Privacy Policy
Last updated: April 24, 2026
1. Who is the data controller?
Plumora is an AI-assisted editing service for fiction writers. The data controller is the operator of Plumora, reachable at contact@ma-plumora.app.
2. What data do we collect?
- Account data: email, hashed password, signup date.
- Project content: manuscripts, chapters, characters, annotations — stored privately and encrypted.
- Usage data: pages visited, features used, timestamps (via Vercel Analytics, cookie-free).
- Payment data: handled by Stripe. We never see your card details.
3. How do we use it?
- Provide the service (AI analysis of your manuscript, corrections, Codex…).
- Process one-time purchases (audit) and subscriptions.
- Improve the product via aggregated, anonymous statistics.
- Send transactional emails (purchase confirmation, alerts).
We never use your manuscript to train AI models. Requests to AI providers (Anthropic, OpenAI) are sent with no-retention / no-training parameters.
4. Who do we share data with?
- Supabase (EU, Frankfurt): database hosting and authentication.
- Vercel (US, with GDPR DPA): application hosting.
- Stripe (Ireland/US): payment processing.
- Resend (US, with GDPR DPA): transactional email delivery.
- Anthropic, OpenAI: AI providers, under no-retention and no-training contractual clauses.
5. How long do we keep your data?
As long as your account is active. When you delete your account, all associated data (manuscripts, Codex, corrections) is erased within 30 days. Billing records are kept for 10 years to meet legal obligations.
6. Your rights (GDPR)
You may at any time access, rectify, or erase your data, request portability, object to processing, or restrict usage. Send your request to contact@ma-plumora.app. We reply within 30 days. You may also lodge a complaint with your data protection authority.
7. Cookies and trackers
Plumora uses no advertising cookies. The only cookies set are strictly necessary (authentication session, UI preferences). Vercel Analytics runs without cookies.
8. Security
Encrypted authentication (Supabase Auth), HTTPS transport, Row-Level Security on the entire database: only the project owner can access their data. Backups are encrypted at rest.
9. Changes
We will notify you by email of any material change to this policy at least 30 days before it takes effect.
10. Contact
Any questions: contact@ma-plumora.app.