Privacy Policy

1. Introduction

StoryNotes ("we," "our," or "us") operates a screenplay analysis service that provides AI-powered feedback on creative writing. This Privacy Policy explains how we collect, use, protect, and share information when you use our service at storynotes.app (the "Service").

We are committed to protecting your privacy and the confidentiality of your creative work. This policy describes our data practices in detail and your rights regarding your personal information.

2. Information We Collect

2.1 Account Information

• Email address (for account creation and notifications)
• Authentication tokens (for secure login)
• Account preferences and settings
• Payment information (processed securely through Stripe — we do not store credit card numbers)

2.2 Screenplay Content

• Uploaded screenplay files (PDF, FDX, Fountain, TXT formats)
• File metadata (title, author, page count, file size)
• Analysis results and generated reports

2.3 Technical Information

• IP addresses and device information
• Browser type and version
• Usage analytics and service performance metrics
• Error logs and debugging information (no screenplay content stored)

2.4 Other Collected Data

• Customer Support Communications: Emails, chat messages, or other communications you send us, which may include personal information or excerpts from your screenplay
• Cookies & Tracking Technologies: Minimal cookies for authentication and service performance monitoring, manageable via your browser settings

3. How We Use Your Information

3.1 Service Provision

• Analyzing your screenplays using AI technology
• Generating personalized feedback and reports
• Managing your account and preferences
• Processing payments for premium features

3.2 Communication

• Sending analysis completion notifications
• Providing customer support
• Sending important service updates (required for account operation)
• Sending marketing communications (only with your consent, where required)

3.3 Service Improvement

• Analyzing usage patterns to improve our service
• Debugging technical issues
• Ensuring security and preventing abuse

4. Screenplay Content Protection

4.1 AI Processing Privacy

• No Training Data: Your screenplay content is never used to train AI models
• API-Only Processing: We use OpenAI's enterprise API service with privacy protections
• Temporary Processing: Content exists in memory during the 5–10 minute analysis window
• OpenAI Data Handling: As of this policy's date, OpenAI deletes all submitted API data within 30 days and does not use it for training. If OpenAI's policy changes, we will update ours accordingly.
• No Routine Human Review: Your content is not viewed by OpenAI staff unless required to investigate suspected abuse

4.2 Our Storage Practices

• Post-Analysis Deletion: Original files are removed from active systems after analysis completion, and from processing caches within [X] hours. Residual encrypted traces in backups are purged within [Y] days.
• Encrypted Storage: All retained data is encrypted at rest using AES-256
• Secure Transmission: All data transfers use HTTPS/TLS 1.3
• No Content Logging: Screenplay content is never stored in logs or application backups
• Analysis Results Only: We keep only the generated analysis/feedback, not the original screenplay file

5. Data Sharing and Third Parties

5.1 Third-Party Services

We use trusted providers:

• OpenAI — AI analysis processing
• Stripe — Payment processing
• AWS — Secure cloud infrastructure and temporary file storage
• Vercel — Application hosting and deployment
• Resend — Email delivery service
• Upstash — Redis caching for performance optimization

5.2 Data Sharing Limitations

We do not sell, rent, or trade your personal information. We may share it:

• With your explicit consent
• To comply with valid and binding legal requests (see Section 5.3)
• To protect our rights, property, or safety
• In connection with a business transfer (with privacy protections maintained)

5.3 Law Enforcement Requests

We only respond to valid legal requests that are binding under applicable law, and require them to be specific and narrowly tailored. Unless prohibited by law, we will notify you before disclosing your information.

6. Data Retention

6.1 Retention Periods

• Screenplay Files: Deleted from active systems after analysis; removed from caches/backups within [Y] days
• Analysis Results: Retained until you delete them or close your account
• Account Information: Retained while your account is active
• Payment Records: Retained for 7 years for tax/legal compliance
• Technical Logs: Retained for up to 90 days
• Abuse Investigations: Content flagged for abuse may be retained securely for up to [X] days for investigation

6.2 Data Deletion

You may delete your data at any time by deleting your account. We will remove personal information and analysis results from our systems within 30 days, except where retention is required by law.

7. Security Measures

7.1 Technical Safeguards

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Multi-factor authentication for administrative access
• Regular security audits and penetration testing
• Intrusion detection and monitoring systems

7.2 Operational Safeguards

• Limited, logged access to systems on a need-to-know basis
• No staff access to screenplay content except in rare, logged, supervised cases (e.g., abuse investigation, with consent if legally permitted)
• Employee background checks and confidentiality agreements
• Regular staff security training
• Incident response procedures

8. Your Rights and Choices

8.1 Access and Control

You can:

• View your personal information and analysis results
• Correct your account information
• Delete specific analyses or your account entirely
• Export your analysis results in PDF format
• Opt out of marketing communications

8.2 Regional Rights

If you are located in the EU, California, or other regions with privacy laws, you may have additional rights:

• Right to object to processing
• Right to restrict processing
• Right to lodge a complaint with supervisory authorities
• Right to know what personal information is sold or disclosed

9. International Data Transfers

We primarily store and process data in [AWS Region(s)], with occasional processing in other jurisdictions as necessary. All international transfers use Standard Contractual Clauses or equivalent safeguards.

10. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13, and will delete any such data if discovered.

11. Changes to This Policy

We may update this Privacy Policy. We will notify you of material changes by:

• Email to your registered address
• Prominent notice on our site
• In-app notification upon next login

Your continued use after the effective date means you accept the updated policy.

12. Contact Information

For questions:

13. Legal Basis for Processing

We process your personal information based on:

• Contract Performance: Providing the screenplay analysis service
• Legitimate Interest: Improving service and ensuring security
• Consent: Marketing communications (where required)
• Legal Obligation: Compliance with applicable laws