Privacy Policy
This policy describes exactly what data the DFY TikTok service collects, where it lives, which third parties process it, and how long each piece is kept.
Data collected at checkout
When you pay for DFY v2 through the embedded Stripe checkout on this page, the following pieces of information are collected: your email address, first and last name, and pen name through our own form; your manuscript file (accepted formats include .docx, .pdf, and .epub, uploaded directly to our server and never through Stripe); your book title, Amazon ASIN, optional TikTok handle or handles, selected content wallet tier, and the timestamped record of your AI-consent confirmation. Stripe collects the payment-method details (card number, expiry, CVC) directly inside its iframe; those never reach our servers. After sign-in, an optional goals questionnaire at /intake may collect additional strategic context (catalog maturity, revenue band, reader infrastructure, 12-month goal, biggest marketing challenge) when you choose to fill it in — every field is optional and can be edited or left blank.
Storage locations and retention
Stripe holds your payment method and retains the transaction record per its own PCI-DSS SAQ A compliance program. Our servers never see a card number, CVC, or full PAN. Your customer record, intake metadata, and optional profile answers live in a Postgres database hosted at Hetzner in the United States inside the mira.app_* and core.* schemas. Your manuscript file is stored separately in Cloudflare R2 object storage, linked to your customer record by a per-book storage key. We do not auto-delete manuscripts; you retain them for the life of your account and can request deletion at any time per the Data Deletion policy on this site. The derivative post content generated by MIRA is retained as a service record for the duration of your subscription and for ninety days after cancellation so weekly reports, content audits, and KU-activity reconciliations remain reconstructible. Your manuscript is also forwarded cross-schema to the Booketeer pipeline where it is analyzed into scene-moment structures used for post generation.
Third-party data processors
Four external services receive parts of your data in the course of delivering DFY v2. Stripe processes payment data under its PCI-DSS SAQ A certification and its own privacy policy. Anthropic (Claude API, United States) and Google (Gemini API, United States) receive chapter-level excerpts of your manuscript for the sole purpose of generating scene moments, under processor agreements that forbid training on customer content. Amazon Simple Email Service in region us-east-1 receives transactional message content, your recipient address, and delivery metadata for kickoff confirmations, weekly reports, and future notification emails.
Cookies and analytics
At launch we set only essential cookies: the Stripe session cookie that keeps your checkout state consistent, and a consent-preferences cookie that remembers whether you opted in or out of future analytics. We do not run Google Analytics, Plausible, or any general-purpose analytics provider on this page. When Meta Pixel is added in a future release for Facebook ad retargeting, it will be gated behind an explicit opt-in cookie consent banner and will not fire on any visit where consent has not been granted.
Email communications
We send transactional email only: the checkout kickoff confirmation, future billing notices for month-two and beyond, weekly Slack report summaries, and the occasional operational email (service interruption, data deletion confirmation). We do not auto-subscribe you to any marketing list. If we ever add an opt-in newsletter, it will be explicit and separate. Amazon SES retains delivery logs and bounce-complaint records for approximately fourteen months in its us-east-1 region so we can honor spam-complaint handling, suppress hard bounces, and reply to delivery-investigation requests. Those logs are metadata about email delivery, not the body of your emails.
International data transfers
Your customer record, your intake metadata, your manuscript, and your derivative posts live in the United States (Hetzner US for Postgres; Cloudflare R2 object storage with automatic region routing for your manuscript file). Anthropic, Google, and Amazon SES also process data in the United States. If you are resident in the European Union or the United Kingdom, we rely on each processor's published Standard Contractual Clauses (with the UK Addendum where applicable) to cover the transatlantic leg of those transfers. If you are resident in California, your CCPA rights apply.
Your rights
You have the right to access the data we hold about you, correct inaccuracies, request export in a portable format (typically JSON), request deletion of the raw manuscript and intake metadata, and withdraw your AI-processing consent prospectively. These rights are recognized under GDPR (European Union), the UK GDPR, CCPA and CPRA (California), and PIPEDA (Canada). The data-deletion flow on this site details the exact request path and processing timeline; access, correction, and export requests follow the same path at support@indieauthormedia.com.
Contact
For any privacy-related question, correction request, deletion request, or consent withdrawal, email support@indieauthormedia.com. If you believe we have failed to honor a right and you are in the European Union, you may also lodge a complaint with your local Data Protection Authority.
Questions? Email support@indieauthormedia.com. The broader Indie Author Academy policies remain complementary at indieauthormedia.com/terms.html and /privacy.html; this document is the DFY v2 specific layer.