Privacy Policy

Story Master Technologies Private Limited ("Company," "we," "us," or "our") operates The Story Maker platform (the "Service"). This Privacy Policy describes how we collect, use, store, and protect your information when you access or use our Service. By using the Service, you consent to the practices described herein.

1.0   Definitions

1.1   User Materials

"User Materials" means any content you create, upload, or input into the Service, including but not limited to screenplays, story beats, character profiles, dialogue, plot outlines, scene descriptions, production notes, and any other creative works.

1.2   AI-Generated Outputs

"AI-Generated Outputs" means any content produced by our AI engines (the "Cinema Context Engine") in response to your prompts, inputs, and User Materials.

1.3   Personal Data

"Personal Data" means information that identifies, relates to, or could reasonably be linked to you as an individual, as defined under the EU General Data Protection Regulation ("GDPR"), California Consumer Privacy Act as amended by CPRA ("CCPA"), and India's Digital Personal Data Protection Act, 2023 ("DPDPA").

2.0   Information We Collect

2.1   Account Information

When you register, we collect:

• Full name and email address
• Authentication credentials (hashed; we never store plaintext passwords)
• OAuth profile data (name, avatar URL) if you sign in via Google
• Referral or promotional code, if provided at signup

2.2   Usage & Telemetry Data

We automatically collect:

• Browser type, operating system, device identifiers, and screen resolution
• IP address, approximate geolocation (country/region level only)
• Session duration, page views, feature usage frequency
• Credit consumption logs, AI tier selections (Fast, Standard, Premium), and feature usage across 39+ production tools
• Error reports and performance metrics (via Sentry)

2.3   Creative Metadata & Cinema Context Engine

To power our AI features, we collect and process scene metadata (scene headings, locations, time-of-day tags), character relationship tags, genre classifications, budget estimates, scheduling data, and prompt history. This metadata enables the Cinema Context Engine to provide contextually relevant suggestions across your project.

2.3.1   Scope of Metadata Processing

Metadata is derived exclusively from your User Materials and is processed solely within the scope of your individual project workspace. We do not aggregate metadata across different users' projects.

3.0   AI Data Usage & Model Training

3.1   No Foundation Model Training

Your User Materials are NOT used to train, fine-tune, or improve any foundation AI model. We process your inputs only to generate outputs for you in real time. Prompts and outputs are transmitted to third-party AI providers via OpenRouter under data processing agreements that prohibit the use of your data for model training.

3.2   Opt-In Only for Research

We will never use your User Materials or AI-Generated Outputs for research, benchmarking, or product improvement purposes without your explicit, informed, and revocable opt-in consent. Any such program will be presented separately and will not be a condition of Service access.

3.3   Prompt & Output Retention

AI prompts and outputs are cached for up to 72 hours to enable regeneration and error recovery. After this window, they are permanently deleted from our processing infrastructure. Project-level content you explicitly save is retained according to Section 7.0.

4.0   How We Use Your Information

4.1   Service Delivery

• Authenticate your identity and maintain account security
• Process AI generation requests and deliver outputs
• Manage credit balances, payment processing, and subscription billing
• Provide customer support and respond to inquiries

4.2   Service Improvement (Aggregated Only)

• Analyze aggregated, anonymized usage patterns to improve feature design
• Monitor system performance, uptime, and error rates
• Detect and prevent fraud, abuse, and security incidents

4.3   Communications

• Send transactional emails (verification, payment receipts, credit alerts)
• Send product announcements and feature updates (opt-out available)
• Respond to support tickets and contact form submissions

5.0   Data Sharing & Third-Party Processors

5.1   Sub-Processors

We share data only with the following categories of processors, under binding DPAs:

5.2   No Sale of Personal Data

We do not sell, rent, or trade your Personal Data to any third party for advertising, marketing, or any other commercial purpose. This commitment applies under all applicable privacy laws, including CCPA's definition of "sale."

6.0   Data Subject Rights

6.1   Universal Rights

Regardless of your jurisdiction, you may:

• Access a copy of the Personal Data we hold about you
• Rectify inaccurate or incomplete data
• Delete your account and associated data ("Right to Erasure")
• Export your User Materials in standard formats (PDF, DOCX, Fountain, Final Draft FDX, TXT)
• Withdraw consent for optional data processing at any time

6.2   Additional GDPR Rights (EEA Residents)

• Right to restriction of processing
• Right to data portability in machine-readable format
• Right to object to processing based on legitimate interests
• Right not to be subject to automated decision-making with legal effects
• Right to lodge a complaint with your supervisory authority

6.3   Additional CCPA/CPRA Rights (California Residents)

• Right to know what Personal Data is collected, used, and disclosed
• Right to opt-out of the "sale" or "sharing" of Personal Data (N/A — we do not sell)
• Right to limit use of sensitive Personal Data
• Right to non-discrimination for exercising privacy rights

6.4   Rights Regarding AI-Generated Outputs

You may request deletion of all AI-Generated Outputs associated with your account. Upon deletion, cached prompts and outputs will be purged within 72 hours, and project-saved content will be deleted immediately. Note that outputs already exported or downloaded to your local device are outside our control.

6.5   How to Exercise Your Rights

Submit requests to contact@thestorymaker.app or use the "Delete Account" feature in your account settings. We will respond within 30 days (GDPR) or 45 days (CCPA), with extensions as permitted by law.

7.0   Data Retention

8.0   Security Measures

We implement industry-standard security controls including:

• TLS 1.3 encryption in transit for all API and web traffic
• AES-256 encryption at rest for database storage (via Supabase)
• Bcrypt password hashing with per-user salts
• Row Level Security (RLS) policies ensuring strict data isolation
• CSRF protection, rate limiting, and Content Security Policy headers
• Regular dependency audits and security patch management

9.0   International Data Transfers

Your data may be processed in the United States, European Union, or India. Where transfers occur outside your jurisdiction, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards recognized under applicable law.

10.0   Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect Personal Data from children. If we learn that we have collected data from a child, we will delete it promptly.

11.0   Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification and email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

12.0   Contact Information

For privacy-related inquiries, data subject requests, or complaints:

• Email: contact@thestorymaker.app
• Postal Address: Story Master Technologies Private Limited, India