Official Legal Document
Inkwell, Inc.
AI Document Generation Platform
Wilmington, Delaware
United States
legal@inkwell.ai
Privacy Policy
This document governs how Inkwell, Inc. collects, uses, stores, and protects your personal information.
Inkwell ("we", "us", "our") operates the Inkwell platform at inkwell.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using Inkwell you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
- Account Data: Name, email address, and password when you register; or your Google profile information (name, email, profile picture) when you authenticate via Google OAuth 2.0.
- Billing Data: When you subscribe to a paid plan, payment details (card number, billing address) are collected and processed directly by our payment processor, Stripe Inc. We do not store full card numbers on our servers — we retain only a Stripe Customer ID and last-four digits for reference.
- Document Content: The text, configurations, attachments, and generated output of documents you create on the platform.
- Team Data: If you create or join a team, we store team name, member email addresses, roles (Owner, Admin, Editor, Viewer), and invitations.
- Integration Credentials: When you connect third-party services (Medium, Dev.to, Hashnode, LinkedIn, Google Drive, Slack, Gmail), we store encrypted OAuth tokens or API keys using Fernet symmetric encryption at rest. We never store plaintext credentials.
- Workflow Data: Node configurations, edges, schedules, and execution history associated with your no-code workflows.
- Communications: Messages sent through our contact form or support channels.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, generation counts, word counts, export frequency, and search queries within the platform.
- Device & Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and timezone.
- Cookies & Local Storage: Authentication tokens, theme preferences, and sidebar state. See our Cookie Policy for details.
- Log Data: Each API request is logged with a unique request ID, timestamp, endpoint, HTTP method, response status, and duration for debugging and security monitoring.
2. How We Use Your Information
We process your data for the following purposes:
- Service Delivery: To operate the platform, generate documents via our AI agent pipeline (Research, Writing, Formatting, Review, SEO), execute workflows, export files, and publish to connected platforms.
- AI Processing: Document configurations and content are sent to Anthropic's Claude API for generation. We transmit only the minimum data necessary for each generation step. Anthropic does not use your inputs to train their models under our commercial agreement.
- RAG (Retrieval-Augmented Generation): Completed documents are chunked and embedded locally using ChromaDB for future contextual retrieval within your user scope. RAG embeddings are never shared across users.
- Billing & Subscriptions: To process payments, manage plan upgrades/downgrades, track feature usage against plan limits, and issue invoices via Stripe.
- Communication: To send transactional emails (account verification, password resets, generation completion notifications), and, with your consent, product updates.
- Security & Fraud Prevention: To monitor for suspicious activity, enforce rate limits, and protect against unauthorized access.
- Analytics & Improvement: To understand how features are used, identify bugs, and improve the platform. Analytics data is aggregated and anonymized where possible.
3. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we rely on the following legal bases:
- Contract Performance: Processing necessary to provide the Service you signed up for (account management, document generation, workflow execution).
- Legitimate Interest: Security monitoring, fraud prevention, platform improvement, and aggregated analytics.
- Consent: Marketing communications and optional analytics cookies. You may withdraw consent at any time.
- Legal Obligation: Tax record-keeping, compliance with lawful requests from authorities.
4. Data Sharing & Third-Party Services
We do not sell your personal data. We share data only as described below:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude API) | AI document generation | Document configurations, section content for generation prompts |
| Stripe | Payment processing | Billing name, email, payment method |
| Google (OAuth) | Authentication, Google Drive | OAuth tokens, uploaded files (when you use Google Drive integration) |
| Medium, Dev.to, Hashnode, LinkedIn | Content publishing (user-initiated) | Document content, title, tags — only when you explicitly publish |
| Slack, Gmail | Notifications (user-configured) | Notification messages, document summaries — only when configured in workflows |
| Meilisearch (self-hosted) | Full-text search | Document titles, types, and status (hosted on our infrastructure, not shared externally) |
We may also disclose data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Inkwell, our users, or the public.
5. Data Security
- Encryption in Transit: All data is transmitted over TLS 1.2+.
- Encryption at Rest: Database backups are encrypted. Integration tokens are encrypted with Fernet (AES-128-CBC with HMAC).
- Password Hashing: User passwords are hashed with bcrypt (work factor 12) and never stored in plaintext.
- Access Control: Internal access to production data is restricted by role, logged, and audited.
- Rate Limiting: API endpoints are rate-limited to prevent abuse.
- JWT Authentication: Short-lived access tokens with secure refresh token rotation.
6. Data Retention
- Account Data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Documents: Soft-deleted first (recoverable via undo for 10 seconds), then permanently deleted. Permanently deleted documents are purged from backups within 90 days.
- RAG Embeddings: Deleted when the source document is permanently deleted.
- Billing Records: Retained for 7 years as required by tax and accounting regulations.
- Server Logs: Retained for 90 days for security monitoring, then automatically purged.
- Workflow Run History: Retained for 12 months, then automatically archived.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data via your profile settings or by contacting us.
- Erasure ("Right to be Forgotten"): Request deletion of your account and associated data. Some data may be retained where required by law.
- Data Portability: Export your documents in multiple formats (PDF, DOCX, Markdown, HTML) at any time.
- Restriction of Processing: Request that we limit how we use your data while a complaint is being resolved.
- Object: Object to processing based on legitimate interest by contacting us.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@inkwell.ai. We will respond within 30 days (or 45 days for complex requests, with notice).
8. California Privacy Rights (CCPA)
If you are a California resident, you have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the sale of personal information — we do not sell personal information; and (d) not be discriminated against for exercising your privacy rights.
9. International Data Transfers
Your data may be processed in countries other than your own. Where we transfer data outside the EEA, we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection.
10. Children's Privacy
Inkwell is not directed to individuals under 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or through an in-app notification at least 14 days before the changes take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
- Email: privacy@inkwell.ai
- General: support@inkwell.ai
- Postal: Inkwell, Inc., Attn: Privacy Team, Wilmington, Delaware, United States.
If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local Data Protection Authority.
© 2026 Inkwell, Inc. All rights reserved.