Privacy Policy

Effective date: June 19, 2026 | Last modified: June 19, 2026

This Privacy Policy (the “Policy”) explains how PublishDrive Inc. (“PublishDrive”, “Company”, “we”, or “us”) collects, stores, uses, and discloses personal data of our users (“you”, “user”) in connection with the website located at publishdrive.com (the “Website”) and the services provided through it (the “Services”).

Please read and make sure you understand this Policy. If you do not agree with this Policy or our practices, you may not use our Website or the Services. This Policy forms an integral part of our Terms of Service. We may update this Policy from time to time; your continued use of the Website and the Services constitutes your acceptance of the updated version. We encourage you to review this Policy periodically.

PublishDrive processes personal data of individuals located in the European Union (“EU”) and the European Economic Area (“EEA”) in accordance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”), the relevant national implementing laws (including, where applicable, Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, “Info Act”), and the guidance of the European Data Protection Board (“EDPB”). For users located in the United Kingdom, references to the GDPR shall be read as references to the UK GDPR as applicable.

1. Data Controller

The controller of your personal data is:

• PublishDrive Inc., with its registered US office at 541 Jefferson Ave., Suite 100, Redwood City, CA 94063, United States;

PublishDrive carries out its processing in the context of the activities of its European establishment, PublishDrive Kft. (registered seat: Bajcsy-Zs. U. 83, Siófok, 8600, Hungary). As PublishDrive maintains an establishment in the EU, no representative under Article 27 GDPR is designated.

For any data protection inquiry, you may contact us via the contact form on the Website.

2. What does this Privacy Policy cover?

This Policy covers how PublishDrive processes personal data when you access the Website as a user and when you use the Services. It also describes the categories of recipients with whom we share personal data. This Policy does not apply to the practices of third parties we do not own or control (such as third-party websites that you may access via links from our Website) or to individuals we do not employ or manage.

3. What Personal Data Do We Collect?

3.1 Information you provide to us

We receive and store the information you enter on our Website or provide to us in any other way. Depending on how you interact with the Services, this may include:

Identification and contact data: full name, email address, password (in hashed form), mailing address (optional), phone number (optional);
Account and profile data: username, pen name, author biography and other author information;
Content and metadata: eBooks, audiobooks, print-ready PDF files and associated book metadata uploaded and shared via the Services;
Financial data: account holder name, bank name, account number, currency of account;
Tax data: Tax ID (e.g. US TIN / SSN / EIN), citizenship, country of residence and – where required by applicable tax law – government-issued ID, Green Card or other proof of address or residency status;
Communication data: the content of your communications with our customer support.

3.2 Information collected automatically

When you use the Website or the Services, we automatically collect certain information on our server logs, including: IP address, unique device identifier, browser type and characteristics, operating system, language preferences, referring URLs, actions taken on our Website (pages requested, content viewed, uploaded or shared), search queries, and dates and times of visits. We also receive sales-related data from our book retailer partners, which we make available to you in your user account.

3.3 Cookies and similar technologies

We use cookies and similar technologies to operate the Website, analyse traffic, remember your preferences, and (subject to your consent) for marketing purposes. Detailed information on the cookies we use is available in our separate Cookie Policy. You can manage your cookie preferences via the cookie banner or your browser settings.

3.4 Special categories of personal data

We do not request or intentionally process special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, etc.) in connection with the Services. Please do not submit such data to us.

4. Purposes and Legal Bases of Processing

We process your personal data for the purposes and on the legal bases set out below (Article 6(1) GDPR):

4.1 Performance of the contract (Art. 6(1)(b) GDPR)

We process the following categories of data to provide the Services, manage your account, fulfil your orders, process payments and royalties, and respond to your requests:

Identification and contact data (full name, email, optional mailing address and phone number);
Account, profile and content data (including uploaded books and metadata);
Financial and tax data required to process payouts;
Sales-relevant data received from retailer partners;
Contractual and communication data.

4.2 Compliance with legal obligations (Art. 6(1)(c) GDPR)

We process personal data to comply with our statutory obligations, including tax, accounting, anti-money-laundering, invoicing, and responding to lawful requests from public authorities. This processing includes, where applicable, financial and tax data, billing data, and data required to assist law enforcement.

4.3 Legitimate interests (Art. 6(1)(f) GDPR)

We process personal data on the basis of our legitimate interests to:

Secure and operate the Website and the Services, prevent fraud (including fraudulent uploads and transactions), monitor against theft and protect the rights and property of our users and the Company;
Improve and develop our products and Services, including conducting analytics, research and surveys, primarily using aggregated or pseudonymised data;
Send service-related communications (e.g. notifications about changes to the Services, security alerts, administrative messages);
Establish, exercise or defend legal claims.

Where we rely on legitimate interests, we carry out a balancing test to ensure that our interests are not overridden by your interests or fundamental rights and freedoms. You have the right to object to this processing (see Section 10 below).

4.4 Consent (Art. 6(1)(a) GDPR)

We process the following categories of data on the basis of your consent:

Full name, email address and (optionally) mailing address or phone number – for direct marketing, newsletters, promotional offers and similar communications;
Data collected via non-essential cookies and similar technologies – for analytics and advertising purposes, as described in our Cookie Policy.

You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You can withdraw consent by using the unsubscribe link in our emails, by changing your cookie preferences, or by contacting us.

5. AI-Assisted Features – Transparency, Absence of Profiling and Automated Decision-Making

PublishDrive offers AI-assisted tools that help authors and publishers create and manage their books. Specifically:

AI Metadata Generator – assists in generating book descriptions, keywords and other discoverability metadata based on content you provide;
AI Cover Generator – assists in generating cover image concepts and visual direction based on inputs you provide;
AI-assisted chat / support – assists in answering questions through a conversational interface;
Book Review / content integrity – supports our internal content-integrity processes.

These features use third-party AI models (see Section 7). They are used solely as creative or operational aids. PublishDrive does not carry out profiling of users within the meaning of Article 4(4) GDPR, and does not take decisions based solely on automated processing (including profiling) that produce legal effects concerning users or similarly significantly affect them within the meaning of Article 22 GDPR. Any outcome relevant to the user (e.g. acceptance or rejection of uploaded content) is reviewed by a human and subject to human decision.

We do not provide user-supplied content or personal data to AI providers for the purpose of training their foundation models. Contractual commitments from our AI subprocessors regarding non-use for training are reflected in the data processing agreements we have entered into with them.

5.1 EU AI Act transparency

PublishDrive uses third-party general-purpose AI models as a deployer (and not as a provider) within the meaning of Regulation (EU) 2024/1689 (the “EU AI Act”). Our AI-assisted features are limited-risk tools and do not constitute high-risk AI systems under Annex III of the EU AI Act.

In line with the transparency obligations under Article 50 of the EU AI Act:

where you interact with an AI-based chat or assistant feature, we inform you that you are interacting with an AI system;
content generated or materially modified with the help of AI (such as AI-generated cover concepts or draft metadata) is identified as AI-assisted or AI-generated, and we are implementing the marking of such outputs as artificially generated in a machine-readable format where technically feasible and/or ask the client to mark it on the platform if they used such technologies.

These transparency measures complement, and do not replace, the information provided elsewhere in this Policy. The EU AI Act applies alongside the GDPR; it does not change the legal bases or your rights described in this Policy.

6. How Long Do We Retain Your Personal Data?

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements. The retention periods we apply are, in summary:

Category	Retention period	Basis
Account, profile and contact data	Duration of the contract + up to 5 years after termination	Limitation periods for civil claims
Invoicing, accounting and tax data	8 years from issue (Hungarian Accounting Act) / applicable US tax retention periods	Legal obligation
Content uploaded via the Services	Duration of the contract, then deletion following the notice period set out in the Terms of Service	Performance of the contract
Marketing communications data	Until consent is withdrawn, or 3 years of inactivity, whichever is earlier	Consent
Server logs, security logs	Up to 12 months	Legitimate interest
Cookies	As set out in the Cookie Policy	Consent / legitimate interest
Backup archives	Rolling backups are overwritten in accordance with our backup policy; data in backups is isolated from active processing until deletion occurs	Legitimate interest / legal obligation

Where we no longer have a lawful basis to process your personal data, we will either delete or anonymise it or, if this is not technically possible (for example, because the data is stored in backup archives), we will securely store it and isolate it from any further processing until deletion is possible.

7. Recipients and Processors

We share personal data only to the extent necessary for the purposes described above. Our recipients fall into the following categories: our affiliated entities, service providers acting as data processors on our behalf, and independent third parties (including book retailers) with whom we share data at your direction or based on contractual necessity.

7.1 Data processors

We engage the following main data processors. Each has entered into a data processing agreement with us under Article 28 GDPR, requiring them to process personal data only on our instructions and under appropriate security measures:

Processor	Seat/country	Purpose	Transfer safeguard
PayPal, Inc.	United States	Online payments / recurring charges	Standard Contractual Clauses (EU Commission Decision 2021/914)
Wise Payments Ltd. (formerly TransferWise)	United Kingdom	Online money transfer	UK adequacy decision
Tipalti Inc.	United States	Collection of bank and tax data; payouts	Standard Contractual Clauses
Intuit Inc.	United States	Online invoicing	EU-U.S. Data Privacy Framework
HubSpot, Inc. / HubSpot Ireland Ltd.	Ireland / United States	Sales, marketing and support CRM	EU-U.S. Data Privacy Framework
Paddle.com Inc.	United States	Recurring payment monitoring	Standard Contractual Clauses
Mixpanel, Inc.	United States	Customer behaviour analytics	EU-U.S. Data Privacy Framework
Avalara, Inc. (Avalara 1099)	United States	Tax reporting	Standard Contractual Clauses
Igil Webs SRL	Romania	Affiliate and referral management	EEA – no third-country transfer
Leonardo Interactive Pty Ltd	Australia	AI Cover Generator (image generation)	Standard Contractual Clauses
Anthropic, PBC	United States	AI Cover Generator, AI Metadata Generator, Book Review	Standard Contractual Clauses under the Anthropic DPA
OpenAI, L.L.C.	United States	Chatbot / AI-assisted answers via OpenAI API	Standard Contractual Clauses under the OpenAI DPA
Google LLC	United States	Analytics, advertising (Google Analytics, Google Ads)	EU-U.S. Data Privacy Framework
Hotjar Ltd.	Malta	Website usage analytics	EEA – no third-country transfer
Meta Platforms, Inc. (Facebook Pixel)	United States	Advertising / conversion tracking (subject to consent)	EU-U.S. Data Privacy Framework

7.2 Third-party book retailers

PublishDrive shares certain personal data (such as author name or pen name, book metadata and sales-relevant data) with the book retailers and library partners selected by you in the course of using the Services. These retailers are independent controllers of the data they further process. The list of retailers and stores is available in your user account.

7.3 Other recipients

We may also disclose personal data:

in response to subpoenas, court orders or other legal process, to the extent permitted by law;
when disclosure is necessary to maintain the security and integrity of the Website or to protect the rights, safety or property of PublishDrive, our users or others;
with your consent or at your direction; and
in connection with a business transaction (such as a merger, acquisition, financing, reorganisation or sale of all or part of our assets), subject to appropriate confidentiality safeguards.

8. International Data Transfers

Some of our recipients are located outside the European Economic Area, including in the United States. When we transfer personal data to such recipients, we ensure that one of the following appropriate safeguards under Articles 44–49 GDPR is in place:

an adequacy decision of the European Commission (e.g. the United Kingdom, or the EU-U.S. Data Privacy Framework in respect of DPF-certified US recipients);
Standard Contractual Clauses adopted by the European Commission pursuant to Decision (EU) 2021/914, supplemented where necessary by additional technical, organisational and contractual measures identified in a transfer impact assessment;
where necessary and permitted, one of the derogations listed in Article 49 GDPR (e.g. the transfer is necessary for the performance of a contract between you and PublishDrive).

The previously applicable EU-U.S. and Swiss-U.S. Privacy Shield frameworks are no longer a valid transfer basis and have been replaced by the EU-U.S. Data Privacy Framework (together with the UK Extension and the Swiss-U.S. Data Privacy Framework, the “DPF”), adopted by the European Commission on 10 July 2023 (Decision (EU) 2023/1795). Where a US recipient is DPF-certified, we rely on the DPF as the appropriate safeguard. Where a US recipient is not DPF-certified, we rely on Standard Contractual Clauses. Transfers to countries without an adequacy decision (such as Australia) are made on the basis of Standard Contractual Clauses.

You may request a copy of the Standard Contractual Clauses or further information on the transfer safeguards we have in place by contacting us via the contact form on the Website.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration or destruction. These measures include encryption in transit (TLS), access controls, segregation of environments, regular backups, logging and monitoring, employee confidentiality obligations, and vendor security assessments. You can help keep your data secure by choosing a strong password, keeping it confidential and logging out at the end of each session. No system is perfectly secure; in the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with Articles 33–34 GDPR.

10. Your Rights

Subject to the conditions and limitations set out in the GDPR, you have the following rights in relation to your personal data:

Right of access (Art. 15) – to obtain confirmation of whether we process personal data concerning you and, if so, a copy of that data;
Right to rectification (Art. 16) – to have inaccurate data corrected or incomplete data completed;
Right to erasure / “to be forgotten” (Art. 17) – to have your personal data deleted in certain circumstances;
Right to restriction of processing (Art. 18);
Right to data portability (Art. 20) – to receive the personal data you provided to us in a structured, commonly used and machine-readable format;
Right to object (Art. 21) – to object to processing based on our legitimate interests; you have an absolute right to object to processing for direct marketing purposes;
Right to withdraw consent (Art. 7(3)) – where processing is based on your consent;
Right not to be subject to a decision based solely on automated processing, including profiling (Art. 22) – as set out in Section 5, we do not take such decisions.

You can exercise these rights at any time by contacting us via the contact form on the Website, or, where applicable, through your user account. We will respond to your request within one month of receipt, as required by Article 12(3) GDPR; this period may be extended by a further two months where necessary, taking into account the complexity and number of requests. To protect your privacy, we may take reasonable steps to verify your identity before complying with the request.

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Hungary, the competent supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH; website: naih.hu).

11. Children's Privacy

Our Website and Services are not directed to children under the age of 18 and we do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data of a child under 18 without the consent of a parent or legal guardian, we will take steps to delete such data from our files as soon as possible. If you believe a child under 18 is using the Services, please contact us.

12. Links to Third-Party Websites

The Website may contain links to third-party websites or services operated by parties unrelated to us. We are not responsible for the privacy practices of such third parties. We recommend that you review the privacy policies and terms of use applicable to such websites or services before using them.

13. Modifications to this Policy

We may modify this Policy from time to time if our privacy practices change or to reflect changes in applicable law. The current version is always available on the Website with the effective date indicated at the top of the page. If the changes are material, we will provide a more prominent notice (including, where appropriate, by email). Please review this Policy periodically.

14. Contact

If you have any questions concerning this Policy or our data processing practices, please contact us:

via the contact form on the Website.
Postal address (US controller): PublishDrive Inc., 541 Jefferson Ave., Suite 100, Redwood City, CA 94063, United States;
PublishDrive Kft (EU establishment): Bajcsy-Zs. U. 83. , Siófok, 8600, Hungary