Back to EmberScripts

Privacy Policy

Last updated: May 5, 2026

This Privacy Policy describes how EmberScripts ("we", "us", "our") collects, uses, and protects your personal data when you use our creative writing platform ("the Service") and our public website at emberscripts.com. This policy complies with the Swiss Federal Act on Data Protection (nFADP), effective September 1, 2023.

1. Controller

The data controller responsible for processing your personal data is:

Osei Interactive (operator of EmberScripts)
Brunnenwiesenstrasse 42, 8610 Uster, Switzerland
[email protected]

2. Data We Collect

2.1 Account Data

When you create an account via Google OAuth, we receive and store:

  • Your name and email address (from your Google account).
  • Your profile picture URL (from your Google account).
  • A unique user identifier.

2.2 Content Data

Content you create within the Service, including:

  • Stories, chapters, scenes, and their text content.
  • Characters, world entities, and timeline beats.
  • Writer profile information and writing style preferences.
  • Voice recordings processed for speech-to-text transcription (audio is processed in real time and not permanently stored).

2.3 Usage Data

Technical data collected during your use of the Service:

  • IP address and approximate geolocation.
  • Browser type and version.
  • Pages visited and features used within the Service.
  • Timestamps of access and interactions.

2.4 AI Interaction Data

When you use AI features (story generation, coaching, completions), your prompts and the AI responses are processed to provide the feature. Conversation context is retained during active sessions and may be used to improve the quality of AI responses within your story. We do not use your creative content to train AI models.

2.5 Billing Data

When you purchase credits, we receive and store:

  • Your billing country and, where required for tax purposes, your billing address.
  • Payment-method metadata from Stripe — the last four digits of the card, card brand, and expiry month/year — for receipt display and fraud prevention. We do not store full card numbers, CVCs, or bank account numbers; those are handled directly by Stripe.
  • Transaction records: amount, currency, tax amount, Stripe payment identifiers, purchase and refund timestamps, and the credits granted.

3. Purposes and Legal Basis

We process your personal data for the following purposes, each with a corresponding legal basis under Article 31 nFADP:

  • Providing the Service — processing your content, running AI features, and enabling collaboration. Legal basis: performance of our contract with you.
  • Account management — authentication, authorization, and user support. Legal basis: performance of contract.
  • Content moderation — reviewing reported content to enforce our Terms of Service and comply with legal obligations. Legal basis: legitimate interest and legal obligation.
  • Service improvement — analyzing aggregated, anonymized usage patterns to improve features and performance. Legal basis: legitimate interest.
  • Communication — sending essential service notifications (security alerts, Terms changes). Legal basis: legitimate interest. Marketing communications require your explicit consent.

4. Data Sharing and International Transfers

4.1 Service Providers

We use the following third-party services to operate EmberScripts:

  • Supabase (database and authentication) — data hosted in the United States.
  • Anthropic (Claude AI for story generation and coaching) — data processed in the United States.
  • Google (OAuth authentication, Gemini text-to-speech) — data processed in the United States.
  • Deepgram (speech-to-text transcription) — data processed in the United States.
  • ElevenLabs (text-to-speech narration) — data processed in the United States.
  • OpenAI (content moderation screening) — data processed in the United States.
  • Stripe (payment processing and tax calculation) — billing and transaction data processed in Ireland by Stripe Payments Europe, Ltd. for customers in the EU/EEA and in the United States by Stripe, Inc. for customers elsewhere.
  • PostHog (first-party website analytics) — page views and product-usage events processed by PostHog Inc. on the PostHog EU Cloud, hosted in Frankfurt, Germany. Configured with IP anonymization, no session recording, and Do-Not-Track respect. PostHog acts as our processor under their published Data Processing Agreement.

4.2 International Transfers

Your data is transferred to and processed in the United States by most of the service providers listed above. These transfers are made in accordance with Article 16 nFADP, using standard contractual clauses and relying on the adequacy assessments published by the Swiss Federal Data Protection and Information Commissioner (FDPIC). We ensure that all service providers maintain appropriate technical and organizational security measures.

PostHog analytics data is hosted on PostHog's EU Cloud in Frankfurt, Germany, and is not transferred outside the EU/EEA.

4.3 No Sale of Data

We do not sell, rent, or trade your personal data to third parties.

5. Data Retention

  • Account and content data — retained for as long as your account is active. Upon account deletion, your data is removed from active systems within 30 days. Backups may retain data for up to 90 days before automatic expiration.
  • Usage data — retained in aggregated, anonymized form indefinitely. Identifiable usage logs are retained for up to 12 months.
  • Voice recordings — processed in real time for transcription and not stored.
  • Content reports — retained for as long as necessary for moderation purposes, and for a minimum of 1 year for legal compliance.
  • Billing records — retained for 10 years from the end of the financial year in which the transaction occurred, as required by Swiss bookkeeping law (Article 958f of the Swiss Code of Obligations, OR). This retention applies independently of account deletion.

6. Your Rights

Under the nFADP, you have the following rights regarding your personal data:

  • Right of access (Art. 25 nFADP) — you may request information about what personal data we hold about you.
  • Right to rectification — you may request correction of inaccurate personal data.
  • Right to deletion — you may request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability (Art. 28 nFADP) — you may request a copy of your data in a commonly used, machine-readable format.
  • Right to object — you may object to processing based on legitimate interest.

To exercise these rights, contact us at the address listed in Section 1. We will respond within 30 days.

7. Automated Decision-Making

EmberScripts uses AI to generate story content, provide writing suggestions, and screen publicly shared content for policy violations. These automated processes assist your creative work and help maintain community safety. No solely automated decisions are made that produce legal effects or similarly significantly affect you. Content moderation flags are always reviewed by a human before any action is taken.

8. Cookies and Local Storage

The Service uses two categories of cookies and local storage:

  • Strictly necessary — authentication session management, CSRF protection, and user preferences (e.g., age verification status for mature content). These do not require consent under Article 31 nFADP.
  • First-party analytics (PostHog) — PostHog sets cookies prefixed with ph_ to recognize returning visitors and attribute multi-page sessions. We host this data in the EU, anonymize IP addresses, do not record sessions, and honor the Do-Not-Track browser signal. We rely on Article 31(2)(d) nFADP (legitimate interest) for this processing; you may object at any time by enabling Do-Not-Track in your browser or by contacting us at the address in Section 1.

We do not use third-party advertising cookies or marketing tracking pixels.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS) and at rest.
  • Row-level security in our database ensuring users can only access their own data.
  • Regular security testing and code review.
  • Rate limiting and abuse prevention on all API endpoints.

10. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete that data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email or through the Service. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact and Complaints

For privacy inquiries or to exercise your rights, contact:

Osei Interactive (operator of EmberScripts)
Brunnenwiesenstrasse 42, 8610 Uster, Switzerland
[email protected]

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.