Last updated: April 19, 2026
Plotheus ("we", "us", "our") is a story architecture platform that helps writers structure their narrative worlds. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.
For the purposes of the General Data Protection Regulation (GDPR) and the UK GDPR, the data controller is the operator of Plotheus. You can reach us at privacy@plotheus.com for any privacy, data protection, or data subject request.
When you create an account with an email and password, we collect:
If you choose to sign in with Google, we use Google OAuth 2.0 (via our authentication provider Supabase) and request the default openid, email, and profile scopes. From your Google account we receive:
We do not request, access, or store any additional Google data (such as Gmail, Drive, Calendar, Contacts, or YouTube data). We do not receive or store your Google password. See Section 7 below for our Limited Use disclosure.
When you use Plotheus, we store the content you create:
We may collect technical data to operate and improve the service:
We use strictly necessary cookies for authentication and session management, and we use your browser's local storage to remember your cookie preference and to hold an anonymous analytics identifier if you accept analytics. See our Cookie Policy for the full list.
We use your personal data to:
Under the General Data Protection Regulation, we process your data based on:
Your data is stored securely using Supabase infrastructure with encryption at rest and in transit. We implement row-level security policies to ensure users can only access their own data. Authentication is handled via industry-standard protocols.
We do not sell your personal data, we do not share it with advertisers, and we do not use it for advertising profiling. We rely on the following service providers (sub-processors), each bound by a data processing agreement:
Plotheus never hosts or proxies large language model (LLM) calls. When you export a context package to an AI agent, that data leaves our platform and is governed by the AI provider's own terms and privacy policy. You are responsible for the provider you choose.
Plotheus's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, information obtained from Google Sign-In (as listed in Section 2.2) is used only to:
We do not sell Google user data, we do not use it for advertising, we do not transfer it to third parties except as necessary to provide and secure the service (as described in Section 6), and we do not allow humans to read it except with your explicit consent, for security and abuse investigations, or when required by law.
We retain different categories of data for different periods:
You can request deletion of your account and associated data at any time by emailing privacy@plotheus.com.
Under the GDPR, the UK GDPR, and other applicable data protection laws, you have the right to:
To exercise any of these rights, contact us at privacy@plotheus.com. We will respond within the timeframes required by law (generally one month under the GDPR). If you believe we have not handled your data properly, you have the right to lodge a complaint with your local data protection supervisory authority (for example, the Spanish AEPD, the Irish DPC, or the UK ICO), without prejudice to any other administrative or judicial remedy.
Because our infrastructure providers are based in the United States, personal data collected through Plotheus may be transferred to and processed in the United States or in other countries where our sub-processors operate. These countries may have data protection laws that differ from the laws in your country.
Where such transfers involve personal data protected by the GDPR or the UK GDPR, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), the EU-U.S. Data Privacy Framework where our sub-processors are certified, and supplementary technical measures such as encryption in transit and at rest. You can request a copy of the safeguards in place by emailing privacy@plotheus.com.
We implement industry-standard technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, row-level security in our database, hashed credentials, short-lived session tokens, and strict Content Security Policy headers. No online service can be guaranteed to be 100% secure, but if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected users without undue delay.
Plotheus is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@plotheus.com and we will delete it promptly.
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page and, for material changes, notify you by email or through a prominent notice on the platform before the change takes effect. Continued use of the service after an update constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or about how your personal data is handled, you can reach us at:
Email: privacy@plotheus.com
For Google user data requests specifically: privacy@plotheus.com (please mention "Google data" in the subject).