Privacy Policy

Last updated: March 28, 2026

Ombaverse (“we,” “us,” “our”) operates the platform at ombaverse.com. This Privacy Policy explains how we collect, use, share, and protect your personal data. We comply with the Uganda Data Protection and Privacy Act 2019, the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

1. Data We Collect

Information you provide:

• Account data: username, email address, password (hashed)
• Profile data: display name, bio, avatar, language preference
• Content: stories, chapters, art, comments, reactions you create
• Payment data: processed by third-party providers (Stripe, MTN Mobile Money, Airtel Money). We do not store card numbers or mobile money PINs.
• Communications: messages you send through the platform, support requests

Information collected automatically:

• Usage data: reading history, reading progress, pages viewed, time spent reading
• Device data: browser type, operating system, screen size
• Network data: IP address (hashed for abuse prevention), connection type
• Cookies: essential cookies for authentication and preferences. See Section 7.

2. How We Use Your Data

• Provide and operate the Service
• Process payments and distribute creator earnings
• Send notifications about content you follow
• Personalize recommendations based on reading history
• Ensure platform safety (content moderation, abuse prevention)
• Improve the Service through analytics
• Comply with legal obligations

Lawful basis (GDPR): Contract performance (providing the Service), legitimate interests (safety, improvement), and consent (marketing, cookies).

3. How We Share Your Data

We do not sell your personal data. We share data only with:

• Service providers: hosting (Vercel, Supabase), payment processing (Stripe, MTN, Airtel), email (Resend), storage (Cloudflare R2)
• Legal requirements: when required by law, court order, or to protect safety
• Business transfers: in connection with a merger, acquisition, or asset sale (you will be notified)
• With your consent: when you explicitly authorize sharing
• Aggregated/anonymized data: we may share non-identifying aggregate data for research or analytics

4. Your Rights

Depending on your location, you have the following rights:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (“right to be forgotten”)
• Portability: Receive your data in a structured, machine-readable format (JSON)
• Object: Object to processing based on legitimate interests
• Restrict: Request restriction of processing
• Withdraw consent: Withdraw consent at any time for consent-based processing

To exercise these rights, contact privacy@ombaverse.com. We will respond within 30 days.

5. Data Retention

• Account data: retained while your account is active. Deleted within 30 days of account deletion.
• Content: retained while on the platform. Removed when you delete it.
• Reading history: retained for up to 2 years for recommendations. You can request earlier deletion.
• Payment records: retained for 7 years as required by tax and financial regulations.
• Moderation logs: retained for 3 years for safety and compliance.

6. International Data Transfers

Ombaverse is based in Uganda. Your data may be processed in other countries through our service providers (e.g., cloud hosting in the US/EU). We ensure adequate protection through:

• Standard Contractual Clauses (for EU data)
• Consent for cross-border transfer (as required by Uganda DPA 2019)
• Using providers with equivalent data protection standards

7. Cookies

Essential cookies: required for authentication and basic functionality. Cannot be disabled.

Preference cookies: store your settings (theme, language, reading mode).

Analytics cookies: help us understand how the Service is used. You can opt out in your settings.

We do not use third-party advertising tracking cookies unless you opt in to ad-supported reading.

8. Children's Privacy

Ombaverse is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact us and we will delete it.

9. Uganda Data Protection Compliance

In accordance with the Uganda Data Protection and Privacy Act 2019:

• We will register with the Personal Data Protection Office (PDPO) before processing personal data of Ugandan residents
• We will designate a Data Protection Officer prior to launch
• We obtain explicit consent for cross-border data transfers
• You may lodge complaints with the PDPO at pdpo.go.ug

10. Security

We use industry-standard security measures including encryption in transit (TLS), encryption at rest (AES-256), row-level security policies, rate limiting, and regular security audits. No system is 100% secure — if you discover a vulnerability, contact security@ombaverse.com.

11. Changes

We will notify you of material changes at least 30 days in advance. Continued use after the effective date constitutes acceptance.

12. Contact

Data Protection Officer: privacy@ombaverse.com

Ombaverse, Kampala, Uganda