Privacy Policy

Effective date: March 1, 2026

The short version

  • Your writing is yours. We claim no ownership or rights over your manuscripts, chapters, or any content you create.
  • We do not sell your data. Not to advertisers, not to data brokers, not to anyone.
  • We do not use your content to train AI. Voice recordings and text sent to OpenAI for processing are not used for model training.
  • No advertising cookies. We only use cookies that are essential for the service to work.
  • You can leave any time. Export your work in PDF, EPUB, or DOCX and delete your account whenever you want.

1. Introduction and Scope

IndieChapters ("we," "us," or "our") is a web-based writing tool designed for indie book authors. We help you write, organize, and export your manuscripts. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website and web application (collectively, the "Service").

This policy applies to all users of the Service, regardless of location. Where specific regulations grant additional rights (such as the GDPR for EU/EEA/UK residents or the CCPA/CPRA for California residents), those rights are described in the relevant sections below.

Our core commitments are simple: we do not sell your personal data, we do not use your creative content to train AI or machine learning models, and we believe your manuscripts belong to you and you alone.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account using Google OAuth, we receive your name, email address, and profile photo from Google. When you create an account using email and password (credential login), we collect your name, email address, and password. Your password is cryptographically hashed using bcrypt before storage. We never store plaintext passwords and have no ability to view or retrieve your original password.

2.2 Your Content

We store the creative content you produce while using the Service, including:

  • Manuscripts and chapters (text content, formatting, and metadata)
  • Notes and annotations
  • Writing goals and progress data (word counts, session data)
  • Voice recordings (audio files you record for transcription)
  • Transcriptions generated from your voice recordings

2.3 Usage Data

We collect information about how you interact with the Service, including:

  • Feature usage patterns (which tools you use and how often)
  • Pages visited within the application
  • Session duration and frequency
  • Writing session timestamps (when you start and stop writing)
  • Export activity (formats used, frequency)

2.4 Device and Technical Data

When you access the Service, we automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Screen resolution
  • Referring URL (the page that linked you to us)

2.5 Payment Information

Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. We never receive, process, or store your full credit card number, CVV, or complete billing details. From Stripe, we receive only: the last four digits of your card number, the card brand (e.g., Visa, Mastercard), your billing address, and your transaction history for invoicing and support purposes.

2.6 Communications

When you contact us for support, send feedback, or communicate with us in any way, we collect the content of those communications along with your email address and any attachments you include.

2.7 What We Do NOT Collect

We want to be explicit about what we do not collect:

  • Location data (GPS, geolocation)
  • Contacts or address book information
  • Social media profiles or activity (beyond OAuth login)
  • Advertising identifiers
  • Biometric data — while we store voice recordings as audio files for transcription, we do not create biometric templates, voiceprints, or any biometric identifiers from those recordings

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide and operate the Service: This includes authenticating your identity, storing and syncing your content across sessions, generating exports in PDF, EPUB, and DOCX formats, and tracking your writing progress and goals.
  • To process voice recordings: When you use the voice-to-chapter feature, your audio recording is sent to OpenAI's Whisper API for transcription. The resulting transcription is returned to you and stored in your account. The audio file itself is stored in Cloudflare R2 object storage.
  • To provide AI-assisted writing features: When you choose to use AI text processing features, the specific text you select is sent to OpenAI's GPT-4o API for processing. Only the text you explicitly choose to process is sent — we never send your entire manuscript or any content you have not selected.
  • To process payments: We use Stripe to manage subscriptions, process payments, and handle billing-related operations.
  • To send transactional emails: We use Resend to deliver account confirmations, password reset emails, export notifications, and other service-related communications.
  • To improve the Service: We analyze aggregated, anonymized usage data to understand how features are used, identify bugs, and prioritize improvements. This analysis never involves reading or reviewing individual users' creative content.
  • To ensure security and prevent abuse: We use technical data to detect and prevent unauthorized access, fraud, and other malicious activity.
  • To comply with legal obligations: We may process your data as required by applicable law, regulation, or legal process.

4. Your Content and Intellectual Property

Ownership

You own all content you create using IndieChapters. We claim no ownership, license, or intellectual property rights over your manuscripts, chapters, notes, voice recordings, transcriptions, or any other creative works you produce through the Service. Your words are yours.

AI and Your Content

Your content is NOT used to train any AI or machine learning models — not ours, not anyone else's. Voice recordings processed by OpenAI's Whisper API are used solely for the purpose of transcription and are not retained by OpenAI for training purposes, in accordance with OpenAI's API data usage policy. Text sent to GPT-4o for AI-assisted features is similarly not used for model training. We have opted out of any data-sharing arrangements that would allow your content to be used for model training.

Content Access

We access your content only to provide the Service (e.g., storing it in our database, rendering it in the editor, generating exports), to perform necessary maintenance and backups, to respond to support requests that you initiate, or to comply with legal obligations. We do not read, review, analyze, or editorially evaluate your manuscripts.

Content Deletion

When you delete content or close your account, your manuscripts and all associated data (chapters, notes, recordings, transcriptions, progress data) are permanently deleted within 30 days from our active systems and within 90 days from backups.

6. How We Share Your Information

We share your information only in the following limited circumstances:

  • Service Providers (Sub-Processors): We share data with the third-party service providers listed in Section 14, solely for the purpose of operating the Service. Each provider is contractually bound to protect your data and process it only as we instruct.
  • Legal Requirements: We may disclose your information if required by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity. We will provide you with advance notice of any such transfer and the choices available to you.
  • With Your Consent: We may share your information with third parties when you explicitly request or agree to such sharing.

What we never do: We never sell your personal data to any party, for any reason. We never share your creative content with advertisers. We never provide your manuscripts, chapters, or writing to third parties for their own purposes.

7. International Data Transfers

Your data is processed in the United States and other countries where our service providers operate. Specifically:

  • Vercel (application hosting): United States and global edge locations
  • Neon (database): United States
  • Cloudflare R2 (object storage): configurable regions
  • OpenAI (AI processing): United States
  • Stripe (payments): United States
  • Resend (email): United States

For users in the EU, EEA, and UK, transfers of personal data to countries outside your jurisdiction are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent transfer mechanisms as required by the GDPR and UK GDPR. These safeguards ensure that your data receives an adequate level of protection regardless of where it is processed.

8. Data Retention

  • Active Accounts: Your personal data and content are retained for as long as your account is active and you continue to use the Service.
  • Deleted Content: When you delete individual content (chapters, projects, recordings), it is permanently removed from our active systems within 30 days and from backups within 90 days.
  • Closed Accounts: When you close your account, all personal data and content are deleted within 30 days from active systems, except where retention is required by law (see Payment Records below).
  • Payment Records: Transaction records and billing information are retained for 7 years as required by applicable tax and financial regulations.
  • Voice Recordings: Audio files are retained in Cloudflare R2 until you delete them or close your account. Recordings are not retained by OpenAI after transcription processing is complete.
  • Server Logs: Technical logs containing IP addresses and request data are automatically purged after 90 days.
  • Backups: Deletion requests are propagated to all backup systems within 90 days of the deletion event.

9. Data Security

We implement technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. All API calls to third-party services are similarly encrypted.
  • Encryption at rest: Database encryption is provided by Neon (our PostgreSQL hosting provider). Object storage encryption is provided by Cloudflare R2.
  • Authentication security: OAuth 2.0 protocol for Google login, bcrypt password hashing with salting for credential-based accounts, and secure HTTP-only session management via NextAuth.
  • Access controls: We operate on the principle of least privilege. There is no bulk access mechanism for user content. Administrative access to production systems is restricted and audited.
  • Infrastructure security: Our application is hosted on Vercel's enterprise-grade infrastructure. Our database is hosted on Neon, which maintains SOC 2 Type II compliance.

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data using the best practices available to us and to responding promptly to any security incidents.

10. Data Breach Notification

We maintain incident response procedures to detect, investigate, and respond to personal data breaches. In the event of a data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33, where the breach is likely to result in a risk to the rights and freedoms of individuals.
  • We will notify affected users without undue delay when a breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
  • Breach notifications will include: the nature and scope of the breach, the categories and approximate number of individuals and data records affected, the measures we have taken or propose to take to address the breach, and how to contact us for further information.
  • For users in jurisdictions with additional breach notification requirements (such as California), we will comply with all applicable notification timelines and requirements.

11. Cookies and Tracking Technologies

Essential Cookies

We use cookies that are strictly necessary for the Service to function. These include authentication session tokens (to keep you logged in) and CSRF protection tokens (to prevent cross-site request forgery attacks). These cookies cannot be disabled without breaking core functionality.

Functional Cookies

We use functional cookies to remember your preferences, such as editor settings, theme selection (light or dark mode), and other user interface preferences. These cookies improve your experience but are not strictly necessary for the Service to operate.

What We Do Not Use

We do NOT use advertising cookies, cross-site tracking pixels, browser fingerprinting, or third-party marketing cookies. We do not participate in any advertising networks or retargeting programs.

Cookie Management

You can control and manage cookies through your browser settings. Most browsers allow you to view, delete, and block cookies from specific or all websites. Please note that disabling essential cookies will prevent you from logging into and using the Service.

12. Your Privacy Rights

12.1 Rights for All Users

Regardless of where you are located, you have the right to:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate or incomplete personal data
  • Delete your account and all associated data
  • Export your content in PDF, EPUB, and DOCX formats at any time
  • Object to certain types of data processing

12.2 Additional Rights for EU/EEA/UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or the United Kingdom, you additionally have the right to:

  • Data portability — receive your personal data in a structured, commonly used, and machine-readable format
  • Restrict the processing of your personal data
  • Withdraw consent at any time for processing activities based on consent, without affecting the lawfulness of processing before withdrawal
  • Lodge a complaint with your local data protection authority (a list of EU DPAs is available at edpb.europa.eu)

For data protection inquiries, contact us at privacy@indiechapters.com.

12.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to know what personal information is collected, used, disclosed, and sold
  • Right to delete your personal information
  • Right to opt out of the sale of personal information — we do not sell your personal information, so there is nothing to opt out of
  • Right to non-discrimination for exercising your privacy rights — we will not deny you service, charge different prices, or provide a different quality of service because you exercised your rights

Categories of personal information we collect (as defined by the CCPA):

  • Identifiers (name, email address, IP address)
  • Commercial information (transaction history, subscription status)
  • Internet or other electronic network activity information (usage data, feature interactions)
  • Professional or employment-related information (only if you voluntarily provide it in your writing or account profile)

"Do Not Sell or Share My Personal Information": We do not sell or share personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months and have no plans to do so.

12.4 How to Exercise Your Rights

You can exercise your privacy rights in several ways:

  • Email us at privacy@indiechapters.com with your request
  • Use the in-app account settings to export your data or delete your account

We will respond to verifiable requests within 30 days for GDPR requests or 45 days for CCPA requests. In some cases, we may need to verify your identity before processing your request to protect your account security. If we need additional time, we will notify you of the extension and the reason for it.

13. Children's Privacy

IndieChapters is not directed at children under the age of 13, or under the age of 16 for users in the European Union, European Economic Area, and the United Kingdom. We do not knowingly collect, solicit, or maintain personal information from children under these applicable ages.

If we learn that we have collected personal data from a child under the applicable minimum age, we will take steps to delete that information as promptly as possible.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@indiechapters.com so we can take appropriate action.

14. Sub-Processors and Third-Party Services

We use the following third-party service providers (sub-processors) to operate the Service. Each is contractually bound to protect your data and to process it only as we instruct:

Vercel

Purpose: Application hosting, serverless functions, and edge network delivery.
Data processed: All HTTP request data, usage data, and application logs.

Neon

Purpose: PostgreSQL database hosting and management.
Data processed: Account data, content data (manuscripts, chapters, notes), usage data, and all structured application data.

Google

Purpose: OAuth 2.0 authentication provider.
Data processed: Only the profile information you authorize during sign-in: name, email address, and profile photo.

Stripe

Purpose: Payment processing and subscription management.
Data processed: Payment information, billing address, transaction history, and subscription status.

Resend

Purpose: Transactional email delivery.
Data processed: Email address and email content (account confirmations, password resets, export notifications).

Cloudflare R2

Purpose: Object storage for voice recordings.
Data processed: Audio files uploaded for transcription.

OpenAI

Purpose: AI processing — Whisper API for voice-to-text transcription, GPT-4o for AI-assisted text features.
Data processed: Audio recordings (sent for transcription) and selected text passages (sent for AI text features). Per OpenAI's API data usage policy, data sent via the API is not used to train their models.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • Material changes: We will notify you of material changes (such as changes to what data we collect, how we use it, or who we share it with) via email and/or in-app notification at least 30 days before they take effect.
  • Non-material changes: Minor updates such as clarifications, formatting adjustments, or corrections of typographical errors may be made without prior notice.
  • Acceptance: Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and delete your account.
  • Previous versions: Previous versions of this Privacy Policy are available upon request by contacting us at privacy@indiechapters.com.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

We aim to acknowledge all privacy-related inquiries within 5 business days and to resolve them within 30 days. If your inquiry requires additional time, we will notify you of the expected timeline.