Privacy Policy

1. Introduction

StoryNotes ("we," "our," or "us") operates a screenplay analysis service that provides AI-powered feedback on creative writing. This Privacy Policy explains how we collect, use, protect, and share information when you use our service at storynotes.app (the "Service").

We are committed to protecting your privacy and the confidentiality of your creative work. This policy describes our data practices in detail and your rights regarding your personal information.

2. Information We Collect

2.1 Account Information

• Email address (for account creation and notifications)
• Authentication tokens (for secure login)
• Account preferences and settings
• Payment information (processed securely through Stripe — we do not store credit card numbers)

2.2 Screenplay Content

• Uploaded screenplay files (PDF, FDX, Fountain, TXT formats)
• File metadata (title, author, page count, file size)
• Analysis results and generated reports

2.3 Technical Information

• IP addresses and device information
• Browser type and version
• Usage analytics and service performance metrics
• Error logs and debugging information (no screenplay content stored)

2.4 Other Collected Data

• Customer Support Communications: Emails, chat messages, or other communications you send us, which may include personal information or excerpts from your screenplay
• Cookies & Tracking Technologies: Minimal cookies for authentication and service performance monitoring, manageable via your browser settings

3. How We Use Your Information

3.1 Service Provision

• Analyzing your screenplays using AI technology
• Generating personalized feedback and reports
• Managing your account and preferences
• Processing payments for premium features

3.2 Communication

• Sending analysis completion notifications
• Providing customer support
• Sending important service updates (required for account operation)
• Sending marketing communications (only with your consent, where required)

3.3 Service Improvement

• Analyzing usage patterns to improve our service
• Debugging technical issues
• Ensuring security and preventing abuse

4. Screenplay Content Protection

4.1 AI Processing Privacy

• No Training Data: We use OpenAI's commercial API, which by policy does not use submitted data for training AI models. Your screenplay never enters OpenAI's training pipeline.
• 30-Day Retention by OpenAI: OpenAI retains API requests for 30 days for abuse and misuse monitoring only, then permanently deletes them. Full details at openai.com/enterprise-privacy
• API-Only Processing: We use OpenAI's enterprise API service (not ChatGPT), which has stricter privacy protections
• Temporary Processing: Content exists in memory only during the 3-5 minute analysis window
• No Human Review: Your content is not viewed by OpenAI staff unless flagged for abuse investigation
• Zero Training Risk: Your plot points, dialogue, and creative ideas will never appear in future AI model outputs

4.2 Our Storage Practices

• Immediate Deletion: Original PDF files are automatically deleted from our servers the moment analysis completes (typically 3-5 minutes after upload)
• No File Persistence: We do not store, cache, or back up your screenplay files
• Analysis Results Only: We retain only the generated feedback and scores, not the original screenplay content
• Encrypted Storage: All retained data (analysis results, metadata) is encrypted at rest using AES-256
• Secure Transmission: All data transfers use HTTPS/TLS 1.3 encryption
• No Content Logging: Screenplay content is never stored in application logs or error reports
• Memory-Only Processing: During analysis, content exists only in ephemeral processing memory, never written to disk

4.3 Processing Infrastructure

• Secure Queue System: We use Upstash QStash for job processing, which provides encrypted, reliable job delivery without storing screenplay content
• Isolated Processing: Each analysis runs in an isolated serverless environment that is destroyed after completion
• AWS Infrastructure: Temporary file storage uses AWS S3 with server-side encryption, access logging, and automated deletion policies

5. Data Sharing and Third Parties

5.1 Third-Party Services

We use trusted providers:

• OpenAI — AI analysis processing (30-day data retention for abuse monitoring only, no training use)
• Stripe — Payment processing (we never see your credit card details)
• AWS S3 — Temporary encrypted file storage during analysis (files deleted immediately after)
• Vercel — Application hosting and serverless function execution
• Resend — Transactional email delivery (analysis completion notifications)
• Upstash QStash — Secure job queue processing (no screenplay content stored)
• Upstash Redis — Temporary caching for performance optimization

5.2 Data Sharing Limitations

We do not sell, rent, or trade your personal information. We may share it:

• With your explicit consent
• To comply with valid and binding legal requests (see Section 5.3)
• To protect our rights, property, or safety
• In connection with a business transfer (with privacy protections maintained)

5.3 Law Enforcement Requests

We only respond to valid legal requests that are binding under applicable law, and require them to be specific and narrowly tailored. Unless prohibited by law, we will notify you before disclosing your information.

6. Data Retention

6.1 Retention Periods

• Screenplay PDF Files: Deleted immediately after analysis completes (3-5 minutes)
• OpenAI Processing: Retained by OpenAI for 30 days for abuse monitoring, then permanently deleted
• Analysis Results: Retained indefinitely until you delete them or close your account
• Account Information: Retained while your account is active
• Payment Records: Retained for 7 years for tax and legal compliance
• Technical Logs: Retained for up to 90 days (no screenplay content included)

6.2 Data Deletion

You may delete individual analysis results or your entire account at any time. We will remove personal information and analysis results from our active systems within 30 days, except where retention is required by law (e.g., payment records for tax compliance).

7. Security Measures

7.1 Technical Safeguards

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Multi-factor authentication for administrative access
• Regular security audits and penetration testing
• Intrusion detection and monitoring systems

7.2 Operational Safeguards

• Limited, logged access to systems on a need-to-know basis
• No staff access to screenplay content except in rare, logged, supervised cases (e.g., abuse investigation, with consent if legally permitted)
• Employee background checks and confidentiality agreements
• Regular staff security training
• Incident response procedures

8. Your Rights and Choices

8.1 Access and Control

You can:

• View your personal information and analysis results
• Correct your account information
• Delete specific analyses or your account entirely
• Export your analysis results in PDF format
• Opt out of marketing communications

8.2 Regional Rights

If you are located in the EU, California, or other regions with privacy laws, you may have additional rights:

• Right to object to processing
• Right to restrict processing
• Right to lodge a complaint with supervisory authorities
• Right to know what personal information is sold or disclosed

9. International Data Transfers

We primarily store and process data in [AWS Region(s)], with occasional processing in other jurisdictions as necessary. All international transfers use Standard Contractual Clauses or equivalent safeguards.

10. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13, and will delete any such data if discovered.

11. Changes to This Policy

We may update this Privacy Policy. We will notify you of material changes by:

• Email to your registered address
• Prominent notice on our site
• In-app notification upon next login

Your continued use after the effective date means you accept the updated policy.

12. Legal Basis for Processing

We process your personal information based on:

• Contract Performance: Providing the screenplay analysis service
• Legitimate Interest: Improving service and ensuring security
• Consent: Marketing communications (where required)
• Legal Obligation: Compliance with applicable laws