Scriptorium.works
Scriptorium.works / Legal

Legal

Privacy Policy

Last updated / Ultima actualizare: June 14, 2026

This Privacy Policy explains what personal data Scriptorium.works collects, how we use it, who we share it with, and what rights you have. The Platform is operated by IVI CREATIVE AGENCY LLC, a limited liability company organized under the laws of the State of Ohio, USA. We are committed to complying with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable data protection laws. The English-language version of this Policy is the authoritative legally binding version.

1. Data Controller / Business

The data controller (under GDPR) and business (under CCPA) for personal data processed through Scriptorium.works is:

IVI CREATIVE AGENCY LLC

Email: [email protected]

Telephone: +1 (440) 454-4790

For EU/EEA users: We do not currently have a designated EU representative under GDPR Article 27. All data protection inquiries should be addressed to [email protected] in English or Romanian.

2. Data We Collect

Account data: Name or pseudonym, email address, username, password (hashed via bcrypt or equivalent), country, language preference, profile photo (optional), biography (optional).

Transaction data: Purchase history, download records, listing ownership records. We do NOT store full payment card numbers — all payment data is processed by Stripe, Inc. ("Stripe") under their own terms and privacy policy. For authors with Stripe Connect Standard accounts, we receive only non-sensitive metadata (connected account ID, capabilities status) from Stripe.

Content metadata: Titles, descriptions, tags, language, word count, and other metadata of content you upload. We do not read or store the full text of unpublished manuscripts beyond what is necessary to fulfill a transaction.

Upload declarations: For each upload, we record the chosen category (own work / third-party PD / third-party CC / third-party permission), the individual checkboxes you confirmed, any required attachments (license, permission document), timestamp, IP address, browser user agent, and the version of the Upload Agreement in effect at the time. This data is stored permanently as evidence of your declarations under applicable law.

Communications: Messages sent through the Platform's internal chat system, support tickets, dispute communications, and email correspondence.

Technical data: IP address, browser type and version, operating system, device type, pages visited, session duration, referring URLs, and similar information collected via server logs and first-party analytics.

Authorship Certificate data: If you use the /protect service, we store the SHA-256 cryptographic hash of your file, the declared author name, declared title, UTC timestamp, and the blockchain anchoring receipt. We do NOT store the file contents.

Cookies and local storage: See our Cookies Policy for the categories of cookies and local-storage items we use.

3. How We Use Your Data

We use your data to: (a) create and manage your account; (b) facilitate transactions, payments, and payouts (via Stripe Connect Standard for authors); (c) enable communication between buyers, authors, and readers; (d) provide customer support and resolve disputes; (e) send transactional emails (order confirmations, payment notifications, strike notifications, content removals, dispute updates); (f) detect fraud, abuse, and policy violations; (g) comply with legal obligations (DMCA, tax, accounting, court orders); (h) improve Platform performance via aggregated, anonymized analytics.

We do NOT: sell your personal data to third parties; use your content to train artificial intelligence or machine-learning models without explicit consent; send marketing emails without your explicit opt-in consent; use behavioral tracking for targeted advertising.

4. Legal Basis for Processing (GDPR)

For users in the EU/EEA, we process your personal data on the following legal bases under GDPR Article 6:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the Platform services you requested — account creation, listing publication, transaction processing, payout coordination.

Legitimate interests (Art. 6(1)(f)): Fraud prevention, security, Platform improvement via anonymized analytics, defense against legal claims, evidentiary preservation of upload declarations.

Legal obligation (Art. 6(1)(c)): Tax records, anti-money-laundering compliance, response to court orders and valid legal process, DMCA recordkeeping.

Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies, where applicable. You may withdraw consent at any time without affecting prior processing.

5. CCPA / California Privacy Rights

California residents have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

Right to know — what categories of personal information we collect, the sources, the business purpose, and the categories of third parties with whom we share it.

Right to delete — request deletion of your personal information, subject to legal retention obligations.

Right to correct — request correction of inaccurate personal information.

Right to opt out of sale or sharing — we do NOT sell or share your personal information for cross-context behavioral advertising. You have nothing to opt out of in this regard.

Right to limit use of sensitive personal information — we do not use sensitive personal information beyond purposes permitted by law.

Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

To exercise any CCPA right, contact [email protected]. We will respond within 45 days (with a possible 45-day extension if needed).

6. Data Sharing and Recipients

We share your data only with the following categories of recipients, all bound by appropriate contractual protections:

Payment processor: Stripe, Inc. — for processing payments, payouts, KYC/AML compliance, and tax form generation. Stripe processes your data under its own Privacy Policy (stripe.com/privacy).

Database and authentication provider: Supabase / equivalent — data storage with EU or US data center options.

Security and content delivery: Cloudflare — for DDoS protection, CDN delivery, and security.

Hosting: Vercel — for application hosting.

Email transactional: Resend / Postmark / equivalent — for sending transactional emails on our behalf.

Public blockchain timestamping (OpenTimestamps or equivalent): When you use /protect, only the SHA-256 hash is transmitted publicly — no personal data, no file contents.

Law enforcement: Where required by valid legal process (subpoena, court order, search warrant).

All third-party processors are bound by data processing agreements compliant with GDPR Article 28 (where applicable).

7. Data Retention

Account data: Retained while your account is active, plus 2 years after deletion (for dispute resolution and legal compliance).

Transaction records: 7 years (U.S. federal tax requirement) or longer where required by Romanian/EU tax law for EU users.

Upload declarations and copyright records: Retained permanently as legal evidence of your declarations under DMCA and applicable law.

Messages: 3 years after the last message in a conversation.

Authorship Certificate records: Indefinitely — these are timestamped evidentiary records that may be needed years later.

Technical logs: 90 days, then anonymized for analytics.

DMCA notices and counter-notifications: 7 years.

8. Your GDPR Rights (EU/EEA and UK Users)

If you are located in the EU/EEA or UK, you have the right to:

Access — request a copy of all personal data we hold about you.

Rectification — correct inaccurate or incomplete data.

Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.

Restriction — request limitation of processing in certain circumstances.

Portability — receive your data in a machine-readable, portable format.

Objection — object to processing based on legitimate interests.

Withdrawal of consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any right, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

9. International Data Transfers

Scriptorium.works is operated from the United States by IVI CREATIVE AGENCY LLC. Personal data of EU/EEA users may be transferred to and processed in the United States.

For such transfers, we rely on the following safeguards: (a) Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914); (b) supplementary measures as recommended by the European Data Protection Board where applicable; (c) Stripe's and other processors' own SCC-based or Adequacy Decision-based mechanisms.

You may request a copy of the SCCs by contacting [email protected].

10. Cookies

We use only essential cookies necessary for Platform functionality (authentication session, language preference, CSRF protection). We do NOT use third-party advertising cookies or cross-site tracking.

See our Cookies Policy for complete details on cookie categories, purposes, and retention.

11. Children's Privacy

The Platform is not directed at users under 16 years of age (or 13 in the United States under COPPA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately at [email protected] and we will delete it promptly.

12. Security

We implement reasonable technical and organizational measures to protect your personal data, including: encryption in transit (TLS 1.3); hashed passwords (bcrypt or equivalent); access controls and audit logs; regular security reviews; incident response procedures.

However, no method of transmission or storage is 100% secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the appropriate supervisory authority without undue delay and where feasible within 72 hours of becoming aware, in accordance with GDPR Article 33.

13. Changes to This Policy

We will notify registered users by email at least 14 days before any material changes to this Policy take effect. The updated Policy will be published at this URL with a new "Last Updated" date. For non-material changes (clarifications, formatting, minor edits), changes take effect upon publication.

14. Contact

Data protection / privacy inquiries: [email protected]

General legal: [email protected]

Mailing address: IVI CREATIVE AGENCY LLC

Telephone: +1 (440) 454-4790