Privacy Policy
Last updated: June 12, 2026
At Fluxio Apps (hereinafter "we", "our" or "Scriptum"), we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store and protect your personal information when you use our website (scriptumwriterstudio.com) and our Scriptum software, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).
1. Data controller
| Controller | Juan Manuel Cuenca Navarro |
|---|---|
| Trading name | Fluxio Apps |
| Address | Calle la Cruz, 26 — 12590 Almenara (Castellón), Spain |
| contacto@scriptumwriterstudio.com |
For any question related to data protection, you may contact us at the email address above.
2. Data we collect
2.1 Data you provide directly
- Registration data: email address and password (stored only as a secure hash, never in plain text).
- Billing data: full name, address, country, postal code. Payment data (credit/debit card) is processed directly by Lemon Squeezy (our Merchant of Record) and never passes through our servers.
- Support data: information you provide when contacting us (email, description of the issue).
2.2 Data we collect automatically
- Server technical data: IP address and access logs, necessary for security and the operation of the service.
- Website usage statistics (only with your consent): if you accept analytical cookies, Google Analytics 4 collects pages visited, visit duration, browser type, operating system, language and interaction data, associated with a random identifier (not your identity). With IP anonymisation. See the Cookie Policy.
2.3 Data we do NOT collect
- We do NOT read or store the content of your novels, chapters or writing projects on our servers: your manuscript is saved locally on your device.
- We do NOT use your creative content to train AI models, either our own or third-party ones.
- We do NOT store credit card data on our servers.
- The writing application does NOT contain analytics or advertising tools: your writing activity is not measured or tracked.
3. Legal basis for processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Account and subscription management | Performance of a contract (Art. 6.1.b) |
| Payment processing | Performance of a contract (Art. 6.1.b) |
| Operation of the AI assistant (Aura AI) | Performance of a contract (Art. 6.1.b) |
| Website analytics (Google Analytics 4) | Consent (Art. 6.1.a), granted via the cookie banner and revocable at any time |
| Compliance with tax obligations | Legal obligation (Art. 6.1.c) |
| Customer service and support | Legitimate interest (Art. 6.1.f) |
| Platform security and fraud prevention | Legitimate interest (Art. 6.1.f) |
We do not send commercial communications or newsletters. Should we ever do so in the future, it would only be with your prior and express consent (Art. 6.1.a GDPR and Art. 21 of the Spanish LSSI-CE), with the option to unsubscribe at any time.
4. Purposes of processing
- Create and manage your Scriptum user account.
- Process and manage your subscription and associated payments.
- Provide you with access to the software and its features, including the AI assistant.
- Send you operational communications about your account (confirmations, receipts, password resets, service changes).
- Respond to your enquiries and support requests.
- Improve our website through aggregated statistics (only if you consent to analytical cookies).
- Comply with applicable legal and tax obligations.
- Prevent fraud and ensure platform security.
5. Sharing data with third parties
We share your personal data only with the following recipients and solely for the purposes indicated:
| Third party | Purpose | Country and safeguard |
|---|---|---|
| Lemon Squeezy, LLC | Merchant of Record: payment processing, invoicing and tax management | USA — EU-U.S. Data Privacy Framework (DPF) |
| Hostinger International Ltd. | Web hosting and database | Lithuania (European Union) |
| Google LLC (Google Analytics 4) | Website usage statistics — only if you accept analytical cookies | USA — DPF |
| Anthropic PBC (Claude) | Generative AI service (Aura AI) | USA — DPF |
| OpenAI, LLC | Generative AI service (Aura AI) | USA — DPF |
| Google LLC (Gemini) | Generative AI service (Aura AI) | USA — DPF |
| Groq, Inc. | AI service for assistance and correction (Aura AI) | USA — Standard Contractual Clauses (SCCs) |
Important note on Aura AI: when you use the AI assistant, the text you submit (and only that text) is transmitted to the relevant AI provider to generate a response. This text is NOT stored on our servers nor used to train models. The providers process it as processors under their API terms, which exclude the use of data for training.
If you configure your own API key (BYOK): in that case your AI requests go directly from the software to the provider you choose, under the contract you hold with that provider; we are not involved in that processing.
We do NOT sell, rent or otherwise transfer your personal data to third parties for commercial or marketing purposes.
6. International data transfers
Some of our providers are located in the United States. These transfers are protected by:
- EU-U.S. Data Privacy Framework (DPF): Lemon Squeezy, Google LLC, Anthropic PBC and OpenAI are certified under the DPF, recognised by the European Commission's Adequacy Decision of 10 July 2023.
- Standard Contractual Clauses (SCCs): for providers not certified under the DPF (e.g. Groq), the Standard Contractual Clauses approved by the European Commission apply.
Hostinger operates within the European Union (Lithuania).
7. Data retention
| Data type | Retention period |
|---|---|
| Account data | While the account is active + 30 days after cancellation |
| Billing data | 6 years (Spanish commercial and tax obligation) |
| Support data | 2 years from the last communication |
| Website analytics data | 14 months in Google Analytics; analytical cookies with a maximum expiry of 13 months |
| Cookie consent record | 12 months (scriptum_consent cookie) and internal record as proof |
Once these periods have elapsed, data will be securely deleted or irreversibly anonymised.
8. Your rights
8.1 Rights under the GDPR (European Union / EEA)
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request the deletion of your data ("right to be forgotten").
- Restriction: restrict the processing of your data in certain circumstances.
- Portability: receive your data in a structured and commonly used format (JSON or CSV).
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: withdraw at any time the consent previously given (e.g. analytical cookies, via the "🍪 Cookies" button or the settings panel), without affecting the lawfulness of prior processing.
8.2 Rights under the CCPA/CPRA (California, USA)
- Know: what personal data we collect, use and share.
- Delete: request the deletion of your personal data.
- Correct: request the correction of inaccurate data.
- Non-discrimination: not be discriminated against for exercising your privacy rights.
- Opt-out of sale or sharing: we do not sell or share your personal data within the meaning of the CCPA/CPRA. If this were to change, we would provide an opt-out mechanism.
8.3 Rights under the LGPD (Brazil)
If you reside in Brazil, you have rights similar to those under the GDPR, including confirmation of processing, access, correction, anonymisation, portability and deletion.
8.4 How to exercise your rights
Send an email to contacto@scriptumwriterstudio.com with the subject "Privacy Rights" stating:
- Your full name and the email address associated with the account.
- The right you wish to exercise.
- Sufficient information to verify your identity (we will only request additional documentation if there is reasonable doubt about your identity).
We will respond to your request within a maximum of one month of receipt (extendable by two further months in complex cases, in which case we will notify you), in accordance with Art. 12.3 GDPR.
9. Protection of minors
Scriptum is not directed at persons under 16 years of age (or the minimum age established by local legislation; in Spain, 14 years for consent to data processing). We do not intentionally collect data from minors. If we discover that we have collected data from a minor without their legal guardian's consent, we will delete such data immediately. Subscribing requires legal capacity to enter into a contract.
10. Data security
- Encryption in transit (TLS/HTTPS) for all communications.
- Passwords stored with a high-cost secure hash (bcrypt), never in plain text.
- Session cookie with HttpOnly, Secure and SameSite attributes (not accessible from JavaScript).
- Restricted access to personal data (principle of least privilege).
- Payment processing delegated to Lemon Squeezy (Merchant of Record with PCI DSS compliance).
- Encrypted backups.
However, no electronic transmission or storage system is 100% secure. We cannot guarantee the absolute security of your data.
11. Security breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours of becoming aware of it (Art. 33 GDPR) and, when the risk is high, we will inform you directly and without undue delay (Art. 34 GDPR), indicating the measures taken.
12. Changes to this policy
We reserve the right to amend this Privacy Policy. Changes will be published on this page with the corresponding update date. For significant changes, we will notify you by email.
13. Supervisory authority
If you consider that the processing of your personal data infringes applicable law, you have the right to lodge a complaint with the competent supervisory authority:
- Spain: Spanish Data Protection Agency (AEPD): www.aepd.es — C/ Jorge Juan, 6, 28001 Madrid.
- Other EU countries: the data protection authority of your country of residence.
14. Contact
For any enquiry about this Privacy Policy:
Email: contacto@scriptumwriterstudio.com
Subject: Privacy: Scriptum
Postal address: Calle la Cruz, 26 — 12590 Almenara (Castellón), Spain