Privacy Policy
Effective Date: April 15, 2026 · Last Updated: April 15, 2026
1. Who We Are
Creader ("we," "us," "our") operates the world expression platform at creader.io (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data.
For questions about this policy, contact us at privacy@creader.io.
2. Information We Collect
2.1 Information You Provide
- Account data: email address, username, display name, password (stored as a bcrypt hash, never in plain text).
- Profile data: bio, avatar image, writing genres, experience level, writing goals.
- Content: books, chapters, characters, locations, timeline events, notes, worldbuilding entries, relationship maps, and other creative writing you create in the editor.
- Chat messages: conversations with the AI assistant, including your prompts and the AI responses.
- Payment data: when you subscribe or purchase tokens, Stripe (our payment processor) collects your payment card details. We store your Stripe customer ID and subscription status but never your card number.
- Communications: emails you send us, support requests, feedback.
- Newsletter signup: email address only, if you opt in.
2.2 Information Collected Automatically
- Usage events: page views, feature usage, editor session duration, AI request counts. All analytics are first-party (stored in our own database). We do not use Google Analytics, Mixpanel, or similar third-party tracking services.
- Vercel Analytics: our hosting provider (Vercel) collects anonymized page view data. This uses no cookies and no fingerprinting.
- Device information: browser type and version, operating system, screen resolution (collected via standard HTTP headers).
- IP address: used for rate limiting and security. Not stored long-term.
2.3 Information from Third Parties
- Google OAuth: if you sign in with Google, we receive your email address, display name, and profile image from Google.
3. How We Use Your Information
- Provide the Service: store and display your creative content, manage your account, process payments.
- AI features: send your content to AI providers (see Section 5) to generate writing assistance, consistency checks, and entity extraction.
- Semantic search: convert your content into vector embeddings (via OpenAI) to enable context-aware AI responses. Vectors are stored in our own database.
- Improve the Service: analyze usage patterns, fix bugs, develop new features. We may review AI interaction logs (your prompt, AI output, and any edits you made) to improve AI quality.
- Communications: send transactional emails (verification, password reset) via Resend. We do not send marketing emails unless you opt in.
- Security: rate limiting, fraud prevention, abuse detection.
- Legal compliance: respond to legal requests, enforce our Terms of Service.
4. Legal Basis for Processing (EU/UK Users)
If you are in the EU or UK, we process your data under these legal bases:
- Contract performance: providing the Service you signed up for (account, content storage, AI features).
- Legitimate interests: improving the Service, analytics, security, fraud prevention.
- Consent: optional features like newsletter signup, publishing your content publicly, or using AI models with less restrictive data policies (e.g., DeepSeek).
- Legal obligation: tax records, responding to lawful requests.
5. AI Providers and Data Sharing
When you use AI features, your writing content and chat messages are sent to third-party AI providers. You choose which model to use; each provider has different data policies:
| Provider | Models | Training Policy |
|---|---|---|
| OpenAI | GPT-4o Mini, GPT-5.3 | API data not used for training |
| Anthropic | Claude 3.5 Haiku, Claude Sonnet 4.6, Claude Opus 4.6 | 30-day safety retention only; not used for training |
| Google | Gemini 2.5 Flash | Paid API data not used for training |
| DeepSeek | DeepSeek V3 | Data may be used for model improvement |
| MiniMax | MiniMax M2.5 | Per provider terms |
Privacy Mode: you can enable Privacy Mode in settings, which restricts available models to only those with strict no-training policies (OpenAI, Anthropic, Google).
Embeddings: your content is sent to OpenAI to generate vector embeddings for semantic search. These embeddings are stored in our own database, not in any third-party vector service.
6. Other Third-Party Services
| Service | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, payment details | Subscription billing and token purchases |
| Resend | Email address | Transactional emails (verification, password reset) |
| Vercel | Anonymized page views | Hosting and analytics |
| Vercel Blob | Uploaded images and audio | File storage |
| Supabase | All application data | PostgreSQL database hosting |
| Upstash | Rate limit counters (user ID + timestamp) | Rate limiting |
| Google OAuth | OAuth tokens | Authentication |
We do not sell your personal data to anyone.
7. International Data Transfers
Our servers are hosted by Vercel and Supabase, primarily in the United States. If you are located outside the US, your data is transferred to and processed in the US. We rely on standard contractual clauses and provider certifications for EU/UK data transfers.
8. Data Retention
- Account and content data: retained as long as your account is active. When you delete your account, we delete your personal data and content within 30 days.
- AI interaction logs: retained for up to 12 months for quality improvement, then deleted.
- Analytics events: retained for up to 24 months, then aggregated or deleted.
- Payment records: retained for 7 years as required by tax law.
- Published content: if you published content publicly, cached copies may persist in search engines after deletion. We cannot control third-party caches.
9. Your Rights
Depending on your location, you may have the following rights:
- Access: request a copy of your personal data.
- Correction: update inaccurate data via your profile settings or by contacting us.
- Deletion: delete your account and all associated data from your profile settings.
- Export: export your books and knowledge base from the editor.
- Restrict processing: request we limit how we use your data.
- Object: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, you can withdraw at any time.
EU/UK users: you have additional rights under GDPR including data portability and the right to lodge a complaint with your local supervisory authority.
California users: under the CCPA/CPRA, you have the right to know what data we collect, request deletion, and opt out of the sale of personal information. We do not sell your personal information.
To exercise any right, email privacy@creader.io. We respond within 30 days.
10. Cookies
We use minimal cookies, all strictly necessary for the Service:
| Cookie | Purpose | Duration |
|---|---|---|
| Session token | Keeps you logged in | 30 days |
| CSRF token | Security (prevents cross-site attacks) | Session |
| NEXT_LOCALE | Remembers your language preference | 1 year |
We do not use advertising cookies, tracking pixels, or fingerprinting.
11. Security
- Passwords are hashed with bcrypt (never stored in plain text).
- All data in transit is encrypted via HTTPS/TLS.
- Database access is restricted to authenticated application connections.
- API rate limiting prevents abuse.
- OAuth tokens are stored securely and never exposed to the client.
No system is 100% secure. If we discover a data breach affecting your personal data, we will notify you and any applicable regulatory authority as required by law.
12. Children's Privacy
Creader is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@creader.io and we will delete it.
13. Publishing and Public Content
Publishing is opt-in. If you choose to publish content, the following becomes publicly visible: your display name, bio, avatar, writing genres, and any book content you set to "Public." Your email address, subscription status, and private content are never exposed.
14. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by a prominent notice in the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact
For privacy-related questions or to exercise your data rights:
- Email: privacy@creader.io