Privacy Policy

Last Updated: November 28, 2025

Nitwit AB ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

Personal Information You Provide

When you create an account with StoryPlan, we collect:

  • Email address - For authentication and account security
  • Name - Your display name (if you provide it)

Content You Create

  • Journal entries - Your personal reflections and stories
  • Chat conversations - Your conversations with our AI coach
  • Plans and progress - Your communication planning journey
  • Account preferences - Your settings and configurations

Technical Information

  • IP address - For security and fraud prevention
  • Browser type and version - For support and compatibility
  • Device information - Operating system and device type
  • Session cookies - For authentication (via Logto, hosted in Europe)
  • Analytics cookies - For service improvement (via PostHog, hosted in Europe and configured for privacy-safe mode)

2. How We Use Your Information

We use your information solely to provide and improve StoryPlan:

Service Delivery

  • Authenticate your account via Logto
  • Provide AI-powered coaching conversations
  • Save your progress and journal entries
  • Display personalized content

Service Improvement

  • Understand how you use StoryPlan (privacy-safe analytics)
  • Fix bugs and improve performance
  • Develop new features based on usage patterns

Communication

  • Send important service updates (rare, essential only)
  • Respond to your support requests

We will NEVER:

  • Sell your personal information
  • Share your journal entries with third parties
  • Use your data for advertising
  • Train AI models on your private content
  • Use third-party services that train AI models with user data

3. How We Share Your Information

We work with carefully selected service providers who help us deliver StoryPlan:

Sub-Processors

Your Data is Protected

We only share data with GDPR-compliant processors who are contractually obligated to protect your privacy.

Anthropic (AI Processing)

  • Purpose: Powers our AI coaching conversations using Claude
  • Location: United States
  • Data security: All data is encrypted
  • Data shared: Your chat messages and journal content (context for AI responses only)
  • Privacy guarantee: Anthropic does NOT train models on customer data
  • Learn more: Anthropic Privacy Policy

MongoDB Atlas (Data Storage)

  • Purpose: Securely stores your account data, journals, and chat history
  • Location: Stockholm, Sweden
  • Data shared: All your StoryPlan data
  • Security: Encryption at rest, restrictive role-based access control
  • Learn more: MongoDB Privacy

Logto (Authentication)

  • Purpose: Handles secure email-based authentication
  • Location: EU region
  • Data shared: Email address
  • Learn more: Logto Privacy

PostHog (Analytics)

  • Purpose: Privacy-safe analytics to improve the service
  • Location: EU region
  • Data shared: Page visits, feature usage (no personal content)
  • Privacy mode: Input masking enabled, sensitive data excluded
  • Learn more: PostHog Privacy

4. Your Rights Under GDPR

As a user in the European Economic Area, you have the following rights:

Right to Access

Export all your data in machine-readable JSON format anytime.

Right to Access - Request a copy of all your personal data

Right to Rectification - Update or correct your information (edit in your profile)

Right to Erasure ("Right to be Forgotten") - Delete your account and all associated data

Right to Data Portability - Receive your data in a structured, machine-readable format (JSON)

Right to Restriction of Processing - Request we limit how we use your data

Right to Object - Object to certain types of data processing

Right to Lodge a Complaint - File a complaint with your local data protection authority

To exercise any of these rights, visit your account settings or account page, or contact us at privacy@nitwit.se.

5. Data Retention

Active Accounts

  • Your data is retained as long as your account is active
  • You control your data and can delete it anytime

Deleted Accounts

  • 30-day grace period: After deletion, we retain your data for 30 days in case you change your mind
  • Email anonymization: Your email is immediately anonymized to prevent re-registration
  • Permanent deletion: After 30 days, all data is permanently deleted from our systems
  • Audit trail: Token usage and credit transaction records are preserved for financial compliance

Analytics Data

  • PostHog analytics data is retained for 12 months
  • Anonymized usage metrics for service improvement

6. Security Measures

We take security seriously and implement industry-standard protections:

Encryption

  • In transit: TLS 1.3 encryption for all data transmission
  • At rest: AES-256 encryption for database storage (MongoDB Atlas)

Access Control

  • Role-based access control (RBAC) for all team members
  • Multi-factor authentication for administrative access
  • Regular security audits and penetration testing

Data Isolation

  • Your data is strictly isolated from other users
  • All database queries validate ownership before returning data

Monitoring

  • 24/7 security monitoring for suspicious activity
  • Automated alerts for potential security incidents
  • Regular backups stored securely in EU region

7. International Data Transfers

EU Data Storage

  • Your primary data is stored in Stockholm, Sweden (AWS eu-north-1)
  • All storage, processing, and backups occur within the EU

US Data Processing (Anthropic)

  • Your chat messages are sent to Anthropic (US) for AI processing
  • Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Anthropic's commitment: No training on customer data, enterprise-grade security
  • Data is processed in real-time and not permanently stored by Anthropic

8. Cookies and Tracking

Essential Cookies (Required for Service)

  • Logto authentication: Session cookies to keep you logged in
  • Duration: Until you sign out or 30 days of inactivity

Analytics Cookies (Optional, Privacy-Safe)

  • PostHog analytics: Privacy-safe usage tracking
  • What we track: Page visits, feature usage, error reports
  • What we DON'T track: Personal content, passwords, journal entries
  • Privacy mode: Input masking enabled, console logs disabled
  • Opt-out: You can disable analytics in your browser settings

No Third-Party Advertising

  • We do not use advertising cookies
  • We do not sell your data to advertisers
  • We do not participate in ad networks

9. Children's Privacy

StoryPlan is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@nitwit.se and we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements

Notification of Changes:

  • We will notify you via email for significant changes
  • The "Last Updated" date at the top will always reflect the most recent version
  • Continued use of StoryPlan after changes constitutes acceptance

11. Contact Us

Data Controller: Nitwit AB

Privacy Questions: privacy@nitwit.se

Data Protection Officer: Mark Dixon, mark@nitwit.se

Postal Address: Årstavägen 9, 112 50, Sweden

12. Legal Basis for Processing

Under GDPR, we process your personal data under the following legal bases:

  • Contract: To provide the StoryPlan service you signed up for
  • Legitimate Interest: To improve our service and prevent fraud
  • Consent: For analytics cookies and optional features (where applicable)

Your Privacy is Our Priority

We built StoryPlan with privacy at its core. Your stories are personal, and we treat them that way.

Key Commitments:

  • ✅ EU-based data storage (Stockholm)
  • ✅ No training on your data
  • ✅ Export your data anytime
  • ✅ Delete your account with one click
  • ✅ GDPR compliant
  • ✅ Privacy-safe analytics