1. Who We Are
ScribeMaster is an AI-powered session chronicle tool for tabletop roleplaying groups, operated by an independent developer. When this policy says "we," "us," or "our," it means the operator of ScribeMaster. Our contact address for privacy matters is choule@gmail.com.
For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we act as the data controller for the personal data described in this policy.
2. Data We Collect
We collect the following categories of personal data when you use ScribeMaster:
Account data — your email address, display name, and (if you sign in with Google) your Google profile picture URL and Google account identifier. We store a hashed version of your password; we never store your password in plain text.
Audio and video files — recordings you upload or link to (e.g. YouTube URLs) for transcription and analysis. These are stored on our servers for as long as your account is active or until you delete the session.
Transcripts — text generated by automated speech recognition from your audio files. Transcripts are stored alongside the session data and deleted when you delete the session or your account.
AI analysis output — session summaries, scene descriptions, character and location entities, and recaps generated by Anthropic's Claude API from your transcripts. This content is stored in your account and deleted when you choose.
Usage and billing data — your subscription tier, transcription minutes used per billing period, total storage used, and (if you subscribe) your Stripe customer identifier. We do not store full payment card details; those are handled directly by Stripe.
Technical data — server logs including IP addresses, request timestamps, HTTP method and status codes, and user-agent strings. These are retained for up to 90 days for security and debugging purposes.
Session data — an authentication token stored in your browser's localStorage to keep you logged in. See Section 7 (Cookies) for details.
3. Why We Collect It (Legal Basis)
Contract performance — account data, uploaded files, transcripts, and AI output are processed to provide the Service you signed up for. Without this data we cannot operate ScribeMaster.
Legitimate interests — server logs and usage counters are processed to maintain security, diagnose bugs, enforce fair-use limits, and improve the Service. These interests do not override your privacy rights.
Legal obligation — we may retain certain records where required by applicable law.
Consent — where we ask for your consent (e.g. the cookie notice for non-essential cookies), you can withdraw it at any time. We currently use only essential session cookies; no consent is required for those.
4. How Long We Keep It
Account data, uploaded files, transcripts, and AI output are retained for as long as your account is active. When you delete a session or campaign, the associated files are removed from our active storage immediately. When you delete your account, a 30-day grace period begins during which you can restore your account by logging in again. After 30 days, all your data is permanently and irreversibly deleted by an automated process.
Server logs are retained for up to 90 days and then deleted automatically.
Backup copies may persist in encrypted off-site backups for up to 30 days after active deletion before being purged.
5. Who We Share It With
Anthropic (Claude API) — transcript text is sent to Anthropic's Claude API for analysis, entity extraction, and summarization. Anthropic processes this data as a data processor on our behalf under their API terms. Anthropic may be located in the United States. By using ScribeMaster you acknowledge and consent to this transfer.
Stripe — if you subscribe to a paid plan, your payment is processed by Stripe. Stripe receives your email address and billing information. We do not share your audio files or transcripts with Stripe.
Hosting infrastructure — our servers are hosted on cloud infrastructure (VPS / dedicated server). The operator has physical and logical access to server resources but is contractually bound by data processing obligations.
No advertising or data brokers — we do not sell, rent, or share your personal data with advertisers, data brokers, or any third party for marketing purposes, ever.
Legal requirements — we may disclose data if required by law, court order, or to protect the rights, property, or safety of ScribeMaster, our users, or the public.
6. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data. To exercise any of them, email us at choule@gmail.com. We will respond within 30 days.
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Art. 15) | Receive a copy of all personal data we hold about you. | Use the Download My Data button in Settings, or email us. |
| Rectification (Art. 16) | Correct inaccurate or incomplete data. | Update your name and email in Settings, or email us. |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"). | Use the Delete My Account button in Settings. Data is permanently erased after a 30-day grace period. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format. | Use the Download My Data button in Settings to download a ZIP containing JSON and text files. |
| Restriction (Art. 18) | Ask us to pause processing of your data while a dispute is resolved. | Email us at choule@gmail.com. |
| Objection (Art. 21) | Object to processing based on legitimate interests (e.g. server logs). | Email us. We will assess whether our legitimate interests override your objection. |
| Withdraw consent | Withdraw any previously given consent at any time without affecting prior processing. | Email us or update your cookie preference in your browser. |
You also have the right to lodge a complaint with your national data protection authority. For EU residents, a list of supervisory authorities is available at edpb.europa.eu. For UK residents, the relevant authority is the Information Commissioner's Office (ICO).
7. Cookies
ScribeMaster uses one essential cookie mechanism: an authentication token stored in your browser's localStorage. This token identifies your logged-in session and is required for the Service to function. It contains no personal data beyond your anonymous user ID, and it expires after 30 days or when you log out.
We do not use tracking cookies, advertising cookies, analytics cookies (e.g. Google Analytics), or any third-party cookies. We do not fingerprint your device or track your behaviour across other websites.
We also store a single cookie_ok flag in localStorage to remember that you dismissed the cookie notice. This is not a cookie and contains no personal data.
8. Data Security
We take reasonable technical and organisational measures to protect your data, including:
— All data in transit is encrypted using TLS 1.2 or higher.
— Passwords are hashed using bcrypt before storage; plaintext passwords are never stored or logged.
— Access to production systems is restricted to the operator and protected by SSH key authentication.
— Audio files, transcripts, and generated content are stored on server-local storage accessible only through the authenticated API.
No security measure is perfect. If you discover a vulnerability, please report it responsibly to choule@gmail.com.
9. International Data Transfers
ScribeMaster is operated from the United States. If you access the Service from the EEA, UK, or another jurisdiction with data transfer restrictions, your data (including transcripts sent to the Claude API) may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your home jurisdiction.
Where required, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent transfer mechanisms, to legitimise such transfers.
10. Data Processing Agreement (DPA)
If you are a business customer who requires a Data Processing Agreement (DPA) for GDPR compliance — for example, because your users' data passes through ScribeMaster — please contact us at choule@gmail.com and we will work with you to put appropriate contractual arrangements in place.
11. Children's Privacy
ScribeMaster is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify you by email or by displaying a prominent notice in the app at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
For any privacy questions, data subject requests, or concerns, contact us at choule@gmail.com. We aim to respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with your national data protection authority.
ScribeMaster is operated by an independent developer. This document does not constitute legal advice. If you have specific legal concerns, consult a qualified attorney or data protection specialist.