Privacy Policy
Last updated: May 12, 2026 · Version 2026-05-12
Summary. Indie Author Academy LLC processes manuscripts and marketing data on behalf of indie authors. We use commercial AI services (Anthropic and Google) under enterprise agreements that prohibit those providers from training models on your content. We do not sell personal data. We honor opt-outs, including the Global Privacy Control signal. Manuscripts are encrypted at rest and in transit; access is logged. You retain full ownership of your content at all times.
Contents
- Introduction & Scope
- Information We Collect
- How We Use Your Information
- Manuscript Processing & AI Sub-Processors
- EU AI Act Disclosures
- How We Share Information
- Sub-Processor List
- Data Retention
- Data Security
- Your Rights (General)
- California Privacy Rights
- Other US State Privacy Rights
- European / UK / Swiss Rights (GDPR)
- International Data Transfers
- Children's Privacy
- Cookies & Tracking
- Changes to This Policy
- Contact
1. Introduction & Scope
This Privacy Policy explains how Indie Author Academy LLC ("IAA," "we," "us," or "our"), a Nevada limited liability company, collects, uses, discloses, and protects your information when you use indieauthormedia.com, mira.indieauthormedia.com, tiktok.indieauthormedia.com, amazonads.indieauthormedia.com, related subdomains, and any service we provide (the "Service"). It applies to all visitors and customers worldwide.
For the purposes of the EU and UK General Data Protection Regulation, IAA is the controller of personal data processed in connection with the Service. For California residents, IAA is the "business" under CCPA/CPRA.
2. Information We Collect
2.1 Information you provide
- Account information: name, email address, business name, password (stored as a hash, never in plaintext);
- Profile information: author pen name, genre preferences, marketing goals;
- Communication data: messages you send us, support tickets, onboarding questionnaire responses;
- Payment information: billing details, processed by our payment processor Stripe; we never store full card numbers;
- Manuscript content: book manuscripts in PDF, EPUB, DOCX, or text format that you upload for indexing and slide creation;
- Publishing data: KDP sales reports, BSR rankings, royalty data, ad-spend reports you voluntarily share to optimize your content strategy.
2.2 Information from connected third-party platforms
When you authorize our integrations, we collect data from the following platforms through their official APIs:
| Platform | Data we collect | Purpose |
|---|---|---|
| TikTok | Profile information, video metrics, follower analytics, engagement data, content performance | Analytics, content strategy, performance reporting |
| Amazon Advertising | Campaign data, ad performance, keyword metrics, spend, ACOS/ROAS | Advertising optimization, ROI analysis |
| Other social platforms | Profile info, post metrics, audience demographics (only when you connect) | Cross-platform analytics, audience insights |
2.3 Information collected automatically
- Usage data: pages visited, features used, time on Service;
- Device information: browser type, operating system, IP address, device identifiers;
- Cookies: essential cookies for authentication and (with your consent) optional analytics cookies. See Section 16.
3. How We Use Your Information
- Provide, maintain, and improve the Service;
- Process your manuscript through the indexing pipeline and generate marketing materials;
- Generate analytics, reports, and insights for your marketing activities;
- Authenticate your identity and manage your account;
- Communicate with you about the Service (updates, support, billing);
- Detect, prevent, and address technical issues, fraud, and security threats;
- Comply with legal obligations and enforce our Terms of Service;
- With your consent, send marketing communications (you can unsubscribe at any time).
4. Manuscript Processing & AI Sub-Processors
Manuscripts are the most sensitive content we handle. This section explains exactly how your manuscript is processed.
4.1 Processing chain
- You upload your manuscript over a TLS 1.2+ encrypted connection.
- The file is encrypted at rest with AES-256-GCM using keys we control.
- For analysis, we extract text and send it to the LLM provider (Anthropic or Google) you have authorized for processing — we never send the original file binary outside our infrastructure.
- The LLM provider returns analysis (passages, themes, market positioning, ad-copy ideas) which we store in your account.
- Marketing slides are generated combining verbatim passages from your manuscript with AI-generated visual elements.
- Original files are retained only as long as your account is active or as specified in our retention table.
4.2 LLM training guarantees
| Provider | Service | Training on your content? | Retention by provider |
|---|---|---|---|
| Anthropic, PBC (US) | Claude models via Anthropic API (commercial) | No — contractually prohibited under Anthropic's commercial terms | Up to 30 days for trust & safety, then deleted (Zero Data Retention requested for sensitive workloads) |
| Google LLC (US) | Gemini models via Vertex AI (enterprise) | No — contractually prohibited under Vertex enterprise terms | Per project settings; default 24-hour abuse-detection cache |
4.3 What we will NOT do with your manuscript
- No AI model training. Your manuscript is never used to train, fine-tune, or improve any language model — ours or any third party's. The LLM indexes your book to serve you; it does not learn from it.
- No resale or redistribution. Your manuscript is never sold, licensed, sublicensed, or made available to any third party except the LLM provider and infrastructure sub-processors listed in Section 7.
- No paraphrasing or fabrication. All passages extracted are verbatim — taken directly from your manuscript. We do not generate, rewrite, paraphrase, or fabricate content that imitates your writing.
- No cross-customer usage. Your manuscript data is isolated to your account. Content from your book is never used to generate slides, recommendations, or insights for other authors.
4.4 Storage & security
- Manuscripts are stored on access-controlled servers with encryption at rest (AES-256-GCM) and in transit (TLS 1.2+);
- Access restricted to authorized personnel involved in content production for your account;
- Single sign-on and multi-factor authentication for all internal access;
- Principle-of-least-privilege IAM policies;
- Tamper-evident audit logs of all access to manuscript files, retained 18 months;
- Book indexes and passage documents are retained after cancellation so you do not have to pay the setup fee again if you return. These are permanently deleted only upon your explicit written request.
4.5 Your rights over manuscript content
You retain full intellectual property ownership of your manuscript at all times. Our processing does not transfer, assign, or license any rights to us beyond the limited license to provide the Service described in our Terms of Service. You may request permanent deletion of your manuscript, book index, and all derived content at any time by emailing privacy@indieauthormedia.com. Deletion is completed within 30 days of your request.
5. EU AI Act Disclosures
IAA's AI features (manuscript indexer, ad-copilot, content recommendations) are within scope of Regulation (EU) 2024/1689 (the "EU AI Act") when used by persons located in the European Union. The Service uses limited-risk AI systems under Article 50 of the Act and is a downstream deployer of general-purpose AI ("GPAI") models supplied by third parties.
GPAI models used:
- Anthropic, PBC — Claude family models, accessed via the Anthropic API under a commercial agreement that prohibits training on customer content.
- Google LLC — Gemini family models, accessed via Vertex AI under enterprise terms that prohibit training on customer content.
Transparency commitments (Article 50):
- When you interact with our AI assistants, you will be informed that you are communicating with an AI system.
- AI-generated text, images, or audio surfaced to you will be marked as AI-generated where technically feasible.
- You may request human review of any AI-generated output that materially affects your account or campaigns by emailing privacy@indieauthormedia.com.
Questions about our AI Act compliance: privacy@indieauthormedia.com.
6. How We Share Information
We do not sell your personal data for monetary consideration. We share information only in these circumstances:
- Sub-processors and service providers: trusted third-party providers that help us operate the Service, listed in Section 7. All sub-processors are bound by written agreements requiring confidentiality and limiting use of personal data to providing services to us.
- Third-party platforms you connect: when you authorize our applications to interact with platforms (like TikTok or Amazon Advertising) on your behalf, we exchange data through those platforms' official APIs.
- Legal requirements: when required by law, regulation, valid legal process, or to protect the safety, rights, or property of IAA, our users, or the public. We will challenge overly broad requests and provide notice to you where legally permitted.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, with notice to affected users.
- With your consent: any other sharing with your explicit consent.
7. Sub-Processor List
The following sub-processors process personal data on our behalf as of the "Last updated" date of this Policy. We will provide 30 days' notice of any new sub-processor to enterprise customers; the current list is maintained in this section of the Policy.
| Sub-processor | Function | Location | Transfer basis |
|---|---|---|---|
| Anthropic, PBC | LLM for manuscript indexing and content generation | United States | EU-US Data Privacy Framework (DPF) |
| Google LLC | LLM (Vertex AI) for manuscript indexing and content generation | United States | EU-US Data Privacy Framework (DPF) |
| Amazon Web Services, Inc. | Hosting, storage, key management, audit logging | US-East / EU-Central | DPF / Standard Contractual Clauses (SCCs) |
| Hetzner Online GmbH | Application hosting (TikTok and ads services) | Germany | EU intra-EEA |
| Stripe, Inc. | Payment processing | United States / Ireland | DPF / SCCs |
| Amazon SES (Amazon Web Services) | Transactional email delivery | United States | DPF / SCCs |
| Slack Technologies LLC | Customer-success communication | United States | DPF / SCCs |
| Google Workspace | Internal email, documents, calendar | United States | DPF / SCCs |
8. Data Retention
We keep personal data only as long as necessary for the purposes for which it was collected, or as required by law. Retention periods are summarized below. When a period ends, data is deleted or anonymized by scheduled jobs.
| Data category | Retention period | Basis / justification |
|---|---|---|
| Account profile (name, email, password hash) | Life of account + 30 days after deletion | Contract performance; grace window for account-recovery requests |
| Manuscript files (PDF, EPUB, DOCX) | Life of account; deleted within 30 days of account closure or on request | Contract performance; storage-limitation principle (GDPR Art 5(1)(e)) |
| AI-generated analysis (book bibles, market signals, slide content) | Life of account; deleted within 30 days of account closure | Contract performance |
| Book indexes & passage documents | Retained after cancellation so you do not repay setup fees; deleted within 30 days of explicit written request | Customer benefit; legitimate interest; opt-out always available |
| LLM API request/response logs (raw) | 30 days, then aggregated and anonymized | Service quality, abuse detection, billing reconciliation; legitimate interest |
| TikTok analytics, Amazon Ads data, KDP reports | Life of account + 24 months (rolling window for trend analysis) | Contract performance; statistical purposes |
| Stripe billing records and invoices | 7 years | U.S. federal and state tax law; Nevada record-keeping requirements |
| Support tickets and customer-success conversations | 3 years from last interaction | Legitimate interest in service quality and dispute resolution |
| Security logs, audit trails | 18 months | Legitimate interest in security; PCI-DSS minimum 12 months |
| Marketing email lists and consent records | Until you unsubscribe + 24 months for consent proof | Consent (GDPR Art 6(1)(a)); proof of consent (Art 7(1)) |
| Cookie consent records | 13 months | ePrivacy Directive; CNIL guidance |
| Backups (encrypted, isolated) | 35 days rolling | Operational continuity; restored data is re-deleted to honor original requests |
| Anonymized aggregate analytics (no personal data) | Indefinite | No longer personal data; statistical purposes (Art 89) |
9. Data Security
- Encryption in transit: TLS 1.2+ (TLS 1.3 preferred) for all data exchange;
- Encryption at rest: AES-256-GCM with keys managed in AWS KMS or GCP KMS;
- Authentication: hashed passwords (bcrypt/argon2), multi-factor authentication available for all accounts and required for internal access;
- Access controls: principle of least privilege, role-based IAM policies, named-user access only;
- Audit logging: tamper-evident audit trail of access to manuscript files and personal data, retained 18 months;
- OAuth 2.0 for third-party platform integrations — we never store your third-party platform passwords;
- Vulnerability management: regular vulnerability scans and at least annual penetration testing;
- Incident response: documented incident-response plan with 72-hour breach notification under GDPR Article 33 where applicable, and notification to affected users without undue delay.
No system is completely secure. If you believe your account has been compromised, contact security@indieauthormedia.com.
10. Your Rights (General)
Regardless of where you live, you may exercise the following rights by emailing privacy@indieauthormedia.com:
- Access: request a copy of the personal data we hold about you;
- Correction: request correction of inaccurate or incomplete data;
- Deletion: request deletion of your personal data;
- Portability: request your data in a structured, machine-readable format;
- Revoke consent: disconnect third-party platform access or revoke any consent at any time;
- Opt out of marketing: unsubscribe from marketing emails at any time using the link in any marketing email.
We respond to verified requests within 30 days (45 days for complex requests, with notice). We may require you to verify your identity before fulfilling a request.
11. California Privacy Rights (CCPA / CPRA, 2026 amendments)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act and the regulations effective January 1, 2026:
- Right to know the categories and specific pieces of personal information we collect, use, disclose, and share;
- Right to delete personal information we have collected;
- Right to correct inaccurate personal information;
- Right to opt out of sale/sharing — IAA does not sell personal information for monetary consideration. We treat the use of advertising cookies as "sharing" and honor opt-outs accordingly;
- Right to limit use of Sensitive Personal Information — limit our use of SPI to purposes necessary to provide the Service;
- Right to non-discrimination — we will not deny service or charge different prices for exercising your rights;
- Right regarding automated decision-making — request information about, and opt out of, our use of automated decision-making technology for decisions that significantly affect you. Our ad-budget recommendations, BSR forecasts, and copy suggestions are advisory only; you remain the decision-maker.
11.1 Sensitive Personal Information we process
- Contents of communications — manuscripts you upload, drafts, and messages exchanged with our team;
- Account credentials — passwords (hashed) and authentication tokens;
- Financial information — payment data processed by Stripe; IAA does not store full card numbers.
11.2 Universal Opt-Out / Global Privacy Control
We honor the Global Privacy Control (GPC) signal as a valid request to opt out of sale and sharing. When we detect a GPC signal from your browser, we automatically apply the opt-out.
11.3 California Delete Act
IAA is not a registered data broker under California Civil Code §1798.99.80, because we collect personal information directly from you in connection with the Service. Accordingly, requests submitted through the CPPA's Delete Request and Opt-out Platform (DROP) do not apply to IAA. To delete your account and associated data, contact us directly.
11.4 How to exercise California rights
Email privacy@indieauthormedia.com. We will verify your identity and respond within 45 days. You may also designate an authorized agent in writing.
12. Other US State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Minnesota, Maryland, and Rhode Island have rights under their state's comprehensive privacy law. IAA grants the following rights uniformly to residents of these states:
- Access — confirm whether we process your personal data and obtain a copy;
- Correct — request correction of inaccurate personal data;
- Delete — request deletion of personal data we have collected;
- Portability — receive your data in a portable, machine-readable format;
- Opt out of targeted advertising;
- Opt out of sale — IAA does not sell personal data;
- Opt out of profiling that produces legal or similarly significant effects;
- Appeal our denial of a privacy request within a reasonable time.
Universal opt-out signals. IAA recognizes the Global Privacy Control (GPC) signal as a valid opt-out of sale and targeted advertising for residents of California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
Sensitive data consent. For residents of states whose law requires it (Colorado, Connecticut, Virginia, New Jersey, Delaware, New Hampshire, Maryland, Minnesota, Montana, Oregon, Texas), we require your opt-in consent before processing sensitive data (e.g., racial or ethnic origin, religious beliefs, health data, precise geolocation). Manuscript content is processed only after your express consent given at upload.
How to exercise. Email privacy@indieauthormedia.com. We respond within 45 days.
13. European / UK / Swiss Privacy Rights (GDPR & UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following applies under Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection.
13.1 Controller and representative
Controller: Indie Author Academy LLC, 657 Timberfalls Lane, Henderson, NV 89015, USA.
EU Representative (Article 27): contact eu-rep@indieauthormedia.com — appointment in progress as IAA scales its EU customer base.
Data Protection contact: privacy@indieauthormedia.com.
13.2 Lawful bases for processing
| Purpose | Lawful basis |
|---|---|
| Providing the Service (manuscript analysis, ad management) | Article 6(1)(b) — contract performance |
| Processing manuscript content that may contain special-category data | Article 9(2)(a) — explicit consent given at upload |
| Billing and tax | Article 6(1)(c) — legal obligation |
| Security, fraud prevention, product analytics | Article 6(1)(f) — legitimate interest (LIA documented) |
| Marketing emails | Article 6(1)(a) — consent (revocable at any time) |
13.3 Your GDPR rights
- Access, rectification, erasure, restriction of processing;
- Portability of your data;
- Objection to processing based on legitimate interest;
- Withdrawal of consent at any time (without affecting prior lawful processing);
- Right to lodge a complaint with your supervisory authority (your national DPA, the UK ICO at ico.org.uk, or the Swiss FDPIC).
13.4 Automated decision-making
We do not make decisions producing legal effects on you using solely automated means. AI-generated suggestions are advisory; a human (you or our team) makes any binding decision affecting your account.
14. International Data Transfers
Personal data is transferred to the United States and processed by IAA and our sub-processors. We rely on:
- The EU-US Data Privacy Framework (and the UK Extension and Swiss-US DPF) for IAA and DPF-certified sub-processors;
- The European Commission's 2021 Standard Contractual Clauses (Module 2) for non-DPF sub-processors, supplemented by Transfer Impact Assessments and technical safeguards (TLS 1.2+ in transit, AES-256-GCM at rest, EU-region storage where available).
You may obtain a copy of the relevant transfer mechanisms by emailing privacy@indieauthormedia.com.
15. Children's Privacy
The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. We comply with the U.S. Children's Online Privacy Protection Act (COPPA), the California Age-Appropriate Design Code Act, and analogous state laws regarding minors.
If you believe a person under 18 has provided personal information to us, please contact privacy@indieauthormedia.com. We will verify, suspend the account, and delete the personal information within 30 days.
We do not sell, share, or use the personal information of any consumer under 18 for cross-context behavioral advertising or for training AI models, regardless of jurisdiction.
16. Cookies & Tracking
We use cookies and similar technologies for:
- Essential cookies — authentication, session management, security. These are required for the Service to function and cannot be disabled.
- Analytics cookies — with your consent, we measure usage of the Service to improve it. We do not use third-party advertising trackers.
For visitors from regions requiring affirmative consent (EU/EEA, UK), our cookie banner allows you to accept or reject non-essential cookies before any are set. "Reject All" is as prominent as "Accept All." You may change your preferences at any time via the cookie banner footer link or by clearing cookies in your browser.
We honor the Global Privacy Control browser signal as a valid opt-out of non-essential cookies and tracking.
17. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice by email and by posting the updated policy with a revised "Last updated" date and version identifier. Non-material changes (clarifications, typo fixes) take effect upon posting. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Policy.
18. Contact
Indie Author Academy LLC
657 Timberfalls Lane, Henderson, NV 89015, USA
Privacy & data requests: privacy@indieauthormedia.com
EU representative: eu-rep@indieauthormedia.com
Security incidents: security@indieauthormedia.com
General: admin@indieauthormedia.com