Privacy Policy
Effective: 2026-05-23 (initial publication — re-issued at public launch)
Last updated: 2026-05-23
Site: https://lesserkey.semag.app
Operator: semag (a studio operated by Woojin Ahn, Republic of Korea), under Eodin — contact official@eodin.app. Registered business details (business name, registration number, address) will be disclosed on request to official@eodin.app and republished here once finalized.
> Draft status. This document is a working draft for review. Legal counsel review is recommended before launch. Bracketed [TBD] items still require concrete values from counsel.
1. Who we are
The Lesser Key (the "Site") is a serialized dark-fantasy light-novel website operated by the studio semag, a project under Eodin (the "Operator", "we", "us"). Content is authored by Woojin.
For questions about this policy or your personal data, contact official@eodin.app.
2. What this policy covers
This Policy describes what personal data the Site collects, how we use it, who we share it with, where it is stored, and what choices you have.
It does not cover third-party services you reach via outbound links (Royal Road, Scribble Hub, X/Twitter, RSS readers). Their privacy practices are their own.
3. Data we collect
3.1 Information you provide
- Account profile, when you sign in with Google: your email address, display name, and profile picture URL as supplied by Google OAuth.
- User content: comments you post. Comments include your display name, profile picture, and the body text you wrote.
- Reactions: chapters you "like" or "save" (bookmark).
3.2 Information collected automatically
- Session cookies for authentication (HTTP-only, Secure, SameSite=Lax). Without these, you cannot stay signed in.
- Reading preferences, stored locally on your device only: font size, theme (dark/light), last-read chapter and scroll position, "first like" / "first chapter completed" flags, cookie consent state. These never leave your device.
- Analytics events, if you grant analytics consent (see §6): event name, timestamp, anonymous device session id, page path, and a fixed safe-list of feature-specific properties. The safe-list is:
chapter_slug,scroll_milestone(25 / 50 / 75 / 90 %),comment_id_hash(SHA-256 of the comment id),country_code(ISO-3166 alpha-2 inferred from the CDN geo header),font_size,theme, andlightbox_opened. We do not record email, display name, comment body, full image URLs, phone, precise location, or IP in analytics events. - Server logs (kept by our hosting provider Vercel and by Cloudflare's edge CDN): IP address, User-Agent, request path, and response status, retained briefly for security, abuse prevention, and operational debugging. We do not store IPs in our own database.
3.3 What we do NOT collect
- Payment information. The Site does not currently process payments.
- Phone numbers.
- Precise geolocation. Country-level inference from IP may be made by the CDN for analytics enrichment, but raw IP is not retained by us.
- Sensitive categories (health, biometric, sexual orientation, political/religious belief, etc.).
4. How we use your data
| Purpose | Legal basis (EEA/UK GDPR) | Data used |
|---|---|---|
| Maintain your signed-in session | Contract / legitimate interest | Session cookie, account row |
| Display your name & avatar next to your comments and likes | Contract | Account profile |
| Show comment counts, like counts, bookmarks | Contract / legitimate interest | Comment & like rows |
| Prevent abuse, spam, brute-force | Legitimate interest | Server logs |
| Measure traffic, feature use, funnel completion | Consent (see §6) | Analytics events |
| Communicate operational notices about your account (if any) | Contract |
We do not engage in automated decision-making that produces legal or similarly significant effects on you.
5. Who we share data with
We use a small set of sub-processors to operate the Site. Each receives only the data necessary for the function listed; none receive a full copy of all your data.
- Google — Firebase Authentication (USA / global). Handles the Google sign-in flow and issues short-lived ID tokens that our server verifies. We receive your email address, display name, and profile picture URL; we never receive your Google password.
- Google — Firebase Analytics / GA4 (USA / global). When you grant analytics consent (see §6), receives the analytics events listed in §3.2. Configured with IP anonymization and without Google Signals or advertising-personalization features.
- Vercel Inc. (USA / global edge). Hosts the Site, runs the server-side API, and provides the managed database where your account record, your posted content (comments), and your engagement signals (likes, bookmarks) are stored. Retains short-lived server logs (IP, User-Agent, request path, response status). Vercel engages its own sub-processors as documented in its Data Processing Agreement.
- Cloudflare, Inc. (global edge). Provides the CDN edge cache and the object storage that serves chapter and gallery images. Retains short-lived edge and object-access logs (IP, User-Agent, request path).
- Eodin (internal studio analytics SDK, operated by the same Operator). When you grant analytics consent, receives a copy of the same safe-listed events sent to Firebase Analytics, used for cross-property studio analytics.
- Law enforcement / legal compliance — only if we receive a valid, narrowly-scoped legal request. We will resist overbroad requests.
We do not sell your personal data, and we do not currently run third-party advertising on the Site.
6. Cookies & consent (GDPR / ePrivacy)
The Site uses three categories of storage:
- Strictly necessary — session cookie for sign-in, cookie consent state, CSRF token. Always active. Cannot be opted out.
- Preferences (localStorage on your device only) — font size, theme, last-read chapter. Always active. Never sent to our servers.
- Analytics — Firebase Analytics (GA4) + Eodin SDK. Active only after you grant consent via the cookie banner. Until then, no analytics scripts load and no events are emitted.
You can revoke analytics consent at any time from the cookie preferences link in the footer. Revocation takes effect on next page load and clears any locally cached consent flag.
Global Privacy Control. We honor the Sec-GPC: 1 signal sent by your browser as a valid opt-out of analytics tracking, treating it equivalently to an explicit "decline" on the cookie banner. The signal applies for the session in which it is sent and is re-evaluated on each request.
7. International transfers
The Site is operated from the Republic of Korea, but our sub-processors are global:
- Vercel (USA) — Standard Contractual Clauses; EU-US Data Privacy Framework where applicable.
- Google / Firebase (USA) — Standard Contractual Clauses; EU-US Data Privacy Framework; Google's published cross-border-transfer safeguards.
- Cloudflare (global edge) — Standard Contractual Clauses; Cloudflare's published cross-border-transfer safeguards.
Sub-sub-processors engaged by the providers above are covered by those providers' processing agreements and inherit the same safeguards. Where you are located in the EEA, UK, Switzerland, or another jurisdiction with restrictions on international transfers, these safeguards form the legal basis for transferring your personal data to the providers above.
8. Retention
| Data | Retention |
|---|---|
| Account profile | While your account exists; deleted on account deletion request |
| Comments | While your account exists; on deletion they may be retained as [deleted] placeholders to preserve thread structure, with author info removed (see Terms §5) |
| Likes / bookmarks | While your account exists; deleted on account deletion |
| Audit log (admin / moderation actions) | Up to 1 year. The audit log records who changed what content and is retained for security and dispute-resolution purposes even after an actor's account is deleted; in that case actor identifiers are reduced to a stable opaque id. |
| Server logs (Vercel + Cloudflare CDN) | Typically days to weeks per Vercel and Cloudflare retention defaults |
| Analytics events | Per Firebase Analytics (GA4) defaults — currently up to 14 months — and per Eodin SDK defaults |
9. Your rights
If you are in the EEA, UK, Korea, California, or another jurisdiction with a personal data law, you have rights to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data.
- Object to processing based on legitimate interest.
- Withdraw consent for analytics at any time.
- Lodge a complaint with your local supervisory authority.
To exercise any of these, email official@eodin.app from the email associated with your account. There is currently no self-service delete UI; requests are processed manually. Our default response window is 30 days, consistent with GDPR Art. 12 ③ and CCPA §1798.130. Where the law of your residence prescribes a shorter window (for example, 10 days under Korea's PIPA §35 ③), we will meet that shorter window. Where the law permits a reasoned extension (up to 60 or 90 days depending on regime), we will use it only with prior notice to you.
10. Children
The Site is not directed to children below the digital-consent age in their jurisdiction. The applicable age varies by country — for example, 13 in the United States (COPPA) and the United Kingdom, 14 in Korea (PIPA §22 ⑥), Italy, and Spain, 15 in France, and 16 in Germany, the Netherlands, and the EU baseline absent a member-state lowering. We do not knowingly collect personal data from children below the applicable threshold. If you believe a minor has provided personal data, contact us and we will remove it.
11. Security
We use industry-standard measures: HTTPS only, HTTP-only Secure cookies, server-side input validation, dual-token authentication for write endpoints, and access controls on our infrastructure. No system is completely secure; we cannot guarantee absolute security.
12. Changes to this Policy
We may update this Policy. Material changes will be announced on the Site at least 14 days before taking effect, and the "Last updated" date above will be revised. Continued use after the effective date is acceptance.
13. Contact & data-protection responsibility
The Operator acts as both data controller and the single point of contact for data-protection matters across jurisdictions:
- Privacy contact: Woojin Ahn, Operator (semag) —
official@eodin.app - Korea (PIPA §30): Woojin Ahn serves as the Personal Information Protection Officer.
- EEA / UK: We have not appointed a separate representative under GDPR Art. 27 / UK-GDPR Art. 27. Contact the privacy address above directly.
You may also lodge a complaint with the data-protection authority of your residence — for example, the Personal Information Protection Commission (Korea), your national supervisory authority (EEA), the Information Commissioner's Office (UK), or the California Privacy Protection Agency (California).
14. Languages
This Policy is published in English. Translations may be added to assist readers in specific jurisdictions; in the event of any conflict between the English version and a translation, the English version controls except where local mandatory law requires otherwise.
15. Related documents
See the Terms of Service for the rules that govern your use of the Site, the licence you grant when posting comments, the moderation policy, and the notice-and-takedown procedure for rights-infringement claims.
