Security & privacy

Your stories are not our training data.

Micro Drama protects scripts, bibles, ideas, media and account data through technical, contractual and organisational controls. Micro Drama does not train AI models on your content.

Controls reviewed 10 July 2026 · policy version 1.0

Our commitments

No Micro Drama training

We do not use your inputs, projects or outputs to train, fine-tune or evaluate a general-purpose model.

Processing you trigger

Content is sent to an AI provider only when you invoke the relevant feature, and solely to produce the requested result.

Isolated access

Projects require authentication. Access rules isolate the owner and the collaborators they authorise.

Data-minimised logs

Technical logs retain useful diagnostics — size, status, model and cost — not script text or generated responses.

AI: deny by default

An integration is disabled in production until its service tier, exact model and confidential-processing terms have been verified. Providers receive only the data needed for the requested feature.

ProviderPurposeApplied safeguard
OpenAIWriting and script doctorAPI data is not used for training by default unless opted in. Calls use a private gateway with store:false; safety retention and ZDR depend on the applicable agreement.
AnthropicWriting and script doctorCommercial API: customer content is not used for training. Documented standard retention; zero-retention option by contract.
Google GeminiText, image and voiceFeatures are blocked until the paid project and its no-training terms are confirmed.
fal.aiImage and videoFeatures are blocked until every active model is verified Enterprise Ready and covered by the applicable terms/DPA.
ReplicateSpecialised modelsFeatures are blocked until model-specific terms and the processor agreement are verified.
LumaImage and videoAPI use is limited to terms prohibiting training on API inputs and outputs.
BytePlusVideoVideo terms prohibit training without consent; provider inventory is reviewed before activation.

Technical measures

  • TLS in transit and cloud-infrastructure encryption at rest
  • AES-256-GCM encrypted history archives with keys managed outside the codebase
  • Server-side API secrets only and mandatory production authentication
  • Owner-scoped Firestore access, separate admin roles and an audit trail
  • Private-network request blocking, URL validation and payload size limits
  • CSP, HSTS, anti-framing, permissions policy and allowlisted CORS
  • Responsible disclosure through security.txt and an incident-response process

Control of your data

You retain ownership of your content. You may request access, correction or deletion of your data and projects. Legal bases and retention details are set out in our privacy policy.

Read the privacy policy

Question or vulnerability?

Contact us with the useful context. For a vulnerability, do not include personal data or an exploitable secret in your first message; we will arrange a suitable channel.

[email protected]