1. Introduction
Bookmancer ("we," "our," or "us") is an AI-powered book recommendation service operated by an individual based in Brazil. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and services at https://bookmancer.app (the "Service").
This policy is designed to comply with applicable data protection laws, including Brazil's General Data Protection Law (Lei Geral de Proteção de Dados — LGPD), the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
By using our Service, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will obtain your consent before processing your personal data.
2. Information We Collect
2.1 Personal Information You Provide
When you create an account or use our Service, we may collect:
- Account Information: Your name, email address, and profile picture — provided directly or through third-party sign-in providers (Google or Microsoft)
- Reading Preferences: Your responses to our recommendation form, including preferred genres, books and authors you love or dislike, reading moods, narrative styles, topics of interest, and any additional context you share about your reading life
- Payment Information: When purchasing credits, your billing details are collected and processed directly by Stripe, our payment processor. We do not receive or store your full credit card number, CVV, or other sensitive payment details
- Contact Form Submissions: If you contact us, we collect your name (optional), email address (optional), and message content
2.2 Information Collected Automatically
When you access our Service, we automatically collect:
- IP Address: Collected via Cloudflare's infrastructure and stored with your session for security purposes
- User Agent: Your browser type, version, and device information, stored with your session
- Usage Data: Pages visited, features used, searches performed, and recommendations viewed
- Analytics Data: Page views and interaction events collected through Umami, a privacy-focused, cookie-free analytics tool that does not collect personally identifiable information
2.3 Cookies and Local Storage
We use the following technologies to store information on your device:
- Session Cookies: Essential cookies to maintain your authenticated session. These expire when your session ends or after the configured session lifetime
- Cloudflare Turnstile: Bot detection cookies set by Cloudflare's CAPTCHA service during sign-in to protect against automated abuse
- Local Storage: We use your browser's local storage to save your language preference, theme preference (light/dark mode), your chosen recommendation quality mode (Fast or High Quality), and a temporary history of recently recommended book titles (automatically deleted after 24 hours) to help avoid duplicate recommendations. This data stays on your device and is not transmitted to our servers except when you request new recommendations, at which point the recent titles and your quality mode selection are sent so we can process your request accordingly
3. How We Use Your Information
We use the information we collect to:
- Provide Personalized Recommendations: Process your reading preferences through our AI system to generate tailored book suggestions
- Manage Your Account: Create and maintain your account, track your credit balance, and process purchases
- Improve the Service: Analyze usage patterns to enhance features, fix issues, and optimize performance
- Protect the Service: Detect and prevent fraud, abuse, and security threats using IP addresses, user agents, and CAPTCHA verification
- Communicate with You: Send transactional emails (magic link sign-in, account notifications) and respond to contact form inquiries
- Comply with Legal Obligations: Meet applicable legal requirements and enforce our Terms of Service
4. AI Processing Disclosure
Our book recommendation engine is powered by a third-party large language model (LLM) provider. When you request recommendations, we process your data as follows:
- Data Sent to AI: Your reading preferences from the recommendation form — including genres, moods, styles, topics, books liked/disliked, and additional context. We also send a list of your previously saved books so the AI can avoid recommending duplicates
- Data NOT Sent to AI: Your name, email address, IP address, payment information, and any other personally identifiable information are never sent to the AI model
- AI Request Routing: AI requests are routed through Cloudflare AI Gateway to a third-party AI model provider. Responses may be cached at the edge — if you search with identical preferences, we may return a cached result at no credit cost. Users can choose between a Fast mode (1 credit) and a High Quality mode (2 credits), each using a different AI model
- AI Provider's Data Practices: We use paid API tiers from our AI provider, which means your prompts and responses are not used to train or improve their models. The provider may temporarily retain data for abuse monitoring and safety purposes in accordance with their terms of service
- AI Limitations: Recommendations are generated by AI and may contain inaccuracies, references to books that do not exist, or incorrect information about authors or content. We make no guarantee of accuracy
Important: Please do not include sensitive personal information (such as health conditions, financial details, or government identifiers) in the recommendation form. The form is designed for reading preferences only.
5. Third-Party Service Providers
We work with the following third-party service providers who may process your data on our behalf:
- Google — OAuth authentication (sign-in only). See Google's Privacy Policy
- Microsoft — OAuth authentication (sign-in). See Microsoft's Privacy Statement
- Umami — Cookie-free usage analytics. No cookies are set, and no personal data is collected. See Umami's Privacy Policy
- Stripe — Secure payment processing for credit purchases. See Stripe's Privacy Policy
- Cloudflare — Website hosting, bot protection (Turnstile CAPTCHA), and content delivery (CDN). See Cloudflare's Privacy Policy
- Amazon — Book recommendation cards include links to Amazon for purchasing. As an Amazon Associate, Bookmancer earns from qualifying purchases. Clicking these links redirects you to Amazon's platform, subject to Amazon's Privacy Notice
6. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR (Article 6) and LGPD (Article 7):
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| Generating AI recommendations | Performance of contract |
| Processing credit purchases | Performance of contract |
| Sending transactional emails (magic links) | Performance of contract |
| Security measures (IP logging, CAPTCHA) | Legitimate interest (service security) |
| Analytics and service improvement | Legitimate interest (service improvement) |
| Responding to contact form inquiries | Consent / Legitimate interest |
| Legal compliance and fraud prevention | Legal obligation / Legitimate interest |
7. How We Share Your Information
We do not sell, rent, or trade your personal information. We do not share your data for third-party marketing purposes. We share your information only in these circumstances:
- Service Providers: With the third-party providers listed in Section 5, strictly to operate and improve the Service
- Legal Requirements: When required by law, court order, or government request, or to protect our rights, safety, or property
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy
8. International Data Transfers
Your information may be processed in multiple locations due to the nature of our infrastructure:
- Cloudflare: Processes requests at edge locations worldwide, with databases hosted in Cloudflare's infrastructure
- Google and AWS: May process data in the United States and other countries where they operate
For users in the European Economic Area (EEA): Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as implemented by our service providers.
For users in Brazil: International transfers are conducted in compliance with LGPD Article 33, based on contractual necessity and the data protection commitments of our service providers.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- HTTPS encryption for all data in transit
- Secure authentication tokens with expiration
- OAuth 2.0 protocols for third-party sign-in
- Cloudflare's DDoS protection and WAF (Web Application Firewall)
- Cloudflare Turnstile CAPTCHA to prevent automated abuse
However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Data Retention
We retain your personal information according to the following schedule:
- Account Data: Retained for as long as your account remains active
- Session Data: Sessions expire according to our authentication configuration and are cleaned up automatically
- Saved Books and Recommendations: Retained for as long as your account is active
- Payment Records: Transaction records are retained as required by applicable tax and financial regulations
- Server Logs: Retained according to Cloudflare's log retention policies
- Contact Form Submissions: Retained for as long as needed to address your inquiry, then deleted
- After Account Deletion: See Section 12 for details on what happens when you delete your account
11. Your Rights
11.1 For All Users
Regardless of your location, you can:
- Access and update your account information at any time through your account settings
- Delete your account through your account settings
- Contact us at bookmancer.app/contact for any privacy-related requests
11.2 For Users in Brazil (LGPD Rights)
Under Brazil's Lei Geral de Proteção de Dados (LGPD), you have the right to:
- Confirmation of Processing: Confirm whether we process your personal data
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate, incomplete, or outdated data
- Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD
- Data Portability: Request portability of your data to another service provider
- Information About Sharing: Request information about which third parties have access to your data
- Consent Revocation: Withdraw your consent at any time, where processing is based on consent
- Opposition: Object to processing that you believe violates the LGPD
- Complaint to ANPD: You have the right to file a complaint with Brazil's National Data Protection Authority (Autoridade Nacional de Proteção de Dados — ANPD) at www.gov.br/anpd
We will respond to LGPD requests within 15 days of receipt, as required by law.
11.3 For Users in the EU/EEA (GDPR Rights)
Under the General Data Protection Regulation, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data
- Data Portability: Request your data in a structured, machine-readable format
- Restriction: Request that we limit how we process your data
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Where processing is based on consent, withdraw it at any time
- Lodge a Complaint: File a complaint with your local Data Protection Authority
11.4 For Users in California (CCPA/CPRA Rights)
- Right to Know: What personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Do Not Sell or Share: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
- Automated Decision-Making: Our AI-powered recommendations involve automated processing of your reading preferences. You may request information about the logic involved and opt out of automated decision-making where required by law
To exercise any of these rights, please contact us at bookmancer.app/contact.
12. Account Deletion
You may delete your account at any time through your account settings. When you do:
- Your saved books, reading preferences, and recommendation history are permanently deleted
- Your credit balance is reset to zero — unused credits are forfeited
- Your OAuth account connections (Google, Microsoft) are unlinked
- Core account records (such as your user ID and email) are anonymized and retained for a limited period (up to 30 days) for legal compliance, fraud prevention, and to resolve any pending disputes, after which they are permanently deleted
Account deletion is irreversible.
13. Children's Privacy
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. Under Brazil's LGPD, processing personal data of children and adolescents requires specific parental or legal guardian consent.
If you believe a child under 16 has provided us with personal information, please contact us immediately, and we will take steps to delete such information.
14. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we commit to:
- Notifying affected users without undue delay via the email address associated with their account
- Reporting the breach to relevant supervisory authorities as required by law — including Brazil's ANPD (under LGPD) and applicable EU Data Protection Authorities (under GDPR)
- Providing information about the nature of the breach, the data affected, and the measures taken to address it
15. Cookie Management
You can manage cookies through your browser settings. Most browsers allow you to block or delete cookies. However, please note:
- Blocking session cookies will prevent you from signing in to the Service
- Analytics: We use Umami, which is cookie-free — no analytics cookies are set, and no opt-out action is needed
- Local storage preferences (language, theme) can be cleared through your browser's developer tools or site settings
16. Third-Party Links
Our Service contains links to third-party websites, primarily Amazon for book purchases. As an Amazon Associate, Bookmancer earns from qualifying purchases. We are not responsible for the privacy practices of external sites. We encourage you to review their privacy policies before providing any personal information.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by:
- Posting the updated Privacy Policy on this page
- Updating the "Last Updated" date at the top
- Sending a notification to your registered email address for significant changes
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy, to the extent permitted by applicable law.
18. Contact and Data Protection
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is handled, please contact us through our contact page at bookmancer.app/contact.
As Bookmancer is operated by an individual, we do not have a formal Data Protection Officer (DPO). However, we are committed to responding to all privacy inquiries and data subject requests within the timeframes required by applicable law.
By using Bookmancer, you acknowledge that you have read and understood this Privacy Policy.