This Privacy Policy explains how ScriptHouse collects, uses, stores, and protects your personal data when you use our platform at scripthouse.io and the related services we provide (the “Service”).
We are committed to handling your data carefully, transparently, and in line with the EU General Data Protection Regulation (GDPR) and Dutch data protection law (UAVG). This policy describes what data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have.
By using the Service, you agree to the processing of your personal data as described in this policy. If you do not agree, please do not use the Service.
The data controller responsible for your personal data is:
Joris Timmer, operating ScriptHouse as a sole proprietorship (eenmanszaak) registered in the Netherlands.
Email: info@scripthouse.io
ScriptHouse is a small business and does not have a designated Data Protection Officer. All privacy-related requests can be sent directly to info@scripthouse.io.
We collect the following categories of personal data:
Account information. When you sign up, we collect your email address and a hashed version of your password. You may also provide a display name and profile preferences.
Brand and business information. During onboarding and ongoing use, you provide information about your brand, business, audience, content goals, platforms, competitors, content style, and similar details. This may include names, descriptions, follower counts, view counts, and growth targets.
Content you create. Notes, scripts, ideas, calendar entries, workspace pages, monthly check-in answers, feedback inputs, and any other content you enter into the Service.
Generated content. Strategies, ideas, scripts, briefings, feedback reports, and other outputs that ScriptHouse generates for you.
Payment information. Payments are handled by Stripe. We do not store your full card details on our servers. We do store a Stripe customer identifier, your subscription status, plan tier, billing period, and a limited record of payment events (for example: payment succeeded, payment failed, subscription cancelled).
Communication data. Emails you send us, support requests, exit survey responses if you cancel your subscription, and any other communication you initiate with us.
Usage and technical data. Automatically collected information such as your IP address, browser type, device information, pages visited, features used, timestamps of activity, and error logs. This is collected to operate, secure, and improve the Service.
Cookies and session data. Authentication cookies and similar session storage used to keep you signed in. See the Cookies section below.
We process your personal data only when we have a valid legal basis under the GDPR. The legal bases we rely on are:
(a) Performance of a contract (GDPR Article 6(1)(b)). We process account, billing, brand, and content data to provide the Service you have subscribed to, to operate your account, to generate the AI outputs you request, to process payments, and to provide customer support.
(b) Legitimate interests (GDPR Article 6(1)(f)). We process limited technical and usage data to keep the Service secure, prevent fraud and abuse, debug issues, monitor performance, improve our product, and protect our business interests. Where we rely on legitimate interests, we balance our interests against your rights and freedoms.
(c) Legal obligation (GDPR Article 6(1)(c)). We retain certain billing and tax-related records for as long as required under Dutch tax law (typically seven years).
(d) Consent (GDPR Article 6(1)(a)). Where we rely on your consent for any specific processing activity, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
ScriptHouse uses third-party artificial intelligence providers to generate content for you. Specifically, we send your inputs to Anthropic via OpenRouter, which processes them using large language models and returns outputs to us.
When you submit information to the Service that triggers an AI generation (for example, completing the brand profile, requesting a script, asking for feedback), the relevant inputs are transmitted to these AI providers for the sole purpose of producing the output you requested.
We have agreements in place with these providers covering data protection. We do not consent to your inputs being used to train external AI models for the benefit of third parties.
However, you should not include highly sensitive personal data (such as government identification numbers, financial account numbers, health records, or login credentials) in your inputs. AI providers process inputs on their own infrastructure and may retain them for limited periods for abuse-prevention purposes.
We use trusted third-party service providers (“processors”) to operate the Service. These providers process personal data on our behalf, under contracts that require them to protect your data. The main processors we use are:
Each of these processors has its own privacy policy. We select providers that offer industry-standard security and data protection commitments. We may add, change, or remove processors over time and will update this policy accordingly.
We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.
Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place, such as:
By using the Service, you acknowledge that your personal data may be transferred to and processed in countries outside the EEA, subject to the safeguards described above.
We retain your personal data only for as long as necessary for the purposes for which it was collected:
Active accounts. While your account is active, we retain your account, brand profile, and generated content data to provide the Service to you.
Cancelled or deleted accounts. If you delete your account, we delete your personal data within a reasonable period after deletion (typically 30 days), subject to the retention requirements below. Some data may be retained in backups for a limited additional period before being overwritten.
Billing and tax records. Records of transactions, invoices, and related financial information are retained for at least seven (7) years, as required by Dutch tax law.
Legal and security records. Logs and records may be retained for longer where necessary to comply with legal obligations, resolve disputes, prevent fraud, or enforce our agreements.
Anonymised or aggregated data. We may retain anonymised or aggregated data indefinitely, as it no longer identifies you.
If you are located in the EEA, you have the following rights regarding your personal data:
To exercise any of these rights, contact us at info@scripthouse.io. We will respond within one month of receiving your request, as required by the GDPR. We may need to verify your identity before acting on a request. There is no fee for exercising your rights, unless requests are excessive or manifestly unfounded.
ScriptHouse uses cookies and similar technologies (such as browser local storage and session storage) to operate the Service. The main categories are:
Most browsers allow you to refuse or delete cookies. Disabling strictly necessary cookies may prevent you from using the Service.
ScriptHouse is intended for users who are 18 years of age or older. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child without proper consent, we will take steps to delete that data.
If you are a parent or guardian and believe your child has provided us with personal data, please contact info@scripthouse.io and we will investigate.
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction. These measures include encryption in transit, secure password storage, role-based access controls, and regular security reviews of our infrastructure providers.
However, no system is fully secure. We cannot guarantee absolute security of your data. You are responsible for keeping your account credentials confidential and for notifying us immediately if you suspect unauthorised access to your account.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected users in accordance with applicable law.
The Service uses AI models to generate creative outputs based on inputs you provide. These outputs are creative suggestions, not automated decisions that produce legal effects or significantly affect you within the meaning of GDPR Article 22.
We do not use your personal data for automated decision-making that has legal or similarly significant effects on you.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. When we make material changes, we will notify you by email or by posting a notice within the Service.
The “Last updated” date at the top of this policy reflects the most recent revision. Continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.
If you have concerns about how we handle your personal data, please contact us first at info@scripthouse.io. We will do our best to resolve your concerns.
You also have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands, this is:
Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Postal address: Postbus 93374, 2509 AJ Den Haag, Netherlands
For any questions about this Privacy Policy or your personal data, or to exercise your rights, please contact:
Joris Timmer
Operating ScriptHouse as a sole proprietorship (eenmanszaak), registered in the Netherlands
Email: info@scripthouse.io