Privacy Policy
Information pursuant to Art. 13, 14 GDPR - Last updated: March 3, 2026
Convenience translation only, not the legally binding version.
1. Data controller
Teckit UG (haftungsbeschränkt)
Neuer Schulweg 1, 59494 Soest, Germany
Email: contact@your-novel.app
2. Collection and processing of personal data
When using Your Novel, the following personal data is processed:
- Registration data: name, email address, password (stored as bcrypt hash)
- User content: created projects, premises, novel chapters, story notes
- Usage metadata: credit transactions, token consumption per generation, model selection
- Payment data: processed by Polar.sh as Merchant of Record - we do not store credit card or bank details
- Technical data: IP address (for rate limiting and security), browser type, access times
- Communication: email address for transactional emails (verification, password reset)
- Tax residency: country of tax residency (for tax-inclusive price display)
- OAuth account data: when signing in via third-party providers (e.g. Google, GitHub), the provider ID and linked account are stored
- Cover images: uploaded or generated book covers, stored on Cloudflare R2
3. Purposes and legal basis for processing
- Contract performance (Art. 6(1)(b) GDPR): Registration, account management, credit system, AI text generation, email verification, payment processing via Polar.sh
- Legitimate interests (Art. 6(1)(f) GDPR): Rate limiting, abuse prevention (Turnstile CAPTCHA), error and performance monitoring (Sentry), infrastructure security. The legitimate interest consists of ensuring system stability, early detection of technical errors, and protection against automated abuse.
- Legal obligation (Art. 6(1)(c) GDPR): Retention of payment and transaction data per tax regulations (§ 147 AO)
4. Disclosure to third parties and data processors
Personal data is shared with the following service providers:
- Polar.sh (Polar Software Inc., USA) - Payment processing as Merchant of Record. Receives email address and user ID for customer mapping. Transfer on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
- OpenRouter (OpenRouter Inc., USA) - AI text generation. Receives user inputs (premises, chapter instructions) and story context for generation. User inputs may be processed by downstream AI providers (Anthropic, Google, etc.). When the Zero Data Retention option is enabled (active by default), only providers are used that have contractually committed to OpenRouter not to store user inputs or use them for training purposes. Transfer on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
- Cloudflare (Cloudflare Inc., USA) - (a) CDN and DDoS protection: processes IP addresses and request metadata. (b) Cloudflare R2: object storage for cover images, configured with EU jurisdiction restriction. (c) Turnstile CAPTCHA: bot detection on login and registration pages; processes IP addresses and browser interaction data. Classified as technically necessary for security under § 25(2) TDDDG. Cloudflare is certified under the EU-US Data Privacy Framework. Transfer additionally on the basis of Standard Contractual Clauses (SCCs).
- Postmark (AC PM LLC / ActiveCampaign, USA) - Transactional emails (verification, password reset). Receives email address. AC PM LLC is certified under the EU-US Data Privacy Framework. Transfer additionally on the basis of Standard Contractual Clauses (SCCs).
- Hetzner Online GmbH, Germany - Server hosting (VPS). All application data is stored on servers in Germany. No third-country transfer.
- UpCloud Oy, Finland (EU) - Managed PostgreSQL database hosting. All data is stored on servers in the EU (Frankfurt). No third-country transfer.
- Sentry (Functional Software Inc., USA) - Error and performance monitoring (frontend and backend). Data processed: error messages, stack traces, browser/OS information, page URLs, and performance metrics. IP addresses are not actively transmitted in the error payload (sendDefaultPii is disabled) but may be inferred server-side from the connection. Session Replay is not enabled. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system stability and error detection). Sentry is certified under the EU-US Data Privacy Framework. Transfer additionally on the basis of Standard Contractual Clauses (SCCs).
- Proton AG, Switzerland - (a) Proton Mail: email service for contact inquiries (contact@your-novel.app). Processes email addresses, names, and message content of incoming inquiries. (b) Proton Drive: internal storage of business documents. Switzerland has an EU Commission adequacy decision. No third-country transfer.
5. Data transfers to third countries
Some of the service providers listed above are based outside the EU. Personal data is transferred on the basis of appropriate safeguards:
- Cloudflare, Postmark (AC PM LLC), Sentry - USA, Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF-certified)
- Polar.sh, OpenRouter - USA, Standard Contractual Clauses (SCCs)
- Proton - Switzerland (adequacy decision, no third-country transfer in the strict sense)
- Hetzner - Germany (no third-country transfer)
- UpCloud - Finland/EU (no third-country transfer)
All US-based providers are bound by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR as the primary transfer mechanism. Where a provider is certified under the EU-US Data Privacy Framework (EU Commission adequacy decision of July 10, 2023), the protections of that framework apply additionally.
6. Cookies and tracking
This website uses only strictly necessary cookies:
- better-auth.session_token - Authentication cookie (HTTP-only, signed). Set upon login and used solely for session management. Expires when the session ends.
- cf_turnstile / cf_clearance - Functional cookies from Cloudflare Turnstile that may be set on pages with CAPTCHA protection (login, registration). Used for bot detection and classified as technically necessary for security.
No analytics, marketing, or tracking cookies are used. Consent is not required under § 25(2) TDDDG.
7. Data retention
- Account data: until account deletion by the user
- Projects and generated content: until project or account deletion
- Credit transactions: until account deletion, but at least 8 years for accounting records (§ 147(1) no. 4 AO) or 10 years for books and records (§ 147(1) no. 1 AO)
- Token usage data: until account deletion
- Cover images: until project or account deletion
- Sentry error data: 90 days; performance data: 30 days
- Server logs (IP addresses): 14 days
- Session cookies: expire with the browser session or on session timeout
8. Your rights
Under the GDPR you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
You can export all data stored in your account (JSON format) and delete your account at any time in your account settings. For requests beyond the self-serve export (e.g. formal access requests under Art. 15 GDPR including data processed by third-party providers), please contact the email address below. We will respond within one month (Art. 12(3) GDPR).
Please direct requests to: contact@your-novel.app
You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
poststelle@ldi.nrw.de
9. Processing by AI services
To generate novel chapters, user inputs are transmitted to AI language models via the OpenRouter service. This includes:
- Premises and story descriptions entered by the user
- Chapter context (previous summaries, character descriptions, plot arcs)
- Generation instructions (style, length, direction)
Your Novel offers a "Zero Data Retention" (ZDR) feature. When enabled (active by default for new users), only AI providers are used that have contractually committed to OpenRouter not to store user inputs or use them for training purposes. When disabled, providers without such commitments may also be used. Users can change the ZDR setting at any time in their account settings.
Downstream AI providers to which OpenRouter may forward requests include, among others: Anthropic (USA), Google (USA), and other providers depending on the selected model. Transfers are based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. The legal basis for transmitting user inputs is Art. 6(1)(b) GDPR (contract performance), as AI text generation constitutes the core purpose of the Service.
10. Account deletion
You can delete your account at any time in the settings. Upon deletion, all personal data is permanently removed, including: account data, projects, generated chapters, story notes, cover images (on Cloudflare R2), credit transactions, token usage data, and user settings. The linked customer profile at Polar.sh is also deleted.
Error data transmitted to Sentry before account deletion may remain stored there until its retention period (90 days) expires, but can no longer be associated with your account. Payment and transaction data may be retained beyond account deletion due to statutory tax retention obligations (§ 147 AO: 8 years for accounting records, 10 years for books and records) at Polar.sh.
11. Contact communication
When contacting us via email at contact@your-novel.app, your message, email address, and name (if provided) are processed. The email service is provided by Proton Mail (Proton AG, Switzerland). Switzerland has an EU Commission adequacy decision. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). Contact data is deleted after processing is complete, unless statutory retention obligations apply.