Privacy Policy

Last updated: May 20, 2026

Also available in French. The data controller is the French legal entity identified in our legal notices.

1. Data Controller

The data controller (responsable de traitement) for the Service is the French legal entity identified on our legal notices page. For privacy questions, contact privacy@muzewriter.com.

2. Information We Collect and Legal Basis (RGPD)

Account information — email address, hashed password (never plaintext), display name, and optional avatar URL. Legal basis: performance of the contract (Art. 6.1.b RGPD).

Your content — manuscripts, outlines, characters, worldbuilding notes, version history. Legal basis: performance of the contract.

Usage data — AI generation logs (model used, token counts, latency, feature used) for billing and product improvement. We log a short snippet of prompts (up to 200 characters) for debugging. Legal basis: legitimate interest (Art. 6.1.f) for product improvement and abuse detection.

Payment information — Stripe processes payments. We receive transaction confirmations, subscription state, customer billing address (needed for VAT). We never see or store card numbers. Legal basis: performance of the contract; legal obligation (tax law) for invoice records.

BYOM API keys — if you provide your own AI-provider keys, they are encrypted at rest (AES-256-GCM) and used only as a relay to the provider you chose. They are never returned via our API or shared. Legal basis: performance of the contract.

Marketing preferences — whether you have opted in or out of product-update emails, and the timestamps of those decisions. We use this state to honor your choice on every send and to demonstrate compliance. Legal basis: legitimate interest (Art. 6.1.f) and soft opt-in for existing customers under Art. L. 34-5 CPCE for legacy accounts; explicit consent (Art. 6.1.a) for accounts created on or after 20 May 2026.

3. How We Use Your Information

  • Provide and improve the Service
  • Process payments, calculate VAT, manage your credit balance and subscription
  • Send transactional emails (password resets, invoices, mandatory loi-Châtel renewal reminders)
  • Send occasional product updates and writing-craft content about Muze Writer itself, with a one-click unsubscribe in every email (see Section 9 of the Terms of Service)
  • Detect abuse and enforce our Terms of Service
  • Generate aggregate, anonymized usage analytics (no individual profiling)

4. Your Content and AI Models

We do not use your content to train AI models. Content you create is forwarded to third-party AI providers solely to generate the output you requested.

When you use Bring Your Own Model, your prompts are sent directly to the provider using your own API key. We act only as a relay.

5. Data Sharing and Sub-Processors

We do not sell your personal data. We share data only with the following sub-processors:

  • Anthropic, OpenAI, Google, DeepSeek — AI generation requests (some processing occurs outside the EU/EEA; see Section 8)
  • Stripe Payments Europe Ltd. — payment processing, subscription billing, tax calculation
  • Resend — transactional and marketing email delivery, including subscriber list management and one-click unsubscribe handling
  • Vercel Inc. — application hosting and observability
  • The database host identified in our legal notices — persistent storage

6. Data Retention

We retain your account and content data for as long as your account is active. If you delete your account, we erase your personal data within 30 days, subject to legal retention requirements (invoices and billing-related records are kept for ten years as required by French commercial law).

Archived projects are retained for 90 days before permanent deletion, allowing you to recover them.

7. Security

Passwords are hashed using bcrypt. BYOM API keys are encrypted at rest with AES-256-GCM. All traffic uses HTTPS. We implement reasonable technical and organizational measures to protect your data against unauthorized access.

8. International Data Transfers

Some AI providers (notably Anthropic, OpenAI, Google) process data in the United States. These transfers are covered by the EU-US Data Privacy Framework where applicable, or by Standard Contractual Clauses with additional safeguards. You can avoid US-based processing entirely by using Bring Your Own Model with a provider of your choosing, or by setting your project to use only EU-hosted models when available.

9. Your Rights Under RGPD

If you are in the European Union, the United Kingdom, or another jurisdiction with similar rights, you have the right to:

  • Access the personal data we hold about you (Art. 15 RGPD)
  • Request correction of inaccurate data (Art. 16)
  • Request erasure of your data (Art. 17), subject to our legal retention obligations
  • Object to or restrict processing based on legitimate interest (Art. 18 and 21)
  • Data portability — receive your data in a machine-readable format (Art. 20)
  • Withdraw consent at any time for processing based on consent (Art. 7.3)
  • Define directives for the fate of your data after death (French law)

To exercise these rights, contact privacy@muzewriter.com. We respond within 30 days.

If you believe our handling of your data violates the RGPD, you have the right to lodge a complaint with your national data-protection authority. In France, this is the CNIL — cnil.fr/fr/plaintes.

10. Cookies

We use a single session cookie to keep you logged in (NextAuth.js). We do not use tracking or advertising cookies. Vercel Analytics records aggregate, anonymous traffic patterns without cookies.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email at least thirty days in advance. Your continued use of the Service constitutes acceptance of the updated policy.

12. Contact

Privacy questions or rights requests: privacy@muzewriter.com.
