Privacy Policy
Last updated: May 5, 2026
This policy explains how Mythwrite collects, uses, stores, shares, and protects personal data when you use our website, app, support channels, waitlist forms, billing flows, and related services. It is written to support our transparency obligations under the UK GDPR, the Data Protection Act 2018, and PECR.
1. Who We Are
Mythwrite is a trading name of Tian Digital Security Ltd. Tian Digital Security Ltd is the controller of personal data processed for the Mythwrite website, customer accounts, billing administration, product operations, support, and security. If you enter personal data about other people into your manuscript, planning files, or workspace content, you are responsible for ensuring you have an appropriate legal basis to do so.
- Registered company: Tian Digital Security Ltd
- Company number: 09278102
- Registered office: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE
- Company website: tiandigitalsecurity.com
Privacy contact: [email protected].
2. Personal Data We Collect
- Account and identity data such as email address, display name, password hash, and session records.
- Workspace and project data such as manuscript text, planning material, Archivum entries, publishing settings, and related metadata.
- Support and communication data such as help requests, feedback, email verification requests, password reset requests, and unsubscribe preferences.
- Billing and subscription data such as customer email, selected plan, Stripe customer and subscription identifiers, and billing status metadata.
- Security and technical data such as IP address, user agent, login attempts, audit events, token timestamps, and download/export security records.
- AI configuration data such as provider selections, encrypted API keys, model preferences, and usage/cost metadata.
- Delivery preference data you configure for personal EPUB delivery, including your Kindle address or self-delivery email address stored in encrypted form.
- Website and waitlist form data such as your name, email address, requested package, and notes when you join the waitlist or register interest.
- Browser-side preference and recovery data stored on your device, such as theme, accessibility settings, certain workflow preferences, and local draft/session recovery data.
3. How We Collect It
- Directly from you when you create an account, use the app, contact support, join the waitlist, configure delivery settings, or start billing.
- Automatically from your use of the service through authentication, security, export/download, billing, and audit systems.
- From third parties involved in providing the service, such as Stripe for payment status events and Google when you choose Google sign-in.
4. Why We Use Personal Data
- To provide the Mythwrite service, authenticate users, maintain workspaces, and make features available under our contract with you.
- To operate AI features that you explicitly trigger, including sending the relevant prompt context and requested text to the provider you selected.
- To process billing, manage subscriptions, prevent payment abuse, and reconcile Stripe webhook events.
- To respond to support requests, service issues, feedback, and account-security events.
- To protect the service, prevent abuse, investigate incidents, maintain audit trails, and enforce our terms, based on our legitimate interests and legal obligations where applicable.
- To send service, onboarding, billing, and security communications and, where permitted, to send launch or waitlist updates with an unsubscribe option.
- To generate and send EPUB files to your own configured delivery address when you use Email to Kindle or Email to Self.
4A. Lawful Bases
- Contract: where we need the data to provide the Mythwrite service you asked for, including account access, workspace operation, billing administration, and support tied to your account.
- Legitimate interests: where we need the data to secure, maintain, troubleshoot, improve, and defend the service, provided those interests are not overridden by your rights and freedoms.
- Legal obligation: where we must retain or disclose data for tax, accounting, fraud-prevention, regulatory, or law-enforcement reasons.
- Consent: where consent is the appropriate basis, for example, for future non-essential cookies or certain optional communications, which you may withdraw at any time.
5. AI Processing
Mythwrite only sends content to AI providers when you use an AI feature. This may include prompt instructions, selected project context, manuscript excerpts, and related metadata needed to generate a response. Provider-side processing, retention, and international transfers are governed by the provider you choose and their own terms and privacy notices.
We encrypt stored AI provider API keys and do not intentionally expose decrypted keys back to the client application.
6. Payments and Billing
We use Stripe for subscription checkout, billing administration, and payment-status webhooks. In the current implementation, Mythwrite creates hosted Stripe checkout or portal sessions and stores billing identifiers and status metadata needed to manage access. We do not intentionally store full payment card details on Mythwrite servers.
7. Email Delivery and Publishing
If you enable personal EPUB delivery, Mythwrite stores your configured delivery addresses in encrypted form and records delivery events such as timestamp, recipient type, project title, and delivery outcome. EPUB files and related delivery operations are processed through our export and delivery systems so they can be sent to your own Kindle address or your own inbox.
8. Cookies, Local Storage, and Similar Technologies
We use essential cookies and similar technologies for authentication, security, billing, and core product functionality. We also use browser local storage for preferences and certain recovery/workflow features. More detail is available in our Cookie Policy.
As of the date of this policy, we do not intentionally use non-essential advertising cookies on the core app. If we introduce non-essential analytics or marketing cookies in the future, we will update this policy and seek consent where required.
9. Sharing Personal Data
We share personal data only where needed to run, secure, support, or improve Mythwrite, or where required by law. Categories of recipient include:
- Infrastructure, hosting, networking, and security providers, including Cloudflare for edge protection and access control.
- Payment providers, including Stripe, for checkout, subscription management, and fraud/security operations.
- Configured AI providers that process prompts and related context only when you use AI features.
- Support, help-intake, automation, and communications providers used to deliver customer service, account emails, and operational workflows.
- External security specialists and advisors, including Tian Digital Security, where engaged for security review, assessment, or penetration testing support.
- Professional advisers, law enforcement, regulators, or courts where disclosure is legally required or necessary to protect rights, users, or the service.
Current examples reflected in the codebase and repo documentation include Cloudflare for edge security and access control, Stripe for checkout and billing events, Google where you choose Google sign-in, and operational webhook/automation tooling used for account emails, help intake, waitlist handling, and some delivery workflows.
10. International Transfers
Some of our providers may process data outside the UK. Where that happens, we rely on appropriate safeguards such as contractual commitments, provider transfer mechanisms, and proportionate technical and organisational security measures.
11. Data Retention
We retain personal data for no longer than necessary for the purposes described in this policy, including providing the service, maintaining security records, resolving disputes, enforcing agreements, and meeting legal, tax, and accounting obligations.
- Account, workspace, and manuscript data are generally retained while your account remains active, subject to deletion requests and legitimate operational needs.
- Billing records and related identifiers may be retained for accounting, tax, and fraud-prevention purposes.
- Security, audit, and incident records may be retained for operational and compliance reasons.
- Cookies and browser storage remain until they expire, are overwritten, or you clear them from your device.
12. Security Measures
We use technical and organisational safeguards designed to reduce the risk of unauthorised access, misuse, alteration, or loss of personal data. These measures include, where relevant to the feature involved:
- HTTPS/TLS in normal service delivery and Cloudflare edge protection in production.
- HTTP-only refresh-token cookies with secure and SameSite settings, plus short-lived access tokens and server-side hashed refresh-token records.
- Strong password rules, password hashing, account lockout/backoff protections, rate limiting on sensitive auth endpoints, and session revocation controls.
- Encryption for stored AI provider API keys, encrypted delivery addresses, and encryption/access controls for export and file-delivery workflows where configured.
- Security headers, restrictive CORS configuration, audit logging, and sanitisation of secrets from audit metadata.
- Security assessment activity, which may include internal review and external testing support such as penetration testing.
No system can guarantee absolute security, but we work to keep our controls proportionate to the risks involved.
13. Your Rights
Depending on the circumstances, you may have rights to access, rectify, erase, restrict, or object to processing of your personal data, to request portability, and to withdraw consent where processing depends on consent.
- You can request account deletion or data-related help by contacting [email protected].
- You can unsubscribe from waitlist or customer emails using links included in those emails or via the unsubscribe page.
- You can complain to the UK Information Commissioner’s Office if you believe your personal data has been handled unlawfully.
We may need to verify your identity before completing certain privacy requests, especially where a request relates to account access, deletion, export, or security-sensitive changes.
14. Children
Mythwrite is not intended for children. We do not knowingly collect personal data from children in breach of applicable law. If you believe a child has provided personal data to us unlawfully, contact us and we will investigate.
15. Changes to This Policy
We may update this policy from time to time to reflect product, legal, security, or operational changes. The latest version will be posted on this page with the updated date.
Contact
For privacy requests or questions, contact: [email protected]. Cookie details are available in our Cookie Policy.
If you are unhappy with how we handle your personal data, you may also complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint.