Privacy Policy

Overview

This Privacy Policy explains how Scriptlyfy ("we", "our", "us") collects, uses, discloses, safeguards, and enables control over information relating to an identified or identifiable person ("Personal Data"). By accessing or using the platform you acknowledge this Policy. If you do not agree, discontinue use.

Design Principles: (i) Purpose limitation, (ii) Data minimization, (iii) Layered access controls, (iv) Transparency & user choice, (v) Security by configuration not secrecy.

This Policy is written for global relevance. Specific rights may vary depending on your jurisdiction (e.g., EEA / UK / certain U.S. states). We implement a "highest common denominator" operational baseline rather than maintaining fragmented rule sets.

Information We Collect

We differentiate between raw ingestion materials, transformed/derived intelligence, operational telemetry, and voluntary user-supplied inputs.

• Account & Contact: Email, display name (optional), organization / role labels, authentication identifiers.
• Usage & Diagnostics: Feature invocation events, request timing, coarse region (for latency routing + abuse mitigation), error fingerprints.
• Research Inputs: Public profile identifiers, media references, extracted transcripts, structural segmentation metadata, candidate hook snippets.
• Derived Intelligence: Pattern embeddings, statistical frequency surfaces, anonymized topic clusters, scoring heuristics.
• Support Communications: Messages sent to our support email; meta (timestamps, resolution state).
• Consent & Preference Signals: Email opt-in, analytics opt-out flags, cookie preferences (where applicable).

We do not intentionally collect: government ID numbers, precise geolocation, biometric templates, or payment card PAN directly (payment processors handle sensitive financial instruments).

Legal Bases

Where data protection law (e.g. GDPR / UK GDPR) applies, our processing relies on one or more of:

• Contract Necessity: To deliver core platform functionality you request.
• Legitimate Interests: Product security, fraud detection, service improvement, aggregated analytics (balanced against user rights).
• Consent: Optional communications (e.g., product updates) and any non-essential cookies or tracking (if/when implemented).
• Legal Obligations: Responding to valid law enforcement or regulatory requests; maintaining audit or tax records.
• Protection of Vital / Public Interest: Rare; only if required to prevent serious harm or comply with public interest mandates.

How We Use Data

• Provision of Service: Authenticate sessions, process ingestion jobs, generate enriched outputs.
• Quality & Relevance: Tune extraction heuristics, reduce error rates, improve ranking / classification strategies.
• Security & Abuse Mitigation: Detect anomalous request patterns, throttle abusive automations, preserve platform integrity.
• Analytics (Aggregated): Non-identifying usage metrics to guide roadmap prioritization.
• Communication: Transactional notices (material changes, security advisories), optional product updates (with opt-out/opt-in controls).
• Research & Development: Evaluate anonymized pattern performance to refine models.

We do not sell Personal Data. We do not permit third parties to use platform-level behavioral data for their independent advertising networks.

Cookies & Tracking Technologies

As of the latest update we operate with a minimal tracking posture. Any cookies or local storage values are restricted to strictly necessary functions (session continuity, fraud prevention, preference persistence) unless a future optional analytics module is explicitly consented to.

• Essential: Maintain authenticated state, implement rate shaping, record consent preferences.
• Performance / Diagnostics (Optional): May be introduced to understand feature latency & error ratios—disabled by default where consent is required.

If expanded categories are added we will surface a granular consent interface prior to activation (regionally adaptive for applicable jurisdictions).

Data Minimization

Collection pipelines are engineered to strip non-essential tokens early, discard transient intermediary buffers after transformation, and store only artifacts required for reproducibility or iterative improvement. Internal access to raw ingestion assets is time-bound & audit logged.

Data Retention

Retention aligns with functional necessity, user expectations, and defensible legal bases. When a retention horizon expires we either delete, aggregate, or irreversibly de-identify data.

• Account Credentials / Core Profile: Stored until account deletion request or 24 months of inactivity.
• Transcripts & Enrichment Outputs: Active while associated project remains active; purgeable upon verified request. Aggregated statistics may persist.
• Operational Logs: 30–180 days (rotating window) except security anomaly excerpts retained longer for forensics.
• Support Tickets: Up to 24 months for continuity & dispute mediation.
• Backups: Encrypted backups roll on a fixed rotation; deletion requests propagate on next cycle.

Security

Security controls emphasize layered isolation, least privilege, and rapid patch cadence:

• Encryption in transit (TLS) & encryption at rest for primary data stores.
• Principle of least privilege role segmentation across service components.
• Access logging & anomaly detection around administrative and data export operations.
• Dependency surface review & automated vulnerability advisories.
• Segregated environments for test vs. production pipelines.

No system can guarantee absolute security; we commit to continuous improvement and transparent notification of material incidents.

Incident Response

We maintain an internal lightweight incident playbook:

1. Detection: Alert triggers (anomaly metrics, integrity checks, external reports).
2. Containment: Isolate affected components, revoke compromised credentials, apply compensating controls.
3. Assessment: Classify impact scope (confidentiality / integrity / availability) & affected data categories.
4. Notification: If legally required or materially impactful, we will notify affected users without undue delay while preserving investigative efficacy.
5. Remediation & Postmortem: Root cause analysis, corrective actions, control hardening, documentation.

International Transfers

Infrastructure may process data in jurisdictions different from the user’s location. Where transfers from the EEA / UK / Switzerland occur we rely on: (i) adequacy determinations where available, and/or (ii) Standard Contractual Clauses (SCCs) with supplemental technical & organizational safeguards (encryption, access minimization, logging). We periodically reassess risk factors (government access, legal landscape changes).

Automated Decisions

We employ algorithmic scoring to rank pattern relevance and generate hook candidates. These processes do not produce legal or similarly significant effects on individuals. No fully automated adverse eligibility determinations are performed. Human oversight governs material platform enforcement actions.

Your Rights

Depending on jurisdiction you may have rights to: (i) access, (ii) rectification, (iii) erasure, (iv) restriction, (v) objection to certain processing, (vi) portability, (vii) withdraw consent, (viii) lodge a complaint with a supervisory authority. We extend a baseline set of these capabilities globally where technically feasible.

Submit requests via emma@scriptlyfy.com. We will verify identity proportional to request sensitivity before fulfilling.

DSAR Workflow (Access / Deletion Requests)

1. Initiation: User emails request specifying scope (e.g., export vs. deletion).
2. Verification: We confirm control of the account email or request additional non-sensitive correlating metadata.
3. Scoping: Identify datasets & derived artifacts; separate anonymized aggregates.
4. Fulfillment: Export provided in a machine-readable format (JSON/CSV). Deletions cascade to active stores & will roll off backups on next scheduled rotation.
5. Confirmation: User receives completion notice or explanation if an exemption applies.

Processors Overview

We engage service providers ("Processors") to perform limited tasks on our behalf: infrastructure, email delivery, analytics (if enabled), error & performance monitoring. Each Processor is bound by contractual terms restricting use of Personal Data to our documented instructions.

Subprocessor Categories

• Hosting & Compute: Cloud infrastructure for storage & execution of workloads.
• Authentication / Identity (if applicable): Managed auth or email link providers.
• Email & Communication: Transactional email dispatch + inbound support triage.
• Error & Performance Monitoring: Event aggregation & alerting.
• Analytics (Optional): High-level usage metrics; excludes raw personal content.

We will update this section upon material changes and (where required) provide advance notice for opportunity to object when mandated by regulation or contract.

Children's Data

The service is not directed to individuals under the age of 16 (or equivalent minimum age in relevant jurisdiction). We do not knowingly collect Personal Data from children. If you believe a child provided data, contact us for prompt removal.

Changes

We may revise this Policy to reflect platform evolution, regulatory updates, or security hardening measures. Material changes will be announced via in-app banner or email (where contact permissions exist) with updated effective date posted at the top. Continued use after effective date constitutes acceptance.

Contact

Privacy & data governance inquiries: emma@scriptlyfy.com. We aim to respond within 7 business days (expedited for security-impacting matters).