Your story. Protected.
Last updated: April 2026
Writers are protective of their work, and they should be. A story idea in its early life is fragile — half-formed, easy to dismiss, easy to steal. This page is the plain-English version of what we actually do here at Stop Writing! to earn your trust. The Privacy Policy covers the legal obligations. This one covers the practical ones.
1. Your Creative Work Is Yours
You own every word you write, every character you create, every beat you lay down. We don’t claim rights to any of it. We don’t use your creative content to train AI models. We don’t sell it. We don’t share it. We don’t analyze it for patterns we sell to someone else.
The AI we use — Anthropic’s Claude — is contractually prohibited from training on API data under their Commercial Terms. Their default API data retention is 7 days. Zero Data Retention is on our roadmap.
2. How Your Data Travels
Here’s the path your work takes, end to end:
- Your browser → stopwriting.com (HTTPS, TLS 1.2+) → Vercel (US regions) → Supabase (Postgres, AWS us-east-1) → Anthropic’s API (HTTPS) → back to you.
- Every hop is encrypted in transit (TLS).
- Data at rest is encrypted (AES-256) on both Supabase and Vercel.
- Your password is never stored in plaintext. It’s hashed with bcrypt by Supabase Auth before it ever touches the database.
3. The AI Handshake
When you chat with dAIvid, we send your message, your profile context, and the relevant state of the project you’re working on to Anthropic’s API in a single request. Claude responds. We stream the response back to you and save it to your project.
Anthropic’s track record matters here: SOC 2 Type II, ISO 27001, ISO 42001. Their Commercial Terms prohibit training on API data. Default 7-day retention on their side.
On our side, we log request metadata — token counts, model used, timestamps — so we can bill accurately and catch abuse. We do not log the content of your messages.
4. Who Can See What
Only you can see your projects. Period.
The technical mechanism is Row-Level Security (RLS), enforced inside Postgres — not at the application layer. Every query that touches your data is scoped to your user ID by the database itself. We don’t trust the app code to get it right; we let the database refuse to serve data that isn’t yours.
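An owner-only policy of the kind described above, as an added example that is not Stop Writing!'s own schema or code. The projects table, its owner_id column, the policy name and the two user IDs are hypothetical, and it assumes a Supabase project, which supplies auth.uid() and the authenticated role.

```sql
-- Added example. Hypothetical table and column names; assumes a Supabase
-- project, which supplies auth.uid() and the "authenticated" role.
create table public.projects (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,   -- the Supabase Auth user who owns the row
  title    text not null
);

-- Constructed sample rows for two made-up users, inserted before RLS is on.
insert into public.projects (owner_id, title) values
  ('11111111-1111-1111-1111-111111111111', 'User A draft'),
  ('22222222-2222-2222-2222-222222222222', 'User B draft');

-- Policies have no effect until RLS is enabled on the table. Once it is,
-- a role with no matching policy gets no rows at all (default deny).
alter table public.projects enable row level security;

grant select, insert, update, delete on public.projects to authenticated;

-- USING filters the rows a statement may see or modify; WITH CHECK validates
-- rows being written, so a user cannot insert or reassign a row to someone else.
create policy projects_owner_only on public.projects
  for all
  to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

-- Exercise the policy as user A. auth.uid() reads the "sub" claim of the
-- request JWT, which set_config() stands in for inside this transaction.
begin;
select set_config('request.jwt.claims',
  '{"sub": "11111111-1111-1111-1111-111111111111", "role": "authenticated"}', true);
set local role authenticated;

-- No WHERE clause here: the owner filter comes from the policy, not the query.
select id, owner_id, title from public.projects;

-- Attempt to hand a row to user B; WITH CHECK is evaluated on the new row.
update public.projects
   set owner_id = '22222222-2222-2222-2222-222222222222'
 where title = 'User A draft';
rollback;
```

The table owner and any role with the BYPASSRLS attribute are not subject to the policy, so credentials for those roles need the same care as the policy itself.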
Our internal admin dashboard requires an explicit is_admin flag on a user record. Access is logged.
When you invite an evaluator to read a Concept, Pitch, or Outline, that evaluator sees only the single document you shared — nothing else. Their access is scoped to one evaluation via a signed token that expires.
5. You Can Leave With Everything
Your data belongs to you. You can download everything or delete your account at any time.
- Download My Data — in Settings → Account. One click. Every project, every chat, every character, every beat, every evaluation, delivered as a ZIP file.
- Delete My Account — permanently removes every row of your data, cancels your subscription, and confirms by email. No soft-delete games. Gone means gone.
When you leave, we don’t keep shadow copies for analytics. We don’t keep “anonymized” training sets. Your work leaves when you leave.
6. The Honest Part
No system is bulletproof. We harden ours, but we also tell you the truth: if a breach happens, we notify you within 72 hours. Not 72 days. Not in a class-action letter a year later.
We use industry-standard security headers — Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
We don’t ship third-party analytics trackers or cookies that follow you around the web. The only tracking we do is what’s needed to run the product — authentication, session state, billing.
7. Responsible Disclosure
Found a vulnerability? Email security@stopwriting.com.
We won’t sue you for reporting in good faith. We’ll thank you. If the finding is material, we’ll credit you publicly (with your permission) on this page.
Please don’t disclose publicly before we’ve had a reasonable chance to fix it — the standard 90-day window works for us.
8. What We’re Still Working On
- Two-factor authentication (TOTP) — targeting Q2.
- Published SOC 2 Type I report — targeting end of year.
- Zero Data Retention with Anthropic — in discussion.
- One-click export and account deletion — rolling out in the coming weeks.
This page gets updated when any of this changes. The date stamp at the top tells you when.
Contact
Security issues: security@stopwriting.com
General privacy questions: info@stopwriting.com