Privacy

Privacy policy.

This policy describes the personal data and workspace data StoryHQ processes to provide private workspaces, subscriptions, AI-assisted analysis, reports, notes, exports, messaging, support, and security.

Last updated 1 June 2026

01

Information we collect

StoryHQ collects account information such as name, email address, authentication provider, password state, workspace membership, role, company name where provided, and notification preferences.

StoryHQ stores workspace data including workspace names, projects, project metadata, uploaded materials, generated reports, development notes, draft comparisons, project Q chat, workspace messages, activity events, pinned projects, groups, and usage information.

StoryHQ processes billing identifiers and subscription state through Stripe. We do not store full card numbers in StoryHQ.

  • Uploaded material may include scripts, treatments, outlines, books, articles, decks, notes, and other creative or business material.
  • Operational data may include IP-derived rate-limit data, authentication events, audit events, storage paths, job status, model-call metadata, cost metadata, errors, and logs.
  • Support and sales data may include contact form submissions, account-help requests, Studio enquiries, email correspondence, and any material you choose to provide in those requests.

02

How we use information

We use information to create and secure accounts, provide workspaces, process uploads, run extraction and analysis pipelines, generate reports and notes, compare drafts, answer project questions, manage billing, send transactional emails, provide support, improve reliability, and investigate abuse or security issues.

AI providers are used to process uploaded material, prompts, responses, and derived project context for the features the user requests. StoryHQ does not use your uploaded creative material in public marketing examples without permission, and does not sell workspace content.

03

Cookies and local state

StoryHQ uses strictly necessary cookies and browser state for authentication, workspace selection, idle-session timeout, theme preference, and cookie-consent state.

A cookie preferences control is available in the footer. At present, the product is configured so non-essential browser analytics cookies are not required for the service to function.

Server-side product events, audit events, security events, and operational logs may still be recorded for reliability, abuse prevention, billing, support, and security even if optional browser analytics are not enabled.

04

Sharing and subprocessors

StoryHQ shares data with subprocessors only as needed to provide the service, operate infrastructure, process AI requests, send email, manage billing, authenticate users, monitor reliability, and provide support. The current subprocessor list is published on the Subprocessors page.

The exact data shared depends on the feature used. For example, AI analysis requires sending uploaded material or extracted text to model providers; billing uses Stripe; email OTP and transactional notices use the configured email provider; and error monitoring may receive diagnostic metadata.

Provider-specific retention, security, and compliance terms may apply to the data they process for StoryHQ.

Workspace owners and invited team members may see workspace content according to their role and workspace access. Exports or downloaded files may be shared by users outside StoryHQ; users are responsible for their own sharing decisions.

05

Security

StoryHQ uses private workspaces, Supabase row-level security, private storage buckets, signed upload flows, server-side access checks, per-session second-factor gating, idle-session expiry, forensic watermarking for served PDFs, authentication controls, rate limiting, audit events, and security response headers.

No system can guarantee absolute security. StoryHQ is not zero-knowledge because the server-side AI pipeline must read uploaded material in order to analyze it.

06

Retention and deletion

Workspace owners can delete projects and related material. Account and workspace deletion controls are available in Settings where supported. Deletion may not immediately remove all copies from backups, logs, billing records, security records, or provider systems.

We retain operational records for reliability, security, billing, legal compliance, abuse prevention, and support. Retention periods may vary by data type and provider.

07

International processing

StoryHQ and its providers may process data in the United States, United Kingdom, European Union, and other locations where our providers operate. Subprocessors may transfer data internationally under their own compliance frameworks, data-processing terms, and contractual transfer mechanisms.

08

Your choices

You can update profile information, notification preferences, theme preference, security settings, and certain billing settings in the app. You may request help with account access or deletion through the account-help and support channels.

You can unsubscribe from optional product emails where supported. Transactional messages such as security, billing, invitation, authentication, and service emails may still be sent.

09

Children

StoryHQ is intended for professional users and is not directed to children. Users should not create accounts for children or upload children’s personal data unless they have appropriate authority and a lawful basis to do so.