Privacy Policy.

Effective date: April 27, 2026
Last updated: April 27, 2026

This Privacy Policy explains what data Yumefumi collects, how we use it, how we share it, and the choices you have. It covers yumefumi.com and any related services run by ContentCrepe LLC ("Yumefumi", "we", "us"), a Delaware limited liability company based in Dover, Delaware.

1. What we collect

Account data.

  • Email address, username, display name, password (hashed via Supabase Auth - we never see the plaintext)
  • Subscription tier and billing status (we don't store full payment details; Stripe handles those)
  • Avatar and banner images you upload
  • Optional profile fields you fill in (bio, accent color, handle history, etc.)

Content you create.

  • Reviews, ratings, lists, route progress, reading-status changes, drop reasons, private notes, reactions, follows, threads, replies
  • Curator submissions and editorial edits if you're a curator

Reading-activity data.

  • Which VNs you've marked as planned, reading, finished, paused, or dropped
  • When you started and finished a VN
  • Session timer entries (Pro)
  • Velocity and heatmap stats derived from the above (Pro)

Technical data.

  • IP address, kept short-term for rate-limiting and abuse detection (pruned after 30 days)
  • Browser user-agent and page-view counts (used to show "currently reading" indicators and aggregate trends)
  • An opaque, HttpOnly view-tracking cookie (random per browser session, no IP, no fingerprint, expires after 30 days)
  • Errors and performance traces via Sentry (our error monitoring service)

Communications.

  • Support emails you send us
  • Email-confirmation and password-reset events (delivered via Resend)

2. How we use it

  • To provide the Service. Show your reviews to people who follow you, populate your reading log, gate access to paid tiers, deliver notifications, run the search index.
  • To run the recommendation engine. Your finished-and-rated VNs and other reading signals feed Pro recommendations. Aggregated patterns also inform the engine's general behavior.
  • To moderate. Detect abuse, enforce community standards, investigate reports.
  • To communicate. Account messages (verification, password reset, billing receipts), product announcements you opt into, and operational notices (security incidents, policy changes).
  • To improve. Aggregate, anonymized analysis of how readers use the site, plus a transparency report each year.

No AI training, internal or external. Yumefumi's recommendation engine is rule-based, not an LLM and not a learned model. We don't train any AI on your reviews, your reading log, your ratings, or anything else you write here. Not internally, not via a third-party vendor, not aggregated, not anonymized.

3. Legal bases (GDPR / UK GDPR)

If you're in the EU, UK, or another GDPR-aligned jurisdiction, our legal bases for processing are:

  • Contract. Most processing (running your account, billing, the recommendation engine) is necessary to deliver the service you signed up for.
  • Legitimate interest. Abuse detection, error monitoring, basic site analytics. We balance these against your rights and interests.
  • Consent. Optional analytics processing (the aggregate-analytics opt-in toggle), marketing emails when you opt into them, age confirmation for adult content.
  • Legal obligation. Tax records on subscription revenue, responding to lawful requests from authorities.

You can withdraw consent at any time without affecting the lawfulness of processing before the withdrawal.

4. Sharing

We don't sell your personal data. Period.

We share data with the following service providers, who process it on our behalf under contract:

  • Supabase (database, authentication, file storage) - hosts your account and content data in the United States
  • Stripe (payments) - handles subscription billing; we never see your full card number
  • Resend (email delivery) - sends transactional emails (confirmation, password reset, receipts)
  • Sentry (error monitoring) - collects error reports and performance traces
  • Vercel (hosting) - runs the site
  • Cloudflare (CDN, security) - handles network-level security and asset delivery

We may share data when required by law, to enforce our Terms, to protect rights or safety, or in connection with a corporate transaction (merger, acquisition, sale of assets). If a transaction would change who controls your data, we'll notify you and give you the option to delete your account before the change takes effect.

5. Aggregate analytics + ContentCrepe

Yumefumi is owned by ContentCrepe LLC, which also makes visual novels.

We use aggregated, anonymized reading data on this platform - length-finish curves, tag-affinity clusters, route-engagement patterns - to inform ContentCrepe's own VN development.

  • We never share individual user data with anyone, including the ContentCrepe game-development team
  • We never use platform data to give ContentCrepe games preferential placement on Yumefumi (the editorial surface is structurally walled off from publisher relationships, ContentCrepe included)
  • We publish an annual transparency report summarizing what we learn so the broader VN community benefits

You can opt out of aggregate analytics at any time at /settings → Privacy. Opting out removes your reading-activity data from future aggregation. Your reading history stays yours regardless.

6. International transfers

Your data is primarily stored in the United States. If you're in the EU, UK, or another jurisdiction with cross-border data rules, your data is transferred to and processed in the U.S. We rely on Standard Contractual Clauses with our service providers to cover those transfers, and we keep a copy of the SCCs on file.

7. Retention

  • Active accounts. We keep your data as long as your account is active.
  • Deleted accounts. When you delete your account, we delete your reviews, ratings, lists, follow graph, sessions, notes, and reactions. Some data persists in encrypted backups for up to 30 days before falling out of rotation.
  • Aggregate analytics. Anonymized aggregates that can't be traced back to you may persist indefinitely for trend analysis.
  • Tax records. Subscription billing records are kept for 7 years to comply with tax law.
  • Audit logs. Moderation events, security incidents, and admin actions are retained for at least 2 years for accountability.

8. Your rights

Wherever you live, you can:

  • Access the data we hold about you
  • Correct inaccurate data
  • Export your data in a portable format
  • Delete your account and associated data (subject to retention exceptions in §7)

If you're in the EU, UK, California, or another jurisdiction with comparable rights, you also have the right to:

  • Restrict or object to processing under specific circumstances
  • Withdraw consent at any time
  • Lodge a complaint with your local data-protection authority (we'd appreciate hearing about it first so we can fix what's wrong)

To exercise any of these rights, write to support@yumefumi.com. We aim to respond within 30 days.

California (CCPA / CPRA). California residents have specific rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We don't sell or share personal information as defined by the CCPA. To submit a request, email the address above.

Other U.S. states. If you live in Virginia, Colorado, Connecticut, Utah, or another state with a comprehensive privacy law, your rights are similar to those above and the same email is the way to exercise them.

9. Cookies and similar technologies

Yumefumi uses a small set of essential cookies and tokens:

  • Authentication session cookie (Supabase Auth). Required to keep you signed in. Encrypted, HttpOnly.
  • View-tracking session token. Random per browser session. Used to count VN page-views without inflating the count when you refresh. Opaque, HttpOnly, no IP, no fingerprint, expires after 30 days.
  • CSP nonce cookie. Per-request, used for the Content Security Policy. Doesn't carry user data.

We don't use third-party analytics or advertising trackers. We don't have a Facebook pixel, a Google Analytics tag, or anything that follows you to other sites.

10. Children

Yumefumi is not directed at children under 13. We don't knowingly collect personal information from anyone under 13. If you believe a child under 13 has signed up, contact support@yumefumi.com and we will delete the account.

Some catalog entries are rated for adult audiences (18+) and gated behind an age confirmation. Bypassing the age gate is a violation of the Terms.

11. Adult content

The catalog includes visual novels rated for adult audiences. Access to those entries requires an explicit age confirmation. We don't store or use age-confirmation data beyond the binary "user has confirmed they are 18+" flag and an audit log entry of when the confirmation happened.

12. Security

We take security seriously:

  • All traffic is HTTPS, with HSTS enforced
  • Passwords are hashed by Supabase Auth (we never see plaintext)
  • Service-role database keys are restricted to server-side code paths
  • Rate-limiting is applied to login, signup, password reset, and other sensitive endpoints
  • We monitor for compromised credentials and unusual sign-in patterns
  • A subset of admin actions (curator suspensions, content removals, etc.) is recorded in append-only audit logs

If we discover a security incident affecting your data, we'll notify affected users without undue delay (and within 72 hours where required by law).

Security questions or vulnerability reports go to support@yumefumi.com with the subject line "security disclosure". We don't currently run a paid bug bounty, but we credit responsible disclosures publicly with permission.

13. Updates to this policy

We may update this Privacy Policy. When we do, we'll post the new version with an updated "Last updated" date and, for material changes, notify you by email. Continued use of the Service after a material change goes into effect counts as acceptance.

14. Contact

ContentCrepe LLC, Dover, Delaware, United States.