Script Security
Last updated: May 23, 2026
Your scripts are yours.
We never use them to train AI. We never sell them. We never share them. This page explains exactly how we keep that promise.
What happens when you upload
1. Parsed in your browser
Your file is read and parsed locally. We never receive your raw file — only the cleaned-up text needed to power your analysis.
2. Encrypted, then stored in your private account
Before it touches our database, your script is encrypted on our server with AES-256-GCM. Even a database leak would surface only opaque ciphertext. Every row is also protected by row-level access control — only your user account can read your scripts.
3. Only you can see it — and you can see who touched it
No other user can ever fetch your scripts, even by guessing IDs. Every script has an Activity log on its page showing every view, export, and edit — visible only to you.
4. Delete anytime, permanently
Hitting delete is a hard delete — the script, its analysis, and its activity log are removed immediately. You can also delete every script, or your entire account, from the Billing page.
Where analysis runs today
100% in your browser. Every analysis feature currently in ScriptDen — scene timeline, character graph, dialogue vs action, sentiment, locations, storyboard — is computed locally on your device using plain JavaScript. No script text is sent to any AI model.
When we add AI features
Three guarantees that will never change:
- Opt-in, per script. AI features are off by default. You turn them on for a specific script when you want them.
- Snippet-scoped. We only send the minimum text needed for the feature (e.g. a synopsis for a logline generator) — never the full 120 pages.
- Zero retention, no training. AI calls go through the Lovable AI Gateway, which routes to providers (Google, OpenAI) under zero-retention API terms. Your content is not used to train any model.
What we never do
- Train AI models on your scripts. Not ours, not anyone's.
- Sell or share script content with third parties.
- Log script text in our application logs.
- Allow engineering staff to browse user content casually — production access is restricted and audited.
- Use anonymous accounts for uploads. You sign in first, so every script has a clear owner.
Your controls
- Activity log — every script page shows the last 50 events (uploads, views, exports, deletions) so you can spot anything unexpected.
- Watermarked exports — every PDF or CSV export carries a small footer with your email and the export timestamp, so if a copy ever leaks you know where it came from.
- Delete a single script — from the script page; immediate and permanent.
- Delete everything — from the Profile page, a single action removes every script and analysis on your account.
- Delete your account — also on the Profile page. Permanently wipes scripts, analyses, activity, and sign-in.
Transport and storage
All traffic between your browser and our servers is encrypted in transit (TLS / HTTPS). Script content is encrypted at rest with AES-256-GCM before it's written to the database, so the underlying Postgres stores only ciphertext. Title, author, and genre are kept as plain metadata so your library search keeps working.
Reporting a concern
Found something that doesn't match what's on this page? Email security@scriptden.app and we'll respond quickly.
See also our Privacy Policy and Terms & Conditions.