent at any time (see Section 7), without affecting processing carried out before withdrawal.
• Legitimate interests — to keep the service secure, prevent abuse and fraud, and understand aggregate usage, balanced against your rights and freedoms.
• Legal obligation — where we are required to retain or disclose data to comply with applicable law.

4. Third-Party Services

Nervejack uses the following third-party services that may process your data:

• Google OAuth — For authentication. Google receives a sign-in request when you log in. See Google's Privacy Policy.
• Cloudflare — Our hosting provider. All data is stored on Cloudflare's infrastructure (D1 database, Workers). Cloudflare may collect standard web traffic metadata. See Cloudflare's Privacy Policy.
• OpenRouter / Google Gemini — AI model providers. Your game actions and story context are sent to AI models to generate narrative responses. These requests do not include your email, name, or other personal identifying information, only game content.
• Stripe — Payment processing for Plus and Pro subscriptions. See Stripe's Privacy Policy.

Analytics partners

• Google Analytics (GA4) — Helps us understand how visitors use the site: which pages are visited, how long sessions last, and where traffic comes from. We load it only with your consent where consent is required. See Google's Privacy Policy and the Google Analytics opt-out.

Advertising partners

To measure conversions and run ads, we use the advertising and measurement tools below. These run only with your consent where consent is required, and can be turned off at any time (Section 7). Some receive a hashed (irreversible) version of your email and your IP address and user agent so a conversion (such as a sign-up or subscription) can be matched to an ad. We send some of these events from our server as well as from your browser.

• Meta (Facebook/Instagram) Pixel and Conversions API — See Meta's Privacy Policy.
• TikTok Pixel and Events API — See TikTok's Privacy Policy.
• Reddit Pixel — See Reddit's Privacy Policy.
• Google Ads (conversion tracking) — See Google's Privacy Policy.

International Data Transfers

Several of the providers above (including the analytics and advertising partners, and our hosting and payment providers) process data in the United States and other countries outside the European Economic Area (EEA) and the United Kingdom. Where your personal data is transferred outside the EEA or UK, that transfer is protected by legally recognized safeguards, such as the EU-US Data Privacy Framework or Standard Contractual Clauses provided by those providers. You can review each provider's privacy policy, linked above, for details of how they handle international transfers, or contact us using the details in Section 12 for more information.

5. Cookies and Similar Technologies

We group cookies and similar storage into three categories. You can change your choices anytime with the Manage cookie preferences button in Section 7.

Strictly necessary (always on)

• Session cookie — A random session token that keeps you signed in. Required for the service to function.
• Guest session and game save — Local storage that lets you keep playing as a guest and enforces fair daily turn limits.
• Interface settings — Local storage for your preferences (font size, text-to-speech, reduced motion, and similar).

Analytics (consent-based)

• Google Analytics (_ga, _ga_*) — Distinguishes visitors and counts page views in aggregate. Expires after up to 2 years.
• First-party funnel events — We record key steps (landing, starting the game, signing in, starting checkout) with a random session id and any campaign tags from the link you arrived on, to understand our funnel.

Advertising (consent-based)

• Meta (_fbp, _fbc), TikTok (_ttp, _ttclid), Reddit, and Google Ads cookies — Set by the advertising tools above to measure ad conversions and, in some cases, to show you relevant ads. These can persist for up to roughly 90 to 180 days depending on the provider.

Where the law requires consent (for example in the EU, EEA, UK, and Switzerland), analytics and advertising cookies are not set until you accept them. Where the law allows it (for example in the United States), they may be set by default, but you can opt out at any time, and we honor the Global Privacy Control (GPC) browser signal.

6. Data Retention

• Account data — Retained as long as your account exists
• Game saves — Retained as long as your account exists. You can delete your save at any time by starting a new game
• Session data — Automatically deleted when sessions expire
• Usage data — Daily turn counts are retained indefinitely for rate-limiting purposes

7. Your Privacy Rights and Choices

You are in control of analytics and advertising on Nervejack:

• Manage cookie preferences — Turn analytics and advertising on or off at any time: Manage cookie preferences
• Global Privacy Control — If your browser or an extension sends a GPC signal, we treat it as an opt-out of advertising "sale"/"sharing" automatically.
• EU, EEA, UK, and Switzerland — We ask for your consent before loading any analytics or advertising tools, and nothing non-essential runs until you accept. You may withdraw consent at any time using the button above.
• United States — Depending on your state, you may have the right to opt out of the "sale" or "sharing" of your personal information and of targeted advertising. Use the button above or the "Your Privacy Choices" link to opt out.
• Account data — You can request access to or deletion of your account data as described in the next section.

Your Rights Under the GDPR and Similar Laws

If you are in the EEA, the UK, or a jurisdiction with comparable laws, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your data ("right to be forgotten")
• Restrict or object to certain processing, including profiling for advertising
• Portability — receive your data in a structured, machine-readable format
• Withdraw consent at any time, without affecting processing carried out before withdrawal
• Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us using the details in Section 12. We will respond within the timeframe required by applicable law, and we will not discriminate against you for exercising your rights.

8. Data Deletion

You can request deletion of your account and all associated data by contacting us at the email below. Upon request, we will delete:

• Your user account and profile information
• All game saves and story history
• Session records
• Usage records

Stripe records are managed through Stripe's systems. You may also contact Stripe directly regarding payment data.

9. Data Security

Your data is protected by:

• HTTPS encryption for all data in transit
• Cloudflare's edge network security
• OAuth 2.0 for authentication (no passwords stored)
• Session tokens for authorization (no credentials in cookies)

10. Children's Privacy

Nervejack is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy questions, data deletion requests, or concerns:

• Email: info@threadlimit.co

Last updated: June 21, 2026