Scribegrove

Privacy Policy

Last updated: 2026-05-13. Draft — pending legal review before public launch.

Short version: Local AI runs on your machine. Cloud AI is metered for billing only — we log request metadata (token counts, latency, model), never your prose. Sync is encrypted client-side; we can't read your manuscripts even if we wanted to.

What we collect

Account data

  • Email address (required for sign-in + transactional emails)
  • Display name (optional)
  • Stripe customer ID (for billing only)
  • License records (which tier, status, period end)

AI request metadata (Online tier only)

  • Request ID (for tracing)
  • Model used (e.g. claude-sonnet-4-6)
  • Input + output token counts
  • Latency, status code, timestamp
  • Cap-weighted token debit amount
  • Our cost from the upstream provider

What we do NOT log: prose content, generated content, document titles, character names, world notes, or anything book-specific. AI proxy logs auto-expire after 90 days.

Device data (for sync)

  • Device type (desktop_win / desktop_mac / web)
  • Display name you give it (e.g., "Surface Book")
  • Optional hardware fingerprint hash (for Author license single-device binding)
  • App version, OS version
  • Last seen timestamp

Cloud sync payloads (Hybrid + Online tiers, opt-in)

Workspace snapshots, series records, and Author Directives are encrypted client-side with a key derived from your password (PBKDF2-SHA512, 310,000 iterations). We store only the encrypted payload, IV, and auth tag. We do not hold the decryption key.

What we don't collect

  • Your manuscript content (even in encrypted form, we can't read it)
  • Browser history, cookies from other sites, system fingerprints
  • Analytics from the desktop app (no telemetry beacons; we use no third-party SDKs in the renderer)
  • Your IP address beyond what's needed for the immediate request (no IP logging in DB)

How we use it

  1. Provide the service (billing, sync, AI proxy)
  2. Send transactional emails (license keys, payment failures, weekly usage summary)
  3. Detect abuse (per-user QPS limits, daily cost ceiling)
  4. Aggregate margin telemetry (anonymous tier-level totals — no per-user details)

We do not use your data for: ad targeting, lookalike audiences, training ML models, or selling to data brokers.

Third parties we share with (operational only)

  • Supabase — database hosting, auth, edge functions
  • Stripe — payment processing (they see card details; we don't)
  • Anthropic / OpenAI / Google — cloud AI inference (Online tier only; your prose is sent to the model you select to fulfill your request, governed by their privacy policies)
  • Replicate / fal.ai — image generation (Publishing add-on; your prompt is sent to the model you select)
  • Resend — transactional email delivery
  • Backblaze B2 / Vercel / Railway — infrastructure hosting

Your rights

  • Export: download all your data anytime from the account portal (manuscripts ship as ZIP)
  • Delete: delete your account anytime from the account portal. Soft-deleted for 30 days (in case of accident), then purged
  • Correct: update profile fields anytime; update DB records via support
  • EU users (GDPR): right to access, rectify, erase, restrict, port, object
  • California (CCPA): right to know, delete, opt-out of "sale" (we don't sell)

Data residency

At launch: US-only. EU region will be added when demand justifies (Supabase + Backblaze both offer EU regions; we'll route EU users to EU infrastructure when enabled).

Cookies (marketing site only)

We use Plausible Analytics — privacy-friendly, no cookies, no cross-site tracking, no personal data collected. The desktop app uses zero analytics SDKs.

Contact

Privacy questions: privacy@scribegrove.com