Privacy Policy

Last updated: 2026-06-14

1. Our Privacy Promise

NovelAide is built around a local-first desktop workspace. Your project files and manuscripts are stored on your device by default, and NovelAide does not provide first-party manuscript cloud sync or use your manuscripts to train models.

When you choose cloud AI features, the selected text, story context, retrieved evidence, prompts, and generated responses needed for that task may be transmitted through NovelAide’s gateway and third-party AI providers. The data that reaches our servers is limited to what is necessary to operate your account, process payments, route AI requests, secure the service, and support the retention periods described below.

2. Data We Collect

Account data

  • Email address (for email-code sign-in and essential notifications)
  • Email verification code metadata (short-lived, stored only long enough to complete sign-in)
  • Display name (optional)
  • Locale preference

Billing data

  • Purchase history and prepaid balance
  • Payment metadata returned by our payment provider (last four digits of card, country, etc.)
  • We do not store full payment card numbers — those are held by Lemon Squeezy and its payment infrastructure.

AI request metadata

For every AI request:

  • The model you used
  • Token counts (input + output)
  • Cost in USD-denominated usage units
  • Timestamp
  • Request ID

Prompt and response content may include manuscript snippets or story-bible context when you invoke AI features. NovelAide may process that content to route the request, return the response, calculate usage, secure the service, and investigate abuse or reliability issues. Third-party AI providers may also process or retain prompts and responses under their own policies — see Section 9.

Diagnostic data (opt-in only)

  • Anonymous crash reports and basic usage metrics (e.g. feature open counts) — only if you opt in during onboarding.

Information we do not use or provide

  • Your manuscripts for model training
  • First-party cloud sync or hosted manuscript storage
  • Long-term IP address records — your IP appears only in server logs, retained no longer than the window described in Section 8

3. Cookies and Similar Technologies

We use a minimal set of cookies and similar storage to operate the marketing website and the Services:

  • Strictly necessary cookies: a small set of bot-mitigation and load-balancing cookies set by our infrastructure provider (for example, __cf_bm and similar). These cannot be disabled without breaking the site.
  • Authentication / session storage: set by the desktop application and (if applicable) the account web pages to keep you logged in.
  • Preference storage: language and theme selections stored in localStorage on your device.

We do not use third-party advertising cookies or cross-site tracking pixels. Most browsers allow you to control cookies via settings; blocking strictly-necessary cookies may impair the Services.

4. How We Use Your Data

  • Provide and improve the Services
  • Process payments and prevent fraud
  • Send essential transactional emails (account verification, billing, security)
  • Comply with legal obligations
  • Anonymized aggregate analytics (counts of active users, feature usage trends, error rates) — derived from data already collected and irreversibly de-identified so that no individual can be re-identified

We do not sell your personal information. We do not use your data for advertising. We do not use your manuscripts to train AI models.

5. Automated Decision-Making

We do not subject you to decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you (within the meaning of GDPR Article 22).

The AI features in the Software generate creative-writing output in response to your prompts. This output is informational only; it is reviewed by you before any use and does not constitute a decision about you.

Fraud-detection and rate-limiting systems may apply consequential automated actions (e.g. temporary account suspension when our systems detect signals consistent with abuse). Such actions are subject to human review on appeal — contact [email protected] to dispute an automated decision. We will respond within 30 days, consistent with Section 7.

We process your personal data under the following legal bases:

  • Contract performance — to provide the Services you signed up for
  • Legitimate interests — to secure our infrastructure and prevent abuse
  • Consent — for optional diagnostic data and marketing emails
  • Legal obligation — when required by law

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Delete your account and associated data
  • Export your data in a portable format
  • Object to certain processing
  • Withdraw consent at any time
  • Lodge a complaint with your local data protection authority

To exercise these rights, contact [email protected]. We will respond within 30 days.

California (CCPA / CPRA) residents have additional rights, including the right to know and the right to delete. We do not sell or share personal information for cross-context behavioral advertising.

Do Not Track (DNT): There is currently no industry consensus on how to respond to “Do Not Track” browser signals. Accordingly, we do not respond to DNT signals at this time, but you remain free to exercise any of the rights above.

8. Data Retention

  • Account data: retained while your account is active; deleted within 30 days of account closure
  • Billing records: retained for 7 years for tax and accounting purposes
  • AI request metadata: retained for 90 days for billing audit, then aggregated
  • Server logs: retained for 30 days

9. Third-Party Processors

We rely on third-party service providers to operate the Services. The table below describes data flows by category; specific providers may evolve as our infrastructure changes.

Category | Purpose | Location
Cloud infrastructure provider | Hosting, database, key-value store, object storage | United States
Transactional email provider | Account verification, security and billing notifications | US / EU
Third-party AI service providers | AI model inference | Primarily US
Lemon Squeezy | Payment processing, tax handling, receipts, refunds, fraud prevention | US / EU / global as needed for payment processing

When you use AI features, your prompts are transmitted to the selected AI provider. Their privacy policies apply. We pass through their retention defaults; we do not opt your data into their training datasets.

To request the current list of specific providers (including names and contact information), please contact [email protected].

10. International Transfers

Your personal data is primarily stored and processed in the United States, using our infrastructure provider’s US data centers. AI inference requests are transmitted to AI service providers also located primarily in the United States. If you access the Services from outside the United States, your data will be transferred to and processed in the United States — a country whose data protection laws may differ from those in your jurisdiction.

Where required (for example, transfers from the European Economic Area, the United Kingdom, or other regions with adequacy or transfer-mechanism requirements), we rely on the data processing agreements provided by our processors, which include applicable Standard Contractual Clauses (SCCs) or equivalent safeguards.

11. Children

The Services are not intended for users under the age permitted by Section 2 of the Terms of Service. If we learn that we have collected data from a child, we will delete it promptly.

12. Security

We use industry-standard measures including TLS in transit, encryption at rest for credentials, and least-privilege access controls. No system is perfectly secure; report vulnerabilities to [email protected] (please include reproduction steps and refrain from public disclosure until we have had reasonable time to investigate).

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, as required by GDPR Article 33 (and analogous obligations under CCPA, LGPD, PIPL, and similar laws in your jurisdiction).
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed.
  • Maintain an internal log of all data breaches, regardless of notification thresholds, for accountability.

Notifications will be sent to the email address on file. If you suspect a data breach affecting your account, contact [email protected] immediately.

14. Changes to This Policy

We will notify you of material changes via email or in-app at least 14 days before they take effect.

15. Contact