title: "Privacy Policy" effectiveDate: "22 June 2026" slug: "privacy" sourceFile: "Privacy_Policy.md"

Privacy Policy

Audience: End users of the FramePath application on iOS, iPadOS, and macOS.

Effective date: 22 June 2026 Last updated: 23 June 2026

1. Who we are

FramePath ("FramePath", "we", "us", or "our") is an application designed for filmmakers and screenwriters to plan scripts, scenes, shot lists, and storyboards.

The data controller for the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK-GDPR") is:

  • Controller: Miikka Putaala (sole proprietor), publisher of FramePath
  • Postal address: [Postal address — to be completed before publication]
  • Privacy contact: mputaala@me.com

We have not appointed a Data Protection Officer because the scale and nature of our processing does not require one under Article 37 GDPR. The privacy contact above is the single point of contact for all data-protection matters.

2. Scope

This Privacy Policy explains what personal data FramePath collects when you use the FramePath application on iOS, iPadOS, or macOS (the "App"), how we use it, with whom we share it, and what rights you have over it.

This policy does not cover:

  • Apple's own processing of your Apple ID, device data, or App Store transactions (see Apple's Privacy Policy);
  • the content you create in the App, which is stored in your own iCloud account and is not accessible to us except as described in Section 4.

3. Personal data we collect

We deliberately collect the minimum data needed to operate the App. The categories below describe everything we collect.

3.1 Account data (collected only when you sign in)

  • Apple user identifier — an opaque, team-scoped identifier returned by Sign in with Apple. We never receive your real Apple ID.
  • Email address — only if you choose to share it during Sign in with Apple. Apple may give us a "private relay" forwarding address rather than your real address; we treat both the same.
  • Display name — only on first sign-in, and only if you choose to share it.
  • Firebase user ID (UID) — an internal identifier generated by Firebase Authentication when your Apple credential is exchanged. This is the key we use to look up your wallet and entitlements.

3.2 Subscription and wallet data

  • Subscription state and entitlement — whether you hold an active "Pro" subscription, managed via RevenueCat and bound to your Firebase UID.
  • Token wallet balance — a server-side counter (in Firebase Firestore at users/{uid}) recording your remaining AI tokens and whether your welcome allotment has been granted.
  • Purchase history — receipt-validation records held by RevenueCat and Apple. We do not store credit-card or payment-instrument data; Apple handles payment.

3.3 AI-generation content (only when you use AI features)

When you ask the App to generate shots for a scene, the App sends the following to our Firebase Cloud Function ask_claude, which forwards it to Anthropic's Claude API:

  • the scene description you typed (up to roughly 1,000 characters);
  • optionally, the list of scene elements (locations, props) you've defined for that scene;
  • optionally, the list of character names relevant to that scene.

We do not send screenplay metadata, your identity, or other scenes. The model's reply (a list of suggested shots) is returned to your device, stored locally in your project, and synced to your iCloud — it is not retained on our servers. See Section 5 for what Anthropic does with this content.

3.4 Project content (stored in your iCloud, not by us)

Your screenplays, scenes, shots, storyboard drawings, photographs, character lists, and production metadata (e.g., director and camera-operator names) are stored in your private CloudKit database (container iCloud.framepath.framepath). This content lives in your Apple iCloud account; we do not have access to it and cannot read, copy, or recover it.

3.5 Data we do not collect

For transparency, the App does not collect any of the following:

  • No analytics: Firebase Analytics, Google Analytics, and equivalent SDKs are not enabled (IS_ANALYTICS_ENABLED is false in our Firebase configuration).
  • No crash reporting to us: Crashlytics is not enabled. Apple may collect anonymised crash reports under your device settings; that flow is governed by Apple, not by us.
  • No advertising identifiers: we do not request the IDFA and we do not show ads.
  • No App Tracking Transparency prompt: we do not track you across apps or websites.
  • No precise location, contacts, calendars, microphone, or health data.
  • No device fingerprinting beyond the platform interface idiom (phone vs. tablet) used locally for layout.

4. Why we use your data and on what lawful basis

For users in the EU, EEA, or UK, we rely on the following lawful bases under Article 6 GDPR / UK-GDPR:

| Purpose | Data used | Lawful basis | | --- | --- | --- | | Authenticate you and provide an account | Apple user ID, email, display name, Firebase UID | Article 6(1)(b) — performance of a contract (our Terms of Use) | | Sync your project content across your devices | Project content in CloudKit | Article 6(1)(b) — performance of a contract | | Validate your subscription and grant entitlements | Subscription state, wallet balance | Article 6(1)(b) — performance of a contract | | Generate AI shot suggestions on request | Scene description, optional scene elements, optional character names | Article 6(1)(b) — performance of a contract; you initiate each request | | Prevent abuse, fraud, and service misuse | Firebase UID, request metadata, RevenueCat purchase data | Article 6(1)(f) — our legitimate interest in operating a secure, sustainable service | | Respond to your privacy or support enquiries | Contact details and the content of your message | Article 6(1)(c) — legal obligation; and Article 6(1)(f) — legitimate interest |

We do not rely on consent for any of the above because none of these uses is optional once you choose to use the relevant feature. If you do not wish to use the AI features, simply don't trigger them; no data is sent to Anthropic in that case.

We do not engage in profiling or automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

5. Who we share your data with

We use a small number of carefully chosen processors and sub-processors. Each has its own privacy obligations and is bound by a data-processing agreement where required.

5.1 Apple Inc. (United States, Ireland)

  • Sign in with Apple (authentication)
  • CloudKit (storage of your project content in your private iCloud database)
  • App Store and StoreKit (payment processing for subscriptions and in-app purchases)

Apple acts as an independent controller for sign-in and payment data and as a processor for CloudKit content. See Apple's Privacy Policy.

5.2 Google LLC / Google Ireland Limited (Firebase)

  • Firebase Authentication (exchanging your Apple credential for a Firebase UID)
  • Cloud Firestore (storing your wallet/entitlement document)
  • Cloud Functions (running the ask_claude server function)

Google acts as our processor. See Google's Privacy Policy and the Firebase data-processing terms.

5.3 RevenueCat, Inc. (United States)

  • Subscription-state management and entitlement reconciliation, bound to your Firebase UID.

RevenueCat acts as our processor. See RevenueCat's Privacy Policy.

5.4 Anthropic, PBC (United States)

  • Generates AI shot suggestions from the scene text you submit.

Anthropic acts as our processor for the API call. Under Anthropic's commercial API terms, your inputs and outputs are not used to train Anthropic's models and are retained only for a limited period for abuse-monitoring purposes. See Anthropic's Privacy Policy.

5.5 We do not sell your data

We do not sell, rent, or trade your personal data, and we do not share it for cross-context behavioural advertising.

5.6 Disclosure required by law

We may disclose personal data if required by a valid legal process (court order, subpoena, regulatory request). Where lawful, we will notify you before doing so.

6. International transfers

Most of our processors are based in the United States. When personal data is transferred from the EU, EEA, or UK to a country that has not received an adequacy decision from the European Commission or the UK Government, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum, supplemented by additional safeguards (encryption in transit and at rest, access controls).

You can request a copy of the relevant transfer safeguards by contacting mputaala@me.com.

7. How long we keep your data

| Data | Retention | | --- | --- | | Apple user ID, Firebase UID, email | Until you delete your account, then deleted within 30 days | | Wallet/entitlement document in Firestore | Until you delete your account, then deleted within 30 days | | Subscription records held by RevenueCat | Per RevenueCat's retention policy; tax-record obligations may require retention up to 7 years for invoice metadata | | AI prompt content sent to Anthropic | Not retained by us; retained by Anthropic per its commercial-API terms (currently up to 30 days for abuse monitoring) | | Project content (screenplays, shots, storyboards) | Held in your own iCloud — we never store it. Deletion is controlled by you in the iCloud settings on your device | | Privacy / support correspondence | Up to 3 years after the matter is closed |

To delete your account, choose Settings → Account → Delete account in the App, or email mputaala@me.com.

8. Your rights (EU, EEA, UK)

Under GDPR and UK-GDPR you have the right to:

  • Access the personal data we hold about you (Article 15);
  • Rectify inaccurate data (Article 16);
  • Erase your data, also known as the "right to be forgotten" (Article 17);
  • Restrict processing in certain circumstances (Article 18);
  • Port your data to another service in a structured, machine-readable format (Article 20);
  • Object to processing carried out on the basis of legitimate interest (Article 21);
  • Withdraw consent at any time where we rely on consent (we currently do not — see Section 4); and
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, email mputaala@me.com. We will respond within one month, as required by Article 12(3) GDPR. There is no fee unless the request is manifestly unfounded or excessive.

If you believe we have processed your data unlawfully, you may complain to your local data-protection authority. For example:

A full list of EEA authorities is maintained by the European Data Protection Board.

9. Security

We rely on the security controls of our platform providers and apply the following measures:

  • All network traffic between the App and our backend uses TLS 1.2 or higher.
  • Authentication uses Apple-issued OAuth tokens exchanged via Firebase Authentication; we never see your Apple ID password.
  • The wallet document in Firestore is read-only to clients; only server-side Cloud Functions can mutate balances.
  • CloudKit data is encrypted in transit and at rest by Apple and resides in your private database.
  • We do not store payment-card data.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours, as required by Article 33 GDPR, and notify you without undue delay where Article 34 applies.

10. Children

The App is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13.

For users in the EU and EEA, GDPR Article 8 sets the age of digital consent at 16 by default, with member states permitted to lower it to as low as 13. If you are under the applicable age of digital consent in your country, you must have the consent of a parent or legal guardian before using the App. Parents who believe their child has provided us with personal data without consent should contact mputaala@me.com and we will delete the data promptly.

We do not knowingly use children's data for profiling, behavioural advertising, or any non-essential purpose.

11. Apple App Store privacy disclosures

For alignment with Apple's App Privacy "nutrition label" on the App Store, our declared data practices are:

  • Data linked to you: User ID (Apple user ID, Firebase UID), Email Address (only if shared via Sign in with Apple), Purchase History, Other User Content (the AI scene text you submit on demand).
  • Data not linked to you: None additionally; we do not collect telemetry.
  • Data used to track you: None.

If our practices change, we will update both this policy and the App Store privacy declaration.

12. Changes to this policy

We may update this policy from time to time to reflect changes to the App, the law, or our processors. When we make a material change, we will:

  1. update the Last updated date at the top of this policy;
  2. notify you in-app on next launch where the change is material; and
  3. for changes that require a new lawful basis or expanded data collection, ask for your consent before the change takes effect.

The most recent version of this policy is always available inside the App under Settings → Privacy Policy and at the URL we publish on the App Store listing.

13. Contact

For any privacy question, request, or complaint:

Email: mputaala@me.com Postal address: [Postal address — to be completed before publication]

We will acknowledge your message within five working days and substantively respond within one month.

References