Privacy Policy

StoryWith AI ("we", "us", "the service") provides a writing studio for novelists and non-fiction authors. This policy explains what information we collect, why, and what control you have over it.

1. Information we collect

Account information

When you sign up we collect your email address, display name, and authentication identifiers from your sign-in provider (e.g., Google). We do not store passwords — authentication is handled by Supabase, our identity provider.

Manuscript content

Your manuscripts, characters, world entries, scenes, comments, sources, citations, argument maps, and any other content you create or import is stored in our database. You own this content. We process it only to provide the service to you and your invited collaborators. We treat unpublished manuscripts as confidential and do not access them outside of explicit support requests you initiate.

Usage analytics

We log basic usage metrics (page visits, AI feature invocations, error events) to understand how the product is used and to detect abuse. These are aggregated and not tied to identifying information beyond the minimum needed to attribute usage to your account for billing purposes.

Payment information

Subscription billing is processed by Stripe, our payment processor. Stripe handles your payment details directly; we never see or store your full credit card number. We receive your subscription tier, status, and renewal date from Stripe.

Cookies and local storage

We use cookies and browser local storage strictly for service operation: authentication sessions, your active book selection, focus mode preference, and similar UI state. We do not use third-party advertising cookies. We do not require a cookie consent banner because we use only strictly-necessary cookies under the ePrivacy Directive.

2. How we use your information

• To provide the service: render your books, run analyzers, store your work.
• To run AI features on your explicit action: send manuscript excerpts and prompts to our AI provider.
• To process payments and manage your subscription via Stripe.
• To send transactional notifications (reader feedback events, password resets, billing receipts).
• To improve the product through aggregate analytics — never tied to identified individuals or specific manuscript content.
• To detect and prevent abuse (illegal content, spam, security threats).

3. AI processing in detail

AI features (outline generation, scene insights, continuity scans, fact-check, etc.) send relevant excerpts of your content to the Lovable AI Gateway, which routes requests to the underlying model providers (currently Google Gemini and OpenAI GPT). Specifically:

• What we send: the smallest necessary slice of your content for the feature you invoked — an active scene, a chapter synopsis, a citation excerpt. Never your entire manuscript unless you trigger a book-wide scan.
• Training data — never: we do not use your content to train AI models. Our AI provider (Lovable AI Gateway) operates under a no-training agreement with its model upstreams. We will publicly notify users at least 30 days in advance of any change to this stance, and you will have the option to opt out and export your data before any such change takes effect.
• Retention at the AI provider: AI requests are retained by our providers for short-term abuse prevention and quality monitoring (typically <30 days), then deleted from their systems.
• Output ownership: AI-generated content (covers, blurbs, query letters, suggestions) is yours to use, modify, or discard, subject to the model provider's terms which prohibit illegal or infringing uses. See our Terms of Service for details on AI output ownership.
• No automatic AI runs: AI features only execute when you click a button. We don't analyze your work in the background.

4. Who we share information with

We share data only with the service providers required to operate StoryWith AI:

• Supabase — database hosting, authentication, file storage. (sub-processor)
• Lovable AI Gateway — AI request routing. (sub-processor)
• Stripe — payment processing and subscription management. (payment processor)
• Cloudflare — content delivery and DDoS protection. (sub-processor)

Each provider operates under their own privacy terms and data processing agreements. We do not sell your personal data. We do not share your manuscripts with third parties for any purpose other than serving your explicit requests through these providers.

Collaborators you invite

When you invite a collaborator (co-author, editor, reviewer) to a book, they will be able to read and — depending on the role you grant — edit and comment on that book's content. They cannot see your other books, account information, or billing details. Roles are: editor (full read/write/comment), commenter (read + comment), viewer (read-only).

Reader feedback sessions

When you create a reader feedback session and share its link, the readers you invite see only the excerpts you've explicitly added to the session. They cannot see your full manuscript, your other books, or any other personal information beyond what you choose to display in the session.

Legal compliance

We may disclose information when required by law, valid legal process, or to protect our rights, property, or safety. We will notify affected users where legally permitted to do so.

5. Storage, security, and retention

Data is stored in Supabase's managed Postgres database with row-level security (RLS) policies enforcing access control at the database layer — your manuscripts are programmatically inaccessible to other users. Data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted by Supabase using AES-256.

We retain your account and content for as long as your account is active. If you delete a book, it is permanently removed from our active database within 30 days; backup copies in our disaster-recovery system are overwritten within 90 days.

In the unlikely event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the incident, in accordance with applicable law (e.g., GDPR Article 33).

6. Your rights

You have the right to:

• Access the personal data we hold about you. Request via the contact email below.
• Export your manuscripts and other content. Markdown export is available from any book in your account; bibliography export is available from the Sources page (non-fiction).
• Correct inaccurate information by editing your account settings.
• Delete your account and associated content. Email privacy@storywith.ai to initiate deletion. Confirmed deletions complete within 30 days.
• Object or restrict processing where applicable.
• Lodge a complaint with your local data protection authority (e.g., a supervisory authority in the EU under GDPR, the California Attorney General under CCPA).
• Withdraw consent for any processing based on consent, at any time.

7. International data transfers

StoryWith AI's infrastructure is global. Your data may be processed in regions other than your country of residence — primarily the United States and the European Union. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards where required by law for cross-border transfers.

8. Children

StoryWith AI is not directed to individuals under 16 years of age. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to this policy

We may update this Privacy Policy as the service evolves. The "Last updated" date at the top of this page reflects the most recent revision. Material changes — particularly any change to our AI training stance — will be communicated via email or in-app notice at least 30 days before they take effect, with a clear option to export your data and close your account before the change applies.

10. Contact us

Questions about this policy or about your data? Email privacy@storywith.ai.