Privacy Policy

Last updated: July 14, 2026

1. Introduction

Letterstory ("we," "us," or "our") is an AI-powered content editing and publishing platform operated by The Letter Company. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service at letterstory.com.

2. Information We Collect

Account Information

When you create an account, we collect your email address, full name, and an optional avatar image. Authentication is handled through Supabase Auth, using either an email and password or Sign in with Google (OAuth).

Organization Data

If you create or join an organization, we store the organization name, domain, branding preferences (colors, logo, writing style, tone, and custom guidelines), member roles, and your role within the organization.

Content

We store the content you create, import, or upload — including edits, posts, stories, and collections — along with their full text, titles, metadata, and version history. Version history includes content snapshots and change logs to support versioning.

AI-Generated Content

When you use our AI features (editing suggestions, SEO analysis, content grading, table generation, Venn diagram generation, image generation, and flow processing), your content is sent to third-party AI providers for processing. Text is processed by the Anthropic Claude API; AI image generation is processed by our configured image provider (OpenAI or Bloom). The AI-generated results (suggestions, visualizations, images, and graded outputs) are stored in our database.

Connected Integrations

If you connect a third-party content platform — Notion, Contentful, Webflow, Sanity, Framer, or Google Docs — we store the identifiers needed to sync with it (such as workspace, site, space, or project IDs and names) and the credentials for that connection (an OAuth access token or API key) encrypted at rest. We also log sync operations (import/export), including item titles and sync status. We access a connected platform only to search, import, and publish content as you direct.

Site Deployments

If you deploy a hosted blog or site, we store the deployment configuration and, through our hosting provider (Vercel), the domains you connect. If you register a new domain through the service, we collect the domain name and pass the registration details required to purchase it to the domain registrar.

API Keys

If you create an API key for programmatic or MCP access, we store a hashed version of the key (never the key itself in plaintext), its scoped capabilities, and a log of when it is used.

Uploaded Files

We store files you upload, including organization logos (up to 2 MB) and custom fonts (up to 5 MB), in Supabase Storage.

Usage Analytics

We use PostHog to collect product-usage analytics — events such as sign-ups, logins, and feature interactions, along with basic device and browser information — to understand how the service is used and to improve it.

3. How We Use Your Information

  • Provide the service — process your content through AI enhancement pipelines, generate visualizations and images, and manage your content.
  • AI processing — send content to Anthropic's Claude API and to our image-generation provider to produce editing suggestions, SEO improvements, grades, data tables, Venn diagrams, and images.
  • Publishing & sync — import content from and publish content to the third-party platforms you connect.
  • Deployments — provision and host the blogs or sites you deploy, and register the domains you connect.
  • Programmatic access — authenticate and authorize requests made with your API keys.
  • Authentication — verify your identity and manage session security.
  • Sharing & review — generate share links and grant guest reviewers access to the specific content you share.
  • Transactional email — send account, invitation, and notification emails.
  • Analytics — understand usage and improve the service.

4. Third-Party Services

We use the following third-party services to operate Letterstory:

  • Supabase — database hosting, authentication, and file storage. Your data is stored in Supabase-managed PostgreSQL databases.
  • Vercel — application hosting and deployment, including hosting for the blogs and sites you deploy and connecting their domains.
  • Anthropic (Claude API) — AI processing of text for suggestions, analysis, and visualization generation. Content sent to Claude is subject to Anthropic's Privacy Policy.
  • OpenAI / Bloom — AI image generation, depending on our configuration.
  • Google — Sign in with Google (OAuth) for authentication, and Google Docs as an optional publishing destination.
  • Notion, Contentful, Webflow, Sanity, and Framer — optional content integrations for importing and publishing content. Connected via OAuth or API key, with encrypted credential storage.
  • PostHog — product-usage analytics.
  • Resend — delivery of transactional email.

5. Data Security

  • Integration credentials (OAuth tokens and API keys) are encrypted at rest using AES-256-GCM with unique initialization vectors per credential.
  • Letterstory API keys are stored only as salted hashes — never in plaintext.
  • Database access is protected by row-level security policies, ensuring users can only access data belonging to their organizations.
  • All data is transmitted over HTTPS.
  • Passwords are managed by Supabase Auth and are never stored in plaintext.
  • API endpoints are rate-limited to prevent abuse.

6. Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • AI processing — content is sent to our AI providers when you use enhancement or generation features.
  • Publishing & sync — content is sent to a connected platform when you import from or publish to it.
  • Deployments & domains — deployment content is hosted by Vercel, and domain-registration details are shared with the registrar when you buy a domain.
  • Shared links & guest reviewers — when you enable a share link or invite a guest reviewer, the shared content is accessible to anyone with the link (and, for reviewers, the associated PIN).
  • Service providers — analytics and email vendors process data on our behalf to operate the service.
  • Legal requirements — we may disclose data if required by law, legal process, or government request.

7. Data Retention

Your data is retained for as long as your account is active. Version history is maintained indefinitely to support content versioning. If you delete your account, we will remove your personal data from our systems, though some data may persist in backups for a limited period.

8. Your Rights

You may:

  • Access, update, or delete your account information through your profile settings.
  • Disconnect any content integration at any time through your organization settings.
  • Revoke an API key at any time.
  • Disable a share link or revoke a guest reviewer's access at any time.
  • Request deletion of your data by contacting us at the email address below.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page with a revised date. Your continued use of Letterstory after changes are posted constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or your data, contact us at privacy@letterbrace.com.