Privacy Policy

Effective Date: April 18, 2026

Version 3.0 — COPPA 2025 Amendments + Data Retention Schedule + Written Security Program

This is the Privacy Policy for Inkwell.wiki (writing competitions, Story Stones, Bookmarks, Forum, Flock Star, Shell Shock, and related G10be services). For The Black Book (racer.wiki) privacy policy, click here.

1. Who We Are

Inkwell.wiki is operated by G10be, a for-profit commercial enterprise based in Amarillo, Texas (Lyle Gilcoat, sole proprietor). We are not a nonprofit, charity, or 501(c)(3). Contact: support@inkwell.wiki.

Our Designated Security Coordinator is Lyle Gilcoat, reachable at the address above. This individual is responsible for our written information security program and coordinates our response to data incidents.

2. Information We Collect

We collect only what we need to operate the service. Categories:

Account data: email address, display name or pen name, account creation timestamp
Authentication data: password hash (we never store your actual password), optional 6-digit PIN hash
Submitted writing: text you enter into competitions, bookmark forges, Story Stone generators, or forum posts
Generated outputs: AI-generated 3D models, SVG bookmarks, Stonekeeper replies, editorial feedback
Payment data: processed entirely by Stripe; we store the Stripe customer ID, subscription status, and purchase history. We never see or store your card number, CVV, or bank account details.
Usage data: run counts, word counts, feature interactions (used only to enforce plan limits)
Forum content: posts, comments, replies, votes, flags
SafeByte allergen profiles (if you use SafeByte): allergen list, severity, reactions, diagnosis metadata. Managed by parents on behalf of children under 13 — we never let children under 13 create their own SafeByte account.

We do NOT collect biometric identifiers. We do not collect fingerprints, facial geometry, voiceprints, iris scans, or gait patterns. We do not collect government-issued identifiers (driver's license numbers, passport numbers, Social Security numbers).

3. How We Use Your Information

Process purchases and deliver digital and physical products
Generate Story Stones, Bookmarks, and other AI-assisted outputs from your text
Run skill-based writing competitions
Prevent fraud, abuse, and service disruption
Communicate service updates, order status, and security notices
Improve platform reliability (aggregated, non-identifying usage analysis)
Comply with legal obligations (tax, law enforcement requests)

We do not use your data for behavioral advertising, ad targeting, or profile-building for commercial purposes unrelated to service delivery.

4. Children's Privacy (COPPA — Updated for 2025 Amendments)

We comply with the Children's Online Privacy Protection Act (COPPA), including the final rule amendments effective June 23, 2025, with a compliance deadline of April 22, 2026.

4.1 Age Thresholds Across Inkwell Services

Paid writing competitions — must be 18 or older (contract capacity)
Writing Forum — account creation requires age 13+; forum browsing requires no account
Flock Star — neutral age screen ("Are you 13 or older?"). Users who select "no" are shown parent resources only; no data is collected from anyone regardless of age response.
Shell Shock — COPPA/Teen rated; no personal data collected from players
SafeByte — intended for PARENTS managing children's allergen profiles. Children under 13 may not create their own accounts.

4.2 Verifiable Parental Consent

Where we knowingly collect information from a child under 13 (currently limited to SafeByte allergen profiles managed by a parent), we obtain verifiable parental consent at the time of profile creation. We use a credit card verification or email-plus-consent-form method consistent with the FTC's approved mechanisms.

4.3 Parental Rights

Parents and legal guardians have the right to:

Review the personal information we have collected from their child
Refuse to permit further collection or use of their child's information
Request deletion of their child's information at any time

To exercise these rights, email support@inkwell.wiki with the subject line "COPPA Parental Request." We will respond within 30 days and will verify your identity as the parent or guardian before acting on the request.

4.4 Separate Consent for Third-Party Disclosures

We do not disclose information collected from children under 13 to third parties for advertising, profiling, or any purpose other than the operational service providers listed in Section 7. If we ever intend to do so, we will obtain separate, specific parental consent at that time.

5. Written Data Retention Schedule

We retain personal data only as long as necessary for the purposes described in this policy. The following schedule applies:

Data Category	Retention Period	Trigger for Deletion
Account data (email, display name)	Duration of account + 30 days	Account deletion request
Authentication data (password hash, PIN hash)	Duration of account + 30 days	Account deletion request
Submitted writing (contest entries, forum posts)	Duration of account + 30 days	Account deletion request; may be retained longer if published in a public competition archive, subject to user opt-out
Generated outputs (Story Stones, bookmarks)	Duration of account + 30 days	Account deletion request
Payment records	7 years	Required by U.S. federal tax law (held by Stripe)
Forum content	Duration of account; content may persist anonymized if part of a public thread	Account deletion request
Children's allergen profiles (SafeByte)	Duration of parental account + 30 days	Parent deletion request; automatic review every 24 months to confirm continued need
Server access logs	90 days	Automatic rolling deletion
AI processing context (Anthropic)	Not retained beyond active session	Anthropic enterprise terms prohibit training on our data

We do not retain personal data indefinitely. All retention triggers are automatic or user-initiated.

6. Written Information Security Program

We maintain a written information security program proportionate to the size of our service and the sensitivity of the data we hold. Key elements:

Designated Security Coordinator: Lyle Gilcoat (contact above) owns the program, approves material changes, and coordinates response to incidents.
Access controls: Row-level security at the database layer; encrypted connections (TLS 1.2+) for all data in transit; encryption at rest at our hosting provider (Supabase).
Annual risk assessment: Once per calendar year, we evaluate threats to the data we hold and update safeguards accordingly.
Incident response: In the event of a data breach affecting personal information, affected users will be notified via email within 72 hours of our confirming the scope, and we will report to regulators where required by law.
Regular testing: Automated monitoring and periodic manual review of access patterns, failed login attempts, and anomalous activity.
Vendor audit: We maintain the service provider inventory in Section 7 and confirm annually that each provider's data handling practices remain consistent with our commitments here.

7. Service Providers (SDK / Data Processor Inventory)

We share data with the following service providers only to the extent necessary to operate our service. Each provider has its own privacy and security commitments.

Provider	Role	Data Passed	Location
Supabase	Database, authentication, file storage	All account and service data	United States (AWS us-east)
Anthropic	AI inference (Claude API)	Text you submit for editorial feedback, Story Stone generation, or forum moderation	United States
Stripe	Payment processing	Email, purchase amount; Stripe handles card data directly — we never see it	United States / global
Cloudflare	DNS, CDN, Worker routing, DDoS protection	IP address, request metadata	Global edge network
Resend (or equivalent SMTP)	Transactional email delivery	Email address, message body for service emails	United States
Printful / print-on-demand partner	Physical merchandise fulfillment (Story Stones, shirts)	Shipping address and order details for paid physical products only	United States

We do not sell personal data to data brokers, advertisers, or any third party. The providers above act as data processors under our instruction and under their own published privacy and security commitments.

8. AI Processing Disclosure

Text you submit to Inkwell is processed by Anthropic's Claude API. Under our enterprise data processing terms, Anthropic does not retain our submitted text for model training. Each API call sends only the specific context needed for that response — not your full account history.

AI-generated outputs (editorial feedback, Story Stones, Stonekeeper replies) are the product of statistical language models and may contain errors, biases, or inconsistencies. They are suggestions, not medical advice, legal advice, or guarantees of publication success.

9. California BOT Disclosure Act

The Stonekeeper, forum auto-replies, bookmark generation, editorial feedback, and similar features are AI-powered and clearly disclosed as such in the interface, in compliance with California SB 1001 and subsequent amendments.

10. Your Rights

You may at any time:

Access the personal information we hold about you
Correct inaccurate information
Delete your account and associated data
Export your submitted writing and account data in a portable format
Object to processing for direct marketing (we do none, so this is automatic)
Withdraw consent where consent was the basis of processing

To exercise any of these rights, email support@inkwell.wiki. We will respond within 30 days.

11. California, Virginia, Colorado, and Other State Privacy Laws

Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have the rights described in Section 10. We do not "sell" personal information as defined under CCPA. We do not engage in targeted advertising or profile-building that would require an opt-out under these laws.

12. International Users

Our services are operated from the United States. If you access Inkwell from outside the U.S., your information will be transferred to and processed in the U.S. and in the jurisdictions of our service providers listed in Section 7. By using our services from outside the U.S., you consent to this transfer.

13. Changes to This Policy

We will notify registered users of material changes to this policy by email at least 30 days before the changes take effect. Minor clarifications that do not change how we handle your data may be posted without advance notice. The "Effective Date" at the top of this page reflects the most recent update.

14. Contact

Questions, data requests, COPPA parental requests, or privacy concerns:
support@inkwell.wiki
G10be / Inkwell.wiki — Amarillo, Texas, USA

For law enforcement requests or formal legal process, please address correspondence to the email above; we will respond promptly and in compliance with applicable law.

G10be / The Black Book — Amarillo, Texas