This Privacy Policy explains how Deepstory BV (operating the ScriptBook service at scriptbook.io) collects, uses, discloses, and protects personal data when you visit our website, purchase an analysis, or submit a screenplay for review. We are committed to handling your data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR) and Belgian data protection law.
1. Who we are
The data controller responsible for your personal data is:
Belgian Crossroads Bank for Enterprises (CBE/KBO) number: 0799185176
Email: hello@deepstory.ai
Deepstory BV operates the ScriptBook AI screenplay analysis platform under the ScriptBook brand. References in this policy to "ScriptBook," "we," "us," or "our" refer to Deepstory BV.
2. Scope of this policy
This policy applies to personal data we process when you visit our website, purchase an analysis, submit a screenplay to us, receive automated emails from us after purchase, or contact us through any channel listed on our website. It does not apply to third-party websites linked from our site.
3. Personal data we collect
We collect only what we need to provide our service and run our business.
3.1 Information you provide to us
- Purchase information: your name, email address, billing country, and transaction reference. Payment card details are entered directly with our payment provider; we never see or store your card number or CVC.
- Screenplay submissions: the script file you send us, together with any information you include in your email (such as your name, contact details, or project notes).
- Correspondence: the content of any message you send us and the email address you send it from.
3.2 Information collected automatically
- Aggregated, cookieless analytics: we use a privacy-friendly analytics service that sets no cookies and stores nothing on your device. It records only aggregated, anonymous information such as page views, referring URL, country, and device type.
- Server logs: our hosting infrastructure keeps short-lived technical logs (such as IP address, timestamp, and request details) for security and abuse prevention.
3.3 Information from third parties
We do not buy personal data from data brokers and we do not enrich your profile with external data.
4. How and why we use your data
We process personal data on the following legal bases under Article 6 GDPR:
| Purpose | Legal basis |
|---|---|
| Delivering the analysis you purchased | Performance of a contract (Art. 6(1)(b)) |
| Processing your payment | Performance of a contract (Art. 6(1)(b)) |
| Sending purchase confirmations and access instructions | Performance of a contract (Art. 6(1)(b)) |
| Responding to customer enquiries | Performance of a contract or legitimate interest (Art. 6(1)(f)) |
| Aggregated, cookieless website analytics | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, and abuse mitigation | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (invoicing, accounting, tax) | Legal obligation (Art. 6(1)(c)) |
4.1 We do not train AI models on your screenplay
Your screenplay is used solely to generate your analysis report. We do not use customer-submitted screenplays as training data for our AI models or for any purpose other than delivering the service you purchased.
4.2 Marketing
We do not use your contact details for unsolicited marketing. If we introduce a newsletter in the future, we will obtain your explicit opt-in consent and you will be able to unsubscribe at any time.
5. Categories of recipients
We share personal data only with carefully selected service providers who help us deliver the service. Each provider is bound by a written data processing agreement and is required to apply appropriate technical and organisational measures. The categories of providers we rely on are:
- an EU-regulated payment processor;
- a cloud hosting and content-delivery provider;
- a cookieless analytics provider;
- an email and productivity provider for company correspondence;
- a workflow-automation provider for transactional emails.
We may also disclose personal data to public authorities or third parties where required to do so by law, where necessary to defend our legal interests, or with your explicit instruction. A current list of the specific providers we use is available on request at hello@deepstory.ai.
6. International transfers
Some of our processors are located outside the European Economic Area (EEA), in particular in the United States. Where we transfer personal data to a country that has not received an adequacy decision from the European Commission, we rely on appropriate safeguards under Article 46 GDPR, including the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. You may request a copy of the relevant safeguards by emailing hello@deepstory.ai.
7. How long we keep your data
We keep personal data only for as long as necessary for the purposes for which it was collected, including any retention period required by law:
- Customer records and invoices: 7 years, as required by Belgian accounting and tax law.
- Submitted screenplays: deleted from our systems within 90 days of the analysis being delivered to you, unless you instruct us otherwise.
- Analysis reports: retained for the duration of your relationship with us and for a reasonable period thereafter to allow re-delivery if needed.
- Email correspondence: retained for as long as needed to support our customers, generally not exceeding 5 years.
- Analytics data: aggregated, anonymous statistics only — no personally identifiable data is retained.
- Server logs: retained only for the short period needed for security and abuse prevention.
8. Your rights under GDPR
Subject to the conditions set out in the GDPR, you have the following rights regarding your personal data:
- Right of access — to obtain confirmation of whether we process your data, and a copy of that data;
- Right to rectification — to have inaccurate or incomplete data corrected;
- Right to erasure ("right to be forgotten") — to have your data deleted in certain circumstances;
- Right to restriction — to limit the processing of your data in certain circumstances;
- Right to data portability — to receive the data you provided to us in a structured, machine-readable format and to transmit it to another controller;
- Right to object — to object to processing based on legitimate interest;
- Right to withdraw consent — where processing is based on your consent, you may withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, please contact us at hello@deepstory.ai. We will respond within one month of receiving your request, and we may extend that period by a further two months for complex requests, in which case we will inform you.
9. Right to lodge a complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The competent authority in Belgium is:
Rue de la Presse 35, 1000 Brussels, Belgium
Phone: +32 2 274 48 00
Email: contact@apd-gba.be
Website: www.dataprotectionauthority.be
10. Cookies and similar technologies
Our website does not set any tracking cookies. Analytics are handled by a cookieless, privacy-friendly service that does not store information on your device. Our checkout provider sets its own strictly necessary cookies on its own domain when you complete a purchase. For full details please see our Cookie Policy.
11. Data security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encrypted transport (HTTPS/TLS), access controls and authentication, secure email handling, the use of service providers that meet recognised security standards (such as PCI-DSS and SOC 2), and regular review of our procedures. While we strive to protect your data, no system is perfectly secure; if a breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.
12. Children's privacy
Our services are intended for professionals and adults working in the film and television industry. We do not knowingly collect personal data from children under 18 years of age. If you believe a child has provided personal data to us, please contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will take additional steps to inform you (for example, by displaying a notice on the website or sending you an email if appropriate). We encourage you to review this policy periodically.
14. Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Email: hello@deepstory.ai
The same address serves as the contact for all data protection matters, including the exercise of GDPR rights.