Privacy Policy & AI Integrity Statement
Effective: May 2026 · Version 3.2 · Harbinger Bros. LLC · GDPR Art. 13/14 · CCPA/CPRA Compliant · EU AI Act (Reg. (EU) 2024/1689)
Privacy Policy
1. Data Controller
Harbinger Bros. LLC
1309 Coffeen Avenue STE 1200, Sheridan, WY 82801, United States
Contact: support@laenethylabs.com
Harbinger Bros. LLC is the sole data controller for all personal data collected through the Authorlify platform as defined under GDPR Art. 4(7). As the controller is established exclusively in the United States and not within the EEA, we are not currently required to designate an EU representative under GDPR Art. 27, as our processing of EEA residents' data is occasional and does not involve large-scale processing of special categories of data or processing that poses a high risk. Should our processing scale or risk profile change, we will appoint an EU representative accordingly and update this Policy. EEA and UK residents may exercise all data subject rights by contacting us directly at support@laenethylabs.com. We will acknowledge all requests within 5 business days and respond substantively within 30 calendar days (GDPR Art. 12(3)), extendable by a further 2 months for complex or multiple requests, with prior written notice of extension.
2. Categories of Personal Data and Data Flows
The following categories of personal data are collected and processed, distinguished by persistence and processing context:
2.1 Account Data – Persistent Storage
The following data is collected at registration or during use and stored persistently in our application database:
- Full name
- Email address
- User role identifier (e.g., user, admin)
- Account creation timestamp
- Last authentication timestamp
- Subscription plan identifier (e.g., free, pro, author_pro_plus)
- Subscription status (e.g., active, cancelled, expired)
- Lemon Squeezy customer ID and subscription ID (paid plans only)
This data is stored in our hosted application database and is accessible to authorized personnel only.
2.2 AI Content Inputs – Transient, with Third-Party Transmission
When you use the content generation features, you submit structured inputs including: book title, description, genre, target social media platform, and language. These inputs are transmitted over an encrypted (TLS) connection from our application server to one or more third-party AI inference providers for real-time language model processing.
Data flow: User browser → Authorlify application server (in-memory) → AI subprocessor API (in-transit and in-processor infrastructure) → Response returned to application server (in-memory) → Result delivered to user browser.
Content inputs are not written to our persistent database. They may be transiently present in: application server memory during request processing; network transmission buffers during API calls; and the AI subprocessor's own infrastructure (e.g., request queues, inference pipelines, short-term operational logs) according to that provider's internal policies. We exercise contractual controls over subprocessor data handling but cannot independently audit or guarantee the absence of transient retention within subprocessor infrastructure beyond the terms of our data processing agreements.
2.3 AI Output Data – Transient
Generated outputs (hooks, social media posts, video scripts, SEO keywords, authority content) are returned from the AI subprocessor to our application server, and then delivered to your browser session. These outputs are not written to our persistent database. They may transiently exist in application memory and network buffers during delivery. Once delivered to your browser, no server-side copy is retained by Authorlify.
2.4 Pseudonymized Analytics Data – Persistent
We collect pseudonymized usage event data to analyze feature utilization and improve the service. Each event record contains: an anonymized or pseudonymized session or user identifier (no direct identifiers such as email or name); an event type label (e.g., "content_generation_triggered", "seo_analyzer_used"); selected parameters (e.g., platform name, language selection – not content values); and a timestamp.
AI content inputs, generated outputs, and directly identifying information (name, email) are not included in analytics event records. Analytics data is stored persistently in our application database and retained for up to 24 months.
2.5 Server Access Logs – Short-Term Retention
Our application infrastructure generates standard server access logs, which may contain IP addresses, request paths, HTTP method, response status codes, and timestamps. IP addresses constitute personal data under GDPR where they can be attributed to an identified or identifiable individual. These logs are retained for a maximum of 30 days, solely for the purposes of security monitoring, intrusion detection, error diagnosis, and abuse prevention (legal basis: Art. 6(1)(f) GDPR – legitimate interests in system security). They are not used for behavioral profiling, marketing, or any purpose other than those stated. Access to server logs is restricted to authorized technical personnel.
3. Legal Basis for Processing (GDPR)
Each processing activity is grounded in a specific legal basis under GDPR Art. 6. Where processing involves special categories of data under Art. 9, a corresponding condition under Art. 9(2) applies (note: Authorlify does not currently process special categories of data). The legal basis for each processing activity is documented in the Retention Schedule in Section 6.
- Art. 6(1)(b) – Contract performance: Processing of account data and AI content inputs is necessary to provide the service you have subscribed to. Without this processing, the service cannot be delivered.
- Art. 6(1)(f) – Legitimate interests: Pseudonymized analytics data and server access logs are processed on the basis of our legitimate interests in understanding service performance and maintaining system security respectively. A Legitimate Interests Assessment (LIA) has been conducted for each activity. Processing is proportionate and limited to pseudonymized event records (analytics) and short-term operational logs (security). These interests do not override data subjects' fundamental rights and freedoms, and are subject to your right to object under Art. 21.
- Art. 6(1)(c) – Legal obligation: Payment-related identifiers are retained to comply with applicable financial record-keeping and tax obligations.
- Art. 6(1)(a) – Consent: Non-essential cookies or client-side tracking technologies, if deployed, will be activated only upon your informed, freely given, and specific consent. Consent may be withdrawn at any time without detriment to service access.
4. Subprocessors and Data Flows
The following third parties act as data processors or sub-processors on our behalf. Each is engaged under a contractual data processing agreement that specifies the scope, purpose, and security requirements of processing.
AI Inference Provider(s)
Role: Data Processor (AI model inference)
Processing location: United States (and potentially other jurisdictions depending on provider infrastructure)
Transfer mechanism: Standard Contractual Clauses (SCCs) or equivalent mechanism
Content inputs (book title, description, genre, platform, language) are transmitted to one or more third-party AI model providers for the sole purpose of generating the requested content. These providers process data transiently under our instructions. We contractually restrict these providers from using submitted inputs for model training or secondary purposes. However, we acknowledge that transient retention in the provider's operational infrastructure (e.g., request logs, buffers) may occur and is subject to the provider's own data retention and security policies, over which we have limited direct technical control.
Lemon Squeezy
Role: Merchant of Record / Payment Processor
Processing location: United States
Transfer mechanism: Standard Contractual Clauses (SCCs) where applicable
Lemon Squeezy acts as the Merchant of Record for all paid subscription transactions. Billing and payment data (card details, billing address) is collected and processed directly by Lemon Squeezy and is not transmitted to or stored by Authorlify. We receive subscription lifecycle events (created, updated, cancelled, expired) via authenticated webhooks, and store only the resulting subscription status and Lemon Squeezy-issued customer and subscription identifiers.
Application Hosting and Database Provider
Role: Data Processor (infrastructure)
Processing location: United States (primary); EU region may be available depending on provider configuration
Transfer mechanism: Standard Contractual Clauses (SCCs) or applicable adequacy mechanism
Our application server, backend functions, and application database – which store account data and pseudonymized analytics – are hosted on a third-party cloud infrastructure provider. This provider processes data strictly under our instructions as an infrastructure processor. Specific provider identity is available upon request.
Analytics Data Store
Role: Data Processor (analytics infrastructure)
Processing location: Co-located with application hosting infrastructure
Transfer mechanism: Same as hosting provider
Pseudonymized usage event data is stored within our application database hosted on the above infrastructure provider. No third-party client-side analytics scripts (such as Google Analytics) are currently deployed without explicit user consent. Analytics processing is conducted server-side and limited to pseudonymized event records as described in Section 2.4.
A current and complete list of subprocessors, including names and processing locations, is available upon written request to support@laenethylabs.com.
5. International Data Transfers
Harbinger Bros. LLC is incorporated and operated in the United States. The United States does not, as a general matter, provide an equivalent level of data protection to that afforded by EU/EEA law. Accordingly, transfers of personal data from the EEA, United Kingdom, or Switzerland to the United States are subject to appropriate safeguards.
Such transfers are conducted on the basis of one or more of the following mechanisms, as applicable:
- Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Art. 46(2)(c), as updated by Commission Decision (EU) 2021/914.
- UK International Data Transfer Agreements (IDTAs) for transfers subject to UK GDPR.
- Contractual necessity (Art. 49(1)(b) GDPR) for specific transfers required to perform the service you have requested, where no other mechanism is available.
Where SCCs are relied upon as the transfer mechanism, we conduct a Transfer Impact Assessment (TIA) in accordance with EDPB Recommendations 01/2020 to evaluate whether the legal framework of the recipient country undermines the effectiveness of the SCCs as required by GDPR Art. 46. Where a TIA identifies residual risks, we implement supplementary technical measures (e.g., encryption, pseudonymization) as appropriate. Documentation of applicable transfer mechanisms and TIA summaries is available upon written request to support@laenethylabs.com.
Where transfers are based on contractual necessity under Art. 49(1)(b), this derogation is applied only to specific, non-repetitive transfers that are strictly necessary for the performance of the contract. We do not rely on Art. 49 derogations as a general transfer mechanism.
6. Data Retention Schedule
Account data (name, email, role, timestamps)
Duration of account + 30 days post-deletion from primary systems; residual backup copies purged within 90 days of deletion.
Legal basis: Contract / Legal obligation
Subscription identifiers (Lemon Squeezy IDs, plan status)
Duration of subscription relationship + up to 7 years as required by applicable financial and tax regulations.
Legal basis: Legal obligation
AI content inputs (marketing generator)
Not persistently stored by Authorlify. Transient in application memory and network buffers only (duration of request, typically seconds). Subprocessor transient retention governed by processor agreements.
Legal basis: Contract performance
AI generated outputs (marketing content)
Not persistently stored by Authorlify. Transient in application memory during delivery. No server-side copy retained post-delivery.
Legal basis: Contract performance
AI-generated blog post content & images
Persistently stored in the application database as part of the BlogPost entity. Retained for the duration of the account plus 30 days post-deletion. Admin-only content; not linked to end-user personal data.
Legal basis: Legitimate interests (content publication)
Pseudonymized analytics events
Up to 24 months from event date, after which data is either deleted or further aggregated in a form that cannot be attributed to any individual or pseudonymous identifier.
Legal basis: Legitimate interests
Server access logs (IP address, request path, timestamp)
Up to 30 days. Not used for profiling or marketing.
Legal basis: Legitimate interests (security)
7. Cookies and Tracking Technologies
7.1 Technically Necessary Cookies and Local Storage
We deploy technically necessary cookies solely for the purpose of maintaining authenticated user sessions. These cookies contain a session token and are required for the operation of the platform. They are set only upon login and expire upon logout or session timeout. No consent is required for technically necessary cookies under GDPR Recital 25 and ePrivacy Directive Art. 5(3).
In addition, we store a single language preference value (authorlify_lang) in the browser's localStorage to remember the user's chosen interface language (e.g. "en", "de", "fr") across sessions. This value does not contain personal data, is not transmitted to our servers, and is stored exclusively in the user's own browser. It can be cleared at any time via browser settings. No consent is required for this storage as it serves a legitimate user experience function with no privacy impact.
7.2 Non-Essential Cookies and Tracking
No non-essential cookies, tracking pixels, behavioral profiling scripts, or third-party advertising trackers are currently deployed on the Authorlify platform without prior explicit consent. Should such technologies be introduced, they will be activated only upon your freely given, specific, informed, and unambiguous consent, obtained via a compliant consent management interface. Consent records will be maintained and withdrawal will be available at any time without penalty.
7.3 Third-Party Client-Side Scripts
No third-party analytics or marketing scripts (e.g., Google Analytics, Meta Pixel) are currently loaded client-side without consent. All analytics processing described in this policy is server-side only.
8. Your Rights Under GDPR (EEA and UK Residents)
If you are located in the EEA, United Kingdom, or Switzerland, you hold the following rights under GDPR and, where applicable, UK GDPR:
- Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy. Exercisable via the Security & Privacy page (Download My Data) or by email.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete account data.
- Right to erasure (Art. 17): Request deletion of your account and associated personal data, subject to retention obligations under applicable law. Exercisable via the Security & Privacy page (Delete My Account).
- Right to restriction (Art. 18): Request that we restrict processing in defined circumstances (e.g., while accuracy is contested or processing is unlawful but you oppose erasure).
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON export via the Security & Privacy page).
- Right to object (Art. 21): Object to processing based on legitimate interests, including pseudonymized analytics. Upon objection, we will cease such processing unless we demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Art. 22): Authorlify does not engage in solely automated decision-making with legal or similarly significant effects. This right is not currently applicable but will be respected if the service's scope changes.
- Right to lodge a complaint: You have the right to lodge a complaint with your competent national supervisory authority (e.g., your country's data protection authority). In Germany: Bundesbeauftragter für den Datenschutz; in Ireland: Data Protection Commission; in France: CNIL.
To exercise rights not self-serviceable within the application, contact support@laenethylabs.com. We will acknowledge within 5 business days and respond substantively within 30 calendar days.
9. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, the following rights apply under the CCPA (Cal. Civ. Code § 1798.100 et seq.) as amended by the CPRA:
- Right to know (§ 1798.110): Request disclosure of the categories and specific pieces of personal information collected, the business or commercial purpose for collection, and the categories of third parties to whom personal information is disclosed.
- Right to delete (§ 1798.105): Request deletion of your personal information, subject to exceptions for legal obligation compliance, security, and fraud prevention.
- Right to correct (§ 1798.106): Request correction of inaccurate personal information.
- Right to opt out of sale or sharing (§ 1798.120): We do not sell or share personal information as those terms are defined under the CCPA/CPRA. No opt-out mechanism is currently required, but we will implement one if our data practices change.
- Right to limit use of sensitive personal information: We do not process sensitive personal information as defined under CPRA beyond what is necessary for service delivery.
- Right to non-discrimination (§ 1798.125): Exercise of privacy rights will not result in denial of service, different pricing, or reduced quality of service.
To submit a verifiable consumer request under CCPA/CPRA, contact support@laenethylabs.com. We may request reasonable verification of identity (e.g., confirmation of account email and details) before fulfilling requests that involve access to or deletion of personal information, as permitted by Cal. Civ. Code § 1798.130(a)(4). We will respond to verifiable requests within 45 calendar days. If additional time is required (up to 90 days total), we will notify you of the extension and the reason within the initial 45-day period. We provide two or more methods for submitting requests, including email and in-application controls.
10. Security Measures
We implement technical and organizational measures (TOMs) appropriate to the risk of processing, as required by GDPR Art. 32. Current measures include:
- Encryption in transit: TLS 1.2 or higher for all data transmitted between user browsers, application servers, and AI subprocessor APIs
- Encryption at rest: Application database encrypted at the storage layer by the hosting infrastructure provider
- Access controls: Role-based access controls (RBAC) limiting data access to authorized personnel on a need-to-know basis
- Authentication: Managed authentication mechanisms for user account access
- Data minimization: AI inference requests are stripped of account identifiers prior to transmission
- Secure deletion: Documented deletion procedures applied upon account deletion requests, with primary deletion within 30 days and backup purge within 90 days
- Subprocessor due diligence: Contractual data processing agreements with all subprocessors, requiring equivalent or higher security standards
These measures are reviewed periodically and updated in response to changes in processing activities, threat landscape, or regulatory guidance. Where processing activities pose an elevated risk to data subjects, we conduct a Data Protection Impact Assessment (DPIA) under GDPR Art. 35 prior to commencing processing.
No technical or organizational security system is entirely risk-free. In the event of a personal data breach meeting the notifiability threshold under GDPR Art. 33(1), we will notify the competent supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, affected individuals will be notified without undue delay in accordance with GDPR Art. 34.
11. Changes to This Policy
We reserve the right to update this Privacy Policy to reflect changes in data processing practices, subprocessor relationships, or applicable legal requirements. Updates are versioned and dated at the top of this document. Material changes – defined as changes that affect: (a) the categories of personal data collected; (b) the legal basis for processing; (c) the identity or role of data processors or subprocessors; (d) international transfer mechanisms; or (e) data subject rights or contact procedures – will be communicated to registered users via email notification and a prominent in-application notice, no fewer than 14 days prior to the new version taking effect. Non-material changes (e.g., formatting, typographic corrections, clarifications that do not alter substantive rights) take effect upon publication. Continued use of the service after the effective date of a material revision constitutes acknowledgment of and agreement to the updated terms.
12. Contact
For all privacy-related inquiries, data subject requests, or complaints:
Email: support@laenethylabs.com
Postal: Harbinger Bros. LLC · 1309 Coffeen Avenue STE 1200, Sheridan, WY 82801, United States
AI Integrity Statement
This statement describes the technical design, data handling practices, and governance principles governing Authorlify's use of artificial intelligence. It is intended to provide auditable transparency regarding AI processing pipelines, output responsibilities, and applicable regulatory considerations.
1. Architecture and Nature of AI Processing
Authorlify uses one or more third-party AI language model inference services for two distinct purposes: (1) generating promotional marketing content for authors, and (2) generating blog post articles and cover images for the Authorlify public blog. Content generation is triggered by administrator- or user-submitted structured inputs.
Marketing content pipeline (session-based, no persistence):
User browser → HTTPS → Authorlify application server (input assembled in memory, not written to database) → HTTPS → AI subprocessor inference API → Response returned to application server (output in memory) → Delivered to user browser → No server-side copy persisted.
Blog content pipeline (persistent):
Admin browser → HTTPS → Authorlify application server → HTTPS → AI subprocessor (text generation) + AI image generation service → Generated blog post text and cover image URL stored persistently in the application database. Blog posts are admin-controlled and reviewed before publication. No end-user personal data is transmitted.
Authorlify does not persistently store AI content inputs or outputs. Transient presence in AI subprocessor infrastructure – including request queues, inference pipelines, or operational logs – is governed by the applicable data processing agreement.
2. AI Subprocessor Controls and Limitations
We enter into data processing agreements with AI inference providers that include the following obligations, to the extent available under the provider's terms:
- Prohibition on use of submitted inputs for model training, fine-tuning, or improvement
- Restrictions on secondary use of transmitted data
- Obligations to implement appropriate technical and organizational security measures
- Obligations to notify Authorlify in the event of a security incident affecting transmitted data
We acknowledge that the degree of contractual control achievable with large-scale AI infrastructure providers may differ from that achievable with smaller, dedicated processors. A current list of AI subprocessors is available upon written request to support@laenethylabs.com.
3. Output Quality, Accuracy, and User Responsibility
All content generated by Authorlify's AI system is provided as a creative suggestion and starting point. Language model outputs may contain inaccuracies, inconsistencies, or content that is unsuitable for direct publication without review. Harbinger Bros. LLC makes no representations or warranties regarding the accuracy, originality, completeness, fitness for purpose, or compliance with third-party platform policies of any generated output.
Users are solely and exclusively responsible for reviewing, editing, and verifying all AI-generated content prior to any use, publication, or distribution. This responsibility includes, without limitation: compliance with applicable intellectual property laws; adherence to platform-specific content policies; accuracy of factual claims; and compliance with applicable marketing, consumer protection, and advertising regulations.
4. Data Minimization in AI Processing
We implement data minimization at the AI inference layer. Only the structured inputs necessary for a specific content generation request are transmitted to AI subprocessors. Account identifiers (user ID, email), payment information, and analytics data are not included in AI inference requests. Derived outputs are not cross-referenced with user identity in any persistent data store.
For blog post generation: inputs consist solely of an admin-submitted topic string and language selection. No end-user personal data is transmitted. AI processing is conducted strictly for the purpose of generating the requested content response. Inputs are not used for behavioral profiling, audience segmentation, advertising targeting, or cross-user analysis.
5. Absence of Consequential Automated Decision-Making
Authorlify does not employ AI to make automated decisions that produce legal effects or similarly significant effects on users. AI outputs are presented solely as creative assistance. Eligibility for service access, subscription tier assignment, account restrictions, and pricing determinations are not made by AI inference systems and do not constitute automated decision-making within the scope of GDPR Art. 22.
6. Human Oversight and Editorial Responsibility
Authorlify is designed as a human-in-the-loop assistive tool. The platform generates content suggestions that require human review and editorial judgment before use. The service does not replace professional authorship, legal review, marketing strategy, or publishing expertise. Users retain full creative, editorial, and legal responsibility for all content they choose to publish or distribute based on AI-generated suggestions.
7. Applicable Regulatory Framework and EU AI Act Considerations
7.1 High-Risk Classification (EU AI Act Annex III)
Based on our current assessment, Authorlify's content generation functionality does not appear to fall within the high-risk AI system categories enumerated in Annex III of the EU AI Act (Regulation (EU) 2024/1689), which covers areas including biometric identification, critical infrastructure, education assessment, employment, essential services, law enforcement, migration, and administration of justice. This assessment is preliminary, subject to revision, and will be reviewed as EU AI Act obligations enter into force.
7.2 General-Purpose AI (GPAI) Models
Authorlify integrates one or more third-party general-purpose AI (GPAI) models as defined under EU AI Act Art. 3(63). Authorlify functions as a deployer of these models within a defined use case (book marketing content generation). Obligations applicable to GPAI model providers under Chapter V of the EU AI Act rest with those providers and not with Authorlify as deployer. Authorlify's obligations as a deployer are governed by the applicable provisions of the EU AI Act as they come into force.
7.3 GDPR Interaction
AI processing activities that involve personal data are subject to GDPR in parallel with the EU AI Act. Where a Data Protection Impact Assessment (DPIA) under GDPR Art. 35 is required for an AI-related processing activity, it will address both data protection and AI-related risks. We monitor EU, US, and other applicable AI and data protection regulatory developments on an ongoing basis. This section will be updated without undue delay upon any material regulatory development affecting Authorlify's compliance posture.
8. AI Integrity Contact
For inquiries regarding our AI processing architecture, subprocessor agreements, data minimization practices, or regulatory compliance posture:
Email: support@laenethylabs.com
Subject line: AI Integrity Inquiry – Authorlify