Privacy

Last updated: June 1, 2026

This policy describes how Tales of the Galaxy (the "Platform") collects, uses and protects users' personal data. It is drafted in compliance with the Swiss Federal Act on Data Protection (FADP, SR 235.1) and the General Data Protection Regulation (GDPR, EU 2016/679) for users located in the European Union.

1. Data controller

Aïssa Bovet, canton of Vaud, Switzerland — contact@talesofthegalaxy.com.

2. Personal data collected

The Platform collects the following categories of data:

  • Identification data: display name, username, email address, password (stored as an irreversible hash).
  • Connection data: IP address, user agent (browser), session timestamps, last-login date.
  • Declarative data: confirmation of adult status (adult_consent_at).
  • Published content: stories, series, illustrations, audio/video files, ratings, canon votes, favourites, reports.
  • Technical data: language preference (locale cookie).

3. Purposes and legal bases

PurposeLegal basis
Account creation and managementPerformance of the contract (Terms)
Publication and distribution of storiesPerformance of the contract
Moderation and reportingLegitimate interest (legal certainty, combating illegal content)
Adult-status verificationLegal obligation (protection of minors)
Anonymous internal statisticsLegitimate interest
Administrative communications (email verification, password reset)Performance of the contract

4. Data recipients

Data is processed exclusively by the publisher. No data is sold, rented or transferred to third parties for commercial purposes. The only technical recipients are:

  • Infomaniak Network SA (hosting, Geneva, Switzerland) — data storage.
  • Should a transactional-email provider be added later, its identity will be disclosed here before activation.

No data is transferred outside Switzerland / EU / EEA to recipients that do not provide an equivalent level of protection.

5. Cookies

The Platform only uses cookies essential to its operation, with no advertising or third-party analytical purpose:

  • laravel_session — technical session identifier (lifetime: 120 minutes).
  • XSRF-TOKEN — protection against request forgery (lifetime: session).
  • locale — selected-language memory (lifetime: 365 days).
  • adult_ok — memory of acceptance of the adult-content warning (lifetime: 365 days).

No third-party audience-measurement cookie (Google Analytics, Matomo, etc.) is set. Should such a tool be added in the future, this policy will be updated and explicit consent will be requested before any cookie is set.

6. Retention periods

  • Active account: retained while the account is not deleted.
  • Deleted account: immediate erasure of identification data; moderation logs and reports retained for 12 months for evidentiary purposes.
  • Published content: retained while the account is active; upon account deletion or erasure request, the user may obtain removal from the Platform and anonymisation of contributions that have not been integrated into a derivative work. Content already incorporated into a derivative work (game, publication, etc.) remains exploitable by the Publisher under the irrevocable licence granted in article 5 of the Terms, pursuant to article 17.3.e GDPR (exception to the right to erasure for the establishment, exercise or defence of legal claims).
  • Server logs: maximum 30 days.

7. Your rights

In accordance with the FADP and GDPR, you have at all times the following rights:

  • Right of access to your data and to obtain a copy;
  • Right to rectification of inaccurate or incomplete data;
  • Right to erasure ("right to be forgotten");
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object on legitimate grounds;
  • Right to withdraw consent at any time, without retroactive effect and without affecting the irrevocable licence granted over Content already exploited in a derivative work;
  • Right to lodge a complaint with a supervisory authority.

Limit applicable to several of these rights: in accordance with article 17.3.e GDPR, the right to erasure and the right to object do not apply to Content that has been integrated into a derivative work produced by the Publisher (video game, publication, etc.), for the duration necessary to exploit said derivative work, in order to ensure the legal certainty of works already commercialised. This limit is set out in article 5 of the Terms and accepted by the user upon registration.

To exercise these rights, contact contact@talesofthegalaxy.com specifying the object of your request. A response will be provided within a reasonable time, and at the latest within 30 days.

8. Supervisory authorities

Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch.
European Union: supervisory authority of your country of residence (in France, CNIL — www.cnil.fr).

9. Security

Passwords are stored as bcrypt hashes; sessions are protected against forgery (CSRF); communications are encrypted via HTTPS. No security measure can however be guaranteed infallible; users are encouraged to use a strong, unique password.

10. Changes

This policy may be modified at any time. The "Last updated" date at the top of the page is authoritative. Users are encouraged to consult it regularly.