Privacy Policy

1. Introduction & Data Controller

Screenplay Studio ("we", "us", "our", "the Company") is developed and operated by Northem Development, a Norwegian software development company. We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use our website at screenplaystudio.fun, our web application, APIs, and any related services (collectively, "the Service").

The data controller responsible for your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven) is:

This Privacy Policy should be read in conjunction with our Terms of Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we process your data, please do not use the Service.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

Data provided during account registration and management:

• Email address — used for authentication, account recovery, and communications.
• Display name / username — used for identification within the Service.
• Password hash — securely hashed using industry-standard algorithms (bcrypt/argon2). We never store passwords in plain text and cannot access your actual password.
• Authentication provider data — if you sign in via a third-party provider (e.g., Google, GitHub), we receive your name, email, and profile picture URL from that provider.

2.2 Profile Data

Optional information you choose to add to your public profile:

• Biography / about text — your self-description visible on your profile.
• Avatar / profile picture — uploaded image or Gravatar.
• External links — links to your website, IMDb, social media, or portfolio.
• Location — optional self-reported location (city, country).
• Professional role / title — e.g., screenwriter, director, producer.

2.3 Project & Creative Data

Content you create, upload, or store within the Service:

• Screenplays and scripts — full text of your scripts, including dialogue, action lines, scene headings, and all formatting elements.
• Scenes and scene metadata — scene breakdowns, scene numbers, locations, times of day, and scene notes.
• Characters — character names, descriptions, backstories, relationships, and arcs.
• Storyboard shots — shot descriptions, camera angles, visual references, and annotations.
• Budgets — production budget items, estimates, and financial planning data.
• Schedules — shooting schedules, production calendars, and timeline data.
• Project metadata — project titles, loglines, genres, tags, creation dates, and modification history.
• Comments and annotations — notes, feedback, and comments within projects.

Important: You retain 100% ownership of all creative content. We never access your creative content for any purpose other than providing the Service to you. See Section 7 (AI & Machine Learning Policy) for our commitment regarding AI.

2.4 Usage Data

Data automatically collected about how you interact with the Service:

• Page views and navigation — which pages and features you visit.
• Feature usage — which tools and features you use, frequency, and duration.
• Session duration — how long you use the Service per session.
• Referral source — how you arrived at the Service (e.g., search engine, direct link).
• Interaction events — clicks, scrolls, and UI interactions (anonymized and aggregated).

2.5 Technical Data

Data automatically collected from your device and connection:

• IP address — used for security, fraud prevention, and approximate geolocation.
• Browser type and version — e.g., Chrome 120, Firefox 121, Safari 17.
• Device type and operating system — e.g., desktop/macOS, mobile/iOS.
• Screen resolution — used for responsive design optimization.
• Language and timezone — browser language preference and timezone setting.
• User agent string — technical browser identification string.

2.6 Communication Data

Data arising from your communications with us and other users:

• Support requests — messages, tickets, and attachments sent to our support team.
• Direct messages — messages sent to other users through the Service's messaging features.
• Community posts — content posted in community forums, showcase comments, and discussion threads.
• @Mentions — when another user mentions you by username in a community comment or post, we record the mention (your user ID, the post ID, the comment ID, and the mentioning user's ID) solely to deliver a notification to you. Mention records are deleted when the originating post or comment is deleted.
• Collaborator credits — when a post author credits you as a collaborator on their community post, we store the association (your user ID and the post ID) to display your collaborator credit. You may remove yourself as a collaborator at any time.
• Feedback and surveys — responses to feedback requests or surveys.

2.7 Payment Data

Data related to paid subscriptions and transactions:

• PayPal email address — the email associated with your PayPal account used for payment.
• Transaction IDs — PayPal transaction reference numbers for record-keeping.
• Subscription plan and status — which plan you subscribe to and whether it is active, cancelled, or expired.
• Billing dates — subscription start date, renewal date, and cancellation date.
• Transaction amounts — payment amounts and currency.

We never collect, store, or have access to your credit card numbers, debit card numbers, bank account numbers, or other direct financial instrument data. All payment processing is handled entirely by PayPal.

2.8 Cookies & Similar Technologies

We use cookies and similar technologies to operate the Service. For complete details, see Section 14 (Cookies & Tracking Technologies) and our Cookie Policy.

3. Legal Basis for Processing

Under the GDPR and Norwegian data protection law, we process your personal data on the following legal bases:

3.1 Performance of Contract (Article 6(1)(b) GDPR)

Processing necessary to perform our contract with you (the Terms of Service), including:

• Creating and managing your account.
• Storing and displaying your projects and creative content.
• Enabling collaboration features with users you invite.
• Processing subscription payments and managing billing.
• Providing customer support.
• Enabling data export and portability.

3.2 Consent (Article 6(1)(a) GDPR)

Processing based on your freely given, specific, informed, and unambiguous consent, including:

• Sending marketing emails and newsletters (opt-in only).
• Setting non-essential cookies and analytics tracking.
• Publishing your content on community showcase pages.
• Processing your data for any optional AI-powered features (if introduced).

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

3.3 Legitimate Interest (Article 6(1)(f) GDPR)

Processing necessary for our legitimate interests, provided these are not overridden by your fundamental rights and freedoms, including:

• Analysing anonymized and aggregated usage patterns to improve the Service.
• Detecting, preventing, and investigating fraud, abuse, and security incidents.
• Enforcing our Terms of Service and Community Guidelines.
• Maintaining service stability and performance monitoring.
• Internal record-keeping and administration.

3.4 Legal Obligation (Article 6(1)(c) GDPR)

Processing necessary to comply with legal obligations to which we are subject, including:

• Retaining financial and transaction records as required by Norwegian tax and accounting laws.
• Responding to lawful requests from law enforcement or regulatory authorities.
• Complying with data protection laws (GDPR, Personopplysningsloven) regarding data subject rights.
• Reporting personal data breaches to the Norwegian Data Protection Authority (Datatilsynet) where required.

4. How We Use Your Data

We use your personal data for the following specific purposes:

1. Account Management: Creating, authenticating, and maintaining your user account, including password recovery and two-factor authentication.
2. Service Delivery: Providing core Service functionality, including script editing, formatting, project management, and storage.
3. Collaboration: Enabling real-time and asynchronous collaboration between users you invite to your projects, including notifications, presence indicators, and change tracking.
4. Community Features: Operating community showcase pages, forums, messaging, user profiles, and social features — including sending @mention notifications when you are tagged in a comment, and displaying collaborator credits on posts where you have been credited by the post author.
5. Payment Processing: Processing subscription purchases, renewals, cancellations, and refunds through PayPal.
6. Customer Support: Responding to support requests, troubleshooting issues, and providing technical assistance.
7. Service Improvement: Analysing anonymized and aggregated usage data to identify bugs, improve features, optimize performance, and develop new functionality.
8. Personalization: Adapting the Service interface to your preferences, such as timezone, language, and display settings.
9. Security: Detecting, preventing, and investigating unauthorized access, fraud, abuse, and other security threats.
10. Compliance: Meeting our legal obligations under GDPR, Norwegian law, tax regulations, and other applicable legislation.
11. Communications: Sending transactional emails (account verification, password resets, subscription confirmations, collaboration invitations) and, with your consent, marketing emails.
12. Data Export: Generating downloadable exports of your projects and personal data upon request.
13. Moderation: Enforcing our Terms of Service and Community Guidelines to maintain a safe and professional environment.
14. Analytics: Producing anonymized, aggregated statistical reports about Service usage (these reports never contain personally identifiable information or creative content).
15. Legal Proceedings: Establishing, exercising, or defending legal claims where necessary.

5. Third-Party Processors

We use the following third-party service providers (data processors) to operate the Service. Each processor operates under a Data Processing Agreement (DPA) that ensures GDPR-compliant data handling:

We regularly review our third-party processors to ensure they maintain adequate data protection standards. We do not engage processors in countries without adequate data protection safeguards unless appropriate supplementary measures (such as Standard Contractual Clauses) are in place.

6. Data Sharing

We share your personal data only in the following limited circumstances:

6.1 With Your Collaborators

When you invite users to collaborate on a project, they will have access to the project content and your profile information (display name, avatar) within the context of that project, in accordance with the permission levels you set.

6.2 Community & Showcase Viewers

If you choose to publish content to community showcase pages, that content and your associated public profile information will be visible to other registered users and, for public showcases, to the general public.

6.3 Service Providers

We share data with the third-party processors listed in Section 5, solely for the purposes of operating and providing the Service.

6.4 Legal Requirements

We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request.

6.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any such change in ownership and any choices you may have regarding your personal data.

We NEVER sell your personal data to third parties. We NEVER share your creative content with advertisers, data brokers, or marketing companies. This is an absolute, unconditional commitment.

7. AI & Machine Learning Policy

Screenplay Studio does NOT use your scripts, screenplays, or creative content to train, develop, or improve any artificial intelligence or machine learning models. This is an unconditional, irrevocable commitment.

Specifically, your data is never:

• Used as training data for large language models (LLMs), generative AI, or any other machine learning system.
• Fed into AI training pipelines, fine-tuning processes, or reinforcement learning systems.
• Used for prompt engineering, model evaluation, or AI benchmarking.
• Shared with or sold to any third party for AI or ML training purposes.
• Analysed by AI systems for content understanding, pattern recognition, or style analysis, except as explicitly described below.
• Used to generate synthetic training data or data augmentation datasets.
• Included in any anonymized or aggregated datasets used for machine learning.

If we introduce optional AI-powered features in the future (such as formatting assistance, structural analysis, or writing tools):

• All AI processing will occur locally within your user session only. No creative content will be stored, cached, or retained by any AI system after your session ends.
• Any AI features will be strictly opt-in. You will never be enrolled in AI features without explicit, informed consent.
• We will publish a separate, detailed AI Usage Policy before launching any AI features, clearly explaining what data is processed, how, and by whom.
• You will have the ability to opt out of all AI features at any time, with immediate effect and no loss of other Service functionality.
• No user content will be transmitted to external AI providers (e.g., OpenAI, Anthropic, Google) without your explicit, per-instance consent.

8. International Transfers

As a Norway-based company, we primarily store and process your data within the European Economic Area (EEA). However, some of our third-party processors operate in or have infrastructure in countries outside the EEA, including the United States.

When your personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Adequacy Decisions: Where the European Commission has determined that the recipient country provides an adequate level of data protection (e.g., EU-US Data Privacy Framework for certified organisations).
• Standard Contractual Clauses (SCCs): We require processors outside the EEA to execute the European Commission's Standard Contractual Clauses, providing contractual safeguards for your data.
• Supplementary Measures: Where necessary, we implement additional technical and organizational measures, such as encryption in transit and at rest, to supplement SCCs and ensure an adequate level of protection.

You may obtain a copy of the safeguards we use for international transfers by contacting our DPO at dpo@screenplaystudio.fun.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, and to resolve disputes. The specific retention periods are:

After the retention period expires, data is permanently deleted or irreversibly anonymized. Backups containing expired data are purged within 30 days of the retention period ending. When you delete your account, we initiate a 30-day grace period during which you may recover your account. After 30 days, all data is permanently and irreversibly deleted, except for payment records retained under legal obligation.

10. Your GDPR Rights

If you are located in the European Economic Area (EEA), the United Kingdom, or Norway, you have the following rights under the GDPR and applicable national data protection law. You may exercise these rights at any time by contacting us at dpo@screenplaystudio.fun or through the relevant functionality in your account settings.

10.1 Right of Access (Article 15 GDPR)

You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about the purposes of processing, categories of data, recipients, retention periods, and your rights. We will respond to access requests within one (1) month, extendable by two additional months for complex requests.

10.2 Right to Rectification (Article 16 GDPR)

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most account and profile data directly through your account settings. For data you cannot correct yourself, contact our DPO.

10.3 Right to Erasure / Right to Be Forgotten (Article 17 GDPR)

You have the right to request deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, you withdraw consent, the data was processed unlawfully, or erasure is required to comply with a legal obligation. You can delete your account through account settings, which will trigger deletion of all associated data (subject to legal retention requirements). Note that we cannot erase payment records we are legally obligated to retain.

10.4 Right to Restrict Processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, the processing is unlawful but you oppose erasure, or we no longer need the data but you require it for legal claims.

10.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON, Fountain, FDX), and to transmit that data to another controller. This right applies to data processed based on consent or contract performance and carried out by automated means. Our export features allow you to exercise this right directly from your account.

10.6 Right to Object (Article 21 GDPR)

You have the right to object to processing based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes.

10.7 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. You can withdraw consent through account settings, email preferences, or by contacting our DPO.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. For users in Norway, the relevant authority is:

We kindly request that you contact us first at dpo@screenplaystudio.fun to give us the opportunity to address your concern before filing a complaint.

11. CCPA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., data necessary to complete a transaction, detect security incidents, or comply with legal obligations).
• Right to Correct: You have the right to request that we correct inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need for an opt-out mechanism for sale or sharing.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your CCPA rights, contact us at dpo@screenplaystudio.fun. We will verify your identity before processing your request. We will respond to verifiable consumer requests within forty-five (45) days.

12. Children's Privacy

The Service is not intended for use by children under the age of sixteen (16). We do not knowingly collect, solicit, or maintain personal data from anyone under 16 years of age. If we become aware that we have collected personal data from a child under 16, we will promptly delete that data and terminate the associated account.

If you are a parent or guardian and believe that your child under 16 has provided us with personal data, please contact us immediately at dpo@screenplaystudio.fun, and we will take steps to remove the data from our systems.

This age requirement complies with Article 8 of the GDPR regarding conditions applicable to a child's consent in relation to information society services and the relevant provisions of the Norwegian Personal Data Act.

13. Security

We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Technical Measures

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at Rest: All data stored in our databases is encrypted at rest using AES-256 encryption.
• Password Hashing: User passwords are hashed using bcrypt with appropriate work factors, making them computationally infeasible to reverse.
• Row-Level Security (RLS): Our database implements row-level security policies ensuring that users can only access data they are authorized to view. This means that even in the event of an application-level vulnerability, database queries are restricted to authorized data only.
• Secure Authentication: We use industry-standard authentication protocols including secure session tokens, CSRF protection, and support for two-factor authentication.
• Content Security Policy (CSP): We implement strict CSP headers to mitigate cross-site scripting (XSS) and other injection attacks.
• Regular Updates: All software dependencies and infrastructure components are regularly updated to patch known vulnerabilities.

Organizational Measures

• Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls.
• Security Audits: We conduct periodic security assessments and code reviews to identify and remediate vulnerabilities.
• Incident Response: We maintain a documented incident response plan for detecting, responding to, and recovering from security incidents.
• Data Minimization: We collect and retain only the data necessary for the specified purposes, in accordance with the GDPR principle of data minimization.

While we take security seriously and implement industry best practices, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any security vulnerabilities that are discovered and notifying affected users in accordance with applicable law.

14. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, and understand how you interact with the Service. A cookie is a small text file stored on your device by your web browser.

We use the following categories of cookies:

• Strictly Necessary Cookies: Essential for the Service to function, including authentication session cookies, CSRF tokens, and security cookies. These cannot be disabled.
• Functional Cookies: Remember your preferences and settings (e.g., theme, language, editor preferences). Set with your consent.
• Analytics Cookies: Help us understand how users interact with the Service by collecting anonymized usage data. Set with your consent.

We do not use advertising cookies, tracking pixels, or any third-party advertising or retargeting technologies. We do not engage in cross-site tracking.

14.1 Vercel Analytics

We use Vercel Analytics, a privacy-friendly, cookieless web analytics service provided by Vercel Inc. (340 Pine Street, Suite 801, San Francisco, CA 94104, USA). Vercel Analytics helps us understand aggregate traffic patterns and page popularity so we can improve the Service.

Vercel Analytics does not use cookies and does not track individual users across sessions or websites. The data collected is aggregated and anonymised. Specifically, Vercel Analytics records:

• Page URL visited
• HTTP referrer (the page you came from)
• Browser and operating system (user-agent string)
• Country-level geographic region (derived from IP address — IP is not stored)
• Device type (desktop, mobile, tablet)

No personally identifiable information (PII) is stored by Vercel Analytics. Your IP address is used only to derive a country-level location and is immediately discarded. This data is processed on Vercel infrastructure under their Privacy Policy. The legal basis for this processing is our legitimate interest (Article 6(1)(f) GDPR) in operating and improving the Service.

Because Vercel Analytics does not use cookies or persistent identifiers, it does not require cookie consent under the ePrivacy Directive. If you prefer not to be counted, you may enable a "Do Not Track" browser signal or use a content-blocking browser extension.

For complete details about our cookie practices, including how to manage or disable cookies, please see our Cookie Policy.

15. Marketing Communications

We will only send you marketing communications (newsletters, product updates, feature announcements, promotional offers) if you have explicitly opted in to receive them. Marketing consent is:

• Opt-in only: You will never be enrolled in marketing communications by default. You must actively choose to subscribe.
• Separate from account creation: Creating an account does not subscribe you to marketing emails.
• Easily revocable: Every marketing email includes a one-click unsubscribe link. You can also manage marketing preferences in your account settings.
• Immediately effective: Unsubscribe requests are processed immediately, though previously scheduled emails may take up to 48 hours to cease.

Transactional emails (account verification, password resets, billing confirmations, security alerts, collaboration invitations, critical service notifications) are not marketing communications and will be sent as necessary regardless of your marketing preferences, as they are essential to the operation of your account.

16. Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

• Notify the supervisory authority (Datatilsynet) without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, as required by Article 33 of the GDPR. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address and mitigate the breach.
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR. Notification will be made via email to the address associated with your account and, where appropriate, via a prominent notice on the Service.

Our notification to affected users will clearly describe, in plain language:

• The nature of the breach and what data was affected.
• What we are doing to address and mitigate the breach.
• What steps you can take to protect yourself (e.g., changing passwords).
• Contact details for our DPO for further questions.

We maintain an internal breach register documenting all personal data breaches, regardless of whether they are reportable to the supervisory authority or affected individuals.

17. Automated Decision-Making

We do not engage in automated individual decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR.

Our Service may use automated processes for:

• Spam detection in community features — flagging potentially spam content for human review.
• Rate limiting and abuse prevention — automatically throttling requests that exceed normal usage patterns. IP addresses that exceed rate limits receive a temporary block (typically 60 seconds); no permanent record of blocked IPs is retained beyond the active window.
• Basic personalization — displaying recently used features or projects.
• @mention detection — when a comment or post is submitted, our system parses the text for @username patterns to identify mentioned users and generate notifications. This is a rule-based string-matching process with no AI or machine learning. No content analysis beyond username extraction is performed.
• Bot and scraper detection — automated analysis of request patterns, user agent strings, and request frequency to identify and block AI training crawlers and abusive scrapers. No personal data is stored as a result of this process beyond what is already captured in standard server request logs.

None of these automated processes make decisions that have legal or similarly significant effects on you. Moderation actions affecting your account are always subject to human review.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

• General Changes: We will post the updated Privacy Policy on the Service and update the "Last updated" date at the top of this page. We will provide at least thirty (30) days' notice before changes take effect.
• Material Changes: For changes that materially affect how we collect, use, or share your personal data, we will notify you via email to the address associated with your account at least thirty (30) days before the changes take effect. We will clearly describe the material changes in our notification and, where required by law, obtain your consent before the changes apply.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the revised policy, except where your consent is required for specific changes.

19. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance. You may contact our DPO for any questions or concerns regarding this Privacy Policy, how we process your personal data, or to exercise your data protection rights:

Our DPO will acknowledge receipt of your inquiry within two (2) business days and provide a substantive response within one (1) month, extendable by two additional months for complex matters with prior notification.

20. Contact

For general inquiries about this Privacy Policy or our data practices that are not specifically related to data protection rights (which should be directed to the DPO), you may contact us: