Privacy Policy

Last updated: January 2026

1. Introduction

Pythia (“we”, “our”, or “us”) is committed to protecting the privacy of screenwriters who use our platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use pythia.ink (the “Service”).

By using Pythia, you agree to the collection and use of information in accordance with this policy. We encourage you to read this policy carefully and contact us at privacy@pythia.ink if you have any questions.

2. Information We Collect

Account Information

  • Email address (required for account creation)
  • Display name (optional)
  • Authentication data (password hash or OAuth tokens)

Script Content

  • Screenplay files you upload (.fountain, .fdx, .fadein formats)
  • Analysis results generated from your scripts
  • Chat conversations about your scripts
  • Version history and script metadata

Usage Data

  • Feature usage and interaction patterns
  • Writing metrics (pages written, word counts, streaks)
  • Device type and browser information
  • IP address (for security and analytics)

Payment Information

  • Subscription status and billing history
  • Payment card details are processed directly by Stripe and never stored on our servers

API Keys

  • AI provider API keys you provide (encrypted with user-specific keys)
  • We never have access to your decrypted API keys outside of processing your requests

3. How We Use Your Information

  • Provide the Service: Process your scripts, run analyses, and enable chat features
  • Process Payments: Manage your subscription through Stripe
  • Send Notifications: Streak reminders, achievement alerts, and service updates (with your consent)
  • Improve the Service: Analyse usage patterns to enhance features (aggregated, non-personal data only)
  • Security: Detect and prevent fraud, abuse, and security threats
  • Legal Compliance: Meet regulatory obligations and respond to lawful requests

4. Data Storage and Security

We take the security of your data seriously, especially given the sensitive nature of creative work.

  • Hosting: Our service is hosted on Vercel (US and EU regions)
  • Database: User data is stored in Supabase (PostgreSQL with row-level security)
  • Encryption in Transit: All connections use TLS/HTTPS encryption
  • Encryption at Rest: Database data and file storage are encrypted
  • API Key Security: Your API keys are encrypted using AES-256 with user-specific encryption keys
  • Access Controls: Row-level security ensures you can only access your own data

5. Your Scripts: Our Commitment

Your scripts are your intellectual property. We understand that screenplays represent significant creative investment and often contain commercially sensitive ideas.

  • No AI Training: Your scripts are NEVER used to train any AI models, including those of our AI providers
  • No Sharing: We never sell, share, or expose your script content to any third party
  • No Logging: Script content is excluded from our application logs
  • BYOK Model: When you use AI features, your own API key is used, and data flows directly to your chosen provider under their terms
  • Complete Deletion: When you delete a project or your account, all associated script data is permanently deleted

6. Third-Party Services

We use the following third-party services to operate Pythia:

  • Stripe: Payment processing (Privacy Policy)
  • Supabase: Database and authentication (Privacy Policy)
  • Vercel: Hosting and deployment (Privacy Policy)
  • Vercel Analytics: Privacy-focused web analytics (no cookies, GDPR compliant)
  • Resend: Transactional emails (Privacy Policy)
  • AI Providers: When you provide your own API key, your scripts are processed by your chosen provider (OpenRouter, Anthropic, OpenAI, etc.) under their respective privacy policies

7. Your Rights (GDPR and UK Data Protection)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data (“right to be forgotten”)
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing of your data for certain purposes
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at privacy@pythia.ink. We will respond to your request within 30 days.

Legal Basis for Processing: We process your data based on: (a) performance of our contract with you (providing the service), (b) your consent (marketing communications), (c) our legitimate interests (security, fraud prevention), and (d) legal obligations.

8. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do NOT sell personal information to third parties
  • Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your rights

To exercise your CCPA rights, contact us at privacy@pythia.ink.

9. Cookies and Tracking

We use minimal cookies that are essential for the service to function:

  • Authentication Cookies: Required to keep you logged in
  • Session Cookies: Required for security and CSRF protection

We use Vercel Analytics for privacy-focused web analytics. Vercel Analytics does not use cookies and does not collect personally identifiable information. It is fully GDPR compliant.

We do NOT use third-party advertising cookies or tracking pixels.

10. Data Retention

  • Account Data: Retained until you delete your account
  • Script Data: Retained until you delete the project or your account
  • Analytics Data: Aggregated data retained for 90 days
  • Security Logs: Retained for 90 days for security purposes
  • Payment Records: Retained as required by law (typically 7 years for tax purposes)

When you delete your account, all personal data and script content are permanently deleted within 30 days, except where retention is required by law.

11. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States and European Union, by our hosting and service providers. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office.

12. Children's Privacy

Pythia is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date. For significant changes, we will also send an email notification to the address associated with your account.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: