Privacy Policy
Last updated: 6th December 2025
This Privacy Policy describes how Scriptor.uk ("we", "us", or "our") collects, uses, and protects your personal information when you use our screenwriting software platform (the "Service"). This policy complies with UK GDPR.
We are committed to protecting your privacy and intellectual property rights. Your files and creative content are your property, and we never use your data for AI training, advertising, or sharing with third parties except as necessary to provide the Service.
1. Data Controller
Data Controller: Scriptor.uk
Address: Manchester, United Kingdom
Contact Email: support@scriptor.uk
Scriptor.uk is the data controller responsible for your personal data. For privacy and data protection inquiries, please contact us at the email address above.
2. What We Collect
We collect the following personal data:
Sign-up Data (Provided by You)
- Email address: Required for account creation and authentication
- Password hash: Stored securely for authentication
- Name: Optional, collected if you sign in with Google OAuth or provide it during account setup
- Profile image: Optional, collected if you sign in with Google OAuth
- Optional profile fields: Writer type and genre preferences (if provided)
User Content (Provided by You)
We store your screenplays, files, projects, and other creative content that you create using our Service. This content is stored securely and is accessible only to you (and any collaborators you explicitly share with).
Important: Your files are NEVER used for AI training, advertising, or shared with third parties except as necessary to provide AI features (see Section 5).
Usage Logs (Collected Automatically)
We automatically collect basic usage information:
- Internet Protocol (IP) address
- Browser type and version
- Device information (type, operating system)
- Pages visited and time spent on pages
- Diagnostic and performance data
Security Audit Logs (Collected Automatically)
For security purposes, we maintain logs of authentication requests and other security events. These logs are processed in Axiom and retained for 30 days to detect abuse and protect accounts. These logs include:
- Timestamp of the event
- Path, HTTP method, and status
- IP address
- User agent
- User ID and email (when authenticated)
- Request identifier (when provided by the platform)
3. Why We Collect It & Lawful Basis
We process your personal data based on the following legal grounds under UK GDPR:
- Contract (Article 6(1)(b)): To provide the service and manage your account. This includes authentication, storing your content, processing payments, and sending service-related communications.
- Legitimate Interests (Article 6(1)(f)): For security and fraud prevention, and to improve our Service. This includes security audit logging and analyzing usage patterns (with your consent for analytics).
- Consent (Article 6(1)(a)): For analytics tracking (Google Analytics, PostHog) and email marketing/updates. You can withdraw consent at any time.
4. Cookies
We use cookies and similar technologies. Analytics tracking is opt-in only - we do not track you until you explicitly consent.
Essential Cookies
Required for the Service to function (authentication, session management). These do not require consent.
Analytics Cookies (Opt-in Only)
- Google Analytics (GA4): Uses Google Consent Mode v2, IP anonymization enabled, ad storage disabled. Tracks page views and user interactions. Only collected with your explicit consent.
- PostHog: EU-hosted product analytics. Tracks feature usage and engagement. Only collected with your explicit consent.
A cookie banner appears after 4 seconds when you first visit. You can manage your cookie preferences at any time in your Settings page or by declining the cookie banner.
5. Third-Party Processors
We use the following third-party services to provide our Service. We do NOT sell, rent, or share your personal data or content with third parties for advertising, marketing, or any other purpose except as described below.
Hosting & Data Storage
- Database: PostgreSQL database for user accounts and content
- File Storage: Supabase for PDF file storage
AI Service Provider
Purpose: Powers our Scriptor Assistant AI features.
Data Shared: When you use Scriptor Assistant, your files and prompts are sent to generate responses. Files are used only for context in that specific request.
Intellectual Property Protection:
- Your files are NOT used to train AI models
- Your content is processed only for the immediate request and is not stored for training purposes
- You retain all intellectual property rights to your content
Location: Outside the UK/EU. Data transfers are subject to appropriate safeguards (see Section 6).
Payment Processing
Stripe: Processes subscription payments and manages billing. We share email address, name, and payment information (processed securely by Stripe - we do not store card details). Stripe is US-based but GDPR-compliant.
Analytics (Opt-in Only)
- Google Analytics: US-based. Tracks website usage with your consent. IP anonymization enabled.
- PostHog: EU-hosted. Product analytics with your consent.
Authentication
Google OAuth: Allows you to sign in with your Google account. We receive name, email address, and profile image (if you choose to sign in with Google).
Email Delivery
We use an email service provider to send verification emails and service-related communications. We share your email address for this purpose.
6. International Transfers
Some of our third-party service providers are located outside the UK/EU:
- AI service providers (United States)
- Payment processors (United States)
- Analytics providers (United States)
- Authentication providers (United States)
When we transfer your data outside the UK/EU, we ensure appropriate safeguards are in place, including:
- UK Addendum to Standard Contractual Clauses (SCCs)
- Adequacy decisions by the UK government
Important: Despite these transfers, your files are NEVER used for AI training, regardless of where they are processed.
7. Data Retention
We retain your data only for as long as necessary:
- Account data and user content: Retained while your account is active. When you delete your account, all account data and user content (including all files) are deleted immediately.
- Logs: Any logs relating to you are retained for 30 days (including security logs processed in Axiom), then deleted.
- Legal obligations: We may retain certain data to comply with legal obligations, resolve disputes, or enforce our agreements.
You can delete your account and all associated data at any time from your account settings page.
8. Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Secure authentication and session management
- Access controls and security audit logging
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Your Rights
Under UK GDPR, you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data and content. You can delete your account and all associated data at any time from your account settings.
- Right to Restrict Processing: Request that we limit how we process your personal data in certain circumstances
- Right to Data Portability: Receive your personal data in a structured, commonly used format and transmit it to another service
- Right to Object: Object to processing of your personal data based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for analytics or marketing at any time. This does not affect the lawfulness of processing before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, please contact us at support@scriptor.uk. We will respond to your request within one month (or inform you if we need more time).
Right to Lodge a Complaint
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
10. Children's Privacy
Our Service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13.
If we become aware that we have collected personal data from a child under 13, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@scriptor.uk.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date
- Sending you an email notification (for significant changes)
You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
Email: support@scriptor.uk
Address: Manchester, United Kingdom