Privacy Policy
Last updated: 28 March 2026
1. Who we are
Asermu is operated by Carlos Diaz, a sole trader based in England.
Email: [email protected]
Address: 124 City Road, London EC1V 2NX
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Carlos Diaz is the data controller.
2. What data we collect
2.1 Account data (stored on our servers)
When you create an account, we collect and store:
| Data | Purpose | Legal basis |
|---|---|---|
| Name | Display in the app | Contract |
| Email address | Authentication, account recovery, service communications | Contract |
| Password (bcrypt hash) | Authentication (email/password sign-up only) | Contract |
| OAuth tokens (Google, GitHub) | Authentication and, if you opt in, cloud backup to your own Google Drive or GitHub account | Contract / Consent |
| Profile image URL | Provided by OAuth provider, displayed in the app | Contract |
| Stripe customer ID, subscription ID | Payment processing and subscription management | Contract |
| Account creation date | Record keeping | Legitimate interest |
2.2 Creative content (stored on your device)
Your manuscripts, characters, locations, timeline events, plot threads, notes, encyclopedia entries, and all other creative content are stored locally in your browser using IndexedDB. This data does not leave your device unless you explicitly choose to use the cloud backup feature.
2.3 Cloud backup data (Writer, Pro, and Lifetime tiers)
If you are on the Writer, Pro, or Lifetime tier and enable cloud backup, your project data is exported as a JSON file and uploaded to your own Google Drive account or GitHub Gist account. This transfer happens through our server as a relay, but we do not store, read, or process the content of your creative work. The backup file is stored in your own third-party account.
2.4 Anonymous usage analytics
We use Umami Cloud, a privacy-focused analytics service, to understand how visitors use the site. Umami does not use cookies, does not collect personal data, does not track users across sites, and is fully GDPR compliant. The data collected includes page views, referrer URLs, browser type, and country — all in aggregate with no way to identify individual users. No IP addresses are stored.
2.5 Data we do not collect
- We do not use advertising or marketing cookies
- We do not use personally identifiable tracking tools
- We do not read or process your creative content on our servers
- We do not share your data with data brokers
3. Cookies
We use only strictly necessary cookies for authentication. See our Cookie Policy for details. We do not use any analytics, advertising, or tracking cookies. Our analytics service (Umami) is fully cookieless.
4. Third-party processors
We share your data with the following third-party services, solely to operate the service:
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, name, payment details (handled by Stripe) |
| Google (OAuth) | Authentication and cloud backup (if opted in) | Email, name, profile image; Drive access for backup only |
| GitHub (OAuth) | Authentication and cloud backup (if opted in) | Email, name; Gist access for backup only |
| Railway | Application hosting | Server-side data as described in section 2.1 |
| Neon | PostgreSQL database hosting | Server-side data as described in section 2.1 |
5. Data retention
- Account data: Retained for as long as your account is active. Deleted when you delete your account.
- Creative content: Stored locally in your browser. You control its retention entirely. Clearing your browser data removes it.
- Cloud backup files: Stored in your own Google Drive or GitHub account. You control their retention.
- Stripe data: Retained by Stripe according to their privacy policy and applicable financial regulations.
6. Your rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data (you can update your name directly in the app)
- Erasure — delete your account and all associated server-side data
- Data portability — export your account data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request that we limit processing of your data
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. International data transfers
Our servers are hosted by Railway and Neon, which may process data in the United States or other countries. Where data is transferred outside the UK, we rely on the service provider's Standard Contractual Clauses or other appropriate safeguards as required by UK data protection law.
8. Children
Asermu is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.
9. Security
We protect your data using industry-standard measures including HTTPS encryption, bcrypt password hashing, CSRF protection, secure HTTP headers (HSTS, X-Frame-Options, X-Content-Type-Options), and server-side session management. Your creative content is stored locally in your browser and does not traverse our servers unless you opt into cloud backup.
10. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the app. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact
If you have questions about this policy or your personal data, contact us at [email protected].