Privacy Policy

Your Privacy Is Our Architecture

At SceneCraft, privacy is not an afterthought — it is the foundation. Your creative work is encrypted in your browser before it ever leaves your device. We cannot read it. Nobody can.

Effective: May 30, 2025 · GDPR · CCPA · LGPD Compliant · AES-256-GCM Encrypted

01. Overview & Our Privacy Commitment

Crevolve Infosoft Pvt Ltd, a company incorporated in India, trading as SceneCraft ("we," "our," or "us"), operates scenecraft.ink and all associated sub-domains, applications, and APIs (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, disclose, and protect information about you when you access or use the Service.

By creating an account or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.

We are committed to protecting your personal data in compliance with applicable privacy laws globally, including but not limited to:

  • European Union: General Data Protection Regulation (GDPR) and the UK GDPR.
  • United States: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other applicable state laws.
  • Brazil: Lei Geral de Proteção de Dados (LGPD).
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial equivalents.
  • India: Digital Personal Data Protection Act (DPDPA) 2023.
  • Australia: Privacy Act 1988 and the Australian Privacy Principles (APPs).
  • Japan: Act on Protection of Personal Information (APPI).
  • South Korea: Personal Information Protection Act (PIPA).
  • Other jurisdictions: We endeavour to meet the highest applicable standard wherever our users are located.

02. Information We Collect

2.1 Information You Provide Directly

  • Account Registration: Name, email address, and password (stored as a one-way salted hash — we never store your plaintext password).
  • Profile Data: Display name, studio name, and optional avatar URL.
  • Payment Information: When you purchase a subscription or credit top-up, payment card details are collected and processed directly by Paddle, our Merchant of Record. We do not store or process raw card numbers on our servers; Paddle handles all payment card data under PCI-DSS compliance. We receive only a tokenised subscription reference and transaction status from Paddle.
  • Communications: Messages you send us via support tickets, bug reports, or feature requests.
  • Two-Factor Authentication: If you enable TOTP 2FA, we store your encrypted TOTP secret to validate authentication tokens. Your authenticator app seed is never transmitted in plaintext after initial setup.

2.2 Script Content & Creative Data

All screenplay content you create within SceneCraft — including scene descriptions, dialogue, character profiles, backstories, motivations, story beats, act structures, and loglines — is end-to-end encrypted with AES-256-GCM in your browser before being transmitted to or stored on our servers. We store only opaque ciphertext. Please refer to Section 03 (End-to-End Encryption) for full details.

2.3 Usage & Technical Data

  • Log Data: IP address, browser type and version, operating system, referring URLs, pages visited, and timestamps of access.
  • Device Information: Hardware model, operating system version, unique device identifiers, and mobile network information.
  • API Usage Metrics: We track which AI features are used (e.g., scene generation, script analysis), token consumption per operation, credit balances, and queue job statuses. These metrics are used for billing, abuse prevention, and product improvement.
  • Session Data: Authentication tokens (JWT access tokens and refresh tokens) are stored securely; refresh tokens are stored server-side in a hashed form.

2.4 Collaboration Data

When you share a project with collaborators, we store the invite metadata (invited email, role, status, expiry) and collaborator relationships. The project encryption key shared with collaborators is cryptographically wrapped and never accessible to us in plaintext.

03. End-to-End Encryption

SceneCraft employs client-side AES-256-GCM encryption for all screenplay content. This means your creative work is encrypted inside your browser before it is transmitted to our servers. The encryption key is derived from your account credentials and never leaves your device in recoverable form.

What This Means in Practice

  • We cannot read your scripts. Our servers store only ciphertext blobs. Without your encryption key — which only you possess — the data is mathematically indecipherable.
  • Our employees cannot access your content. No staff member, engineer, or administrator can read your screenplay content, character bibles, dialogue, or beats.
  • Law enforcement limitations. Because we do not hold the decryption keys, we are technically unable to produce plaintext content in response to law enforcement requests. We can only provide the encrypted ciphertext blobs and account metadata (email, name, timestamps).
  • Collaboration key wrapping. When you share a project, a unique project encryption key is cryptographically wrapped using the invited collaborator's derived key and delivered via a secure invite token. We never see the plaintext project key.
  • Key loss is permanent. If you lose access to your account credentials and cannot recover them, your encrypted content cannot be recovered. We strongly recommend using a password manager and enabling 2FA.

Technical Note: All creative content fields (sluglines, dialogue, character backstories, motivations, arcs, beat descriptions, and loglines) are individually encrypted using AES-256-GCM with random IVs before storage. Metadata such as scene type labels, position integers, and timestamp fields are stored in plaintext and are visible to us.

04. How We Use Your Information

We use the information we collect for the following purposes, each grounded in a lawful basis under applicable law:

4.1 Service Delivery (Contractual Necessity)

  • Creating and managing your account and authentication sessions.
  • Processing AI generation requests, delivering streamed screenplay output, and managing job queues.
  • Managing your credit wallet — tracking consumption, grants, and top-up vouchers.
  • Processing subscription payments and maintaining billing records.
  • Facilitating project collaboration and encrypted key distribution.
  • Storing and serving your encrypted screenplay data.

4.2 Security & Fraud Prevention (Legitimate Interest / Legal Obligation)

  • Detecting, investigating, and preventing unauthorized access, abuse, or malicious activity.
  • Monitoring for patterns indicative of credential stuffing, API abuse, or credit fraud.
  • Enforcing our Terms of Service, including account suspension when violations are detected.
  • Complying with legal obligations, court orders, and requests from competent authorities.

4.3 Service Improvement (Legitimate Interest)

  • Analysing aggregate, anonymised usage metrics to improve AI prompt quality, performance, and reliability.
  • Debugging errors, crashes, and performance issues.
  • Developing new features informed by usage patterns and user feedback.

4.4 Communications (Consent / Contractual)

  • Sending transactional emails (account verification, password reset, invoice receipts, security alerts).
  • Sending service-related announcements (material policy changes, planned downtime, new features).
  • Marketing communications only where you have explicitly opted in.

4.5 Legal Compliance

  • Meeting obligations under applicable tax, financial, and corporate laws.
  • Responding to valid legal process from competent authorities.

05. Data Sharing & Disclosure

We do not sell your personal data. We do not rent, trade, or share your personal data with third parties for their own marketing purposes. We may share information only in the following limited circumstances:

5.1 Service Providers (Data Processors)

We engage carefully vetted third-party service providers who process data on our behalf under binding Data Processing Agreements (DPAs). These include:

  • AI Model Providers: When you use AI generation features, decrypted prompt context (derived from your encrypted content, assembled client-side where possible) is transmitted to AI model providers. These providers are bound by data processing agreements that prohibit training on your content.
  • Payment Processing — Paddle (Merchant of Record): All subscription and credit purchases are processed by Paddle.com Market Limited ("Paddle"), acting as the Merchant of Record. When you make a purchase, your payment details are collected and processed directly by Paddle under Paddle's Privacy Policy. Paddle handles payment card data, invoicing, sales tax collection, and chargeback disputes. We receive only a tokenised subscription reference and transaction status — we never see or store your raw card numbers. Paddle may process your personal data in countries outside your jurisdiction; please review Paddle's privacy policy for details of those transfers and your rights as a Paddle customer.
  • Cloud Infrastructure: Hosting, database, and object storage providers that host our servers and store encrypted ciphertext. They cannot access your plaintext content.
  • Email Delivery: Transactional email providers for sending verification, invoice, and security notification emails.
  • Analytics: Aggregate, anonymised product analytics. No personal identifiers are shared.

5.2 Legal Requirements

We may disclose account metadata (not encrypted content, which we cannot decrypt) when required by law, regulation, legal process, or governmental request, provided we are legally permitted to notify you in advance where possible.

5.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. You will be notified via email or prominent in-app notice before your data is transferred and becomes subject to a different privacy policy.

5.4 Protection of Rights

We may disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.

06. International Data Transfers

SceneCraft operates globally and your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from the laws of your country.

6.1 Transfers from the European Economic Area (EEA), UK & Switzerland

Where we transfer personal data from the EEA, UK, or Switzerland to third countries, we rely on appropriate safeguards including:

  • European Commission adequacy decisions.
  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO.
  • Binding Corporate Rules where applicable.

6.2 Cross-Border Transfers Generally

For all international transfers, we implement contractual protections, technical safeguards (including end-to-end encryption), and organisational measures to protect your data to a standard at least equivalent to that required in your home jurisdiction.

By using the Service, you acknowledge that your data may be processed in countries outside your jurisdiction. If you have questions about international transfers, please contact us at [email protected].

07. Your Rights & Choices

Depending on your jurisdiction, you have a number of rights regarding your personal data. We honour all rights where required by applicable law, and we apply many of them universally as a matter of principle.

7.1 Universal Rights (Available to All Users)

  • Right of Access: You may request a copy of the personal data we hold about you (account metadata, usage logs, billing records).
  • Right to Rectification: You may correct inaccurate personal data via your account settings or by contacting us.
  • Right to Erasure / Account Deletion: You may request deletion of your account. Upon account deletion, all encrypted ciphertext blobs associated with your account are permanently deleted from our servers within 30 days. Because we cannot decrypt this data, it becomes permanently irrecoverable. Billing records required for legal compliance (typically 7 years) are retained in anonymised or minimal form.
  • Right to Portability: You may export your projects to PDF or Final Draft (.fdx) format at any time from within the application. This export happens client-side after decryption in your browser.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

7.2 EEA / UK / Swiss Residents (GDPR Rights)

  • Right to Restriction of Processing: In certain circumstances, you may request that we limit the processing of your personal data.
  • Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).
  • Automated Decision-Making: We do not make decisions solely based on automated processing that produce legal or similarly significant effects on you.

7.3 California Residents (CCPA / CPRA Rights)

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell).
  • Right to Delete: You may request deletion of your personal information, subject to legal exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal data for cross-context behavioural advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

7.4 How to Exercise Your Rights

To exercise any of these rights, please email [email protected] with "Privacy Request" in the subject line. We will respond within the timeframe required by applicable law (typically 30 days for GDPR; 45 days for CCPA). We may need to verify your identity before processing certain requests.

08. Data Retention

  • Active Accounts: We retain your personal data for as long as your account is active or as needed to provide the Service.
  • Deleted Accounts: Upon account deletion request, we begin a 30-day deletion process for all encrypted screenplay content and personal data not required for legal compliance.
  • Billing & Transaction Records: Financial transaction records are retained for up to 7 years to comply with tax and accounting obligations.
  • Suspended Accounts: Data for accounts suspended due to fraud, abuse, or Terms of Service violations may be retained longer to support ongoing investigations, legal proceedings, or chargeback/dispute resolution processes.
  • Log Data: Server access logs and security logs are retained for up to 12 months, then deleted or anonymised.
  • Marketing Preferences: Records of consent or opt-out for marketing communications are retained indefinitely to evidence compliance.

09. Cookies & Tracking

We use a minimal set of cookies and similar tracking technologies necessary to operate the Service:

9.1 Strictly Necessary Cookies

  • Authentication Tokens: Short-lived JWT access tokens and longer-lived refresh tokens used to maintain your session. These are essential for the Service to function. They cannot be disabled.
  • Security Cookies: CSRF protection tokens and other security headers.

9.2 Functional Cookies

  • User preference cookies (e.g., editor settings, language preferences) stored locally.

9.3 Analytics (Where Enabled)

Where applicable, we may use privacy-preserving analytics that do not track individuals across sites, do not store IP addresses beyond aggregation, and do not build advertising profiles.

9.4 No Third-Party Advertising Cookies

We do not use advertising networks, tracking pixels, or cookies for cross-site behavioural advertising. We do not share data with social media platforms for retargeting purposes.

You can control cookies through your browser settings; however, disabling strictly necessary cookies will prevent the Service from functioning.

10. Security Measures

We implement a defence-in-depth approach to security, combining technical, administrative, and organisational safeguards:

  • Client-Side AES-256-GCM Encryption: All screenplay content is encrypted in your browser before transmission.
  • Transport Layer Security: All data in transit is protected by TLS 1.2 or higher.
  • Password Security: Passwords are hashed using strong, salted one-way hashing algorithms (bcrypt / Argon2). We never store plaintext passwords.
  • Two-Factor Authentication (TOTP): Users may enable TOTP 2FA for an additional layer of account protection.
  • Access Controls: Internal access to production systems is restricted on a need-to-know basis with multi-factor authentication required for all privileged access.
  • Secure Token Lifecycle: Authentication tokens have limited lifespans, refresh tokens are stored in hashed form server-side, and all active sessions can be invalidated on logout or security events.
  • Rate Limiting & Anomaly Detection: APIs are rate-limited and monitored for abuse patterns. Accounts exhibiting suspicious behaviour may be automatically flagged for review.

Despite these measures, no security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authorities as required by applicable law.

11. Children's Privacy

The Service is intended for users who are at least 16 years of age (or 13 years of age in jurisdictions where a lower minimum age is permitted, provided parental or guardian consent is obtained). We do not knowingly collect personal information from children under the applicable minimum age.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us at [email protected]. We will promptly delete such information upon verified request.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you via:

  • Email notification to your registered email address at least 14 days before the changes take effect.
  • A prominent in-app banner or modal upon your next login.
  • An updated "Effective Date" at the top of this page.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy. If you do not agree with the changes, you may delete your account prior to the effective date.

13. Contact & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Crevolve Infosoft Pvt Ltd

Trading as: SceneCraft · scenecraft.ink

Privacy & Data Protection: [email protected]

Subject line: "Privacy Request — [Your Full Name]"

For GDPR-specific inquiries from EEA, UK, or Swiss residents, you may also contact us to request the identity and contact details of our Data Protection Officer (DPO). We will respond to all privacy-related inquiries within 72 hours to acknowledge receipt, and within the applicable statutory period for substantive responses.