Privacy Policy
Last updated: 2026-06-10. Draft — pending legal review before public launch.
Short version: AI usage is metered for billing only — we log request metadata (token counts, latency, model), never your prose. Your library is encrypted at rest with per-user keys, and our staff do not read your manuscripts; access is limited to the automated operations you initiate (sync, AI requests you make, export).
What we collect
Account data
- Email address (required for sign-in + transactional emails)
- Display name (optional)
- Stripe customer ID (for billing only)
- License records (which tier, status, period end)
AI request metadata
- Request ID (for tracing)
- Model used (e.g. claude-sonnet-4-6)
- Input + output token counts
- Latency, status code, timestamp
- Cap-weighted token debit amount
- Our cost from the upstream provider
What we do NOT log: prose content, generated content, document titles, character names, world notes, or anything book-specific. AI proxy logs auto-expire after 90 days.
Device data (for sync)
- Device type (e.g., web)
- Display name you give it (e.g., "Surface Book")
- Browser version, OS version
- Last seen timestamp
Your library (manuscripts, series records, Author Directives, notes)
Stored encrypted at rest (AES-256-GCM) with a per-user key. Keys are managed by our service so your account stays recoverable with a standard email-based password reset — the same trust model as Google Docs or Notion. Our staff do not read your manuscripts; decryption happens only for the automated operations you initiate (sync, AI requests you make, beta-reader shares you create, export).
What we don't collect
- Browser history, cookies from other sites, system fingerprints
- Behavioral analytics inside the app (no third-party tracking SDKs)
- Your IP address beyond what's needed for the immediate request (no IP logging in DB)
How we use it
- Provide the service (billing, sync, AI proxy)
- Send transactional emails (license keys, payment failures, weekly usage summary)
- Detect abuse (per-user QPS limits, daily cost ceiling)
- Aggregate margin telemetry (anonymous tier-level totals — no per-user details)
We do not use your data for: ad targeting, lookalike audiences, training ML models, or selling to data brokers.
Third parties we share with (operational only)
- Supabase — database hosting, auth, edge functions
- Stripe — payment processing (they see card details; we don't)
- Upstream AI model vendors — cloud AI inference (the relevant passage is sent to fulfill the request you make, under contractual no-training agreements)
- Replicate / fal.ai — image generation (Publishing add-on; your prompt is sent to the model you select)
- Resend — transactional email delivery
- Backblaze B2 / Vercel / Railway — infrastructure hosting
Your rights
- Export: download all your data anytime from the account portal (manuscripts ship as ZIP)
- Delete: delete your account anytime from the account portal. Soft-deleted for 30 days (in case of accident), then purged
- Correct: update profile fields anytime; update DB records via support
- EU users (GDPR): right to access, rectify, erase, restrict, port, object
- California (CCPA): right to know, delete, opt-out of "sale" (we don't sell)
Data residency
At launch: US-only. EU region will be added when demand justifies (Supabase + Backblaze both offer EU regions; we'll route EU users to EU infrastructure when enabled).
Cookies (marketing site only)
We use Plausible Analytics — privacy-friendly, no cookies, no cross-site tracking, no personal data collected. The app itself uses zero third-party analytics SDKs.
Contact
Privacy questions: privacy@scribegrove.com
