Privacy Policy
Effective Date: [INSERT DATE]
Last Updated: [INSERT DATE]
Chaptera (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our smart ebook platform and related services (collectively, the “Service”).
This policy applies to users in the European Union and European Economic Area and complies with the General Data Protection Regulation (GDPR). If you are located outside the EU/EEA, please note that your data may be transferred to and processed in countries with different data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
[COMPANY LEGAL NAME][REGISTERED ADDRESS]
[COUNTRY]
Email: [email protected]
2. Personal Data We Collect
We collect personal data that you provide directly, data generated through your use of the Service, and data from third-party sources.
2.1 Data You Provide
- Account Information: Email address, name, profile picture, password (managed by our authentication provider)
- Payment Information: Billing address, payment card details (processed by Stripe; we do not store full card numbers)
- User Content: Ebooks you upload, annotations, highlights, bookmarks, notes, comments, and collections you create
- Communications: Messages you send to customer support, feedback, and survey responses
2.2 Data Generated Through Use
- Reading Activity: Reading progress, time spent reading, pages viewed, reading speed, reading sessions
- Learning Data: Vocabulary lookups, quiz attempts, AI-generated summaries and study materials
- Search History: Queries you enter in the platform search feature
- Technical Data: IP address, browser type, device information, operating system, access times
- Usage Analytics: Features used, buttons clicked, navigation patterns
2.3 Data from Third Parties
- Authentication Provider (Clerk): Account verification, session management
- Payment Processor (Stripe): Transaction confirmations, subscription status
3. Legal Bases for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of contract | Art. 6(1)(b) |
| Providing core reading features | Performance of contract | Art. 6(1)(b) |
| Storing your annotations and bookmarks | Performance of contract | Art. 6(1)(b) |
| Processing payments | Performance of contract | Art. 6(1)(b) |
| Retaining payment records | Legal obligation | Art. 6(1)(c) |
| AI-powered features (chat, summaries) | Consent | Art. 6(1)(a) |
| Analytics cookies | Consent | Art. 6(1)(a) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Product improvement analytics | Legitimate interest | Art. 6(1)(f) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Error logging and debugging | Legitimate interest | Art. 6(1)(f) |
Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
4. How We Use Your Data
We use your personal data for the following purposes:
- To create and manage your account
- To provide the Service, including ebook reading, annotations, and progress tracking
- To process payments and manage subscriptions
- To provide AI-powered features such as chat, summaries, and quizzes (with your consent)
- To sync your reading progress across devices
- To respond to your inquiries and provide customer support
- To send service-related communications (e.g., password resets, account notifications)
- To send marketing communications (with your consent)
- To improve and optimize the Service
- To detect, prevent, and address technical issues and security threats
- To comply with legal obligations
5. Third-Party Processors
We share your personal data with the following categories of third-party processors who help us operate the Service:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, profile image | USA |
| Stripe | Payment processing | Email, payment details | USA |
| Google Cloud | File storage | Uploaded ebooks | USA/EU |
| OpenAI | AI features | Book excerpts, prompts | USA |
| Anthropic | AI features | Book excerpts, prompts | USA |
| Google AI | AI features | Book excerpts, prompts | USA |
| Sentry | Error tracking | Error logs, user IDs | USA |
| DeepL | Translation | Text for translation | Germany |
All processors are bound by Data Processing Agreements (DPAs) that require them to protect your data in accordance with GDPR. For transfers to processors in the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), primarily the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all US-based processors
- Supplementary Measures: Where required, we implement additional technical and organizational measures
- Adequacy Decisions: For transfers to countries with EU adequacy decisions (e.g., UK), no additional safeguards are required
You may request a copy of the relevant safeguards by contacting us at [email protected].
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Account lifetime + 30 days | Service provision |
| Reading progress | Account lifetime | Core feature |
| Annotations and bookmarks | Account lifetime | User content |
| AI interactions | 90 days | Feature improvement |
| Search history | 30 days | Personalization |
| Payment records | 7 years | Legal/tax requirements |
| Error logs | 90 days | Debugging |
| Consent records | Account lifetime + 3 years | Compliance proof |
When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain certain information.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
8.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to access that data along with information about how it is processed.
8.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
8.3 Right to Erasure (Article 17)
You have the right to have your personal data deleted when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful.
8.4 Right to Restriction (Article 18)
You have the right to restrict processing of your personal data in certain circumstances, such as when you contest its accuracy.
8.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
8.7 Right to Withdraw Consent (Article 7)
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.8 Exercising Your Rights
To exercise any of these rights, you may:
- Use the self-service options in Settings > Privacy in your account
- Email us at [email protected]
- Contact our Data Protection Officer at [email protected]
We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you.
9. Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
Our AI features generate content recommendations and learning materials based on your reading history, but these do not constitute automated decision-making under GDPR Article 22.
10. Children's Privacy
The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected], and we will take steps to delete such information.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Access controls and authentication
- Regular security assessments and penetration testing
- Employee training on data protection
- Incident response procedures
While we strive to protect your personal data, no method of transmission or storage is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.
12. Cookies and Tracking
We use cookies and similar technologies to operate the Service and collect usage information. For detailed information about our use of cookies, please see our Cookie Policy.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last Updated” date. For significant changes, we will provide more prominent notice (such as email notification).
We encourage you to review this Privacy Policy periodically for any changes.
14. Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. In the EU, you may contact the supervisory authority in your country of residence.
We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please contact us first at [email protected].
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: [email protected]Data Protection Officer: [email protected]
Postal Address:
[COMPANY NAME]
[ADDRESS LINE 1]
[ADDRESS LINE 2]
[COUNTRY]