
Privacy Policy

Last updated: 14 May 2026 · admin@scribbla.com

Scribbla.com Ltd ("Scribbla", "we") is the controller of personal data processed through scribbla.com. Our privacy lead is reachable at admin@scribbla.com.

1. What we collect & why

| Category | Examples | Purpose |
|---|---|---|
| Account | Email, display name, password hash, auth provider, age band, guardian email (16–17 only) | Operate the account, age-gating, parental consent |
| Content | Drafts, outlines, books, comments, settings, uploaded research | Provide the writing & publishing service |
| Billing | Stripe customer ID, plan, status, invoices, country (for VAT) | Process payments & meet tax obligations |
| Technical | IP, device, browser, error logs, page-view events (with consent) | Security, fraud prevention, service improvement |
| Support | Emails, in-app reports | Respond to enquiries & complaints |

2. Lawful bases (UK/EU GDPR Art. 6)

  • Contract — providing the account, AI features and publishing pipeline you signed up for.
  • Legitimate interests — security, fraud prevention, abuse detection, service improvement (assessed against your rights).
  • Consent — analytics & session-replay cookies, marketing email, optional features.
  • Legal obligation — tax, accounting, lawful requests, online-safety duties.
  • Vital interests — responding to credible threats to life (rare).

3. AI providers & what leaves the platform

AI generation routes the relevant prompt and any context you supply (e.g. selected chapter, character notes) to a third-party model provider. We currently use Anthropic Claude, OpenAI ChatGPT and Google Gemini under their enterprise/API terms, which contractually prohibit using your prompts or outputs to train their models. We do not send your whole library — only what is needed for the requested generation. See our AI Usage Policy.

4. Processors & sub-processors

  • Supabase — database, auth, storage (DPA in place)
  • Stripe — payments, subscription billing, tax
  • Cloudflare — hosting & edge runtime
  • Anthropic, OpenAI, Google — AI generation (no training)
  • Resend / our email provider — transactional email

A current processor list and DPA status are maintained on this page. Material additions are announced 30 days in advance.

5. International transfers

Where personal data is transferred outside the UK or EEA we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or an adequacy decision, supplemented by technical and organisational measures.

6. California / US privacy (CCPA & CPRA)

California residents have the right to know, delete, correct, and limit use of sensitive personal information, and to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioural advertising. To exercise rights, email admin@scribbla.com from your account address.

7. Children's data

Scribbla is not offered to under-16s. For 16–17 users we capture and record parental consent before publishing or purchase features unlock. See our Children's Policy for the full safeguards and withdrawal procedure.

8. Retention

Account & content: while your account is active and 30 days after deletion (then erased or anonymised). Payment records: 6 years (HMRC). Security logs: 90 days. Support correspondence: 2 years. Parental-consent records: 6 years from the end of the relevant child's account. Reasons: contractual delivery, statutory record-keeping, fraud and safety investigation windows.

9. Cookies

See the Cookie Policy for cookie categories, providers and retention. You can change consent at any time from the in-app preferences panel.

10. Security

TLS in transit, encryption at rest for content and backups, scoped access for staff, audit logs for privileged actions, role-based access control, regular dependency & security scans, and an incident-response runbook with named contacts.

11. Your rights

You can access, rectify, erase, restrict, port, or object to processing. Most rights are self-service from the Account page (Download my data / Delete my account / Cookie preferences). For anything else email admin@scribbla.com.

12. Complaints

UK residents can complain to the Information Commissioner's Office (ICO) at ico.org.uk. French residents can complain to the CNIL at cnil.fr. Other EEA residents may complain to their national data-protection authority. We would prefer the chance to put things right first — see Complaints.