OutScript is operated by [Legal Entity Name], a private limited company in the process of incorporation in India. Once registration is complete, this policy will be updated with the full legal entity name, registered office address, and jurisdiction. Continued use of the service after that update constitutes acceptance of the updated policy.
1. Who We Are
This Privacy Policy describes how OutScript ("OutScript," "we," "us," or "our"), a product operated by [Legal Entity Name], collects, uses, stores, and protects information about you when you visit our website, create an account, or use our content research and script generation services (collectively, the "Service").
For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and India's Digital Personal Data Protection Act 2023 ("DPDP Act"), OutScript is the data controller of personal data processed through the Service. If you have questions about this policy, you can reach our privacy team at privacy@outscript.io.
2. Scope of This Policy
This policy applies to:
- Visitors to our public website, including the landing page and marketing content
- Account holders who sign up, log in, or subscribe to OutScript
- Anyone who contacts us by email or through the site
It does not apply to third-party websites, tools, or services that we link to or integrate with — those have their own privacy policies, which we link to in Section 6 below.
3. Data We Collect
We only collect the data we need to operate OutScript and deliver the Service you signed up for. The categories below describe exactly what we collect and where it comes from.
3.1 Account Data
When you sign up, we collect your name, email address, and a securely hashed password. If you sign in with Google, we receive your name, email, and Google profile ID. Authentication is handled by Firebase Auth.
3.2 Billing Data
Subscription payments are processed by Stripe. Stripe collects and processes your payment card details directly — we never see or store your full card number, CVV, or bank account information. We only receive a customer ID, subscription status, and the last four digits of your card from Stripe, for billing and account management purposes.
3.3 Client & Intake Data
When you create a client profile in OutScript, you provide information such as the business name, niche, offer, target audience, brand rules, pain points, proof points, and any other details you choose to submit in the intake form. This data is stored against your account and is visible only to you.
3.4 Competitor URLs & Research Data
You tell OutScript which competitors to research by submitting their public profile URLs (Instagram, TikTok, YouTube, LinkedIn). We then fetch publicly available content — posts, videos, captions, transcripts, view counts, and engagement metrics — from those profiles via our sub-processors. See Section 12 below for a specific disclosure about this category.
3.5 Usage Data
We log how you use the Service: scripts you generate, ratings you give, chat sessions with the AI, features you access, and timestamps of your activity. This helps us keep the Service working, enforce plan limits, and improve the product.
3.6 Technical Data
When you visit or use OutScript, our infrastructure automatically collects certain technical information: your IP address, browser type, device type, operating system, referring URL, and error logs. We use this data for security, fraud prevention, debugging, and performance monitoring.
3.7 Communications
If you email us, fill in a contact form, or reach out through support channels, we retain the content of those communications so we can respond and keep a record of the conversation.
4. How We Use Your Data
We use the information we collect for the following purposes:
- To provide the Service — creating and maintaining your account, generating scripts, running pattern analysis, storing your client profiles
- To process payments — billing, subscription management, refunds, and tax compliance
- To communicate with you — service notifications, transactional emails, responses to your questions, and (with your consent) product updates
- To improve the product — understanding which features are used, fixing bugs, measuring performance, and planning new functionality (using aggregated and anonymized data where possible)
- To keep the Service secure — detecting abuse, preventing fraud, enforcing our Terms, and protecting users and the platform
- To comply with legal obligations — tax, accounting, regulatory reporting, and responding to lawful government requests
We do not sell your personal data. We do not share it with advertisers. We do not use your content to train our own AI models.
5. Legal Basis for Processing (GDPR / UK GDPR)
If you are in the EU, UK, or European Economic Area, GDPR requires us to tell you the legal basis under which we process your personal data. Depending on the activity, our legal bases are:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide you the Service you signed up for, such as creating your account, generating scripts, processing payments, and storing your client profiles
- Legitimate interests (Art. 6(1)(f)) — product improvement, security, fraud prevention, analytics, and keeping the Service reliable. We balance these interests against your rights and only rely on this basis where your fundamental rights do not override ours
- Consent (Art. 6(1)(a)) — marketing emails, optional cookies, and any processing where we have explicitly asked for your permission. You can withdraw consent at any time
- Legal obligation (Art. 6(1)(c)) — retention of billing records for tax purposes, responses to court orders, and compliance with applicable laws
6. Sub-Processors We Work With
OutScript uses carefully selected third-party service providers ("sub-processors") to help deliver the Service. Each of them processes data only on our instructions and is bound by data protection agreements. We name them all below — this list is authoritative and will be updated whenever we add or change a sub-processor.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Google Firebase (Privacy) | Authentication, database (Firestore), hosting, backend compute (Cloud Run) | Account data, client profiles, usage data, technical data, scraped content | United States |
| Stripe (Privacy) | Payment processing, subscription billing, invoicing, tax handling | Name, email, billing address, card details (held by Stripe, not us) | United States, EU |
| Google Gemini API (API Terms) | AI script generation, pattern analysis, AI chat | Client intake data, competitor transcripts, chat messages (sent as prompts) | United States |
| Apify (Privacy) | Public content scraping (Instagram, TikTok, LinkedIn) | Competitor profile URLs you submit | EU (Czech Republic) |
| Supadata (Privacy) | Instagram Reels transcript extraction | Instagram post URLs you submit | United States |
| YouTube Data API v3 (Google Privacy) | Fetching public YouTube channel and video metadata | Channel URLs you submit | United States |
| Vercel (Privacy) | Web hosting, CDN, edge functions, analytics | IP address, browser type, page views, request logs | United States, global edge |
When we add, replace, or remove a sub-processor, we will update this list. Material changes are communicated in advance as described in Section 18.
7. International Data Transfers
Because we operate a global SaaS and rely on sub-processors located primarily in the United States, your personal data may be transferred to, stored in, and processed in countries other than the one you live in — including outside the EU, UK, and India.
When we transfer personal data out of the EU or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. Our sub-processors (Google, Stripe, Vercel, etc.) are all signatories to SCCs or offer equivalent transfer mechanisms.
For users in India, cross-border transfers are handled in line with the DPDP Act 2023 and any rules notified by the Indian government.
8. Data Retention
We keep personal data only for as long as we need it to provide the Service, comply with legal obligations, and resolve disputes. Specific retention periods are:
- Account data — for as long as your account is active, plus 60 days after you request deletion (grace period to allow you to recover if you change your mind)
- Generated scripts and chat history — tied to your account lifetime; deleted when you close your account
- Client profiles and scraped competitor data — while the client profile is active; purged within 30 days when you delete a client
- Billing records and invoices — retained for 7 years as required by Indian tax and accounting law, even after you close your account
- Server logs and technical data — 90 days by default, longer if needed for security investigations
- Marketing email records — until you unsubscribe, plus 30 days to process the opt-out
9. Your Rights
Depending on where you live, you have specific rights over your personal data. OutScript respects these rights regardless of your location — we extend the strongest available protections to all users, so you benefit even if you are not formally covered by GDPR or CCPA.
9.1 Rights under GDPR and UK GDPR (EU/UK users)
- Right to access — ask for a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations
- Right to restrict processing — pause certain uses of your data
- Right to data portability — receive your data in a structured, machine-readable format and move it elsewhere
- Right to object — object to processing based on legitimate interests, including profiling for marketing
- Right to withdraw consent — revoke any consent you previously gave
- Right to lodge a complaint — file a complaint with your local data protection authority. In the EU, you can find yours at edpb.europa.eu. In the UK, contact the Information Commissioner's Office (ICO)
9.2 Rights under CCPA / CPRA (California users)
- Right to know — what personal information we collect, use, and share
- Right to delete — request deletion of your personal information
- Right to correct — request correction of inaccurate information
- Right to opt out of sale or sharing — we do not sell or share your personal data for cross-context behavioral advertising, so there is nothing to opt out of
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Service
- Right to non-discrimination — we will not penalize you for exercising your privacy rights
9.3 Rights under the DPDP Act 2023 (India users)
- Right to access the personal data we process about you
- Right to correction and erasure
- Right to grievance redressal through our designated contact
- Right to nominate another person to exercise your rights in case of death or incapacity
To exercise any of these rights, see Section 17 below.
10. Cookies & Tracking Technologies
OutScript uses a minimal set of cookies and similar technologies — we do not use third-party advertising cookies or behavioral tracking pixels.
- Essential cookies — session cookies set by Firebase Auth to keep you logged in. These are strictly necessary for the Service to function and do not require consent under GDPR
- Analytics — Vercel Analytics (privacy-first, no cookies, no cross-site tracking) measures page views and performance
- No advertising cookies — we do not place any advertising or tracking cookies from third parties
11. AI & Automated Decision-Making
OutScript uses artificial intelligence — specifically Google Gemini — to generate scripts, analyze competitor patterns, and power our AI chat feature. Under GDPR Article 22 and the EU AI Act, we want to be transparent about how this works.
- What the AI does — Gemini analyzes competitor content you submit and generates script drafts based on your client profile, brand rules, and patterns it identifies
- Human oversight — every script is reviewable and editable by you before publication. You decide what to film, post, or discard
- No solely automated decisions with legal effect — OutScript does not make decisions that produce legal effects on you or significantly affect you in a similar way. The AI produces creative drafts; you remain in control
- Confidence scores — scripts come with a confidence score (60-95%) which is an internal heuristic. It is not a guarantee of performance
12. How We Handle Competitor Data
When you submit a competitor profile URL, OutScript fetches publicly available content from that profile through our sub-processors. This may include captions, transcripts, view counts, and engagement metrics. Transcripts may contain personal data about the creator — their voice, their statements, their visible information.
We handle this data as follows:
- We only fetch content you specifically ask us to research, and only from publicly accessible profiles
- The data is stored against your client profile and is visible only to you and our technical staff for troubleshooting
- We do not re-publish, re-sell, or redistribute scraped competitor content to any third party
- We use the data solely for the purposes you asked for: pattern analysis, insight generation, and script drafting
- When you delete a client profile, the associated competitor data is purged within 30 days
- If a creator contacts us at privacy@outscript.io to request removal of their content from our systems, we will comply promptly where feasible
13. AI Model Training
We want to be explicit about this because it matters: we do not use your content — or content you submit for research — to train our own AI models. OutScript does not train a proprietary model on customer data. Ever.
When we send prompts to Google Gemini (the AI we use), those prompts are governed by Google's Gemini API Terms, which — for our paid API tier — do not use API inputs to improve or train Google's generally available AI products.
14. Children's Privacy
OutScript is a professional tool built for creators, agencies, and businesses. It is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you believe a child has submitted personal information to us, please contact privacy@outscript.io and we will delete the data and close the account.
15. How We Protect Your Data
Security is taken seriously at OutScript. We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption in transit — all traffic to and from OutScript uses HTTPS/TLS
- Encryption at rest — data stored in Firebase and on our backend infrastructure is encrypted at rest
- Access controls — Firestore security rules enforce per-user data isolation; only authenticated users can access their own data
- Authenticated backend services — our Cloud Run scraper is protected by bearer-token authentication
- Secrets management — API keys and credentials are stored as environment variables, never committed to source control
- Principle of least privilege — staff access to production data is limited to those who need it for their role
No system is 100% secure. If we learn of a breach that affects your personal data, we will notify you as described in Section 16.
16. Data Breach Notification
If we experience a personal data breach that is likely to result in risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33
- Notify affected users without undue delay, describing the nature of the breach, the data affected, likely consequences, and measures taken
- Document the breach and our response in our internal incident register
17. How to Exercise Your Rights
To exercise any of the rights described in Section 9, email us at privacy@outscript.io with the subject line "Privacy Rights Request" and tell us:
- Your full name and the email address on your account
- Which right you want to exercise
- Any details we need to identify the data in question
We will respond within 30 days of receiving your request. For complex or high-volume requests, we may extend this by a further 60 days and will let you know if we need the extra time. We may ask you to verify your identity before fulfilling the request, to protect you from unauthorized disclosure.
Exercising your privacy rights is free of charge. We will not discriminate against you for making a request.
18. Changes to This Policy
We may update this Privacy Policy from time to time — for example, when we add new features, change sub-processors, or update our legal obligations. When we make changes:
- The "Last updated" date at the top of this page will change
- For material changes (anything that meaningfully affects your rights), we will notify you by email and in-app at least 30 days before the changes take effect
- For minor corrections and clarifications, we will update the policy without advance notice
Continued use of OutScript after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account at any time.
19. Contact Us
If you have any questions, concerns, or requests about this Privacy Policy or our handling of your personal data, please reach out to us:
- Email: privacy@outscript.io
- Entity: [Legal Entity Name]
- Registered office: [Registered Office Address], India
We aim to respond to all privacy inquiries within 5 business days.
This document will change as OutScript grows, as we register our legal entity, and as privacy laws evolve. We will always keep it as plain and honest as we can. If something is unclear, tell us — we'll rewrite it.