Privacy Policy
Last updated: April 29, 2026
This Privacy Policy describes how FiveM Script Maker (“we”, “us”) collects, uses, and shares information about you when you use fivemscriptmaker.com (the “Service”). It is written to satisfy the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and Türkiye’s KVKK. We are the data controller for the personal data described here.
01 Data we collect
Account data. When you sign up, we store your email address and a hashed password (or, if you use OAuth, your provider ID, public profile name, and avatar URL — we never see your provider password).
Generation data. Every time you ask the AI to produce or modify code, we store the prompt you sent, the chat history of that session, the generated files, the framework you selected, the model used, and the credit cost of the call.
Billing data. If you subscribe, we store your Stripe customer ID, the active plan, current period dates, and status (active, past-due, cancelled). We do not store your card number, CVC, or full payment-method details — Stripe handles those directly.
GitHub data (optional). If you connect GitHub or sign in with GitHub using the repo scope, we store an encrypted access token, your GitHub user ID, and the names of the repositories you import or push to. We use this only to read/write the repos you explicitly choose.
Operational data. Server logs (IP address, user agent, request path, timestamp), CAPTCHA challenge results, and error reports. We use these to keep the Service running, debug issues, and prevent abuse.
02 How we use your data
We process your data to:
- Authenticate you and let you access your account.
- Generate scripts in response to your prompts and store the result.
- Bill you, prevent fraud, and meter credit usage.
- Send transactional emails (verification, password reset, billing receipts).
- Diagnose bugs and monitor service health.
- Comply with our legal obligations, including tax records.
The legal bases under GDPR are: contract (to deliver the Service you signed up for), legitimate interest (security, fraud prevention, debugging), and legal obligation (accounting and tax laws). We do not use your generations to train AI models, and we do not sell your data.
03 Subprocessors
We share the minimum necessary data with the following processors to run the Service:
| Processor | Purpose | Region |
|---|---|---|
| Anthropic | AI generation (Claude API) | USA |
| Supabase | Authentication + database | EU (Frankfurt) |
| Stripe | Payment processing | USA / EU |
| Cloudflare | CAPTCHA (Turnstile), CDN, anti-bot | Global |
| Resend | Transactional email delivery | USA |
| GitHub | Optional OAuth + repo sync | USA |
| Netlify | Web hosting | Global edge |
For transfers outside the EU/EEA, we rely on the EU Standard Contractual Clauses or each provider’s equivalent transfer mechanism. Anthropic processes prompts under their commercial terms and does not use them to train base models.
04 Data retention
We keep your account, sessions, and generated code for as long as your account is active. When you delete your account, we erase that data within 30 days, except where we are legally required to retain it (for example, tax records, which we keep for the period required by Turkish law — typically 5 years).
Server logs are retained for up to 90 days. Backups containing your data are rotated and fully purged within 60 days of the original deletion.
05 Your rights
If you are in the EU/EEA, the UK, or Türkiye, you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your account and all associated data (the “right to be forgotten”).
- Port your data — we provide an export of your sessions on request.
- Restrict or object to certain types of processing.
- Withdraw consent at any time where we relied on consent.
- Lodge a complaint with a supervisory authority (e.g. KVKK in Türkiye, your national DPA in the EU).
To exercise any of these rights, email privacy@fivemscriptmaker.com. We respond within 30 days. Account deletion is also self-service from your account settings.
07 Security
Passwords are hashed by Supabase using bcrypt. All traffic is served over HTTPS. GitHub access tokens are encrypted at rest. Database access is restricted by row-level security policies that scope every query to the authenticated user. We use Cloudflare Turnstile to block automated signup abuse.
No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to security@fivemscriptmaker.com.
08 Children
The Service is not directed at children under 16. We do not knowingly collect data from anyone under that age. If you believe a child has signed up, contact us and we will delete the account.
09 Changes to this policy
We may update this Privacy Policy as the Service evolves. Material changes are announced by email or in-product notice at least 14 days before they take effect. The “Last updated” date at the top reflects the current version.
10 Contact
Questions, requests, or complaints? Email privacy@fivemscriptmaker.com.