Last updated: March 27, 2026 (added Custom API clause)  ·  Effective: March 27, 2026

This policy explains what data WriteFlow (writenow.cc) collects, uses, and stores when you use the service. WriteFlow is committed to minimal data collection — only what is necessary for the service to function.

• Email address: Provided at registration; used for login, email verification, and password reset emails.
• Password: Your raw password is never stored. Only a SHA-256 hash computed in your browser is uploaded; the database holds only the hash.
• Username (optional): The display name you set on your profile page.
• Avatar (optional): Stored as a base64 data URL in the database when uploaded.

• Story input text: The text you submit in the story field; saved to generation history when logged in.
• AI writing output: Each successful generation's input and output are stored together in generation history.
• Writing memory: Chapter summary snippets you choose to save.
• World Bible data: Titles, descriptions, characters, items, factions, and locations you create in the Worldview section.
• Generation parameters: Style, genre, length, and Pro advanced settings (stored with each history record).

• Session token: A random UUID generated at login, stored in your browser's localStorage; the server keeps a copy (7-day TTL) for authentication.
• Pro usage count: When the World Bible is enabled, tracks how many Pro generations you've made in the current hour (5/hour limit); only the current time-window count is stored.
• Frontend error logs: When an uncaught JavaScript error occurs, WriteFlow automatically reports the error type, message, code location, and page path to help diagnose bugs. Your story content is never included.
• Feedback content: Text you voluntarily submit via the Feedback feature.

• If you use the Custom API feature, your API Key is stored only in your browser's localStorage. WriteFlow's servers never save or log the Key.
• On each generation, the Key is sent with the request to WriteFlow's server solely to forward that request to your chosen API provider; it is discarded immediately after.
• You can remove the Key from local storage at any time using the Clear button in the Custom API drawer.

• WriteFlow does not use any third-party advertising or tracking scripts (e.g. Google Analytics).
• WriteFlow does not actively log your IP address (Cloudflare infrastructure may retain it briefly in their own logs).
• WriteFlow does not collect information about other apps on your device and does not build behavioral profiles.

• Storage: All data is stored in Cloudflare D1 (SQLite), deployed on Cloudflare's global edge network across Asia-Pacific, Europe, and North America.
• Account TTL: Account data (including email) expires automatically after approximately 6 months.
• Encryption: All HTTP traffic is encrypted via HTTPS.
• Data sales: WriteFlow never sells your data to any third party.

• Access: You can view all stored creative content on your Profile and Generation History pages.
• Deletion: To delete your account and all associated data, submit a request via Feedback and it will be processed as soon as possible.
• Correction: You can update your username, avatar, and email on the Profile page.

For any questions about this policy, please use the in-app Feedback feature.

This policy may be updated from time to time. You will be notified of significant changes via in-app notices.