Privacy Policy
Version: pp-1.0-draft Effective date: 2026-04-11 Last updated: 2026-04-11
1. Introduction
Wonderthrough is a creative writing tool built for novelists. It helps you develop manuscripts, characters, worlds, and story structures — with optional AI-powered pipelines that analyze, enrich, and synthesize your creative work.
This Privacy Policy explains what personal data Wonderthrough collects, why we collect it, how we use and protect it, who we share it with, and what rights you have over it. It applies to all Wonderthrough services: the Wonderthrough desktop app, the Wonderthrough web app at app.wonderthrough.com, and the marketing and help site at wonderthrough.com.
This policy does not cover third-party services you connect to Wonderthrough (such as AI providers you access using your own API keys). Those services have their own privacy policies, which apply in addition to ours when you use them.
Our privacy posture, in one sentence: Wonderthrough is local-first when you use the desktop app, cloud-synced only when you explicitly opt in, AI pipeline content is in-transit only and not retained beyond the call itself — except where a saved result deliberately includes the prompt that produced it (image-generation results preserve the assembled prompt on the saved image so you can reproduce or adjust it later, and the prompt travels with the image if it syncs to cloud or is exported) — we do not scan your content for moderation or any other purpose, and we do not use your content to train AI models.
2. Who we are and how to contact us
Wonderthrough, Inc. is incorporated in the State of Delaware, United States.
- General inquiries, privacy requests, and account questions: support@wonderthrough.com
- DMCA notices: dmca@wonderthrough.com (for details on our DMCA process, see our Acceptable Use Policy)
- Mailing address: Wonderthrough, Inc., Delaware, United States (specific street address to be published before public launch)
Response time: We respond to all inquiries within 2 business days.
EU/EEA/UK representation: Wonderthrough will designate a representative in the European Union under GDPR Article 27 before or shortly after accepting EU/EEA/UK user registrations. Once appointed, the representative’s name and contact details will be published here. If you need to reach us on a data protection matter before the representative is appointed, contact privacy@wonderthrough.com.
3. What data we collect
We collect data in four broad categories: creative content, account data, billing data, and diagnostic data. Below is a summary of what we collect and why. We do not collect data beyond what is described here.
Creative content
Manuscript prose (scene body text). The text you write in Wonderthrough’s editor. On the desktop app, this is stored locally on your device. On the web app (or if you enable cloud sync on the desktop app), it is stored in our cloud database. We collect and store this data to provide the core writing service.
Entity profiles. The characters, locations, props, lexicon entries, and other worldbuilding elements you create. Storage follows the same pattern as manuscript prose — local on the desktop app, cloud-stored on the web app or with cloud sync enabled.
Project and book metadata. Project names, book titles, genre selections, configuration settings, and structural data (scene order, folder hierarchy). This metadata is necessary to organize and deliver your creative workspace.
AI pipeline results. When you run an AI pipeline (book synthesis, character enrichment, arc analysis, scene analysis, and similar features), the output is stored alongside your project data. On the desktop app, results are stored locally. On the web app, results are stored in our cloud database. You own these outputs — see Section 14 for details.
Search index (World Search). When World Search is enabled, Wonderthrough creates a searchable index of your manuscript passages, entity profile sections, and author memory entries so you can ask questions grounded in your own work. Where that index is stored depends on your setup:
- Web app, or desktop app with cloud sync enabled: chunks and their vector embeddings are stored in our cloud database (Supabase), scoped per-project with row-level security.
- Desktop app without cloud sync: chunks and embeddings are stored locally on your device. AI calls still route through Wonderthrough’s servers using platform keys (on the Standard preset) or directly to your AI provider (on the Private AI preset).
- Private AI and Local-only: the index is always stored locally on your device (in a LanceDB database inside Wonderthrough’s userData directory). Nothing is transmitted to Wonderthrough’s servers for search.
The index is used only to serve your own search requests. No one at Wonderthrough queries it for any other purpose, and its contents are never used for training.
Account data
Authentication credentials. Your email address and a cryptographic hash of your password (we never see or store your plaintext password), or your Google OAuth identity if you sign in with Google. We collect this to authenticate you and secure your account.
User profile data. Your display name, avatar, trial start and end dates, subscription tier, your account-level Cloud Sync preference (on or off), and a record of which version of the Terms of Service you accepted and when. We collect this to manage your account, deliver tier-appropriate features, and maintain a legal record of your consent.
Privacy preset preference. Your choice of privacy preset (Standard, Private AI, or Local-only) is stored locally on the device where you set it. Privacy preset is per-device, not per-account: your desktop app and your web sessions, and any second desktop you install, can each have their own privacy preset. It is not transmitted to Wonderthrough’s servers. We use this preference to determine how your AI tool requests are routed from that device.
Telemetry consent preference. Your choice to allow or decline optional product analytics is stored locally on your device. It is not transmitted to Wonderthrough’s servers. We use this to respect your analytics preferences.
BYO API keys (your own AI provider keys). When you bring your own API key for an AI provider (Anthropic, OpenAI, or Google), where the key is stored depends on which surface you’re using:
- Wonderthrough desktop app, Cloud Sync off: keys are stored only in your operating system’s secure keychain (Keychain on macOS, DPAPI on Windows, libsecret on Linux). They never touch our servers in storage form.
- Wonderthrough desktop app, Cloud Sync on: the same OS-keychain copy stays on your device, and an encrypted copy is also stored on our servers in the
user_api_keystable so that your other devices can find the key on first launch and prompt you to re-enter it. - Wonderthrough web app: the web app has no OS keychain, so any key you save is stored on our servers in the
user_api_keystable.
In all cases where keys touch our servers, they are encrypted at rest using AES-256-GCM with a server-held encryption key. The masked preview shown in the app (e.g. sk-ant-…XYZ) and the timestamp of last validation are stored alongside the encrypted blob.
When you submit a key — to validate it, to save it, or to remove it — the unencrypted key transits our api-keys edge function in memory only. The function calls the AI provider once to confirm the key is valid, encrypts the key for storage if you asked us to save it, and discards the unencrypted value when the request completes. It is not written to logs. We never send a stored key back to a device in decrypted form. This is a deliberate architectural posture, not a temporary limitation. The practical consequence is that when you set up Wonderthrough on a new desktop, you re-enter your keys on that device — the encrypted copy on our servers is used to recognize that you have a key for that provider, but it cannot be used to retrieve the key value to your new device.
When you delete a key from Settings → Keys & Models, the corresponding row in user_api_keys is deleted. When you delete your account, all of your keys are deleted as part of that flow. When you turn off Cloud Sync and choose “delete keys from cloud,” the same deletion runs and your local OS-keychain copy stays on the device.
AI tool routing preferences. When you change which AI model handles which tool (Settings → Keys & Models → routing controls), those preferences are stored on our servers in the user_routing_overrides table so the same routing applies on your other devices. The table contains your user ID, the tool identifier, and your chosen provider/model — no manuscript content. Routing preferences are deleted when you delete your account or use the “Delete all cloud data” action.
Billing data
Stripe customer and subscription references. When you subscribe or make a purchase, Stripe (our payment processor) creates a customer record. We store a reference to your Stripe customer ID and subscription ID in our database — never your payment card number, which stays with Stripe. We collect this to manage your subscription and process billing.
Allowance and debit logs. Records of your credit balance, credit usage per pipeline run, and top-up purchase history. We collect this to track your usage, enforce credit limits, and support billing accuracy.
AI pipeline usage metadata. Each time you run an AI tool, metadata about the run is logged: token counts, estimated and charged costs, tool type, AI model used, duration, key source (platform, your own key, or local model), and a timestamp. You decide what happens to that metadata through three settings, each independent of the others:
- Cloud Sync (per device) — you decide whether this device participates in cloud sync at all. When off, no usage metadata leaves this device via the sync path. When on, the device can both upload its own rows and pull rows other devices wrote.
- Sync activity between desktop and web (per account) — you decide whether your desktop app’s behavioral records reach our servers. On the desktop app, when off, your writing activity log, BYO usage records, and World Search diagnostic rows stay in local files on the device that captured them. When on, they upload to our cloud and stream back to your other devices. On the web, behavioral records flow to our cloud regardless — there’s no local-only mode for any data on web (closing the browser tab would mean lost work); this setting then controls whether your cross-device view on web aggregates other devices’ contributions.
- Briefing Detail (per account) — you decide how much per-call attribution is included on rows that do upload. At “robust”, reference identifiers (book, character, result IDs — these are database keys, not your content) are preserved. At “minimal”, they are stripped. At “off”, refusal-reason labels are also stripped. Briefing Detail does not decide whether rows upload — that’s the job of the two settings above.
You can change any of these settings at any time, and we never override a selection you’ve made. Where you start depends on your plan and where you live: accounts in the European Union, European Economic Area, and United Kingdom begin with the most restrictive defaults; outside those regions, some Pro features (like cross-device summaries) start enabled so the product works as advertised — you can turn them off immediately. Your current state is always visible and editable in Settings → Privacy & Data.
The AI engine that produced a row (platform credit, your own key, or a local model) does not change what we keep or send — your settings do. The one carve-out: platform-credit calls always create a billing record on our servers because we have to charge against your account credit. Everything else — your own keys, local models, all detailed metadata beyond that billing record — follows the settings you chose.
Local and cloud usage history. A local copy of usage metadata is preserved on each device so your usage history and cost summaries continue to work even when the network is unavailable. You own this record on your device — your AI tool calls are financial transactions, and we keep them on your machine for as long as you keep them. The local store is layered for performance: detailed per-call records for the most recent 90 days in a single hot file; older per-call records moved into monthly archive files (one file per month) so they remain inspectable; and per-day cost summaries kept indefinitely so historical totals are always available without reading every individual record.
When Cloud Sync and “Sync activity between desktop and web” are both on, your devices pull each other’s usage rows from our servers and merge them into the same local archive, deduplicating by call so each AI tool run is counted once. The result: each of your devices ends up with a complete, granular record of every AI tool call across all your devices — for as long as you keep the local files. You can see the total disk space used and the span of days covered by your local usage data in Settings → Billing → Local usage data, and export the merged history to JSON from the same panel.
The local usage log on the desktop app is the canonical record of every AI tool call you make on that device. It is populated automatically per call, regardless of cloud sync preferences, and is yours to read, export, or delete at any time. Whether a cloud record also exists depends on the platform, the key type, and (on desktop) your sync settings.
On the desktop app, calls using Wonderthrough’s platform keys always produce a cloud billing record — that’s required for us to bill you and meet our tax / audit obligations. Calls using your own API keys (BYO) or a local LLM behave as follows:
- Cloud Sync off for the active project: the call travels directly from your device to the provider via your operating system’s secure keychain (local-LLM calls stay entirely on-device). Wonderthrough’s servers don’t see the request. Usage metadata stays in a local file on the device that captured it.
- Cloud Sync on for the active project (BYO only — local-LLM is always direct): the call briefly transits Wonderthrough’s ai-proxy so the BYO key can be resolved server-side from the encrypted copy in
user_api_keys. The prompt and response aren’t kept by ai-proxy beyond the call. Usage metadata is logged on our server. If your cloud-stored BYO key fails (missing, invalid, or revoked) and a working local copy exists on the device’s keychain, we’ll fall back to the direct local path so you can keep working.
On the web app, AI calls — including those using your own API keys — pass through our server (the ai-proxy that forwards your call to the provider), because the browser can’t safely call providers directly. The ai-proxy logs the usage record on our server regardless of any client-side setting. Web BYO usage records always exist in our cloud; there’s no local-only mode for them on web. Local-model calls aren’t supported on the web app.
BYO authentication fallback. When you’re on the desktop app with Cloud Sync on and we can’t use the BYO API key stored on our servers (because it’s missing, the provider rejected it, or you’ve revoked it), Wonderthrough will fall back to using the same key from your operating system’s keychain — sending the call directly from your device to the provider for that one call. We surface this as a notice in the app so you know it happened and can update the cloud copy of the key. This fallback only engages when a working local copy of the key exists; without one, the call returns an error so you can fix the key.
When you delete your account, the retained billing records described above have their user identifier replaced with a fresh anonymous value, severing the link to the deleted account. Aggregate financial records (such as total revenue) remain queryable for tax-compliance purposes; per-user attribution after account deletion is irrecoverable by design.
When an AI tool run fails (for example, because the AI provider declined the request), we also log the failure status, a broad technical error category (such as “rate_limit” or “safety_filter”), and the provider’s error code. The error category is a technical classification bucket — it is never a fragment of your content. The Briefing Detail setting controls which of these fields reach our servers: at “minimal” the refusal-reason category label is additionally stripped because even the label implies server-side inspection of the response. This metadata is used for billing correctness and support diagnostics, never for content moderation or account review.
Diagnostic data
Feedback submissions. When you use the in-app feedback form, we collect the title, description, and severity you provide, along with technical context (app version, platform, operating system, current route, recent error codes, your telemetry and privacy preset preferences). If you choose to attach a screenshot, that is included as well. We never auto-populate your manuscript text or entity names into feedback — only you decide what to type and what to screenshot. We collect this to improve the product and resolve issues you report.
Product telemetry (PostHog). We collect product analytics events via PostHog. These events include feature usage patterns, funnel completion data, and feature flag exposure. They never include manuscript text, entity names, or any of your creative content. Session recording is disabled. See Section 13 for details on essential versus optional telemetry and how consent works.
World Search query log (Standard preset only). When you ask a World Search question on the Standard preset, we record a single diagnostic row to help us understand and improve retrieval quality. This row includes: a SHA-256 hash of the normalized query (never the raw text), the query’s length, the tab scope (scene / book / project / discovery / entity), the chunk identifiers returned by retrieval, the chunk identifiers the model cited, per-step latencies, the model used, and a success/error/cancelled status. It does not include your query text, any chunk text, or the generated response. On the Private AI and Local-only presets, this log is not written at all.
Where the diagnostic row lives depends on your Writing activity details setting and the platform. Off — nothing is recorded, on any platform. Minimal — chunk identifiers are stripped at write time. Robust — full row. On the desktop app, Sync activity between desktop and web then governs whether the row leaves the device (off keeps it in a local file). On the web app, the row flows to our cloud regardless (no local-only mode), and that setting controls the cross-device view at read time.
The returned and cited chunk identifiers are derived from entity UUIDs that Wonderthrough already holds for project data on the Standard preset. Aggregated over time, they reveal which entities you searched most — a behavioral signal about your creative process. No prose, names, or content are included in these identifiers. This is why the Minimal level strips them.
Activity metadata (Standard preset only). When you edit a scene, save an entity, run an AI pipeline, or open a writing session, Wonderthrough records a structured event for that action — capturing the action type, timestamp, word-count deltas, and structural reference identifiers (which scene, book, entity type, session). We use this metadata to power cross-device session briefings (“here’s what you worked on yesterday on your other device”), writing analytics (per-day word counts, revision intensity), and pipeline budget status.
Whether the event reaches our cloud database depends on the platform. On the desktop app, events are written first to a local file (activity.jsonl) and uploaded to our cloud only when Sync activity between desktop and web is on — otherwise they stay on the device. On the web app, events are written directly to our cloud (no local-only mode); the same setting then controls whether your cross-device view aggregates other devices’ events into the unified history.
This metadata does not include:
- Prose or any manuscript text
- Scene titles, chapter titles, arc titles, or character/location/entity names you’ve authored
- File paths on your device
- Names automatically detected by our prose scanner during a writing session
These fields are stripped by a privacy filter on your device before any event reaches our servers. This stripping is verified by our internal privacy audit and by continuous test coverage of the strip rule.
What we do receive includes: the action type (for example, scene-edit, pipeline-run, session-open), the timestamp, structural reference identifiers (database UUIDs that link back to your project data — reference keys, not your content), word counts (numbers only, never the words themselves), and for pipeline-run events the model used, duration, charged cost, and a result identifier that points to the corresponding pipeline output already stored in your account.
On the Private AI and Local-only presets, no activity metadata is sent to our servers. Events are recorded only in a local file on your device, where they continue to power same-device session briefings and writing analytics. They never leave the machine. The privacy preset in effect at the moment each event was emitted is recorded on the event itself, and our sync layer respects that recording: events emitted on Private AI or Local-only stay local even if you later switch to Standard, and events emitted on Standard sync as expected even if you later switch to a non-syncing preset.
Error reports (Sentry). When the application encounters an error, we may send an error report to Sentry containing the error message, stack trace, and platform/environment tags. These reports never include your manuscript text or creative content.
Settings change history. A timestamped record of when you change any of the four atomic privacy settings (Allowed AI sources, Cloud Sync, Writing activity details, Sync activity between desktop and web). Each entry includes the new value, the previous value, the device class (desktop-mac / desktop-win / desktop-linux / web-browser), and an opaque per-device identifier. Not a device fingerprint — no canvas, font, or hardware enumeration. We keep this as a forensic audit trail (proving we honored your settings at any past moment); it will also power a user-facing settings-history view in a future release. Retention: rolling 24 months; deleted on account deletion; not affected by the per-feature Manage your data controls.
Entitlement cache. A local cache of your current subscription tier and feature entitlements, used to deliver the correct feature set without requiring a network call on every action. On the desktop app, this cache is encrypted using your operating system’s secure keychain (Keychain on macOS, DPAPI on Windows, libsecret on Linux). On the web app, it is stored in your browser’s local storage.
4. How we use your data
We process your personal data under the following legal bases, as defined by the EU General Data Protection Regulation (GDPR) Article 6:
Contract performance (Article 6(1)(b))
We process data as necessary to provide the Wonderthrough service to you:
- Storing and delivering your manuscripts, entities, projects, and AI pipeline results
- Authenticating your identity and managing your account
- Processing billing, managing subscriptions, and tracking credit usage
- Sending your content to AI providers when you run a pipeline, and returning the results to you
- Producing a data export when you request one
Legitimate interest (Article 6(1)(f))
We process certain data where we have a legitimate business interest that does not override your rights:
- Essential telemetry for service reliability: authentication events (signup completed, signup failed), billing webhook processing, and crash reports that block service delivery. These events are necessary to keep the service running and do not include your manuscript content or entity names.
- Security monitoring: access logging, session management, and admin audit trails to protect your data and our systems.
- Product improvement via aggregated, non-content usage patterns (pipeline completion rates, feature adoption) to understand how the product is used and where it needs improvement.
- Feedback triage: processing your feedback submissions to resolve bugs and improve the product.
Consent (Article 6(1)(a))
We process certain data only with your explicit, informed consent:
- Optional product analytics via PostHog: feature usage, funnel analysis, and performance metrics. You can grant or withdraw consent at any time in Settings, and your choice is respected immediately.
- Google OAuth sign-in: when you choose to sign in with Google, you grant Google permission to share your email and profile information with us. You can revoke this in your Google account settings.
Legal obligation (Article 6(1)(c))
We process certain data to comply with legal requirements:
- Financial record retention: billing records, usage logs, and transaction history are retained for 7 years to comply with US tax and financial audit regulations (IRS requirements and California state tax law).
- Mandatory reporting: if we become aware of child sexual abuse material (CSAM), we are required to report it to the National Center for Missing & Exploited Children (NCMEC) under 18 U.S.C. section 2258A.
- Legal process: we comply with valid subpoenas, warrants, and court orders as required by applicable law.
What we do not do with your data:
- We do not use your content for advertising or ad targeting.
- We do not build behavioral profiles of you for marketing purposes.
- We do not sell your personal data to any third party, in the ordinary sense or in the CCPA/CPRA sense.
- We do not use your content to train AI models. This applies to Wonderthrough and to our AI providers under their current commercial API terms.
- We do not scan your private content for moderation, compliance, or any other purpose. The code paths to do so do not exist in our product.
5. Privacy presets
Wonderthrough offers three privacy presets that give you control over how your data flows when you use AI tools. This is one of Wonderthrough’s core features and we want you to understand exactly what each preset means.
Privacy preset is per-device. Your choice of privacy preset applies to the device or browser where you set it. If you use Wonderthrough on a desktop and on the web, or on two desktops, each surface can have its own privacy preset. We do not synchronize this preference across devices.
Privacy preset is independent of Cloud Sync. Cloud Sync is an account-level toggle (Settings → Data) that controls whether your projects, BYO keys, and routing preferences are mirrored to our servers across your devices. Privacy preset controls how AI tool calls flow from a single device. The two compose:
- Cloud Sync on + Standard: AI calls route through Wonderthrough; project content syncs across your devices.
- Cloud Sync on + Private AI: AI calls transit Wonderthrough’s ai-proxy so your BYO key can be resolved server-side (the conversation isn’t kept beyond the call); project content still syncs. If you want full bypass, leave the Private AI preset’s Cloud Sync at its default — off.
- Cloud Sync off + Standard: AI calls route through Wonderthrough; project content stays local to this device.
- Cloud Sync off + Private AI / Local-only: nothing about AI tool runs from this device transits our servers, except the usage-metadata exception described below. This is the Private AI preset’s default state.
Standard (default)
Available on: web app and desktop app.
When you run an AI tool on the Standard preset, your content is sent to the selected AI provider through Wonderthrough’s proxy layer (an edge function called “ai-proxy”). The proxy authenticates your request, routes it to the provider, and returns the response. The proxy processes your content in memory and does not store it. It is a stateless transit layer.
Usage metadata logged on the Standard preset includes reference identifiers (book ID, character ID, result ID) that link back to your project data. These are database keys used for support and billing audit, not your content.
Standard preset is the default because it is the most convenient: it works on all platforms, uses Wonderthrough’s platform API keys when you don’t have your own, and requires no additional configuration.
On the Standard preset, your World Search index lives where your project content lives: when Cloud Sync is on (Pro) and you’ve opted the project in to sync, both your manuscript and search index are stored on our servers, scoped per-project with row-level security, and available from any device where you’re signed in. When Cloud Sync is off — or for projects you have not opted in to sync — the index is stored locally on the device that owns the project.
Private AI
Available on: desktop app only.
On the Private AI preset (desktop app only), your content bypasses Wonderthrough’s proxy entirely on that device. AI tool requests go directly from your device to the AI provider using your own API keys (bring-your-own, or BYO). Wonderthrough’s servers never see your content from a Private-AI desktop session. Note for web users: the Private AI preset is not available on the web app — on the web, all AI calls (including those using your own keys) pass through our ai-proxy as described in the platform-availability section below.
Usage metadata is still logged for billing purposes, but all reference identifiers (book ID, character ID, result ID) are stripped before the metadata reaches Wonderthrough’s servers. Even failure-category labels that could imply server-side inspection are stripped. What reaches our servers is limited to technical fields: token counts, costs, tool type, model, duration, and timestamps.
The Private AI preset requires you to provide your own API keys for the AI provider(s) you want to use. Where those keys are stored is described in Section 3 under “BYO API keys” — in summary, the desktop app stores them in your operating system’s keychain by default, and an additional encrypted copy is held on our servers if you have Cloud Sync turned on. Your billing and content relationship with the AI provider is directly between you and them — their privacy policies apply in addition to ours.
A note on key storage versus AI call routing. The Private AI preset controls where AI tool calls go from this device — they bypass our servers and reach the AI provider directly. The preset also sets Cloud Sync to off by default (this is what keeps the routing direct), which in turn means your BYO API keys live only in your operating system’s keychain on this device — no encrypted server-side copy is held. If you manually re-enable Cloud Sync after selecting Private AI (so cross-device project access works), an encrypted copy of each key is then mirrored to user_api_keys, and BYO calls from this device will route through our ai-proxy so the key can be resolved server-side. Most users who pick Private AI specifically to keep content off our servers will want to leave Cloud Sync at its preset default (off).
World Search on the Private AI preset stores the search index locally on your device (LanceDB inside Wonderthrough’s userData directory). Embedding requests go directly from your device to OpenAI using your own key, and generation requests go directly to Anthropic using your own key. Nothing transits or lands on Wonderthrough’s servers for search, and no query telemetry is logged. Private AI requires both an OpenAI API key (for embeddings) and an Anthropic API key (for generation). Because the index is on your device, it does not sync across computers. Opening the same project on a second machine will build a fresh index on that machine.
Local-only
Available on: desktop app only.
On the Local-only preset, AI tools run entirely on your device using a local language model. No AI requests leave your machine. No content is transmitted over the network for AI processing.
Usage records produced by AI tool runs against a local model — like any other usage records — follow your Cloud Sync and Sync activity between desktop and web settings. If both are off, the records stay on this device. If both are on, they sync to our servers and become visible on your other devices alongside records from other engines. Briefing Detail still governs the per-call attribution included in any row that does sync. The local store layout described in Section 4 (90-day hot file, monthly archives, per-day summaries kept indefinitely) applies regardless of which engine produced the row.
World Search on the Local-only preset runs entirely on your device. Embeddings and generation go through a local Ollama model on your machine, and the search index is stored locally in LanceDB. No cloud provider calls are made for search. As with Private AI, the local index does not sync across computers. Local-only requires Ollama to be installed and running, an embedding model pulled (nomic-embed-text), and a generation model of your choice.
Platform availability summary
| Mode | Web app | Desktop app |
|---|---|---|
| Standard | Yes (default, only option) | Yes (default) |
| Private AI | Not available | Yes |
| Local-only | Not available | Yes |
Availability applies to both AI pipelines and World Search. On the web app, World Search is available only on the Standard preset.
Important note for web app users with BYO keys: On the web app, all AI tool requests — including those using your own API keys — transit Wonderthrough’s servers for authentication, rate limiting, and entitlement enforcement. Your key is stored encrypted-at-rest on our servers and used on your behalf at request time; we never send the decrypted key value back to your browser. If you want your content to go directly from your device to the AI provider without transiting our servers, use Private AI preset on the desktop app.
6. Who we share data with
We share your data with the following third-party service providers (sub-processors), each of which processes data on our behalf under contractual obligations that limit their use of your data to providing their service to us.
Infrastructure and payments
Supabase — our core infrastructure provider. Handles authentication, database storage, edge functions, and real-time data sync. Receives your account data, project data (for web app and cloud-synced desktop users), usage logs, and feedback metadata. Region: US (AWS us-east-1). DPA.
Stripe — our payment processor. Handles subscription billing, payment processing, and the Customer Portal where you manage your payment methods and invoices. Receives your email address and tokenized payment information (Wonderthrough never sees or stores your card number). Region: US (global processing). DPA.
AI providers
We use three AI providers. When you run an AI pipeline using platform keys, your content transits our proxy layer in memory and is sent to the selected provider. The proxy does not store your content. When you use your own API keys on the desktop app on the Private AI preset, both AI pipeline content and World Search embedding/generation traffic go directly from your device to the provider, without transiting our servers. In that case, your relationship with the provider (including their retention of your requests) is directly between you and them under their terms.
None of our AI providers use your content to train their models under their current commercial API terms, and Wonderthrough has confirmed this with each provider.
Anthropic (Claude) — primary AI provider for most text-based pipelines. Receives manuscript content, entity profiles, and pipeline instructions when you run a pipeline routed to Claude. Region: US. Commercial terms.
OpenAI (GPT, DALL-E) — secondary AI provider for select text pipelines and image generation. Receives manuscript content or image generation prompts depending on the pipeline. Region: US. DPA.
Google (Gemini + OAuth) — optional AI provider (Gemini) and authentication provider (Google OAuth). Gemini receives manuscript content when you run a pipeline routed to Gemini. Google OAuth receives your sign-in request and returns your email and profile information. Wonderthrough does not request the birthday scope from Google OAuth. Region: US (global). DPA.
Analytics and error tracking
PostHog — product analytics and feature flags for both the app and the marketing site (wonderthrough.com). Receives event names and structured metadata properties only; for the marketing site this is website-usage data such as pages visited and referral source. Does not receive manuscript text, entity names, or any creative content. Session recording is disabled. On the marketing site, analytics cookies are set only with your consent in the EU, EEA, UK, and Switzerland. Region: US (PostHog Cloud). DPA.
Sentry — error tracking and monitoring. Receives error messages, stack traces, and platform/environment tags. Does not receive manuscript text or creative content. Region: US (Sentry Cloud). DPA.
Other services
Vercel — hosts our marketing and help site at wonderthrough.com. Receives standard web-hosting data (client IP addresses, request headers, HTTP request paths). The marketing site lets you sign in so your session carries over from the app; authentication is handled by Supabase, and Vercel receives only standard hosting data, not the contents of your account. Region: US with global CDN. DPA.
Craft — feedback collection backend. When you submit feedback via the in-app feedback form, your submission (title, description, technical context, and any screenshot you attached) is forwarded to Craft for triage by our team. No manuscript content or entity names are included in feedback submissions. Region: United States (pending confirmation). DPA: pending (account-specific — Wonderthrough is obtaining a DPA from Craft before publication of this policy).
For the full, current sub-processor list, see wonderthrough.com/legal/sub-processors.
7. International data transfers
All of our sub-processors process data primarily in the United States. If you are located in the European Union, European Economic Area, or United Kingdom, your data is transferred to the United States for processing.
We rely on the following mechanisms to ensure these transfers comply with applicable data protection law:
Standard Contractual Clauses (SCCs). We use the European Commission’s 2021 standard contractual clauses, incorporated into our Data Processing Agreement and into each sub-processor’s own data processing agreement. SCCs provide contractual safeguards for international data transfers as recognized by EU and UK data protection authorities.
Supplementary measures. In addition to SCCs, we implement:
- Encryption in transit (TLS/HTTPS) for all data transfers
- Minimum-necessary data sharing — we send each sub-processor only the data required for their specific function
- Contractual restrictions on sub-processor use of your data beyond the purpose for which it was shared
Transfer Impact Assessment. Wonderthrough has conducted a transfer impact assessment evaluating the risk of government access to personal data transferred to the United States. The assessment considers the nature of the data we process, the legal framework in the destination country, and the supplementary measures described above. Business customers with an executed DPA may request a copy of this assessment by contacting support@wonderthrough.com.
If the legal landscape for international data transfers changes (for example, through new adequacy decisions or transfer frameworks), we will update our transfer mechanisms accordingly and notify affected users.
8. How long we keep your data
We retain your data only as long as necessary for the purpose it was collected, or as required by law. Below are the specific retention periods for each data category.
| Data category | Retention period | Reason |
|---|---|---|
| Active account data (profile, auth, projects, content) | Duration of your account | Necessary to provide the service |
| Deleted account data (soft-delete grace period) | 30 days after deletion request | Accidental deletion recovery window |
| Manuscript, entity, and project content (cloud-stored) | Duration of your account + 30-day grace period | Necessary to provide the service; the 30-day grace period is a recovery window after account deletion. Deleting an individual project removes that project’s content immediately, with no grace period or recovery window (see “Delete a single project from the cloud” below). |
| Project deletion record (project name and deletion timestamp only — no content) | Up to 30 days after you delete a project | Tells your other devices that the project has been deleted so they can remove their local copies; permanently removed by an automated sweep after 30 days |
BYO API keys (encrypted, in user_api_keys) | Until you remove the key, turn off Cloud Sync with the “delete keys” choice, or delete your account | Used to authenticate requests to AI providers on your behalf |
AI tool routing preferences (user_routing_overrides) | Duration of your account | Used to apply your tool-by-tool model choices across your devices |
AI tool usage metadata — calls billed by Wonderthrough’s platform keys (ai_usage_log rows where key_source = 'app', cloud) | 7 years measured from each row’s creation date | US tax and financial audit compliance; per-call detail required for billing audit. Cannot be deleted on user request during the retention window — these records prove what we charged you for. After account deletion they have their user identifier replaced with a fresh anonymous value and continue to be retained for the remainder of each row’s 7-year retention measured from the row’s own creation date (not from the account-deletion date). |
AI tool usage metadata — calls using your own keys or a local LLM (ai_usage_log rows where key_source IN ('byo', 'local'), cloud) | Until you delete them, or until account deletion | These rows are in our cloud only because you opted into Sync activity between desktop and web — they let your other devices see calls you made elsewhere. No retention obligation. Deletable on demand via Manage Cloud Data → Delete cloud usage history. At account deletion, removed alongside other deletable cloud data. |
| Deleted project record (billing stub) | 7 years (matches ai_usage_log retention) | When you delete a project, the projects row is stripped to a minimal billing stub (project ID, an anonymized label like “Deleted Project · abc123”, created/deleted timestamps, owner reference) and retained so the associated ai_usage_log rows have a stable, attributable target. The original project name is replaced with the anonymized label at the 30-day strip mark; no user-authored content is retained. |
| AI tool usage metadata — per-day aggregates (cloud) | n/a | We do not currently maintain a server-side rollup table for AI usage; per-call rows are the source of truth for the 7-year retention window |
| Local usage log — detailed per-call records (desktop, hot file) | 90 days | Bounded to keep the active log fast to read; older detail moves to monthly archive files on the same device. Populated unconditionally per AI call from this device — neither Cloud Sync nor Sync activity between desktop and web gates this-device ledger writes. |
| Local usage log — monthly archive files (desktop) | Until you delete them | On-device record of every AI tool call you’ve made (and, when cross-device summaries are on, calls made on your other devices); merged at age-out time so each call is preserved exactly once |
| Local per-day cost summaries (desktop) | Indefinitely | Powers fast historical charts and lifetime spend; small in size |
| Billing records (debit logs, top-up records, allowances) | 7 years | US tax and financial audit compliance |
| Stripe customer records | Per Stripe’s own retention policy (indefinite) | Managed by Stripe independently of Wonderthrough |
| PostHog telemetry events | 24 months | Product analytics; GDPR data minimization |
| Sentry error reports | 90 days | Debugging utility; automatic expiry |
| World Search index (cloud, Standard preset with sync) | Duration of project + 30-day grace | Necessary to provide World Search; tied to project lifecycle |
| World Search query log (Standard preset only) | 24 months | Diagnostic analytics; matches PostHog retention |
Activity metadata — granular events (activity_log, cloud) | 90 days | Powers recent cross-device session briefings; bounded to keep the per-event footprint small. Matches local desktop retention so the user’s view is consistent on both surfaces |
Activity metadata — per-day aggregates (activity_rollups, cloud) | Duration of your account + 30-day grace | Powers the writing heatmap, streak counters, and historical analytics across multi-year ranges. Aggregates contain no per-event attribution, no prose, and no user-authored display strings — just summed counts and word-count deltas keyed on (project_id, scene_id, date) |
Settings change history (user_settings_history, cloud) | 24 months from each change’s timestamp | Forensic audit trail for the four atomic privacy settings; deleted on account deletion; not affected by per-feature Manage your data controls |
| World Search index (local device, all other modes) | Until you delete it | Stored on your device; not retained by Wonderthrough |
| Feedback submissions | 3 years | Product improvement and support pattern analysis |
| Webhook idempotency records | 30 days | Billing processing integrity |
| Auth sessions | Per Supabase defaults (1-hour access token, 30-day refresh token) | Standard session management |
Important disclosures about billing-linked records:
AI pipeline usage metadata and billing records (debit logs, top-up records, and allowance tables) are retained for 7 years from the transaction date. This is required by US federal tax law (IRS rules require 7-year retention of financial records) and California state tax law. These records cannot be deleted on your request during the 7-year retention window. They contain no manuscript content — only metadata such as transaction amounts, timestamps, token counts, pipeline types, and model identifiers. On the Standard preset, they also contain database reference identifiers (book ID, character ID, result ID) that can be joined to your project data by Wonderthrough engineers for debugging and billing audit; no third party has access to perform this join. On the Private AI and Local-only presets, these reference identifiers are stripped.
Your Stripe customer record (payment history, subscription records, invoices) is retained by Stripe per Stripe’s own data retention policy, independently of Wonderthrough. When you delete your Wonderthrough account, we remove the link between your Wonderthrough profile and your Stripe customer record, but we cannot force Stripe to delete their record. Stripe’s privacy policy governs their retention of that data.
Activity metadata comes in two layers in our cloud, retained on different schedules per the table above. Granular events (one row per scene edit, session open, etc.) are kept for 90 days — long enough to power recent cross-device session briefings, bounded so the per-event footprint stays small. Per-day aggregates (one row per scene per day with summed counts) are kept for the duration of your account; they power the writing heatmap, streaks, and multi-year historical views, and contain no per-event attribution or prose. Both layers contain no user-authored display strings (scene titles, character names, arc titles) and no file paths — those fields are stripped on your device before upload. The structural reference identifiers granular events contain (book ID, scene ID, entity ID) can be joined by Wonderthrough engineers to your project data for debugging, support, or your own data export request — the same correlative-identifier capability that applies to AI pipeline usage metadata. No third party has access to perform this join. On the desktop app, when Cloud Sync or “Sync activity between desktop and web” is off, activity metadata stays in local files on the device and is never sent to our servers, so this retention schedule does not apply. On the web, activity metadata always reaches our servers (no local-only mode), and the retention schedule above applies regardless.
Legal hold exception: Any retention period may be extended for accounts subject to active legal process, regulatory investigation, or other legal obligations. This is managed via an internal flag and is used only when required by law.
9. Your rights
You have rights over your personal data under applicable privacy law. This section describes those rights and how to exercise them.
Rights for all users
Access. You can request a copy of the personal data we hold about you. Standalone data access requests (without deletion) are fulfilled within 30 days in a machine-readable format (ZIP archive containing your manuscripts, entities, project metadata, AI pipeline results, feedback submissions, billing history, and usage logs). If you request account deletion, an expedited data export is included in the deletion confirmation within 2 business days — see “Deleting your account” below.
Rectification. You can correct inaccurate personal data. Most data (display name, email, project content) can be corrected directly in the app. For data you cannot edit yourself, contact us and we will correct it.
Erasure (“right to be forgotten”). You can request deletion of your account and associated data. See “Deleting your account” below for the full process, including the 48-hour reversal window and the billing-record retention carve-out.
Restriction. You can ask us to pause processing of your data while we resolve a dispute or verify a correction.
Portability. You can receive your data in a machine-readable format. The same ZIP export used for access requests and account deletion serves this purpose.
Objection. You can object to processing based on our legitimate interests. We will stop that processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms.
Consent withdrawal. You can withdraw consent for optional telemetry at any time in Settings. Your withdrawal takes effect immediately and does not affect the lawfulness of processing before withdrawal.
Automated decision-making. Wonderthrough does not make automated decisions that produce legal or similarly significant effects on you.
Additional rights for California residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of your personal information. Wonderthrough does not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not sell data to data brokers, advertisers, or any other third party. We do not share data for cross-context behavioral advertising.
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising any of these rights. We will not deny you service, charge you different prices, or provide a different quality of service because you exercise your privacy rights.
- Authorized agents. You may designate an authorized agent to exercise your CCPA/CPRA rights on your behalf. To do so, provide the agent with written permission signed by you, and have the agent contact privacy@wonderthrough.com with that documentation. We may verify your identity directly before fulfilling the request, even when submitted by an authorized agent.
Additional rights for EU/EEA/UK residents (GDPR / UK-GDPR)
If you reside in the European Union, European Economic Area, or United Kingdom, you have all of the rights described above plus:
- Right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your data violates applicable data protection law
Deleting your account
Wonderthrough offers two related deletion paths:
- Delete all cloud data (in the desktop app, Settings → Data) wipes your projects, BYO API keys, and routing preferences from our servers. Your account and subscription stay active; your local data on each device stays where it is. The confirmation modal includes an opt-in to request full account deletion in the same flow.
- Full account deletion (requested via support email or via the opt-in above) additionally removes your account profile and authentication credentials. The request is processed manually after a 48-hour reversal window. During that window you can cancel at any time via a one-click link in the confirmation email, via the in-app banner that appears on every authenticated page, or by replying to the confirmation email. After 48 hours, the account cannot be recovered through our user-facing support channels.
To delete your Wonderthrough account, send an email to support@wonderthrough.com or use the opt-in in the “Delete all cloud data” modal. We will respond within 2 business days with a confirmation that includes a copy of your data in a ZIP archive.
We retain flagged-as-deleted account data internally for an additional period of up to 30 days after the 48-hour reversal window for legal-hold safety and accidental-deletion recovery, after which the account data is permanently anonymized or removed as described below.
What is deleted:
- Your account profile, email, authentication credentials, and session tokens
- Your privacy preferences, telemetry consent, and feature flags
- Any manuscripts, entities, projects, and AI tool results that were synced to our cloud (web app users, or desktop app users with Cloud Sync enabled)
- Your BYO API keys (encrypted entries in
user_api_keys) and your AI tool routing preferences (user_routing_overrides) - Your feedback submissions
What is NOT deleted:
- Local data on the desktop app. Your manuscripts, entities, and project files stored locally on your computer are not affected by account deletion. The same applies to BYO API keys held in your operating system’s keychain — only the encrypted server-side copy is removed; the local copy stays on the device. Wonderthrough does not have access to these files; they remain on your device.
- Billing records and AI usage metadata are retained for 7 years from each row’s creation date as required by US tax and financial audit regulations. These records contain no manuscript content — only per-call metadata (timestamp, model, token counts, cost, the project ID and book/character/result identifiers when present, and a request ID for cross-referencing).
- Anonymized project stubs (for projects you’ve deleted) are retained alongside the billing records during the same 7-year window so the records have a stable target. Each stub contains the project’s ID, deletion date, and an anonymized label (e.g., “Deleted Project · abc123”). The original project name is replaced with the anonymized label when the project’s 30-day grace window ends. No user-authored content (manuscripts, entities, worldbuilding, or the original project name) is retained.
- Account-level anonymization. When you delete your account, the retained billing records described above have their user identifier replaced with a fresh anonymous value before your account is removed. They continue to be retained for the remainder of each row’s 7-year retention measured from the row’s own creation date (a row from 5 years before account deletion has 2 years left, not a fresh 7). The aggregate financial records remain for tax-compliance purposes but are no longer linkable to you. We cannot reverse this; per-user attribution after account deletion is irrecoverable by design.
- Consent records (EU Settings 3/4 consent, telemetry consent, age attestation) are pseudonymized rather than deleted, retained for approximately 3 years to demonstrate compliance under GDPR Article 7(1) (“controller shall be able to demonstrate that the data subject has consented”), and disconnected from your identity. The original user identifier is cleared at the moment of account deletion; only the compliance artifacts (timestamp, disclosure version, choice, jurisdiction, lawful basis) remain. After the 3-year retention, the rows themselves are deleted.
- Operator audit link. For legal-hold capability, we retain an access-restricted operator audit record linking your deleted account to the anonymous billing identifier for 6 years post-deletion. After 6 years the audit record is destroyed, after which the link between your original account and the anonymous billing rows is irrecoverable by anyone — including operators with legal-hold authority.
- Your Stripe customer record is retained by Stripe per Stripe’s own data retention policy. We remove our link to it, but Stripe maintains the record independently.
Deleting cloud data without deleting your account
Wonderthrough offers two distinct deletion paths and they do different things. Full account deletion is requested via support email (described above) and removes the account itself along with everything attached to it. Scoped cloud-data deletion is initiated in the desktop app and removes content from our servers without touching the account or subscription. The remainder of this section covers the scoped path.
You don’t have to delete your account to remove your content from our servers. The Wonderthrough desktop app provides two scoped deletion actions in Settings → Privacy & Data:
- Delete a single project from the cloud. Removes that project’s manuscript, entities, scene content, notes, search index, and stored images from our servers. This deletion is immediate and permanent — the content is removed right away, with no grace period or recovery window, and cannot be restored by us. (The local copy on your device is unaffected, and if you keep that local copy you can re-upload it later.) A minimal record of the project (the project name and the deletion timestamp only — no content) is retained for up to 30 days so your other devices can detect the deletion and remove their local copies; an automated sweep permanently removes the record after 30 days.
- Delete all cloud data. Removes every project you own from the cloud (using the same per-project flow above for each project), plus your BYO API keys and your AI tool routing preferences. Your account, subscription, and local data on each device stay where they are. The same 30-day per-project deletion-record retention applies to each project removed by this action.
Both actions use a confirmation prompt before they run. Account-scope deletion requires a recent sign-in (within the last few minutes) to prevent stale-session mass-delete; if your session is older, we ask you to sign in again before the action proceeds.
Local data storage and deletion
When you use the Wonderthrough desktop app, certain behavioral records are stored on your device in addition to (and sometimes instead of) our servers:
- AI usage records. Per-call records of every AI tool you’ve run — model used, tokens consumed, estimated and charged cost, whether the call used a Wonderthrough-billed platform key or your own (BYO) API key. The recent 90 days are kept in detail; older detail moves to per-month archive files; per-day cost summaries are kept indefinitely. Records of calls billed through Wonderthrough’s platform keys are uploaded to our servers automatically (we need them for billing). Records of calls using your own API keys or a local LLM follow your routing setup: on the desktop app with Cloud Sync off for the active project, these records are kept on the device only and reach our cloud only if you also turn on “Sync activity between desktop and web”; on the desktop app with Cloud Sync on (or on the web app at all times), BYO calls transit our ai-proxy so the key can be resolved server-side, and the usage record is logged on our server as part of the call — independent of the “Sync activity between desktop and web” setting. Local-LLM calls always stay device-local and follow the Sync-activity setting normally.
- Writing activity. A timeline of writes, runs, and acceptances per project, used for briefings and the writing-history timeline. Mirrored to our servers when sync is on.
- World Search history. Searches you’ve run against your worldbuilding entities. Mirrored to our servers when sync is on.
- BYO API keys. API keys you’ve added are stored in your operating system’s keychain (macOS Keychain, Windows Credential Manager, or freedesktop.org Secret Service). When sync is on, an encrypted copy is also mirrored to our servers so the same key works across your devices.
The web app does not store these records locally — they live only on our servers.
You can delete this data at any time. In the desktop app, go to Settings → Privacy & Data → Manage your data. Each category can be removed from this device, from our servers, or both. You’ll be asked to confirm by typing your email when the action affects our servers; the local-only path skips that step. On web, the same panel removes data from our servers.
Records of charges billed through Wonderthrough’s platform keys (where Wonderthrough provides the AI access) are retained for 7 years as required by US tax and financial audit regulations. These records cannot be deleted during that window; when you delete your Wonderthrough account, they are anonymized rather than deleted (as described above in “Deleting your account”). Records of BYO API key usage and local-LLM usage are removed when you delete them.
If any rows in your local copy haven’t yet been uploaded to our servers — typically because “Sync activity between desktop and web” was off when they were written — removing them is permanent. They never reached our servers and can’t be recovered. The app warns you of this before confirming and tells you how many rows are at risk.
How to exercise your rights
Contact privacy@wonderthrough.com to exercise any of these rights. We respond within 2 business days.
10. Children’s privacy
Wonderthrough is not directed to children. We do not knowingly collect personal information from children below the applicable minimum age.
Minimum age requirements:
- Globally: you must be at least 13 years old to create an account and use Wonderthrough.
- European Union, European Economic Area, and United Kingdom: you must be at least 16 years old to create an account and use Wonderthrough.
Age is self-attested at signup via the Terms of Service acceptance checkbox, which includes an age attestation. We determine which age threshold to display (13 or 16) based on your browser’s timezone: if your timezone corresponds to an EU/EEA/UK location, you see the 16+ attestation; otherwise, you see the 13+ attestation. When timezone detection is ambiguous, we default to the stricter EU threshold (16). We do not collect your date of birth, and we do not use third-party age verification services. Note: timezone detection is a best-effort signal — if you are an EU/EEA/UK resident whose browser reports a non-EU timezone (for example, due to a VPN or employer-configured device), you may see the 13+ threshold instead of 16+. Your legal obligations under GDPR Article 8 still apply regardless of which threshold our system displays. If you believe you were shown the wrong age attestation, contact support@wonderthrough.com.
We do not implement a parental consent flow. If you are below the applicable minimum age, you may not create a Wonderthrough account.
If we become aware that a user below the applicable minimum age has created an account, we will terminate the account and delete the associated data following the account deletion process described in Section 9.
Parents and guardians: if you believe your child has created a Wonderthrough account, please contact us at support@wonderthrough.com and we will promptly investigate and, if confirmed, delete the account and its data.
11. Security
We implement reasonable administrative, technical, and physical safeguards to protect your data. We are transparent about what measures we take and what certifications we do and do not hold.
Encryption in transit. All data transmitted between your device and our servers uses HTTPS (TLS). This includes authentication, API calls, database queries, and AI pipeline requests.
Encryption at rest. Our database provider (Supabase) encrypts stored data at rest using standard database encryption. On the desktop app, the entitlement cache is encrypted using your operating system’s secure keychain (Keychain on macOS, DPAPI on Windows, libsecret on Linux).
Access controls. Our database enforces per-user data isolation through Row Level Security (RLS). Each user can only access their own data through the application. Service-role keys used by our edge functions for administrative operations are access-controlled and logged via an admin audit trail.
Authentication. Passwords are hashed before any network transmission — Wonderthrough never receives or stores your plaintext password. Google OAuth is supported as an alternative sign-in method via our authentication provider.
No content scanning. Wonderthrough does not scan your private content for moderation, compliance, training, or any other purpose. This is not merely a policy choice — the code paths to scan content do not exist in our product. This is a core trust commitment. For details on how we handle content policy matters, see our Acceptable Use Policy.
Incident response. In the event of a personal data breach, we will notify affected users and applicable supervisory authorities as required by law. Under GDPR Article 33, this means notification to the relevant supervisory authority within 72 hours of becoming aware of the breach, and notification to affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Security documentation. Business customers with an executed Data Processing Agreement can request reasonable security documentation about our safeguards.
What we do not claim: Wonderthrough does not currently hold SOC 2, ISO 27001, HIPAA, or any other security certification. We implement reasonable security practices as described above and will pursue formal certifications as the business grows.
12. Storage technologies
Wonderthrough uses the following storage technologies on your device. We do not use tracking cookies for advertising, and we do not use third-party cookies for behavioral profiling.
Web app (app.wonderthrough.com)
The web app uses browser localStorage to store:
- Your telemetry consent preference
- Your privacy preset preference
- An anonymous telemetry device ID (rotating, not linked to your account unless you consent to optional analytics)
- Your entitlement cache (subscription tier and feature entitlements)
Our authentication provider (Supabase) stores your signed-in session in a strictly necessary first-party cookie on the .wonderthrough.com domain. This cookie keeps you logged in and is shared between the app and the marketing site so you do not have to sign in twice. It is not used for analytics or advertising, it refreshes as you keep using the service, and it otherwise expires within a year.
Desktop app
The desktop app uses:
- Your operating system’s secure keychain (via the platform’s safe storage API) for the encrypted entitlement cache
- The local filesystem for your manuscripts, entities, projects, and AI pipeline results
- Browser-like localStorage for preferences (telemetry consent, privacy preset)
Marketing site (wonderthrough.com)
The marketing and help site uses cookies:
- a strictly necessary cookie (
wt_cookie_consent) that records your cookie choice so we can honor it; - the shared strictly necessary sign-in session cookie described above, if you are signed in;
- a non-essential website-analytics cookie (PostHog) that helps us understand how people find and move around the site. In the EU, EEA, UK, and Switzerland this is set only after you consent through our cookie banner; everywhere else it runs by default and you can opt out at any time, including through the Cookie Settings link in the site footer.
Full cookie names, purposes, and lifespans are listed in our Cookie Policy.
Clearing stored data
You can clear your browser’s site data (which includes both cookies and localStorage) using your browser’s standard controls. Doing so will log you out of the web app, clear your telemetry consent choice, and reset your privacy preset preference. In all major browsers, clearing “cookies and site data” also clears localStorage.
13. Telemetry
Wonderthrough collects two categories of telemetry, with different consent requirements for each.
Essential telemetry (always on)
Essential telemetry events are necessary to operate and secure the service. They fire regardless of your consent preference and are processed under our legitimate interest (GDPR Article 6(1)(f)). Essential telemetry includes:
- Authentication events: signup completed, signup failed, login events. These help us detect authentication issues and maintain service reliability.
- Billing webhook processing: records of subscription lifecycle events (payment succeeded, payment failed, subscription canceled). These ensure billing accuracy.
- Crash reports that block service delivery: critical errors that prevent the application from functioning.
- Subscription state changes: tier transitions and trial lifecycle events.
Essential telemetry events do not include manuscript text, entity names, or any of your creative content. They use a rotating anonymous device ID that is not linked to your account identity.
Optional telemetry (consent-gated)
Optional telemetry events provide product analytics that help us understand how features are used, identify usability problems, and make product decisions. They require your explicit consent and include:
- Product analytics (PostHog): feature usage patterns, funnel completion, feature flag exposure. No content is included.
- Non-blocking error reports (Sentry): application errors that do not prevent service delivery.
- Performance metrics: page load times and other UI performance signals.
How consent works
When you first use Wonderthrough, you see a consent surface:
- EU/EEA/UK users see a blocking modal that requires an explicit opt-in choice before proceeding. Optional telemetry is off by default.
- Non-EU users see a dismissible banner. Optional telemetry is on by default, and you can opt out by interacting with the banner or at any time in Settings.
Both groups can change their telemetry preference at any time in Settings, under the Data section.
Per-user identity linkage
Per-user identity linkage (connecting telemetry events to your account via PostHog’s identify() function) is gated on optional telemetry consent. If you have not consented to optional telemetry, your events use a rotating anonymous device ID with no link to your Wonderthrough account.
If you used the demo before signing up and consented to optional telemetry, your pre-signup demo activity (the sample you explored and the actions you took on it) is linked to your new account at the moment of signup. Demo activity stays unlinked if you declined optional telemetry, and the link does not retroactively transmit additional data beyond what was already captured under your demo-time consent.
World Search diagnostic data (Standard preset)
When World Search is enabled on the Standard preset, we log a small diagnostic row per query, as described in Section 3 above. The log contains a hash of the query (never the raw text), shape metadata, chunk identifiers returned and cited, per-step latencies, and success/error status. It contains no manuscript text, no query text, and no generated response. On the Private AI and Local-only presets, no World Search telemetry is written.
Content exclusion
No manuscript text, entity names, book titles, or AI pipeline output appears in any telemetry event, regardless of category. Session recording is disabled.
14. AI providers and your creative content
This section describes how your creative content is handled when you use Wonderthrough’s AI-powered pipelines. We consider this our most important trust disclosure.
Which AI providers we use
Wonderthrough uses Anthropic (Claude), OpenAI (GPT, DALL-E), and Google (Gemini) as third-party AI providers. Each provider is used for different pipeline types, and you can configure which provider is used for specific tasks through Wonderthrough’s AI routing settings.
How your content flows to AI providers
When you run an AI pipeline using Wonderthrough’s platform keys, your content transits our proxy layer in memory and is sent to the selected provider. The proxy authenticates and routes the request; it does not store your content.
When you use your own API keys on the desktop app (the Private AI preset, or the equivalent atomic settings), your content goes directly from your device to the AI provider. It does not pass through Wonderthrough’s servers at all.
When you use a local language model on the desktop app (the Local-only preset, or the equivalent atomic settings), AI runs entirely on your device. No content leaves your machine for AI processing.
We do not train on your content
None of the AI providers train their models on Wonderthrough users’ API-submitted content under their current commercial API terms, and Wonderthrough has confirmed this relationship with each provider. Wonderthrough itself does not train AI models and does not use your content for training purposes.
You own your AI pipeline outputs
You retain all rights to the outputs generated by AI pipelines, including scene analyses, character enrichments, book synthesis summaries, arc analyses, and all other pipeline results. Wonderthrough claims no ownership of these outputs. This is described in detail in our Terms of Service.
Provider content policies and refusals
Each AI provider has its own content policies and may decline to process content that violates their rules. When a provider declines your request:
- Wonderthrough does not review your content. The refusal is surfaced to you as a user-facing error with actionable next steps (such as trying a different model, using your own API key, or using a local model).
- The refusal is not used as evidence against you. Provider refusals are not treated as violations of our Acceptable Use Policy and are not used to build a record against your account.
- Failure metadata is logged, not content. We record a broad technical category (such as “safety_filter” or “content_policy”) in the usage log. This category label is never a fragment of your content — it is a technical classification used for billing correctness and support diagnostics.
For more on our content policy posture, see our Acceptable Use Policy.
Using your own API keys (BYO)
If you provide your own API keys, your billing and content relationship with the provider is directly between you and them. The provider’s privacy policy applies in addition to ours. On the web app, BYO-key requests still transit our servers for authentication and entitlement enforcement. On the desktop app on the Private AI preset, BYO-key requests go directly from your device to the provider.
15. Legal requests and law enforcement
We may disclose your personal data when required by law or in response to valid legal process.
How we handle legal requests:
- We comply with valid legal process, including subpoenas, court orders, and search warrants, as required by applicable law.
- We review each request to confirm it is valid, properly scoped, and narrowly targeted.
- We attempt to notify you of legal requests affecting your data before disclosing it, unless we are prohibited from doing so by the legal process itself or by applicable law.
Mandatory reporting:
For certain categories of illegal content that we become aware of, we are required by law to report to the appropriate authorities without notifying the user. This includes:
- Child sexual abuse material (CSAM): reported to the National Center for Missing & Exploited Children (NCMEC) under 18 U.S.C. section 2258A.
- Non-consensual intimate imagery (NCII): cooperation with victim takedown requests.
- Terrorism-related content: cooperation with law enforcement as required by applicable law.
Because Wonderthrough does not scan private user content, these reporting obligations apply only when we become aware of such content through other means (such as a user report or law enforcement notification), not through proactive monitoring.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law.
How we notify you of changes:
- Material changes (changes that affect your rights, the data we collect, or how we use it) will be announced via email to affected users and via an in-product notification. We will provide at least 30 days’ advance notice before material changes take effect.
- Non-material changes (clarifications, formatting, typographical corrections) may be made without advance notice.
The version number at the top of this document changes with each material update. Previous versions are archived at /legal/changes.
Your continued use of Wonderthrough after a material change takes effect constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you may delete your account as described in Section 9. We will never make material changes retroactive — they apply only going forward from their effective date.
17. Contact us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or need to report a concern:
- Privacy and data protection inquiries: privacy@wonderthrough.com
- General support: support@wonderthrough.com
- DMCA notices: dmca@wonderthrough.com
- Mailing address: Wonderthrough, Inc., Delaware, United States
- Response time: 2 business days
This Privacy Policy is version pp-1.0-draft, last updated 2026-04-11. It has not yet been reviewed by external legal counsel. See Terms of Service | Acceptable Use Policy | Data Processing Agreement | Sub-Processor List