Privacy Policy

Effective Date: March 1, 2026 Last Updated: March 1, 2026

This Privacy Policy describes how Roam Ebooks ("we," "us," or "our"), operating the Roam Creator platform at creator.roamebooks.com (the "Service"), collects, uses, stores, and shares your information. By using the Service, you agree to the practices described in this policy.

This document is provided for informational purposes and does not constitute legal advice. We recommend consulting with a qualified attorney for guidance specific to your situation.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Profile image (if provided or imported from OAuth)
  • Password (securely hashed; only for email/password accounts)
  • Username and display name
  • Locale preference

1.2 Authentication Data

Depending on your sign-in method, we may collect:

  • OAuth tokens and profile data from Google or GitHub
  • Passkey/WebAuthn credentials (public keys and device information)
  • Two-factor authentication secrets (encrypted at rest)
  • Magic link verification tokens (temporary, auto-expire)

1.3 Content Data

When you use the Service to create books, we store:

  • Book projects: titles, loglines, genres, tones, author pen names
  • Characters: names, roles, archetypes, summaries, backstories, appearances
  • Locations: names, types, summaries, geography, history, society details
  • Story architecture: scene structures, chapter organizations, drafts
  • Marketing content: titles, subtitles, keywords, categories, blurbs
  • Cover configurations and generated images
  • Exported manuscripts (DOCX, PDF, EPUB)

1.4 Automatically Collected Information

  • Session data: IP address, user agent string, session tokens
  • Cookie consent preference
  • Locale preference cookie

1.5 AI Usage Data

  • AI interaction logs: provider used, model, task type, input/output token counts, estimated cost, success/failure status
  • AI usage budgets and consumption tracking per billing period

1.6 Payment Information

  • Stripe customer ID (links your account to Stripe for billing)
  • Purchase records: subscription IDs, product IDs, purchase type, status

We do not collect, see, or store your full credit card number, CVV, or bank account details. All payment processing is handled exclusively by Stripe.

2. How We Use Your Information

  • Providing the Service: Account creation, authentication, session management, and delivering the book creation pipeline
  • AI-Powered Content Generation: Processing your book data through AI providers to generate characters, storylines, chapters, marketing content, and cover images
  • Billing and Payments: Processing subscriptions and one-time purchases through Stripe
  • AI Usage Management: Tracking and enforcing AI usage quotas based on your subscription tier
  • Communication: Transactional emails including verification, password reset, and magic link emails
  • Security: Fraud prevention, session management, and two-factor authentication
  • Service Improvement: Analyzing aggregate, anonymized AI usage patterns and performance

3. AI-Specific Data Processing

This section is important because Roam Creator uses third-party AI services to generate content for your books.

What data is sent to AI providers

When you use AI features (generating chapters, characters, storylines, marketing copy, cover images, etc.), portions of your book content — such as loglines, character descriptions, scene details, and chapter text — are sent to third-party AI providers for processing.

Which AI providers we use

  • Google Gemini API (Google LLC): Used for market research, genre analysis, character generation, location generation, storyline expansion, and various content generation tasks
  • Google Imagen (Google LLC): Used for cover image generation
  • Anthropic Claude API (Anthropic PBC): Used for creative synthesis, chapter drafting, scene generation, editorial scanning, blurb generation, and content refinement

What is NOT sent to AI providers

Your personal account information — including your email address, payment details, IP address, and authentication credentials — is never included in AI prompts or sent to AI providers.

How AI providers handle your data

Both Google and Anthropic operate under commercial API terms, which means your inputs and outputs are generally not used to train their AI models. For details, please refer to:

4. Third-Party Services

We use the following third-party services to operate Roam Creator:

| Service | Provider | Data Shared | Purpose | |---------|----------|-------------|---------| | Database Hosting | Supabase Inc. | All database records | PostgreSQL database hosting | | Payment Processing | Stripe Inc. | Email, customer ID, payment data | Subscription and purchase processing | | AI Content Generation | Google LLC | Book content | Gemini API and Imagen for AI features | | AI Content Generation | Anthropic PBC | Book content | Claude API for creative synthesis | | Authentication | Google LLC | Email, profile data | Google OAuth sign-in | | Authentication | GitHub (Microsoft) | Email, profile data | GitHub OAuth sign-in | | Image Storage | Vercel Inc. | Generated cover images | Vercel Blob storage for cover images |

We do not sell your personal information to third parties. We share data only as described in this policy or as required by law.

5. Cookies and Tracking Technologies

Essential Cookies

  • Session cookie: Authenticates your session (expires after 30 days of inactivity)
  • Locale cookie: Stores your language preference

Analytics Cookies

Analytics cookies are only set if you consent via the cookie consent banner. You may decline non-essential cookies without affecting your ability to use the Service.

What We Don't Use

We do not use advertising cookies, marketing trackers, or cross-site tracking technologies.

6. Data Storage and Security

  • All data is stored in a Supabase-hosted PostgreSQL database
  • Passwords are cryptographically hashed
  • Two-factor authentication secrets and backup codes are encrypted at rest
  • All data transmission uses SSL/TLS encryption
  • OAuth tokens are stored server-side in the database
  • Cover images are stored in Vercel Blob storage
  • AI API keys are server-side only and never exposed to your browser
  • Access controls ensure you can only access your own book data

7. Data Retention

  • Account and book data: Retained as long as your account is active
  • AI usage logs: Retained for billing period tracking and internal analytics
  • Session data: Automatically expires after 30 days
  • Verification tokens: Expire and are cleaned up automatically
  • Cover images: Retained until you delete them or delete your account
  • Payment records: Retained per Stripe's requirements and for tax/accounting purposes

8. Your Rights and Choices

  • Access: View your account data in the Settings page
  • Correction: Update your profile, email, and username in Settings
  • Deletion: Delete your entire account via Settings. This permanently and irreversibly deletes all your data — books, characters, locations, reports, AI usage logs, sessions — and cancels any active subscriptions
  • Data Portability: Export your book content in DOCX, PDF, or EPUB format at any time
  • Cookie Preferences: Manage via the cookie consent banner
  • Two-Factor Authentication: Enable or disable in account settings

If you are located in the EU (GDPR) or California (CCPA), you may have additional rights including the right to know what data we hold, the right to request deletion, and the right to opt out of data sharing. To exercise these rights, contact us at roamebooks@gmail.com.

9. International Data Transfers

The Service is hosted in the United States. AI processing occurs on servers operated by Google and Anthropic in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.

10. Children's Privacy

The Service is not intended for users under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at roamebooks@gmail.com and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through an in-app notification. Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

Email: roamebooks@gmail.com