Privacy Policy

Effective date: February 22, 2026  ·  Last updated: February 22, 2026

Novel Forge ("we," "our," or "us") operates the website at mintybug.ai. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights. We are committed to compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), and other applicable privacy laws.

1. Data Controller

Novel Forge is the data controller for personal data collected through the Platform.

  • Email: privacy@mintybug.ai
  • Website: https://www.mintybug.ai

For GDPR purposes, if you are located in the EU/UK and have concerns about how we process your data, you may contact our privacy team at the address above. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK or your national data protection authority in the EU).

2. Personal Data We Collect

2.1 Account & Identity Data

  • Name and email address (provided during registration or via Google OAuth).
  • Profile information: display name, avatar, bio.
  • Authentication tokens and session identifiers.

2.2 Content Data

  • Templates, stories, characters, and descriptions you create or upload.
  • Novels or writing samples uploaded to the Writer's Guide feature.
  • Bookshelf entries and cloud save data.
  • Choices and inputs made during interactive gameplay.

2.3 Payment & Financial Data

  • Token purchase history and current balance.
  • Earnings records and withdrawal history.
  • Payment card details are processed directly by Stripe and are not stored on our servers. We receive only a tokenised reference and the last four digits of your card for display purposes.
  • For creator payouts, Stripe Connect may collect additional KYC information (e.g., government-issued ID, bank account details) subject to Stripe's own privacy policy.

2.4 Usage & Analytics Data

  • Pages visited, features used, buttons clicked.
  • Session duration and navigation patterns.
  • AI generation requests (prompt metadata, model used, token cost).
  • Referral source and referral programme activity.

2.5 Technical Data

  • IP address and approximate geolocation (country/region).
  • Browser type, version, and operating system.
  • Device type and screen resolution.
  • HTTP request logs and error logs.

2.6 Communications Data

  • Emails sent to or received from our support team.
  • Transactional emails (account confirmation, payment receipts, payout notifications).

2.7 Data We Do Not Collect

We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data. We do not knowingly collect personal data from children under 13 without parental consent.

3. How We Collect Data

  • Directly from you — when you register, create content, make purchases, or contact support.
  • Automatically — through cookies, server logs, and analytics SDKs as you use the Platform. See our Cookie Policy.
  • From third parties — Google provides your name and email when you sign in with Google OAuth; Stripe provides payment status and payout confirmations.

4. How We Use Your Data

We process your personal data only for the purposes and on the legal bases described below.

PurposeData UsedLegal Basis (GDPR Art. 6)
Provide and operate the PlatformAccount, content, technical dataContract performance (Art. 6(1)(b))
Process token purchases and payoutsPayment & financial dataContract performance (Art. 6(1)(b))
Send transactional emailsEmail address, event dataContract performance (Art. 6(1)(b))
Moderate content and prevent fraudContent, usage, IP dataLegitimate interests (Art. 6(1)(f))
Analytics and platform improvementUsage & technical dataLegitimate interests (Art. 6(1)(f)); Consent where required by national law
Rate limiting and securityIP, usage dataLegitimate interests (Art. 6(1)(f))
Legal compliance and tax obligationsFinancial data, identity dataLegal obligation (Art. 6(1)(c))
Referral programme administrationAccount data, referral codesContract performance (Art. 6(1)(b))

5. How We Share Your Data

We do not sell your personal data. We share data only with the following categories of recipients, and only to the extent necessary:

5.1 Service Providers (Data Processors)

  • Stripe (stripe.com) — payment processing and creator payouts. Data transferred to the US under SCCs.
  • Google — OAuth authentication. Governed by Google's Privacy Policy.
  • PostHog — product analytics. We use PostHog's EU-hosted option where available; data may be transferred under SCCs.
  • Resend / Postmark — transactional email delivery.
  • Axiom / BetterStack — application logging and monitoring. Logs may contain IP addresses and are retained for 30 days.
  • OpenAI, Anthropic, DeepSeek, Google DeepMind, xAI — AI story generation. Your prompts and story context are sent to these providers for inference. Please review their respective privacy policies.
  • Cloud Storage Provider — user-uploaded files (e.g., Writer's Guide novels) are stored in encrypted cloud storage.

5.2 Legal Requirements

We may disclose your data to law enforcement or regulatory authorities where required by applicable law, including in response to lawful court orders, to protect our legal rights, or to prevent fraud, abuse, or illegal activity.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you via email or platform notice before your data becomes subject to a materially different privacy policy.

5.4 Public Content

Templates and stories you publish publicly are visible to all Platform users and may be indexed by search engines. Your display name is shown alongside your published content.

6. International Data Transfers

We are based in the United States. When we transfer personal data from the EU/UK/Switzerland to countries that have not been deemed adequate by the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards. You may request a copy of applicable transfer mechanisms by contacting privacy@mintybug.ai.

7. Data Retention

  • Account data: retained for the lifetime of your account plus 30 days after deletion.
  • Content data: deleted within 30 days of account deletion, except where legal holds apply.
  • Payment records: retained for 7 years to comply with tax and accounting obligations.
  • Application logs: retained for 30 days.
  • Analytics data: retained for 24 months in aggregated/pseudonymous form.

8. Your Rights Under GDPR (EU & UK)

If you are located in the EU or UK, you have the following rights:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data where no legal basis for retention exists.
  • Right to restriction of processing (Art. 18) — ask us to stop processing your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
  • Right not to be subject to automated decisions (Art. 22) — we do not use solely automated decision-making with legal or similarly significant effects.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@mintybug.ai with the subject line "Data Subject Request." We will respond within 30 days (extendable to 90 days for complex requests with notice). We may need to verify your identity before processing your request. Exercising your rights is free of charge.

You also have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.

9. Your Rights Under CCPA / CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

  • Right to know — request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
  • Right to delete — request deletion of personal information we have collected, subject to certain exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioural advertising. No opt-out is therefore necessary, but you may still submit a request.
  • Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA.
  • Right to non-discrimination — we will not discriminate against you for exercising any of the above rights.

Categories of Personal Information Collected (CCPA)

  • Identifiers (name, email, IP address, account ID).
  • Commercial information (token purchase history, earnings).
  • Internet or network activity information (usage data, log data).
  • Inferences drawn from usage data to understand user preferences.

To submit a California privacy rights request, email privacy@mintybug.ai with the subject line "California Privacy Request." We will respond within 45 days (extendable to 90 days with notice).

10. Children's Privacy

The Platform is not directed to children under 13. We do not knowingly collect personal data from children under 13. If we learn we have inadvertently collected such data, we will delete it promptly. Users between 13 and 17 may use the Platform only with parental consent and are restricted from adult-rated content. If you believe we have collected data from a child under 13, please contact privacy@mintybug.ai immediately.

11. Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest for sensitive data.
  • Access controls limiting employee access to personal data on a need-to-know basis.
  • Regular security reviews and dependency auditing.
  • Hashed and salted credential storage (we never store plaintext passwords).

No method of transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify affected users and relevant authorities as required by law (within 72 hours under GDPR).

12. Cookies & Tracking

We use cookies and similar technologies. For full details on the cookies we use, their purposes, and how to control them, see our Cookie Policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent in-platform notice at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact & Data Protection Enquiries

For any privacy-related questions, requests, or complaints:

  • Privacy email: privacy@mintybug.ai
  • General support: support@mintybug.ai
  • Website: https://www.mintybug.ai

We aim to acknowledge all privacy enquiries within 5 business days.