1. Introduction
NovelCraft ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at fictioncraftai.com (the "Site") and use our services (collectively, the "Services").
We are a data controller under the General Data Protection Regulation (GDPR) and comply with the California Consumer Privacy Act (CCPA) as amended by the CPRA. By using our Services, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Personal Data
We may collect the following categories of personal information:
- Account Information: Email address, display name, and password (stored securely as a salted hash).
- Profile Data: Your chosen username and account preferences.
- Content Data: The novel text, chapters, project outlines, and other creative content you create and store on our platform.
- Payment Information: If you subscribe to a paid plan, payment processing is handled entirely by our third-party payment processor (Creem.io). We do not store full credit card numbers or banking details.
2.2 Automatically Collected Data
When you access our Services, we automatically collect:
- Usage Data: Pages visited, features used, time spent, writing statistics, and interaction patterns.
- Device Data: IP address, browser type, operating system, and device identifiers.
- Analytics Data: We use Vercel Analytics, which collects anonymized, aggregated data about page views and visitor interactions. No personal data is shared with Vercel for analytics purposes.
2.3 AI-Generated Content
When you use our AI writing assistant, the prompts you provide and the context you submit are sent to our third-party AI provider (via Shiyun API) solely for the purpose of generating the requested content. We do not use your content to train AI models, and your writing data remains private to your account.
3. How We Use Your Information
We process your personal data for the following purposes:
- To create and maintain your account
- To provide, personalize, and improve our Services
- To process subscriptions and payments
- To communicate with you about your account, updates, and support
- To detect, prevent, and address technical issues and fraud
- To comply with legal obligations
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:
- Contractual Necessity: Processing is necessary to perform our contract with you (e.g., creating your account, providing the Services).
- Legitimate Interests: We have a legitimate interest in improving our Services, ensuring security, and communicating with users.
- Consent: Where required by law, we process data based on your consent, which you may withdraw at any time.
5. Data Sharing and Disclosure
We may share your information with the following categories of third parties:
- Service Providers: Supabase (database hosting), Vercel (web hosting), Shiyun API (AI processing), Stripe/Creem.io (payment processing). All service providers are contractually bound to process data only for specified purposes and in compliance with applicable data protection laws.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal requests.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.
We do not sell your personal information to third parties.
6. International Data Transfers
Your information is stored on servers located in Singapore (Supabase) and the United States (Vercel). If you are located in the EEA, UK, or other regions with data transfer restrictions, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission, to protect your data when transferred internationally.
7. Data Retention
We retain your personal data only as long as necessary to provide you with our Services and for legitimate business purposes. Specifically:
- Account data: Retained until you delete your account
- Content data: Retained until you delete your projects or account
- Usage analytics: Retained for 12 months
- Billing records: Retained for 7 years as required by tax law
Upon account deletion, your content and personal data are permanently deleted within 30 days.
8. Your Rights
8.1 GDPR Rights (EEA Users)
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("Right to be Forgotten"): Request deletion of your personal data.
- Restriction: Request restriction of processing of your data.
- Data Portability: Request transfer of your data to another service provider.
- Objection: Object to processing based on legitimate interests.
8.2 CCPA/CPRA Rights (California Users)
California residents have the right to:
- Know: Request disclosure of categories and specific pieces of personal information collected.
- Delete: Request deletion of personal information.
- Opt-Out: Opt out of the sale or sharing of personal information (we do not sell data).
- Correct: Request correction of inaccurate personal information.
- Non-Discrimination: Exercise your rights without receiving discriminatory treatment.
8.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at support@fictioncraftai.com. We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
9. Cookies and Tracking Technologies
We use essential cookies necessary for the operation of our Services (e.g., session cookies for authentication). We do not use tracking cookies for advertising purposes. Vercel Analytics uses anonymized, privacy-preserving analytics that do not require cookie consent under GDPR.
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit via TLS/SSL
- Encrypted database storage
- Row-Level Security (RLS) in Supabase ensuring data isolation between users
- Regular security audits and updates
- Access controls and authentication requirements
11. Children's Privacy
Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information. If you believe we have collected data from a child, please contact us immediately.
12. Third-Party Links
Our Services may contain links to third-party websites. We are not responsible for the privacy practices or content of such third parties. We encourage you to review their privacy policies before providing any personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and, where appropriate, by email notification. Your continued use of the Services after changes constitutes acceptance of the updated policy.
14. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: support@fictioncraftai.com
- Data Protection Officer: support@fictioncraftai.com
For GDPR matters, you also have the right to lodge a complaint with your local data protection supervisory authority.