Privacy Policy

Last updated: February 9, 2026

1. Introduction

PPOSB ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Script Factory ("the Service"), operated by PPOSB.

We process personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

PPOSB is the data controller responsible for your personal data. If you have questions about how your data is processed, you may contact us at admin@pposb.org.

3. Data We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Email address — used for authentication, account recovery, and service communications.
  • OSBot username — used to associate your account with the OSBot platform.
  • Password — stored in hashed form only; we never store or have access to your plaintext password.

3.2 Transaction Data

  • Purchase history — credit purchases, amounts, and timestamps.
  • Stripe identifiers — checkout session IDs and payment intent IDs for transaction reconciliation. We do not store your credit card number, CVV, or full billing details. All payment processing is handled directly by Stripe.

3.3 Usage Data

  • API request logs — endpoint accessed, token usage, timestamps, and request/response sizes for billing and service monitoring.
  • AI interaction data — prompts sent to and responses received from AI models, used solely for processing your requests. We do not use your AI interactions to train models.

3.4 Technical Data

  • IP addresses — collected in server logs for security and abuse prevention.
  • Device/browser information — user-agent strings collected automatically by web servers.

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): Processing your account information, transactions, and usage data is necessary to provide the Service you have requested.
  • Legitimate interests (Art. 6(1)(f)): Collecting technical data for security, fraud prevention, and service improvement, where these interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)): Retaining transaction records as required by tax and financial regulations.
  • Consent (Art. 6(1)(a)): Where required, we will obtain your explicit consent before processing data for specific purposes such as marketing communications.

5. How We Use Your Data

  • To create and manage your account.
  • To process credit purchases and maintain transaction history.
  • To provide AI-assisted script generation services.
  • To monitor and enforce usage limits and billing.
  • To detect and prevent fraud, abuse, and unauthorized access.
  • To communicate with you about your account, transactions, or service changes.
  • To comply with legal obligations.

6. Third-Party Services

We share data with the following third-party processors, strictly as needed to operate the Service:

6.1 Stripe (Payment Processing)

All payment transactions are processed by Stripe, Inc. When you make a purchase, your payment information is submitted directly to Stripe and is never transmitted to or stored on our servers. Stripe's handling of your data is governed by their Privacy Policy. Stripe is PCI DSS Level 1 certified.

6.2 OpenAI (AI Services)

AI-powered features are provided by OpenAI, L.L.C. When you use AI features, your prompt data is sent to OpenAI's API for processing. OpenAI's handling of your data is governed by their Privacy Policy and API Data Usage Policy. We encourage you not to include sensitive personal information in your AI prompts.

6.3 Hosting Providers

Our servers and databases are hosted by reputable infrastructure providers. Data may be stored in data centers located in the United States or the European Union.

7. Data Security

We implement reasonable technical and organizational measures to protect your personal data, including:

  • Passwords are hashed using industry-standard algorithms (bcrypt).
  • API authentication uses token-based security (Laravel Sanctum).
  • HTTPS encryption for all data in transit.
  • Access controls limiting who can access personal data.
  • Webhook signature verification for payment processing.

However, no method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. We are not liable for any breach of security beyond our reasonable control.

8. Data Retention

  • Account data: Retained for the lifetime of your account and deleted upon request, subject to legal retention requirements.
  • Transaction data: Retained for a minimum period as required by applicable tax and financial regulations (typically 7 years).
  • API request logs: Retained for up to 12 months for billing and monitoring purposes, then anonymized or deleted.
  • Server logs: Retained for up to 90 days for security purposes.

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restrict processing (Art. 18): Request that we limit how we use your data.
  • Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at admin@pposb.org. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Cookies

The Service uses essential cookies required for authentication and session management. These cookies are strictly necessary for the Service to function and do not require consent under GDPR. We do not use advertising, tracking, or analytics cookies.

11. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions, as required by GDPR.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes may be communicated via email or in-service notification. Continued use of the Service after changes constitutes acceptance of the revised policy.

14. Contact Us

For any privacy-related questions, data requests, or concerns, contact us at:

admin@pposb.org