Privacy Policy

This Privacy Policy explains what data Scriptorian collects, why, how it is protected, and your rights over it. This policy applies to all users of scriptorian.ai and complies with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Data Controller

The data controller is Scriptorian (support@scriptorian.ai). For any privacy-related requests, contact this address.

2. What Data We Collect

Data Category	What We Collect	Why	Legal Basis (GDPR)
Account	Email address (from Google OAuth)	Authentication	Contract (Art. 6.1.b)
Login metadata	Browser type, OS, device type, anonymized IP (last octet zeroed)	Security & analytics	Legitimate interest (Art. 6.1.f)
Search queries	Text entered in the search bar	Improve search quality	Consent (Art. 6.1.a)
AI chat queries	Your full conversation with the Study Companion (questions, responses, and tool calls)	Improve AI responses and service quality	Consent (Art. 6.1.a)
Feature usage	Which features you use (footnotes, talks, translations, etc.)	Understand usage patterns	Consent (Art. 6.1.a)
Consent records	Timestamp and version when you accepted ToS/Privacy Policy	Legal compliance	Legal obligation (Art. 6.1.c)

3. IP Address Anonymization

IP addresses are anonymized before storage by zeroing the last octet (e.g., 192.168.1.42 becomes 192.168.1.0). Full IP addresses are never stored in our database.

4. Data Retention

• Analytics events (searches, interactions): automatically deleted after 90 days
• Account data (email, login metadata): retained until you delete your account
• Consent records: retained for the duration required by applicable law (typically 3–6 years)

5. Data Sharing

We do not sell your personal data. We do not share your data with third parties except:

• Google — for OAuth authentication (subject to Google's privacy policy). We receive only your email address and public profile from Google.
• Anthropic — your AI chat questions are sent to the Anthropic Claude API for processing. Anthropic's data processing terms apply. Anthropic does not use API inputs to train models by default.
• Railway.app — our hosting provider. Data is stored on Railway's infrastructure.

Data is stored on servers in the United States. If you are located in the EU, your data is transferred to the US under standard contractual clauses.

6. Cookies and Local Storage

Scriptorian uses:

• A session cookie (signed, HTTP-only) to maintain your login state. This cookie is strictly necessary and does not require consent.
• localStorage on your browser to remember your analytics consent preference.

We do not use advertising cookies or third-party tracking cookies.

7. Your Rights

Under GDPR (EU users) and CCPA (California users), you have the following rights:

• Access: Request a copy of all data we hold about you
• Portability: Export your data in machine-readable JSON format
• Erasure ("right to be forgotten"): Delete all your data permanently
• Rectification: Correct inaccurate data
• Withdraw consent: Withdraw analytics consent at any time (does not affect past processing)
• Lodge a complaint: File a complaint with your national data protection authority

8. Security

We use HTTPS for all data in transit. Session cookies are signed with a server-side secret key. The database is hosted on Railway's infrastructure with access restricted to the application. IP addresses are anonymized before storage.

9. Children's Privacy

Scriptorian is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us data, contact us immediately.

10. Changes to This Policy

We may update this policy. Material changes will require re-acceptance via the consent screen. The current version and effective date are shown at the top of this page.

11. Contact

Privacy questions or requests: support@scriptorian.ai

← Back to Terms of Service