This Privacy Policy describes how More.is.More s.r.o. ("Company", "we", "us") collects, uses, and protects your personal data when you use StoryShooter (the "Service"). We are committed to GDPR compliance and transparency about data processing. This policy is provided in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation).
This Privacy Policy applies to business clients and their authorized users.
1. Data Controller
More.is.More s.r.o., registered in the Commercial Register maintained by the Municipal Court in Prague (Městský soud v Praze), Section C, File No. 260062, is the data controller for the personal data processed through the Service.
- Company name: More.is.More s.r.o.
- IČO (Company ID): 05210275
- DIČ (VAT ID): CZ05210275
- Registered office: Pernerova 635/57, Karlín, 186 00 Praha 8, Czech Republic
- Email: marek@moreismore.cz
We have not appointed a Data Protection Officer, as our processing activities do not meet the thresholds in Art. 37(1) GDPR. Privacy enquiries are handled by the controller at the address above.
2. Data We Collect
2.1 Data You Provide
We collect the following categories of personal data that you voluntarily provide to us:
| Data Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email, password hash | Account creation and authentication |
| Profile data | Display name, avatar, bio | Personalization |
| Communication data | Email preferences, support messages | Service communication |
| Consent records | Consent type, timestamp, IP address, policy version accepted | Demonstrating lawful consent under Art. 7 GDPR |
| Business data | Company name, VAT ID (DIČ), billing address, authorized user list | Contract performance and account management |
| Creative content | Screenplays, scene descriptions, prompts, uploaded reference images, generated storyboard images | Providing the storyboard generation service you requested |
Paid subscription plans are not offered in the current release. When paid plans are introduced, this policy will be re-versioned and your renewed consent requested before any payment data is processed.
2.2 Data Collected Automatically
When you use the Service, we automatically collect the following data:
| Data Category | Examples | Purpose |
|---|---|---|
| Session data | IP address, user agent, device info | Security and session management |
| Usage data | Feature usage, credit consumption | Service operation and improvement |
| Audit logs | Login events, settings changes | Security and compliance |
| Email tracking | Delivery, open and click events for transactional email (via Postmark) | Measuring deliverability of essential service communications |
2.3 Data from Third Parties
If you choose to sign in using a social login provider, we receive your name, email address and profile picture from that provider for account creation and authentication. In accordance with Art. 14(2)(f) GDPR, the source of this data is the respective provider's OAuth 2.0 API, accessed only when you explicitly initiate the sign-in flow and grant permission through that provider's consent screen.
3. Obligation to Provide Data
In accordance with Art. 13(2)(e) GDPR, we inform you of the following regarding the necessity of providing personal data:
- Required for contract performance: Email address and password (or social login credentials) are required to create an account and use the Service. Without this data, we cannot provide the Service.
- Optional data: Display name, avatar, and bio are entirely optional.
- Required for business accounts: Business clients must additionally provide company name, registered address, and VAT identification number (DIČ) for contract compliance.
If you do not provide the required data (email and password), we will be unable to create your account and you will not be able to access the Service.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds, mapped to each processing activity:
| Processing Activity | Legal Basis | Details |
|---|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) | Necessary to provide the Service you requested |
| Storyboard generation and AI features | Contract performance (Art. 6(1)(b)) | User-initiated features that consume account credits |
| Transactional emails (Postmark) | Contract performance (Art. 6(1)(b)) | Password resets, account notifications, security alerts |
| Session management and security logging | Legitimate interest (Art. 6(1)(f)) | Protecting the security of user accounts and preventing unauthorized access |
| Fraud prevention and abuse detection | Legitimate interest (Art. 6(1)(f)) | Maintaining platform integrity |
| Service improvement | Legitimate interest (Art. 6(1)(f)) | Understanding usage patterns to improve product quality |
| Email delivery tracking (transactional) | Legitimate interest (Art. 6(1)(f)) | Monitoring deliverability of essential service communications |
| Tax and accounting records retention | Legal obligation (Art. 6(1)(c)) | Czech accounting law requires retention of financial records |
| Law enforcement requests | Legal obligation (Art. 6(1)(c)) | Compliance with valid legal orders from competent authorities |
For all processing activities based on legitimate interest, we have conducted documented Legitimate Interest Assessments (LIAs), available on request from the controller at marek@moreismore.cz.
5. Data Processing Agreement (DPA)
As a business client, you may act as a data controller in relation to personal data of your employees or collaborators that you process through the Service. In such cases, the Company acts as a data processor on your behalf, and the terms of our Data Processing Agreement apply and supplement this Privacy Policy.
To request a counter-signed Data Processing Agreement, contact marek@moreismore.cz.
6. AI-Powered Features
The Service uses AI to generate storyboard images from your screenplay and scene descriptions. These features are user-initiated and consume credits from your account balance.
6.1 What AI Features Exist
AI-powered features include: generation of storyboard frames and concept images from text prompts and scene descriptions (text-to-image), and image-conditioned generation from uploaded reference images (image-to-image). Each generation consumes credits according to the pricing displayed before use.
6.2 Data Sent to the AI Provider
When you use an AI-powered feature, we transmit to our AI provider:
- The input you provide (scene text and prompts, and any reference images you upload for a generation).
- A pseudonymous request identifier (not your email, name, or account ID).
No payment data, password hashes, or other account data is ever sent to the AI provider.
AI Provider: Google LLC, via the Google Gemini API. Google LLC processes this data as a sub-processor under the Google Cloud / Generative AI data processing terms.
6.3 No Model Training
Your prompts, reference images, and generated outputs are not used to train AI models. We use the paid Google Gemini API tier, under which submitted content is not used by Google to train or improve its models.
7. Third-Party Processors & Recipients
We share your data with the following sub-processors, each operating under a Data Processing Agreement compliant with Art. 28 GDPR:
| Processor | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (compute, database, object storage) | All Service data, hosted on our infrastructure | Germany (EU) | No transfer (EU-based) |
| ActiveCampaign, LLC (Postmark) | Transactional email delivery | Email address, name | USA | EU-US Data Privacy Framework; SCCs (Decision 2021/914, Module Two) as alternative |
| Cloudflare, Inc. | Media delivery (object storage edge, authenticated media gateway) | Stored media assets, request metadata, pseudonymous session identifier | USA | EU-US Data Privacy Framework; SCCs as alternative |
| Google LLC | AI storyboard/image generation (Gemini API) | Prompts, scene text, uploaded reference images, pseudonymous request ID | USA | EU-US Data Privacy Framework; Google Cloud DPA SCCs as alternative |
Copies of our Data Processing Agreements are available on request by contacting marek@moreismore.cz.
8. International Data Transfers
Our primary infrastructure (compute, database, object storage) is hosted within the European Union at Hetzner Online GmbH (Germany), with no transfer to a third country. Certain sub-processors are located in the United States:
8.1 ActiveCampaign, LLC (Postmark)
ActiveCampaign is certified under the EU-US Data Privacy Framework (European Commission adequacy decision (EU) 2023/1795). As an additional safeguard, transfers are also covered by the European Commission's Standard Contractual Clauses (Decision 2021/914, Module Two). We have conducted a Transfer Impact Assessment for this transfer.
8.2 Cloudflare, Inc.
Cloudflare is certified under the EU-US Data Privacy Framework. Should that certification lapse, transfers fall back to the European Commission's Standard Contractual Clauses with supplementary measures. We have conducted a Transfer Impact Assessment for this transfer.
8.3 Google LLC
Google LLC is certified under the EU-US Data Privacy Framework. Transfers under the Google Gemini API are additionally governed by the Google Cloud Data Processing Addendum, which incorporates the European Commission's Standard Contractual Clauses. We have conducted a Transfer Impact Assessment for this transfer.
8.4 Contingency Measures
If the EU-US Data Privacy Framework is invalidated by a court of competent jurisdiction, we will promptly transition affected transfers to Standard Contractual Clauses with supplementary measures, and inform affected clients.
9. Cookies and Tracking Technologies
The Service currently uses only strictly necessary cookies (authentication session and CSRF protection). These are essential to provide the Service and do not require consent. We do not use analytics or marketing cookies in the current release. If non-essential cookies are introduced, they will be blocked until you give explicit consent, and this policy and our Cookie Policy will be updated accordingly.
10. Your Rights (GDPR Articles 15–22)
As a data subject, you have the following rights:
- Right of access (Art. 15) — Request a copy of your personal data.
- Right to rectification (Art. 16) — Correct inaccurate data via Account Settings.
- Right to erasure (Art. 17) — Request account deletion with a 30-day grace period.
- Right to data portability (Art. 20) — Export your data in a machine-readable format via Account Settings.
- Right to restrict processing (Art. 18) — Request limitation of processing in certain circumstances.
- Right to object (Art. 21) — Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting prior processing.
- Right to lodge a complaint (Art. 77) — You may lodge a complaint with a supervisory authority.
10.1 How to Exercise Your Rights
To exercise any of these rights, visit Account Settings or contact us at marek@moreismore.cz.
10.2 Response Timeline
We will respond within 30 days of receipt. If your request is particularly complex, we may extend this period by up to 2 additional months in accordance with Art. 12(3) GDPR.
11. Data Retention
- Active accounts: Data retained for the duration of account activity.
- Deleted accounts: 30-day grace period (soft delete via `pending_deletion` status), then permanent deletion.
- Anonymized audit logs: Retained after account deletion for security and compliance purposes.
- Accounting records: Retained for the period required by Czech accounting and tax law (Act No. 563/1991 Sb.) after the transaction date.
- Consent logs: Retained for 3 years after consent withdrawal or account deletion, in anonymized form, in accordance with Art. 5(2) GDPR.
- Session data: Automatically purged 90 days after last activity.
- Email send logs: Retained for 1 year, then deleted.
- Creative content and AI inputs/outputs: Retained for the lifetime of the account; deleted when the account is permanently deleted.
12. Data Security
We implement appropriate technical and organizational measures:
- Passwords hashed with a modern adaptive hashing algorithm.
- All data encrypted in transit (TLS) and at rest.
- Two-factor authentication (TOTP) available for all accounts.
- Session management with device tracking and revocation.
- Access controls and audit logging for all administrative actions.
- Database backups encrypted and stored within the EU.
13. Data Breach Notification
In accordance with Art. 33 and Art. 34 GDPR, in the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Office for Personal Data Protection (ÚOOÚ) within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to individuals, we will notify affected users without undue delay.
14. Changes to This Policy
We may update this Privacy Policy periodically. For material changes, we will provide at least 30 days' advance notice via email. For changes affecting processing based on your consent, we will request renewed consent before applying the changes.
15. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. For the Czech Republic, this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ):
- Website: www.uoou.cz
- Address: Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
- Email: posta@uoou.cz
16. Contact
For privacy-related inquiries, contact the controller:
- Company: More.is.More s.r.o.
- Email: marek@moreismore.cz
- Address: Pernerova 635/57, Karlín, 186 00 Praha 8, Czech Republic
