Privacy Policy

We try to collect as little as we can get away with. Three buckets:

Things you give us directly when you sign up, write, and pay:

• Identity from your sign-in provider — your email, name, and profile picture if Google passes one along.
• Author profile fields you fill in: display name, optional bio, language preference.
• Everything you put into the studio: the idea you start with, the answers in the interview, the table of contents you approve, chapter drafts and rewrites, cover briefs, metadata, exported PDF/EPUB files. This is your work and we treat it that way.
• Billing details when you subscribe — handled by Stripe. We never see or store full card numbers; Stripe gives us a token plus the last four digits and brand for display.
• Anything you send to support: emails, screenshots, bug reports, feedback.

Things we collect automatically while you use the app:

• Device and browser info — operating system, browser version, device type, screen size — for compatibility and bug triage.
• Network info — IP address, approximate region inferred from it, ISP — for security, fraud detection, and rate limiting.
• Activity logs — when you signed in, which page you opened, which pipeline step you ran, how long it took, whether it succeeded or errored.
• Token-usage metrics — for each AI generation we record the model used, the input/output token counts and the cost. We use this to bill credits accurately and to find places to optimize.

Things we do not collect: real-time location, contacts, calendar, microphone, camera, files outside what you explicitly upload, or browsing on other websites.

Each piece of data has a job. We use what we collect to:

• Run the studio — sign you in, generate your book, save your drafts, render your PDFs, count your credits, charge you the right amount.
• Keep things working — debug failures, recover crashed generations, monitor performance, stop abuse before it spreads.
• Talk to you when needed — receipts, password resets, security alerts, important product changes. We don't send marketing emails by default; if we ever do, you'll get an opt-out and we'll respect it.
• Improve the product — anonymized aggregates of how the pipeline behaves (success rates, latency, common error paths, average token spend) help us decide what to build next.
• Comply with the law — financial recordkeeping, tax invoicing, lawful requests from authorities, court orders.
• Defend ourselves and our users — prevent fraud, investigate abuse, protect the platform from attacks.

Booklee is an AI studio, so this part deserves its own section.

When you generate something, your prompt and the relevant context (your interview answers, your ToC, the chapter you're writing) get sent to underlying model providers — currently Anthropic (Claude) and OpenAI (gpt-image-2 for covers). We use these providers under their commercial-tier agreements, which means: your inputs and outputs are not used to train their public models.

We do not train any model — ours or anyone else's — on your private content. Period. The only learning signal we keep is anonymized: aggregate metrics like "chapter generations of length 3,000–4,000 words succeeded 94% of the time on Sonnet". Your actual prose stays yours.

Generated outputs and the prompts that produced them are stored in your account so you can keep editing them. They sit in our database (Firestore) and our object storage (Firebase Storage), encrypted at rest. You can delete them at any time.

We do not sell your personal data. We share it with three groups, only as needed:

Service providers that run the plumbing under Booklee:

• Google Firebase / Google Cloud — auth, database, file storage, hosting.
• Anthropic — Claude calls for the interview, ToC, and chapter writing.
• OpenAI — image generation for covers.
• Stripe — payment processing.
• Email delivery (transactional only) — receipts, password resets, security alerts.
• Error monitoring and product analytics tools — what stopped working, where users get stuck.

These vendors are bound by contracts that limit them to processing your data only for the services we hire them for.

Authorities, when the law requires it. We push back on overbroad requests and, when allowed, will tell you about a request that targets your account before we respond.

A future buyer or successor, if Booklee is ever acquired, merged, or wound down. In that case we'll notify you in advance and your data will continue to be governed by a privacy policy at least as protective as this one — or you can delete your account first.

Active account data sticks around as long as your account is active. If you delete your account, we erase your books, drafts, covers and personal profile from production systems within 30 days.

Some things we keep longer because we have to: payment records and tax invoices for as long as financial regulation requires (typically 7 years), security logs for up to 12 months, and content we removed for terms violations as long as we may need it to defend an enforcement action.

Backups roll off on their own schedule. A book you deleted may persist in encrypted backups for up to 60 additional days before it's gone for good.

Wherever you live, you can:

• See and edit your profile from Settings.
• Export your books as PDF and EPUB at any time — that's the format we use natively, so it's always available.
• Delete your account and the data tied to it from Settings → Permanent actions, no questions asked.
• Email support@booklee.ai to ask for a copy of any data we hold on you, to correct something, or to ask why we're processing a specific piece of information.

If you're in the EEA, UK, Switzerland or California, you have additional rights under GDPR/UK GDPR/CCPA: access, correction, deletion, portability, objection to certain processing, the right to withdraw consent, and the right to complain to your data protection authority. We handle these requests at no charge unless they're clearly excessive.

We answer privacy requests within 30 days. We may need to verify your identity first — usually a confirmation reply from the email on file is enough.

We take a defense-in-depth approach. In practice this means: HTTPS everywhere, encrypted storage, scoped access controls so engineers see only what they need to see, secret rotation on a schedule, third-party providers that hold relevant security certifications, and an internal review for any new data flow.

We don't pretend to be invincible. No internet service is. If we ever discover a breach affecting your data, we'll notify you and the appropriate authorities within the timeframe required by law (and faster when we can).

You play a role too: pick a strong password if you use email/password sign-in, enable two-factor authentication on your Google account if that's how you sign in, and tell us immediately at support@booklee.ai if you suspect anything off.

We use cookies and similar storage for essential things: keeping you signed in, remembering your language preference, protecting forms against CSRF, measuring how the app performs.

We don't run advertising cookies. We don't sell tracking pixels. The third-party scripts we do load — Stripe, Firebase, our analytics provider — are necessary for the product to function or to know whether it's working.

You can clear cookies and storage at any time from your browser. If you do, you'll be signed out and your language preference will reset to default.

Booklee isn't built for children. We don't allow anyone under 13 on the platform; if we discover an account belongs to a child under 13, we delete it and notify a parent or guardian when we have a way to reach them.

If you're a parent and believe your child has signed up, write to support@booklee.ai and we'll handle it quickly.

Booklee operates globally. To deliver the product, your data may travel to servers in the United States, the European Union, or wherever our providers run their infrastructure. When data moves out of the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (or equivalent legal mechanisms) to keep your protections intact.

If you'd like the specifics of where your data sits today, ask us at support@booklee.ai.

Privacy practices evolve as the product does. When we make a change that affects your rights or expands what we collect or share, we'll let you know by email and inside the app at least 14 days before it takes effect. Smaller cleanups go in silently and the "Last updated" date at the top reflects every change.

We won't make a change that retroactively reduces your rights over data we've already collected without first asking your permission.

Privacy questions, data requests, breach reports:

Email: support@booklee.ai

Operating entity: Kyntex LLC

Address: 7550 W IH-10, Suite 800, San Antonio, TX 78229, USA

If you're in the EU/UK and we appoint an EU/UK representative or DPO, this section will be updated with their contact details.