Privacy Policy
Last updated — May 2026
Sections marked [TBD — Phase 2b] will be filled in when we expand internationally. See our Privacy Choices page to set your CCPA / CPRA preferences.
This Privacy Policy explains how [CONTROLLER LEGAL NAME] ("we," "us," or "our"), operator of Nebula Novel and its associated services (the "Services") — including the marketing site at nebulanovel.com, the writing application at app.nebulanovel.com, the community application at community.nebulanovel.com, the subscription management application at subscriptions.nebulanovel.com, and the documentation wiki at wiki.nebulanovel.com — collects, uses, discloses, and protects your personal information.
If you have questions, contact us at hello@nebulanovel.com.
1. Who is the controller of your data
The data controller is:
- [CONTROLLER LEGAL NAME]
- [CONTROLLER ADDRESS]
- [CONTROLLER STATE], [CONTROLLER COUNTRY]
- Privacy contact: hello@nebulanovel.com
EU representative
[TBD — Phase 2b] We will designate an EU representative under Article 27 of the EU GDPR when we expand the Services to the European Economic Area.
UK representative
[TBD — Phase 2b] We will designate a UK representative under Article 27 of the UK GDPR when we expand the Services to the United Kingdom.
2. What data we collect
We collect only the data we need to provide the Services, run the business, and comply with the law.
2.1 You give us directly
- Account data: email address, password (stored hashed by AWS Cognito), display name, optional profile information.
- Payment data: name, billing address, last four digits of payment card, card brand and expiry. Full card details are processed by our payment processor Stripe; we never store them.
- Content you create: manuscripts, chapters, notes, and other writing you store in the writing application; messages and posts you submit in the community application; comments and reactions; profile preferences.
- Communication preferences: newsletter and marketing email opt-ins and category preferences.
- Support communications: any messages you send to our support inbox.
2.2 We collect automatically
- Technical data: IP address, browser type and version, operating system, time zone, referring URL, pages visited, and timestamps. Used for security (rate limiting, abuse detection), fraud prevention, debugging, and aggregated analytics.
- Authentication data: session cookies and refresh tokens that keep you signed in.
- Browser-storage entries: see the storage inventory below.
2.3 We receive from third parties
- Federated sign-in providers: if you sign in with Google, we receive your email address, name, and Google account identifier from Google. We do not receive your Google password or any data beyond what Google's OAuth scopes disclose at consent.
- Payment processor: Stripe sends us confirmation of charges, refunds, and subscription status updates. We do not receive full card data.
2.4 What we explicitly do not seek
We do not solicit, encourage, or knowingly collect sensitive personal information under CCPA/CPRA (precise geolocation, racial or ethnic origin, religious or philosophical beliefs, mail or message contents, genetic data, biometric data, health data, or sex life / sexual orientation data). If you choose to include such information in your manuscripts or community messages, we will process it as part of the Services you have requested, but we strongly recommend against doing so unless you fully understand and accept the risks.
We do not knowingly collect personal information from children under 13. If you are under 13, please do not use the Services. If we learn we have collected data from a child under 13, we will delete it. See section 10.
3. Why we use your data
We use your data only for the purposes below. For California residents and residents of other US states with comprehensive privacy laws, these are the "business purposes" under CCPA/CPRA and equivalent frameworks. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Provide the Services (account creation, login, content storage, community participation, billing).
- Process payments and manage subscriptions.
- Communicate transactional messages (receipts, security alerts, password resets, account changes).
- Send marketing emails — only if you have opted in. Withdraw any time via the preference center.
- Protect against fraud, abuse, and security threats.
- Comply with legal obligations (tax records, lawful requests from authorities, DMCA notices).
- Improve the Services through aggregated analytics.
- Defend or assert legal claims.
[TBD — Phase 2b] EU lawful-basis mapping (GDPR Article 6) will be added when the Services are available in the EEA.
4. Who we share data with
We share data only with the recipients required to operate the Services. Each is a "service provider" under CCPA/CPRA (equivalent to a "subprocessor" under GDPR) and is bound by a contract that restricts use of your data to the purposes we direct.
- Amazon Web Services (AWS) — infrastructure hosting, identity (AWS Cognito), object storage (S3), email delivery (Amazon SES), domain DNS (Route 53), monitoring (CloudWatch). Primary region us-east-1; disaster-recovery region us-west-2.
- Stripe — payment processing, subscription management, tax calculation.
- Google (LLC) — federated sign-in (OAuth) when a user chooses to sign in with Google.
- Sentry — application error reporting (after PII scrubbing). Errors are tagged with a session ID, never user email or content.
We may also disclose your data:
- To legal authorities when required by valid legal process. We will challenge overly broad or facially invalid requests and notify you where lawfully permitted.
- To a successor entity in the event of a merger, acquisition, or sale of substantially all of our assets. Your data would remain subject to the privacy commitments in effect at the time of transfer; you will be notified of any material change.
- With your explicit consent for any purpose not otherwise covered.
5. International data transfers
[TBD — Phase 2b] Our infrastructure is hosted in the United States. We do not currently offer the Services outside the United States. International transfer disclosures (Standard Contractual Clauses, Transfer Impact Assessment, EU-US Data Privacy Framework) will be added when we expand internationally.
6. How long we keep your data
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law.
| Category | Retention |
|---|---|
| Account data | While your account is active. Deleted within 30 days after account deletion request, except where extended retention is required by law. |
| Content you create | While your account is active. Deleted within 30 days after account deletion request. In the community application, your content may be anonymized rather than deleted — see section 11. |
| Payment data (last 4, expiry, name) | Active subscription period plus 7 years (US tax record retention). |
| Communication preferences | Indefinitely until you change them, to honor your opt-out choices. |
| Support communications | 3 years from the last interaction. |
| Server logs (technical data) | 7 days for application logs; up to 90 days for security logs. |
| Backups | Encrypted, rotated on a 365-day window. Personal data may persist in backups for up to 30 days following deletion. |
7. Your rights
7.1 Universal rights
You may request the following actions regarding your personal data, regardless of where you live:
- Access — receive a copy of the personal data we hold about you.
- Correction — update or correct data that is inaccurate.
- Deletion — delete your account and associated personal data.
- Portability — receive your personal data in a structured, machine-readable format.
- Withdraw consent — for any processing that depends on consent (for example, marketing emails).
You can exercise most of these rights yourself from within the Services:
- Export — sign in at subscriptions.nebulanovel.com → "Export my data." We email you a download link within a reasonable time.
- Delete — sign in → "Delete my account." There is a 7-day grace period during which you may cancel the deletion by clicking the link in the goodbye email.
- Marketing preferences — manage in the preference center, accessible from the footer of every marketing email.
For all other requests, contact hello@nebulanovel.com. We will respond within 30 days; we may extend by up to 60 days for complex requests, in which case we will notify you within the first 30 days.
7.2 If you are a California resident
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have:
- The right to know what personal information we collect and disclose.
- The right to delete personal information we have collected, subject to legal-obligation exceptions.
- The right to correct inaccurate personal information.
- The right to limit our use and disclosure of "Sensitive Personal Information." We do not currently collect Sensitive Personal Information beyond account credentials, which are necessary for the Service.
- The right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information for these purposes. A "Do Not Sell or Share My Personal Information" link is provided in the footer of every page for transparency — see Privacy Choices.
- The right not to be retaliated against for exercising your rights.
The categories of personal information we collect, by CCPA category:
- Identifiers (name, email, IP address, account ID)
- Customer records (limited to billing details)
- Commercial information (subscription history)
- Internet activity (technical / browsing data within the Services)
- Geolocation data (city-level, derived from IP)
We disclose these categories to the service providers listed in section 4 for the purposes listed in section 3. We do not sell or share these categories.
We respect the Global Privacy Control (GPC) browser signal as a valid opt-out request.
7.3 If you are in another US state with a privacy law
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other US states with comprehensive privacy laws: your rights are substantially the same as the California rights above. Submit a request through the self-serve tools or to hello@nebulanovel.com.
7.4 If you are in the EEA, UK, or Switzerland
[TBD — Phase 2b] EU / UK / Swiss-specific rights and the right to lodge a complaint with a supervisory authority will be added when the Services are available in those jurisdictions.
8. Cookies and similar technologies
What "cookies and similar technologies" means here
"Cookies" are small pieces of data your browser stores on your device when you visit a site. They let a site remember things between page loads — like that you're signed in, or that you prefer the midnight theme. "Similar technologies" includes localStorage, sessionStorage, and IndexedDB, which serve the same purpose with different APIs. Where this policy says "cookies" we mean the whole family.
Cookie categories and what we use
Cookies are commonly grouped into four categories. We use only the first one.
- Strictly necessary — required for the site to work. Disabling these breaks core functionality (themes, signup gate, the opt-out preference itself). We currently use these only.
- Functional — remember preferences across sessions. We do not currently use these beyond what is covered by "strictly necessary" above.
- Analytics — measure how visitors use the site. We do not currently use any analytics. If we add any in the future, they will appear in the inventory below and will be gated behind your opt-out preference.
- Marketing — track behavior across sites to serve targeted ads. We do not use any marketing cookies. We do not sell or share personal information for cross-context behavioral advertising.
Third-party cookies on our pages
We do not load any third-party scripts that set cookies on nebulanovel.com. Fonts, icons, and styles are all self-hosted from our own origin. The only third-party domains your browser contacts when viewing this site are AWS CloudFront (which serves the static files) and the recipients you explicitly choose to visit by clicking outbound links (Substack, social profiles).
The Nebula Cloud application (app.nebulanovel.com) and the subscription management application (subscriptions.nebulanovel.com) do load third-party scripts (notably Stripe.js on checkout pages). Each surface has its own cookie disclosure.
Storage inventory for nebulanovel.com
Everything we store is in your browser’s localStorage on your own device. We do not write any of these to a server, and we do not share them with third parties.
| Key | Category | Purpose | Retention |
|---|---|---|---|
| nb-theme | Strictly necessary (functional) | Remembers your paper / midnight theme choice. | Until you clear browser data. |
| nb-access | Strictly necessary (security) | Alpha-preview gate flag. Will be removed at public launch. | Until you clear browser data, or alpha gate is retired. |
| nb-privacy-prefs | Strictly necessary (compliance) | Your CCPA/CPRA opt-out preference (set via Privacy Choices). | 13 months, then re-prompt. |
If we add analytics in the future, they will appear in this table and will be gated client-side behind your opt-out preference — if you have opted out (explicitly or via GPC), no analytics SDK will be initialized.
How to control these
- Our banner / Privacy Choices page. On first visit you'll see a cookie banner. The same controls live at Privacy Choices and can be changed any time.
- Your browser. Most browsers let you clear or block storage per-site. The exact path varies (Chrome: Settings → Privacy and security → Site settings; Firefox: Settings → Privacy & Security; Safari: Preferences → Privacy). Blocking strictly-necessary storage on this site will cause some features to stop working — the alpha-preview gate, theme preference, and your opt-out preference itself.
- Global Privacy Control (GPC). See the subsection below.
Global Privacy Control (GPC)
If your browser sends the `Sec-GPC: 1` header (or sets `navigator.globalPrivacyControl` to `true`), we treat it as a standing CCPA / CPRA opt-out and we do not show the banner. This is required by California law and is honored regardless of what you have set in Privacy Choices.
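The client-side gating that the storage inventory and this GPC subsection describe, written out as an added example in JavaScript. This is illustrative code, not Nebula Novel's own implementation. What comes from the policy: the `nb-privacy-prefs` localStorage key, the 13-month re-prompt window, the rule that a GPC signal wins over anything stored in Privacy Choices, and the rule that no analytics SDK is initialized when the visitor has opted out. What is assumed: the JSON shape stored under that key, the `initAnalytics` callback, and the in-memory storage stand-in used so the code runs outside a browser. Only `navigator.globalPrivacyControl` is checked here; the `Sec-GPC` request header is visible to the server, not to page scripts.

```javascript
// Added example (not Nebula Novel's code): decide whether an analytics SDK may be
// initialized, honoring Global Privacy Control and the stored CCPA/CPRA opt-out.
// Assumed (not on the page): the stored value is JSON {optOut: boolean, setAt: ms},
// and initAnalytics is the hypothetical SDK bootstrap callback.

const PREFS_KEY = "nb-privacy-prefs"; // key name from the policy's storage inventory
// 13-month re-prompt window from the policy, approximated here as 13 x 30 days
const PREFS_MAX_AGE_MS = 13 * 30 * 24 * 60 * 60 * 1000;

// Read the stored preference. Returns {optOut, setAt} or null when nothing usable
// is stored: missing key, unreadable storage, malformed JSON, wrong types, or
// older than the re-prompt window. A null result means "ask again", never "opt in".
function readStoredPrefs(storage, now) {
  let raw;
  try {
    raw = storage.getItem(PREFS_KEY);
  } catch {
    return null; // storage blocked by the browser: treat as no preference
  }
  if (raw === null) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return null; // tampered or corrupted entry
  }
  if (!parsed || typeof parsed.optOut !== "boolean" || typeof parsed.setAt !== "number") {
    return null;
  }
  if (now - parsed.setAt > PREFS_MAX_AGE_MS) return null; // stale: re-prompt
  return parsed;
}

// GPC as seen by page scripts. (The Sec-GPC: 1 header is a server-side signal.)
function gpcSignalled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Central decision. GPC is a standing opt-out that overrides any stored choice
// and suppresses the banner. Without a valid stored choice, analytics stays off
// and the banner is shown (fail closed).
function decideConsentState({ nav, storage, now }) {
  if (gpcSignalled(nav)) {
    return { analyticsAllowed: false, showBanner: false, reason: "gpc" };
  }
  const prefs = readStoredPrefs(storage, now);
  if (prefs === null) {
    return { analyticsAllowed: false, showBanner: true, reason: "no-preference" };
  }
  return {
    analyticsAllowed: !prefs.optOut,
    showBanner: false,
    reason: prefs.optOut ? "opted-out" : "opted-in",
  };
}

// The gate itself: the SDK bootstrap runs only when the decision allows it.
function maybeInitAnalytics(env, initAnalytics) {
  const state = decideConsentState(env);
  if (state.analyticsAllowed) initAnalytics();
  return state;
}

// Constructed in-memory stand-in for window.localStorage so the example runs in Node.
function memoryStorage(entries = {}) {
  const map = new Map(Object.entries(entries));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

// Usage in a page would be:
//   maybeInitAnalytics({ nav: navigator, storage: window.localStorage, now: Date.now() },
//                      () => { /* load analytics SDK here */ });
```

The design choice worth noting is that every failure path in `readStoredPrefs` (blocked storage, malformed JSON, a stale timestamp) resolves to "no preference", which keeps analytics off and re-prompts; a corrupted or forged storage entry can therefore never silently turn tracking on.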
9. Security
We maintain technical and organizational measures appropriate to the risk, including:
- TLS 1.2+ encryption for all data in transit.
- Encryption at rest for all stored data and backups.
- Password hashing with industry-standard algorithms (handled by AWS Cognito).
- Principle of least privilege for staff and infrastructure roles.
- Multi-region encrypted backups.
- Regular vulnerability scanning of container images.
- Documented incident response procedures.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay where required by law.
To report a security issue, contact hello@nebulanovel.com.
10. Children
The Services are not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal data, contact hello@nebulanovel.com and we will delete it. Our Terms of Service prohibit account creation by anyone under 13.
11. Special note on community content
When you participate in the community application, your messages and posts are visible to other authenticated members. If you later delete your account, your messages remain in the community archive to preserve continuity for the other members, but your personal identifiers (display name, profile image, IP address, metadata) are stripped so the messages are no longer attributable to you. They appear as authored by "Anonymized Writer."
This anonymization is necessary to balance your right to erasure with other members' legitimate interest in the integrity of conversations they paid to access. By creating a community account, you acknowledge this approach. You are reminded at signup.
If you would prefer your messages be deleted rather than anonymized, contact hello@nebulanovel.com. We will evaluate the request on a case-by-case basis. We are not obligated to delete messages whose deletion would unduly burden the community's continued operation.
12. Automated decisions
We do not make decisions about you that produce legal effects or similarly significant effects using solely automated processing.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to opted-in users by email at least 14 days before they take effect. The "Last updated" date at the top of this policy will always reflect the current version.
14. Contact
- General privacy questions: hello@nebulanovel.com
- EU / EEA inquiries: [TBD — Phase 2b]
- UK inquiries: [TBD — Phase 2b]
- Security disclosures: hello@nebulanovel.com
- Mailing address: [CONTROLLER LEGAL NAME], [CONTROLLER ADDRESS], [CONTROLLER STATE], [CONTROLLER COUNTRY]