Privacy & Security — How We Protect Your Data
How BookAuth protects your personal data, payment information, and manuscripts — our security practices, data handling, and your privacy rights.
BookAuth takes data security seriously. This guide explains how we protect your personal information, payment data, and creative works.
What You'll Learn
- How your data is protected
- Payment security measures
- Manuscript protection
- Your privacy rights
Data Security
Infrastructure Security
| Layer | Protection |
|---|---|
| Hosting | Kubernetes-based infrastructure with isolated workloads |
| CDN | Cloudflare for DDoS protection and edge caching |
| Database | PostgreSQL with encryption at rest (AES-256) |
| File Storage | Cloudflare R2 (S3-compatible) with encryption at rest |
| Transport | All connections encrypted via TLS 1.3 |
| Authentication | WorkOS AuthKit with MFA support |
Application Security
- Role-based access control (RBAC) — users can only access their own data
- Input validation — all user inputs are sanitized and validated
- SQL injection prevention — parameterized queries throughout
- XSS protection — content sanitization and CSP headers
- CSRF tokens — all state-changing requests are protected
Payment Security
BookAuth never stores your payment card details:
- Stripe handles all payment processing — PCI DSS Level 1 compliant
- Card data goes directly to Stripe's servers, never touching BookAuth
- Author payout bank details are stored in Stripe, not BookAuth
- All payment pages use HTTPS with TLS 1.3 encryption
Manuscript Protection
Your manuscripts are your most valuable creative assets:
| Protection | Details |
|---|---|
| Encryption at rest | AES-256 encryption on all stored files |
| Access control | Only verified purchasers can generate download links |
| Signed URLs | Download links are time-limited and cryptographically signed |
| No DRM | BookAuth does not apply DRM to your files (your choice, your creative control) |
| Deletion | When you delete a book, the manuscript file is permanently removed from storage |
Your Privacy Rights
Data You Control
- Profile information — edit or delete at any time
- Books and content — full CRUD control
- Subscriber list — export or delete
- Account — delete your entire account and all associated data
Data We Collect
| Data Type | Why We Collect It | How Long We Keep It |
|---|---|---|
| Account info (name, email) | Authentication and communication | Until account deletion |
| Profile data | Display on your public profile | Until you delete it |
| Books and manuscripts | Hosting and distribution | Until you delete them |
| Transaction records | Legal and financial compliance | 7 years (legal requirement) |
| Analytics | Website traffic, sales metrics | Aggregated indefinitely |
| Support requests | Customer service | 2 years |
Data We Never Sell
BookAuth never sells your personal data, subscriber lists, or usage analytics to third parties.
Account Deletion
To delete your account and all associated data:
- Navigate to Settings > Account
- Click "Delete Account"
- Confirm by entering your password
- All data is permanently deleted within 30 days
Frequently Asked Questions
Q: Can BookAuth employees read my manuscripts?
A: Our engineering team may have technical access to stored files for debugging purposes, but company policy prohibits reading author manuscripts without express written permission.
Q: How do I report a security vulnerability?
A: Email [email protected]. We take responsible disclosure seriously and will respond within 24 hours.
Q: Is my subscriber list shared with other authors?
A: No. Your subscriber list is completely private and inaccessible to other authors.
Q: What happens to my data if BookAuth shuts down?
A: In the unlikely event of a shutdown, all users would receive 90 days' notice with the ability to export all their data.