Privacy policy

“inkplume”, “we”, and “us” refer to the operator of inkplume.com. We are the data controller for the account, payment, and site data you give us. For SEO data we pull from third-party APIs (DataForSEO, Serper, YouTube, Google Search Console), we are also the controller of what we cache; the upstream providers remain the controllers of their own data.

Account data

• Name, email address, password (stored as a hash, never plaintext).
• Organization name and slug.
• Team membership and role (OWNER / ADMIN / EDITOR / VIEWER).

Payment data

Stripe handles all card data directly. We never see or store your card number, CVC, or expiry. We do store the Stripe customer ID attached to your organization, your subscription status, and your invoice history reference.

Site and content data

• Site URLs you add, niche, audience, target keywords, schedule, and generation history.
• Articles inkplume generates for you, including outlines, drafts, images, and publish status.
• CMS credentials you provide for publishing (WordPress, Webflow, Shopify, Ghost, Notion, Wix, Framer, custom webhook). These are encrypted at rest using libsodium (XChaCha20-Poly1305) before they touch the database. They are never returned in any API response.

Usage data

• Request logs (IP address, user agent, timestamp, response code).
• Audit log entries for security-sensitive actions (login, integration changes, billing changes).
• Token counts and per-article costs, so we can show you usage in-app.

Cookies and similar

We use a session cookie for authentication on .inkplume.com (essential). The cookie banner on the landing site offers an “essential only” option that keeps things minimal. If we ever add analytics (GA4, PostHog, or similar), they will be opt-in and listed here.

• To deliver the service you signed up for (generate, publish, track).
• To bill you and process renewals or cancellations.
• To send transactional email (welcome, invoices, password reset, broken integration alerts, daily digests).
• To maintain the security and integrity of the platform.
• To respond to your support requests.

We do not sell your data. We do not share your data with third parties for their own marketing.

These companies process data on our behalf to make inkplume work. All are bound by their own privacy commitments and data-processing agreements:

• Stripe — billing, payment processing, tax calculation (EU VAT).
• Resend — transactional email delivery.
• Cloudflare R2 — image and asset storage, with immutable cache headers.
• Anthropic (Claude), OpenAI, and Google AI (Gemini) — large-language-model inference and embeddings for article generation, scoring, and image generation. Your prompts and site context are sent to these providers only at generation time and are not used to train their models when called through their API tier.
• DataForSEO, Serper.dev — search engine results and keyword data. Queries leave our servers; no user identifiers go with them.
• YouTube Data API, Google Search Console (when you connect them) — video and ranking data.
• Self-hosted PostgreSQL and Redis on our own infrastructure — no third-party database vendor.
• Cloudflare Turnstile (when enabled) — captcha on signup, signin, and password reset.

If you need this list as a formal sub-processor schedule for a DPA, email hello@inkplume.com.

Our application servers and database run in the European Union. Some sub-processors are based in the United States (Stripe, Anthropic, OpenAI, Google, Cloudflare, Resend). When data crosses borders, those providers rely on the Standard Contractual Clauses and other recognized transfer mechanisms.

• Account, site, and article data: as long as your account is active.
• After you delete your organization (we provide a one-click delete in the dashboard), data is removed within 30 days from operational systems. Encrypted off-site backups roll off within 90 days.
• Audit logs are kept for up to 24 months for security and accounting purposes, then deleted.
• Invoices and billing records may be retained longer where local tax law requires it (typically 7 to 10 years).

Under GDPR (EEA / UK) and CCPA (California), and as a matter of policy for everyone else, you have the right to:

• Access the data we hold on you. Use the in-dashboard data export (a one-click JSON export of your full organization, with credentials redacted).
• Delete your data. Use the delete-organization button. This cancels Stripe subscriptions first, then hard- deletes the org via cascade.
• Correct inaccurate data. Most fields are editable in the dashboard; for anything that isn't, email us.
• Object to specific processing or withdraw consent. Email us.
• Lodge a complaint with your local data protection authority.

CMS credentials are encrypted with libsodium (XChaCha20-Poly1305) before they hit the database. Passwords are stored as hashes, never plaintext. The web traffic to inkplume.com, app.inkplume.com, and the API is served over HTTPS with HSTS. Outbound webhooks are HMAC-SHA256 signed so receivers can verify the payload came from us.

No system is unbreakable. If you suspect a security issue, email hello@inkplume.com and we'll respond within one business day.

inkplume is built for businesses and creators. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact us and we will delete it.

inkplume generates articles using third-party large language models. The drafts are produced from your site context, target keyword, and any brand voice samples you upload. You retain ownership of the output. You are responsible for reviewing it before publishing — particularly factual claims, citations, and any compliance-sensitive material.

We may, internally, retain a small sample of prompt + output pairs to debug pipeline regressions. These are not used to train models and are not shared with anyone.

We will update this page when our practices change. Material changes will be emailed to account owners at least 14 days before taking effect. The “Last updated” date at the top always reflects the current version.

For anything privacy-related: email hello@inkplume.com. Subject line “Privacy” and we'll route it.