Política de privacidad

PLOTWELL, S.L. (NIF B26924068), located at Calle Princesa 31, 2-2, 28008 Madrid, Spain, is the data controller for personal data processed through plotwell. This policy is governed by the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and applicable Spanish law (LOPDGDD). Contact: privacy@plotwell.co.

Account data: Name, email address, and encrypted password provided at registration. We use bcrypt hashing; we never store plaintext passwords.

Creative content: Scripts, treatments, characters, storyboards, beat sheets, documents, and any other content you create or upload in the Service.

Usage metrics: Pages visited, features used, session duration, button clicks, and interaction patterns — collected to understand how users engage with the Service and improve it.

Device and technical information: IP address, browser type and version, operating system, screen resolution, referrer URL, and device identifiers.

Billing details: Processed entirely via Stripe (PCI-DSS Level 1 certified). We never store your full card number, CVV, or banking credentials — only Stripe customer IDs, transaction identifiers, and billing status.

Subscription and add-on information: Plan type, billing cycle, active add-ons, and AI credit balance.

Collaboration data: Names and email addresses of collaborators you invite to your projects, and the access roles you assign them.

Support communications: Messages you send to our support team, including any attachments or screenshots.

We process personal data only for specific, explicit, and legitimate purposes. For each purpose we identify the applicable legal basis under GDPR Article 6:

Contract performance (Art. 6(1)(b)): Providing, maintaining, and improving the Service you subscribed to; processing payments and managing your subscription; enabling collaboration features you activate; sending transactional emails (account confirmation, password reset, billing receipts).

Legitimate interest (Art. 6(1)(f)): Security monitoring and fraud prevention; debugging and service reliability; product analytics to understand usage patterns and prioritise features; enforcing our Terms of Service.

Legal obligation (Art. 6(1)(c)): Compliance with Spanish tax law (invoice retention); responding to lawful requests from authorities; complying with GDPR data subject request obligations.

Consent (Art. 6(1)(a)): Sending marketing or newsletter communications (only where you have explicitly opted in); placing analytics and advertising cookies beyond the essential set.

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

When you use AI features, relevant portions of your project content — including prompts, scene text, character descriptions, and instructions you provide — are transmitted to third-party AI inference providers for processing. Current providers include Replicate, OpenAI, OpenRouter, and xAI. The specific provider used may vary depending on the model selected.

We apply data minimisation: only the content necessary for the requested AI operation is sent. We do not transmit your personal account information (email, name, payment details, or device identifiers) to AI providers.

We request that our AI providers do not use your content for model training. However, each provider's data retention and training practices are governed by their own policies, which we cannot fully control. We recommend reviewing the privacy policies of Replicate, OpenAI, OpenRouter, and xAI for their specific commitments.

AI-processed content is not used by plotwell itself to train models or improve our systems beyond the scope of delivering the requested feature to you.

All payment transactions are handled exclusively by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. We never store, transmit, or have access to your full card number, CVV, or bank account details.

We retain only: Stripe customer and payment intent identifiers; subscription status and billing cycle; invoice amounts and dates; and refund records. This data is retained for the periods described in the Data Retention section.

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

Service providers: With vetted processors acting on our behalf under data processing agreements — including Supabase (database hosting), Stripe (payments), Vercel (frontend hosting), Render (backend hosting), Amplitude (analytics), and AI inference providers listed in Section 4.

Collaborators you invite: When you add a collaborator to a project, their name and email become visible to other project members. You control who has access.

Legal compliance: Where required by applicable law, court order, or regulatory authority (e.g., the AEPD or a Spanish court).

Protection of rights: To investigate or prevent fraud, abuse, security incidents, or violations of our Terms of Service.

Business transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, which will be bound by this Privacy Policy or an equivalent one. We will notify you before such a transfer takes effect.

Some of our service providers are based in the United States. This means your data may be transferred to and processed in a country outside the European Economic Area (EEA) that does not have an equivalent level of data protection under EU law.

We mitigate this risk through the following safeguards:

Standard Contractual Clauses (SCCs): We enter into EU Commission-approved SCCs with all processors that receive EEA personal data.

EU-US Data Privacy Framework: Where processors are certified under the EU-US DPF, we rely on that framework as an additional transfer mechanism.

Providers subject to international transfer include: Stripe (payments), Supabase (database), Vercel (hosting), Render (backend), Amplitude (analytics), and AI inference providers (Replicate, OpenAI, OpenRouter, xAI).

plotwell is not intended for users under the age of 18. We do not knowingly collect, process, or store personal data from minors. If you believe that a child has created an account or that we have inadvertently collected data from a child, please contact us immediately at privacy@plotwell.co and we will delete that data promptly.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure:

Encryption: Data in transit is protected by TLS 1.2+. Data at rest is encrypted at the storage layer by Supabase/PostgreSQL.

Access control: Row-level security (RLS) enforced at the database layer ensures users can only access their own data. Administrative access is restricted and audited.

Authentication: Passwords are hashed with bcrypt. We support secure session tokens with short expiry and automatic renewal.

Infrastructure: We rely on established cloud providers (Vercel, Render, Supabase) that maintain their own security certifications (SOC 2, ISO 27001).

No system is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in any case within 72 hours of becoming aware, as required by GDPR Article 33.

All creative work you produce on plotwell — scripts, storyboards, beat sheets, documents, and characters — remains your intellectual property. We do not claim ownership of your content, and we do not use it for any purpose other than delivering the Service to you.

We recommend maintaining independent backups of important work by using the built-in export features (PDF, Fountain, FDX). plotwell is not liable for data loss resulting from circumstances beyond our reasonable control.

Following account deletion, your creative content is retained for 30 days to allow you to export it. After that window, it is permanently and irreversibly deleted from our systems.

Account and creative content: Retained while your account is active. Deleted within 30 days of a verified account deletion request.

Billing records and invoices: Retained for 5 years from the invoice date, as required by Spanish tax law (Real Decreto 1619/2012).

Analytics data: Aggregated and anonymised usage data retained for up to 24 months. Raw event data may be deleted sooner.

Support communications: Retained for 3 years from the date of the last message in the conversation.

Legal hold: In the event of a legal dispute or regulatory investigation, relevant data may be retained beyond the standard periods above until the matter is resolved.

As a data subject under the GDPR, you have the following rights. To exercise any of them, email privacy@plotwell.co with your request. We will verify your identity before processing.

Right of access (Art. 15): You may request a copy of the personal data we hold about you and information about how it is processed.

Right to rectification (Art. 16): You may ask us to correct inaccurate or incomplete personal data without undue delay.

Right to erasure (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to legal retention obligations (e.g., billing records).

Right to restriction of processing (Art. 18): You may request that we limit how we process your data in certain circumstances, for example while we verify a rectification request.

Right to data portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV) where processing is based on consent or contract and carried out by automated means.

Right to object (Art. 21): You may object to processing based on our legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right not to be subject to automated decisions (Art. 22): We do not use your personal data for automated individual decision-making that produces legal or similarly significant effects. AI content suggestions are tools you control, not automated decisions about you.

Response timeframe: We will respond within one month. For complex or multiple requests, we may extend this by a further two months and will notify you within the first month.

Complaint: You have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at aepd.es, or with the supervisory authority in your EU country of residence.

We do not use your personal data for automated decision-making that produces legal effects or similarly significantly affects you. AI features in the Service generate creative suggestions based on content you provide — they are assistive tools under your full control and do not constitute profiling or automated decision-making in the GDPR sense.

Usage analytics are used in aggregate to understand product performance; they are not used to make individual decisions about your account or access.

Essential cookies (no consent required — necessary for the Service to function):

sb-*-auth-token — Supabase authentication session
plotwell-auth — plotwell session token
plotwell-consent — stores your cookie consent preference
__stripe_* — Stripe fraud prevention

Analytics cookies (require your consent):

AMP_* — Amplitude product analytics (session behaviour, feature usage)

Advertising cookies (require your consent):

_gcl_*, _gac_* — Google Ads conversion tracking

We use Google Consent Mode v2 to respect your choices. Analytics and advertising cookies are not placed until you explicitly accept them. You can change your preferences at any time via the cookie settings link in the footer, or by adjusting your browser settings.

The Service may contain links to external websites or services (for example, the ODR platform or AI provider documentation). This Privacy Policy does not apply to those third-party sites. We are not responsible for their privacy practices and encourage you to review their policies before providing any personal data.

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the Services we offer. Material changes will be communicated via email and/or an in-app notification at least 14 days before taking effect, along with an updated "Last updated" date at the top of this page.

If you do not agree with the updated policy, you may delete your account before the changes take effect.

For data protection inquiries, to exercise your rights, or to raise a concern, contact us at: privacy@plotwell.co

PLOTWELL, S.L. · NIF B26924068 · Calle Princesa 31, 2-2, 28008 Madrid, Spain