Privacy Policy
Last updated: March 4, 2026
This privacy policy explains how Octapoint AB ("we," "us," or "Octapoint") collects, uses, and protects your personal data when you use Mad Gorilla ("the Service"). We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and Swedish data protection law.
1. Data controller
Octapoint AB
Org.nr: 559539-6234
Gothenburg, Sweden
Email: [email protected]
2. What data we collect
Account data
When you create an account, we collect your email address and a hashed password. If you sign up through a third-party provider (e.g., Google), we receive your email address and display name from that provider.
Chat data
We store the messages you send to AI characters and the AI-generated responses. This data is linked to your account and used to provide the Service, maintain conversation history, and calculate leaderboard scores.
Please note: Do not share sensitive personal information (such as health data, financial details, or government IDs) in conversations.
Usage data
We collect session timestamps, character selections, argument scores, and interaction patterns to operate the leaderboard and improve the Service.
Technical data
We automatically collect IP addresses, browser type, device information, and operating system for security, abuse prevention, and service stability.
Payment data
If you purchase credit packs, payment processing is handled entirely by our payment processor. We receive transaction IDs and purchase records but never see or store your full credit card details.
3. Why we process your data (legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Chat delivery and conversation history | Contract performance (Art. 6(1)(b)) |
| Leaderboard scoring and ranking | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Tax and accounting records | Legal obligation (Art. 6(1)(c)) — Bokföringslagen |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement | Legitimate interest (Art. 6(1)(f)) |
4. How long we keep your data
We retain your account data and fight history for as long as your account is active. When you delete your account, all personal data is permanently erased after a 14-day grace period. Anonymized financial transaction records are retained for 7 years as required by Swedish law (Bokföringslagen, SFS 1999:1078).
5. Third-party services
We share personal data only with service providers bound by a Data Processing Agreement (DPA): Stripe (payments, Ireland/EU), Cloudflare (security/CDN), Mistral AI (AI processing fallback, France), Hetzner (AI inference hosting, Germany), Google (OAuth login, Ireland/EU).
We do not sell your personal data. We do not share data with advertisers.
6. AI processing disclosure
MadGorilla uses artificial intelligence to generate character responses. Your messages are processed by our AI system hosted on servers in Germany. In some cases, messages may be processed by Mistral AI (France) as a fallback service. We do not use your conversations to train AI models.
7. International data transfers
Where data is transferred outside the EU, we rely on the EU-US Data Privacy Framework (adequacy decision) or Standard Contractual Clauses (SCCs).
8. Your rights under GDPR
- Access (Art. 15): Request a copy of all personal data. Self-service: Settings → Download My Data.
- Rectification (Art. 16): Correct inaccurate personal data.
- Erasure (Art. 17): Request deletion. Self-service: Settings → Delete Account.
- Restriction (Art. 18): Limit processing of your data.
- Data portability (Art. 20): Receive your data in machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): Withdraw consent at any time.
To exercise any right, email [email protected] or use the self-service options in your account settings.
9. Minimum age
MadGorilla is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18.
10. Security
We use industry-standard security measures including encrypted connections (TLS/HTTPS), hashed passwords, and access controls.
11. Supervisory authority
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Email: [email protected]
Website: imy.se
12. Contact us
Octapoint AB
Email: [email protected]
Org.nr: 559539-6234
Gothenburg, Sweden