The Lesser Key logo

The Lesser Key

Privacy Policy

Version 1.0.0|Last updated: May 23, 2026|Effective: May 23, 2026

Privacy Policy

Effective: 2026-05-23 (initial publication — re-issued at public launch) Last updated: 2026-05-23 Site: https://lesserkey.semag.app Operator: semag (a studio operated by Woojin Ahn, Republic of Korea), under Eodin — contact official@eodin.app. Registered business details (business name, registration number, address) will be disclosed on request to official@eodin.app and republished here once finalized.

> Draft status. This document is a working draft for review. Legal counsel review is recommended before launch. Bracketed [TBD] items still require concrete values from counsel.


1. Who we are

The Lesser Key (the "Site") is a serialized dark-fantasy light-novel website operated by the studio semag, a project under Eodin (the "Operator", "we", "us"). Content is authored by Woojin.

For questions about this policy or your personal data, contact official@eodin.app.

2. What this policy covers

This Policy describes what personal data the Site collects, how we use it, who we share it with, where it is stored, and what choices you have.

It does not cover third-party services you reach via outbound links (Royal Road, Scribble Hub, X/Twitter, RSS readers). Their privacy practices are their own.

3. Data we collect

3.1 Information you provide

  • Account profile, when you sign in with Google: your email address, display name, and profile picture URL as supplied by Google OAuth.
  • User content: comments you post. Comments include your display name, profile picture, and the body text you wrote.
  • Reactions: chapters you "like" or "save" (bookmark).

3.2 Information collected automatically

  • Session cookies for authentication (HTTP-only, Secure, SameSite=Lax). Without these, you cannot stay signed in.
  • Reading preferences, stored locally on your device only: font size, theme (dark/light), last-read chapter and scroll position, "first like" / "first chapter completed" flags, cookie consent state. These never leave your device.
  • Analytics events, if you grant analytics consent (see §6): event name, timestamp, anonymous device session id, page path, and a fixed safe-list of feature-specific properties. The safe-list is: chapter_slug, scroll_milestone (25 / 50 / 75 / 90 %), comment_id_hash (SHA-256 of the comment id), country_code (ISO-3166 alpha-2 inferred from the CDN geo header), font_size, theme, and lightbox_opened. We do not record email, display name, comment body, full image URLs, phone, precise location, or IP in analytics events.
  • Server logs (kept by our hosting provider Vercel and by Cloudflare's edge CDN): IP address, User-Agent, request path, and response status, retained briefly for security, abuse prevention, and operational debugging. We do not store IPs in our own database.

3.3 What we do NOT collect

  • Payment information. The Site does not currently process payments.
  • Phone numbers.
  • Precise geolocation. Country-level inference from IP may be made by the CDN for analytics enrichment, but raw IP is not retained by us.
  • Sensitive categories (health, biometric, sexual orientation, political/religious belief, etc.).

4. How we use your data

PurposeLegal basis (EEA/UK GDPR)Data used
Maintain your signed-in sessionContract / legitimate interestSession cookie, account row
Display your name & avatar next to your comments and likesContractAccount profile
Show comment counts, like counts, bookmarksContract / legitimate interestComment & like rows
Prevent abuse, spam, brute-forceLegitimate interestServer logs
Measure traffic, feature use, funnel completionConsent (see §6)Analytics events
Communicate operational notices about your account (if any)ContractEmail

We do not engage in automated decision-making that produces legal or similarly significant effects on you.

5. Who we share data with

We use a small set of sub-processors to operate the Site. Each receives only the data necessary for the function listed; none receive a full copy of all your data.

  • Google — Firebase Authentication (USA / global). Handles the Google sign-in flow and issues short-lived ID tokens that our server verifies. We receive your email address, display name, and profile picture URL; we never receive your Google password.
  • Google — Firebase Analytics / GA4 (USA / global). When you grant analytics consent (see §6), receives the analytics events listed in §3.2. Configured with IP anonymization and without Google Signals or advertising-personalization features.
  • Vercel Inc. (USA / global edge). Hosts the Site, runs the server-side API, and provides the managed database where your account record, your posted content (comments), and your engagement signals (likes, bookmarks) are stored. Retains short-lived server logs (IP, User-Agent, request path, response status). Vercel engages its own sub-processors as documented in its Data Processing Agreement.
  • Cloudflare, Inc. (global edge). Provides the CDN edge cache and the object storage that serves chapter and gallery images. Retains short-lived edge and object-access logs (IP, User-Agent, request path).
  • Eodin (internal studio analytics SDK, operated by the same Operator). When you grant analytics consent, receives a copy of the same safe-listed events sent to Firebase Analytics, used for cross-property studio analytics.
  • Law enforcement / legal compliance — only if we receive a valid, narrowly-scoped legal request. We will resist overbroad requests.

We do not sell your personal data, and we do not currently run third-party advertising on the Site.

6. Cookies & consent (GDPR / ePrivacy)

The Site uses three categories of storage:

  1. Strictly necessary — session cookie for sign-in, cookie consent state, CSRF token. Always active. Cannot be opted out.
  2. Preferences (localStorage on your device only) — font size, theme, last-read chapter. Always active. Never sent to our servers.
  3. Analytics — Firebase Analytics (GA4) + Eodin SDK. Active only after you grant consent via the cookie banner. Until then, no analytics scripts load and no events are emitted.

You can revoke analytics consent at any time from the cookie preferences link in the footer. Revocation takes effect on next page load and clears any locally cached consent flag.

Global Privacy Control. We honor the Sec-GPC: 1 signal sent by your browser as a valid opt-out of analytics tracking, treating it equivalently to an explicit "decline" on the cookie banner. The signal applies for the session in which it is sent and is re-evaluated on each request.

7. International transfers

The Site is operated from the Republic of Korea, but our sub-processors are global:

  • Vercel (USA) — Standard Contractual Clauses; EU-US Data Privacy Framework where applicable.
  • Google / Firebase (USA) — Standard Contractual Clauses; EU-US Data Privacy Framework; Google's published cross-border-transfer safeguards.
  • Cloudflare (global edge) — Standard Contractual Clauses; Cloudflare's published cross-border-transfer safeguards.

Sub-sub-processors engaged by the providers above are covered by those providers' processing agreements and inherit the same safeguards. Where you are located in the EEA, UK, Switzerland, or another jurisdiction with restrictions on international transfers, these safeguards form the legal basis for transferring your personal data to the providers above.

8. Retention

DataRetention
Account profileWhile your account exists; deleted on account deletion request
CommentsWhile your account exists; on deletion they may be retained as [deleted] placeholders to preserve thread structure, with author info removed (see Terms §5)
Likes / bookmarksWhile your account exists; deleted on account deletion
Audit log (admin / moderation actions)Up to 1 year. The audit log records who changed what content and is retained for security and dispute-resolution purposes even after an actor's account is deleted; in that case actor identifiers are reduced to a stable opaque id.
Server logs (Vercel + Cloudflare CDN)Typically days to weeks per Vercel and Cloudflare retention defaults
Analytics eventsPer Firebase Analytics (GA4) defaults — currently up to 14 months — and per Eodin SDK defaults

9. Your rights

If you are in the EEA, UK, Korea, California, or another jurisdiction with a personal data law, you have rights to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Object to processing based on legitimate interest.
  • Withdraw consent for analytics at any time.
  • Lodge a complaint with your local supervisory authority.

To exercise any of these, email official@eodin.app from the email associated with your account. There is currently no self-service delete UI; requests are processed manually. Our default response window is 30 days, consistent with GDPR Art. 12 ③ and CCPA §1798.130. Where the law of your residence prescribes a shorter window (for example, 10 days under Korea's PIPA §35 ③), we will meet that shorter window. Where the law permits a reasoned extension (up to 60 or 90 days depending on regime), we will use it only with prior notice to you.

10. Children

The Site is not directed to children below the digital-consent age in their jurisdiction. The applicable age varies by country — for example, 13 in the United States (COPPA) and the United Kingdom, 14 in Korea (PIPA §22 ⑥), Italy, and Spain, 15 in France, and 16 in Germany, the Netherlands, and the EU baseline absent a member-state lowering. We do not knowingly collect personal data from children below the applicable threshold. If you believe a minor has provided personal data, contact us and we will remove it.

11. Security

We use industry-standard measures: HTTPS only, HTTP-only Secure cookies, server-side input validation, dual-token authentication for write endpoints, and access controls on our infrastructure. No system is completely secure; we cannot guarantee absolute security.

12. Changes to this Policy

We may update this Policy. Material changes will be announced on the Site at least 14 days before taking effect, and the "Last updated" date above will be revised. Continued use after the effective date is acceptance.

13. Contact & data-protection responsibility

The Operator acts as both data controller and the single point of contact for data-protection matters across jurisdictions:

  • Privacy contact: Woojin Ahn, Operator (semag) — official@eodin.app
  • Korea (PIPA §30): Woojin Ahn serves as the Personal Information Protection Officer.
  • EEA / UK: We have not appointed a separate representative under GDPR Art. 27 / UK-GDPR Art. 27. Contact the privacy address above directly.

You may also lodge a complaint with the data-protection authority of your residence — for example, the Personal Information Protection Commission (Korea), your national supervisory authority (EEA), the Information Commissioner's Office (UK), or the California Privacy Protection Agency (California).

14. Languages

This Policy is published in English. Translations may be added to assist readers in specific jurisdictions; in the event of any conflict between the English version and a translation, the English version controls except where local mandatory law requires otherwise.

15. Related documents

See the Terms of Service for the rules that govern your use of the Site, the licence you grant when posting comments, the moderation policy, and the notice-and-takedown procedure for rights-infringement claims.

Privacy Policy - The Lesser Key