Privacy Policy
Last updated: February 28, 2026
BookWeaverAI LLC ("BookWeaverAI," "we," "us," or "our") is a limited liability company organized under the laws of the State of Alabama. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website and services at bookweaverai.com (the "Service"). By using the Service, you consent to the practices described in this policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, and profile information through our authentication provider, Clerk. If you sign in via a third-party service (such as Google), we receive the information you authorize that service to share with us.
1.2 Project & Creative Content
We collect the content you provide when using the Service, including your story premises, plot ideas, writing rules, world-building rules, supplementary materials, and any edits you make to AI-generated outputs. This content is stored in our database to provide and improve the Service.
1.3 Payment Information
When you subscribe to a paid plan, payment is processed by Stripe, Inc. We do not receive, store, or have access to your full credit card number. Stripe may share with us limited information such as the last four digits of your card, the card brand, the expiration date, and your billing address for record-keeping and tax purposes.
1.4 Usage & Device Data
We automatically collect certain technical information when you use the Service, including your IP address, browser type and version, operating system, device identifiers, pages visited, referring URLs, and timestamps of interactions. This data is collected through server logs and, where applicable, analytics tools provided by our hosting provider (Vercel).
1.5 Cookies & Analytics
We use essential cookies required for authentication and session management. We also use PostHog, a product analytics platform, which sets cookies and uses local storage to track usage patterns, page views, and session recordings. This data helps us understand how users interact with the Service and improve the experience. PostHog data is not used for advertising. We do not use third-party advertising cookies.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service, including AI-powered story generation
- Process your subscription and payments
- Authenticate your identity and manage your account
- Respond to your inquiries and provide customer support
- Monitor usage patterns to improve the Service and fix bugs
- Detect, prevent, and address fraud, abuse, or security issues
- Comply with legal obligations
- Send you service-related communications (e.g., account confirmations, security alerts, policy updates)
We do not use your creative content (premises, rules, generated outputs) to train AI models, build datasets, or for any purpose other than providing the Service to you.
3. AI Processing & How Your Creative Content Is Handled
BookWeaverAI uses artificial intelligence to generate story content for your projects. When you initiate a generation step, your creative inputs (premises, rules, supplementary materials, and prior generated outputs) are transmitted to Anthropic, PBC via their commercial API for processing by their Claude language model.
3.1 What Anthropic Does (and Does Not Do) with Your Data
- No training on your content. Under Anthropic's Commercial Terms of Service, Anthropic is contractually prohibited from using API customer data (your inputs and the generated outputs) to train their AI models. This is a hard contractual restriction, not merely a default setting.
- Limited retention. Anthropic retains API request data (your inputs and the model's outputs) for up to 7 days for their standard API, and up to 29 days for requests processed through their Batch API, solely for abuse monitoring and safety purposes. After this period, the data is deleted from Anthropic's systems.
- Safety monitoring. Anthropic may review API traffic flagged by automated safety systems. In cases of suspected policy violations, flagged data may be retained for up to 2 years.
For more information, see Anthropic's Commercial Terms and Anthropic's Privacy Center.
4. Third-Party Service Providers
We share personal information with the following categories of third-party service providers, solely to the extent necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic | AI content generation | Creative inputs and project content during generation |
| Clerk | Authentication & identity | Name, email, OAuth tokens, session data |
| Supabase | Database hosting | All account and project data (encrypted at rest) |
| Vercel | Application hosting | Server logs, IP addresses, request metadata |
| Stripe | Payment processing | Billing information, payment card details, transaction history |
| PostHog | Product analytics & session replay | Page views, feature usage, anonymized session recordings, device/browser info |
Each provider operates under its own privacy policy and data handling practices. We do not authorize any provider to use your data for its own marketing or advertising purposes.
5. Data Retention
- Account data: Retained for as long as your account is active. When you delete your account, we delete your personal information and project data within 30 days, except where retention is required by law.
- Project content: Retained for as long as your account is active or until you delete the project. Deleted projects are permanently removed within 30 days.
- Payment records: Transaction records and billing information may be retained for up to 7 years to comply with tax and accounting obligations.
- Server logs: Automatically purged after 90 days.
- AI processing data: See Section 3. Anthropic retains API data for 7–29 days; we do not independently retain copies of data transmitted to Anthropic beyond what is stored in your project.
6. Data Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption of data in transit via TLS/HTTPS
- Encryption of data at rest in our database (provided by Supabase)
- Authentication and session management handled by Clerk, a dedicated identity platform
- No direct storage of payment card details (handled entirely by Stripe, a PCI-DSS Level 1 certified processor)
- Access controls limiting employee and system access to personal data on a need-to-know basis
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Your Rights — United States
Depending on your state of residence, you may have specific rights regarding your personal information under state privacy laws, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act, and similar laws enacted in Colorado, Connecticut, Texas, Oregon, and other states.
7.1 Rights You May Have
- Right to Know: Request what personal information we have collected about you and how it has been used.
- Right to Delete: Request deletion of your personal information, subject to certain legal exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Portability: Request a copy of your data in a portable format.
- Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
7.2 How to Exercise Your Rights
To exercise any of the rights described above, contact us at privacy@bookweaverai.com. We will verify your identity before processing your request and respond within 45 days (or as required by applicable law). We will not discriminate against you for exercising your privacy rights.
7.3 Do Not Sell or Share
We do not sell personal information as defined under the CCPA or any other state privacy law. We do not share personal information for targeted advertising purposes.
8. Your Rights — European Economic Area, United Kingdom & Switzerland (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent local laws.
8.1 Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you requested (account management, AI generation, payment processing).
- Legitimate interests: Processing for security, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights.
- Legal obligation: Processing required to comply with applicable laws (e.g., tax record-keeping).
- Consent: Where required, such as for optional communications. You may withdraw consent at any time.
8.2 Your GDPR Rights
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to withdraw consent at any time
- Right to lodge a complaint with your local data protection supervisory authority
8.3 International Data Transfers
Your data is processed and stored in the United States by our service providers. When we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on applicable legal mechanisms such as Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework, where available. By using the Service, you acknowledge that your data will be transferred to and processed in the United States.
9. Children's Privacy
BookWeaverAI is not directed to children. You must be at least 13 years of age to use the Service. If you are located in the European Economic Area or the United Kingdom, you must be at least 16 years of age to use the Service.
We do not knowingly collect personal information from children under these age thresholds. If we learn that we have collected personal information from a child under the applicable minimum age, we will take steps to delete that information promptly. If you believe a child under the applicable age has provided us with personal information, please contact us at privacy@bookweaverai.com.
10. Data Breach Notification
In the event of a data breach that compromises your personal information, we will notify affected users by email within 72 hours of confirming the breach, or as otherwise required by applicable law. Where required, we will also notify the relevant supervisory authority. Our notification will describe the nature of the breach, the data involved, the steps we are taking to address it, and what you can do to protect yourself.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. When we make material changes, we will notify you by email (sent to the address associated with your account) and by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: