← Back to Pholio Publisher

Drafted from standard templates — pending lawyer review

Privacy Policy

Last updated: May 8, 2026

1. Who We Are

Pholio Publisher is operated by Harpy I.T. Solutions Inc. (“we,” “us,” “our”). This policy explains how we collect, use, store, and protect your personal data when you use the Pholio Publisher service at publisher.aaservent.com.

2. Data We Collect

Account data

Email address, name (if provided), and hashed password. Collected during registration.

User content

Manuscripts, images, cover art, and project files that you create, upload, or import. Stored in our database (Neon) and file storage (Cloudflare R2).

Payment data

Payment processing is handled entirely by Stripe. We do not store your credit card number, expiration date, or CVC. We store your Stripe customer ID to manage your subscription.

Usage data

Standard server logs including IP address, browser user agent, request paths, and timestamps. Used for security monitoring and service operations.

3. How We Use Your Data

  • Account data: to authenticate you and manage your account
  • User content: to provide the authoring and publishing service
  • Payment data: to process subscriptions and billing
  • Usage data: to maintain security and improve the service

4. Legal Basis (GDPR)

For users in the EU/EEA/UK, our legal bases for processing are:

  • Contract: account data, user content, and payment data are necessary to provide the service you signed up for
  • Legitimate interest: server logs for security and operations

5. Who Receives Your Data

We share data with the following service providers, solely to operate the Service:

  • Clerk (identity and authentication) — manages user accounts, sessions, and email verification
  • Neon (database) — stores user profiles, project data, and subscription state
  • Cloudflare (R2 file storage and CDN) — stores uploaded files and serves content
  • Railway (application hosting) — processes requests and runs the application
  • Stripe (payment processing) — handles subscriptions and billing
  • BetterStack (uptime monitoring) — monitors service availability (no user data transmitted)

We do not sell your data to third parties.

6. International Transfers

Your data is processed in the United States. If you are located in the EU/EEA/UK, your data is transferred to the US under Standard Contractual Clauses or the EU-US Data Privacy Framework, as applicable to each service provider.

7. Data Retention

  • Account data and user content are retained while your account is active
  • After account deletion, data is removed within 30 days
  • Database backups may retain data for an additional period per our hosting provider's retention schedule
  • Server logs are retained for 7-30 days per our hosting providers' standard retention

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you
  • Rectification: correct inaccurate data
  • Deletion: request deletion of your account and data
  • Portability: receive your data in a machine-readable format
  • Restriction: request that we limit processing of your data
  • Objection: object to processing based on legitimate interest

To exercise any of these rights, contact us at saas@aaservent.com. We will respond within 30 days.

California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

9. Cookies

The Service uses essential cookies for authentication (maintaining your login session). These are strictly necessary for the Service to function and do not require consent. We do not use analytics, advertising, or tracking cookies. If we add non-essential cookies in the future, we will implement a consent mechanism before doing so.

10. Children

The Service is not directed at users under 16 years of age. If we become aware that we have collected data from a user under 16, we will take steps to delete the account and associated data. If you believe a child under 16 has created an account, please contact us.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the email address associated with your account at least 30 days before taking effect.

12. Contact

Harpy I.T. Solutions Inc.
Email: saas@aaservent.com

For privacy-related requests, include “Privacy Request” in your subject line.