Privacy Policy
Last updated: April 15, 2026
CharmWriter ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the CharmWriter platform ("Service").
We are based in the Czech Republic and comply with the General Data Protection Regulation (GDPR) and applicable Czech data protection laws.
1. Data Controller
CharmWriter is the data controller for your personal data. For privacy inquiries, contact us at privacy@charmwriter.com.
2. What Data We Collect
| Data Type | Examples | Purpose |
|---|---|---|
| Account data | Email address, password (hashed) | Authentication and account management |
| Creative content | Manuscripts, story bible, session transcripts, chat history | Core service delivery |
| Voice recordings | Audio input for speech-to-text | Transcription (processed, not stored) |
| Payment data | Payment method, transaction history | Payment processing (handled by Stripe) |
| Usage data | Pages visited, features used | Analytics and service improvement (no PII) |
| Technical data | Browser type, error logs | Debugging and service reliability |
3. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contractual necessity (Art. 6(1)(b)) |
| Storing and managing your creative writing | Contractual necessity |
| Sending text to AI providers for generation | Contractual necessity (core service) |
| Voice recording processing | Consent (Art. 6(1)(a)) |
| Payment processing via Stripe | Contractual necessity |
| Error monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Analytics (Plausible) | Legitimate interest (no personal data) |
| Financial record keeping | Legal obligation (Art. 6(1)(c)) |
4. How We Share Your Data
We share your data with the following sub-processors, each bound by a Data Processing Agreement:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database & authentication | All user data | EU |
| Anthropic (Claude) | AI text generation | Prompts, conversation context | EU / US |
| OpenAI (GPT, Whisper) | AI text generation, speech-to-text | Prompts, voice audio | EU / US |
| Stripe | Payment processing | Email, payment method | EU / US |
| Railway | Application hosting | All data in transit | EU |
| Sentry | Error monitoring | Error data, browser info | US |
| Plausible | Privacy-friendly analytics | No personal data | EU |
4.1 AI Provider Data Handling
Neither Anthropic nor OpenAI uses your API data to train their AI models. Your creative content is processed to generate responses and then deleted per their retention policies:
- Anthropic: retains API data for up to 7 days for abuse monitoring, then deletes
- OpenAI: retains API data for up to 30 days for abuse monitoring, then deletes
We do not use your content to train any AI models, and we do not share your content with anyone beyond the sub-processors listed above.
5. Cross-Border Data Transfers
Some of our sub-processors operate outside the EU. All cross-border transfers are protected by:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with each sub-processor
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of your account + 30 days after deletion |
| Creative content (projects) | Duration of your account |
| Voice recordings | Not stored; processed and discarded immediately |
| Payment records | 7 years (Czech tax law requirement) |
| Server & error logs | 30–90 days |
| Analytics | Indefinite (no personal data collected) |
7. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right to access: request a copy of all your personal data
- Right to erasure: request deletion of your account and all data
- Right to data portability: export your data in a structured format (Markdown + JSON)
- Right to rectification: correct inaccurate personal data
- Right to restrict processing: limit how we process your data
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent: withdraw consent for voice recording at any time
You can exercise most of these rights directly in the app through Settings → Privacy & Data (data export, account deletion, voice consent). For other requests, email privacy@charmwriter.com. We will respond within 30 days.
8. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Czech Data Protection Authority (ÚOOÚ):
Úřad pro ochranu osobních údajů (ÚOOÚ)
Plk. Sochora 27, 170 00 Prague 7, Czech Republic
uoou.gov.cz
9. Children
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn we have collected data from a child under 16, we will delete it promptly.
10. Cookies
We use only strictly necessary cookies for authentication and payment security. We do not use tracking cookies or advertising cookies. See our Cookie Policy for details.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
12. Contact
For privacy-related questions or to exercise your data rights:
Email: privacy@charmwriter.com