Privacy Policy

Effective date: 2026-04-28

Who we are

Script Fountain (the "Service") helps writers draft and manage screenplays using the Fountain format. T&Q Group is the entity responsible for the Service.

Scope

This policy explains what personal data we collect when you use the Service, how we use and share it, and the choices you have. It is provided as a privacy notice and does not replace any consent request that may be required for a specific feature or non-essential technology.

Data we collect

  • Account data: your email address is collected to create and authenticate your account.
  • OAuth profile data (optional): if you sign in with Google, Google may provide your email and, where available, a profile image URL. We store your email to identify your account. A profile image URL may be displayed in the UI but is not required.
  • Content you create: screenplay titles and content (including Fountain text, loglines, taglines, synopsis, treatment, character and location notes) that you choose to save in your library.
  • Billing records: invoice metadata (invoice ID/number, amount, status, date) if applicable. The Service does not store payment card numbers.
  • Technical data: basic technical information such as IP address, browser/user agent, and timestamps captured by our web server and security infrastructure to operate, secure, and troubleshoot the Service.
  • Cookies and local storage: we use cookies and similar technologies that are necessary to authenticate users, protect the Service, remember requested preferences, support editor autosave, and synchronize screenplay drafts between your browser and the Service. We do not use third-party analytics, advertising, retargeting, or cross-site tracking cookies.

How we use your data

  • Provide, maintain, and improve the Service and its features.
  • Authenticate you and secure your account.
  • Store and sync your screenplay content at your direction.
  • Communicate with you about the Service, including updates and billing (if applicable).
  • Prevent fraud, abuse, and technical issues; enforce terms; comply with legal obligations.

Legal bases (EEA/UK users)

  • Contract: to provide the Service you request.
  • Legitimate interests: to secure and improve the Service.
  • Consent: where required (e.g., Google sign‑in initiation or any future non-essential cookies or similar technologies).
  • Legal obligation: to keep records required by law (e.g., invoices).

Cookies and local storage

For users in jurisdictions that regulate cookies or similar technologies, including the EEA and the United Kingdom, Script Fountain currently uses only technologies that are necessary to provide the Service you request or to maintain its security. These technologies may include authentication cookies, security/anti-forgery tokens, Google sign-in correlation cookies during authentication, localStorage, IndexedDB, and browser messaging used for editor preferences, autosave, offline resilience, and synchronization between open tabs.

Local browser storage may contain screenplay drafts, editor state, synchronization metadata, display preferences, and similar functional information. This information is stored on your device and may remain there until it is replaced, deleted by the Service, or cleared through your browser or device settings.

We do not currently use these technologies for analytics, advertising, retargeting, sale of personal information, or cross-site tracking. If we introduce non-essential cookies or similar technologies in the future, we will request consent where required before using them and will provide a way to withdraw that consent.

Sharing and disclosures

We do not sell your personal information.

  • Service providers: infrastructure, DNS, authentication, payment, email delivery, and similar providers who help us operate the Service under appropriate safeguards.
  • Authentication: when you choose Google sign‑in, Google receives the sign‑in request and may share basic profile information with us according to your settings.
  • Content delivery: loading assets from third-party CDNs, if any remain in use, requires your browser to connect to those services, which may receive your IP address and user agent.
  • Legal/Protection: we may disclose information to comply with law, protect rights, safety, or the integrity of the Service.

Service providers and international transfers

We use a limited number of third-party providers to operate Script Fountain. These providers may process personal data in countries other than where you live. Where required, we rely on appropriate contractual and legal safeguards, such as data processing terms, standard contractual clauses, adequacy mechanisms, or equivalent protections.

  • Hostinger: provides the VPS infrastructure where the application and database run in Docker. Hostinger may process account data, screenplay content, database records, IP addresses, server logs, and technical metadata as needed to host, secure, support, and maintain the Service.
  • Google: provides optional Google sign-in. If you choose Google sign-in, Google receives authentication-related information and may provide us with your email address and profile image URL according to your Google settings and Google's own terms.
  • Cloudflare: provides DNS and domain-related infrastructure. Cloudflare may process domain, DNS, IP address, and request-routing metadata. If additional Cloudflare security, proxy, CDN, or traffic-protection services are enabled in the future, Cloudflare may process related web request metadata for those services.
  • Tilopay: is the payment gateway we plan to use for paid features. Tilopay is not used until payment functionality is enabled. Once enabled, Tilopay may process payment, transaction, billing, anti-fraud, and related checkout information needed to process payments. Script Fountain does not intend to store full payment card numbers.

Data retention

We keep personal data only for as long as reasonably necessary for the purposes described in this policy, unless a longer period is required or permitted by law, tax rules, security needs, dispute resolution, or abuse prevention. When a retention period expires, we delete or anonymize the data during the next reasonable maintenance cycle.

  • Account data: retained while your account is active. After a verified account deletion request is completed, account profile data is deleted or anonymized within 30 days, except for records we must retain for legal, tax, security, or dispute-resolution reasons.
  • Screenplays and creative content: retained while you keep them in your library. Content you delete is removed from active systems after deletion is processed. Residual copies may remain in backups until those backups expire.
  • Browser storage: localStorage, IndexedDB, and similar browser storage may remain on your device until cleared by you, replaced by the Service, or removed through browser/device settings.
  • Verification and password reset data: verification codes are short-lived and are intended to expire within minutes. Expired verification records are removed through routine cleanup and, in normal operation, no later than 30 days after expiration.
  • Billing and invoice records: retained for the period required by applicable accounting, tax, payment, anti-fraud, and legal obligations. We normally expect to retain invoice and transaction metadata for up to 5 years after the relevant transaction or account closure, unless a longer period is required.
  • Server, security, and diagnostic logs: normally retained for up to 180 days. Logs may be retained longer if needed to investigate security incidents, abuse, fraud, service errors, legal claims, or regulatory obligations.
  • Data rights requests: retained for up to 6 years so we can demonstrate how we handled privacy requests and defend legal claims if necessary.
  • Backups: backups are retained on a rolling basis and normally expire within 90 days. Deleted data may remain in encrypted or access-controlled backups until the relevant backup expires.

Security

We use commercially reasonable administrative, technical, and organizational measures to protect personal data. No method of transmission or storage is completely secure.

Your rights

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing. You may also withdraw consent where processing is based on consent. Signed-in users can submit verified requests and download a portable ZIP export from Account / Data & Privacy Rights.

We normally respond to data rights requests within 30 days. If your request is complex, if we need more information to verify your identity, or if certain records must be retained for legal, tax, security, backup, fraud-prevention or dispute-resolution reasons, we will explain the next steps. If you cannot access your account, contact us using the details below. EEA and UK users may also have the right to lodge a complaint with their local data protection supervisory authority.

Children’s privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

Changes to this policy

We may update this policy from time to time. We will post the updated version on this page and update the effective date above.

Contact

If you have questions about this policy or your data, please contact the operator of T&Q Group in Costa Rica. You can reach us using the contact details provided within the Service or any official communications you received from us.

Legal Notice

“T&Q Group” is a trade name used for the operation of Script Fountain. At the present time, the Service is operated by Agencia de Modelos Promodels S.A., Costa Rica.