Privacy Policy

PanzLab is a free peer-to-peer feedback platform for screenwriters and filmmakers. Members review each other's screenplays through a credit economy — earning credits by reviewing, spending them to submit their own work. The platform is currently operated by its founding team. PanzLab acts as the data controller for personal information collected through the platform.

Privacy contact and data subject requests: support@panzlab.com

PanzLab is an adults-only platform. We do not knowingly collect personal information from anyone under 18 years of age. If we become aware that a user is under 18, we will terminate their account and delete associated personal data as soon as practicable. If you believe a minor has registered, please report it to support@panzlab.com immediately.

We collect information you provide directly, information generated by your use of the platform, and limited information from third-party services we rely on.

Information you provide:

• Account data: email address, display name, password (stored as a cryptographic hash), and profile fields you complete.
• User-generated content: script files (PDF), review text, ratings, report submissions, dispute messages, and other content you submit.
• Communications: messages, feedback, or support requests you send us directly.
• Optional profile signals: creator role, interests, bio, external links, and project preferences you choose to share.

Information collected automatically:

• Usage data: pages visited, features accessed, timestamps, session duration, and navigation patterns.
• Device and technical data: IP address, browser type and version, operating system, device identifiers, and error logs.
• Session data: authentication session tokens (e.g., panzlab_session) required for route access control and authenticated features.
• Security signals: Google reCAPTCHA verification data where enabled, used to detect and prevent bot activity and abuse.

Information from third-party providers:

• Firebase (Google) authentication tokens and associated authentication metadata when you log in.
• If you use social login options (e.g., Google Sign-In), we receive basic profile information from that provider per your authorization.

We use personal information for the following purposes:

• Service operation: creating and managing accounts, processing script submissions, administering the credit and review system, and running moderation workflows.
• Security and trust: detecting and preventing fraud, abuse, unauthorized access, policy violations, and security incidents; enforcing community rules.
• Platform improvement: analyzing usage patterns to improve reliability, performance, and user experience; developing and testing new features.
• Communications: sending account-related notices, security alerts, policy updates, and responding to your support requests. We do not send unsolicited marketing emails.
• Legal compliance: complying with applicable laws, regulations, court orders, and legitimate legal requests; enforcing our Terms of Service.

For users in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases:

• Contract performance: processing necessary to provide the platform services you signed up for (account creation, submission workflows, review mechanics).
• Legitimate interests: platform security, fraud prevention, abuse detection, product improvement, and communications about your account — where our interests do not override your fundamental rights and freedoms.
• Legal obligation: processing required to comply with applicable laws or regulatory requirements.
• Consent: for any processing not covered by the above, we will ask for your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

We do not sell your personal information.

We share information only in the following circumstances:

• Infrastructure providers: Firebase / Google Cloud for authentication, database, and file storage; Vercel for hosting and edge delivery. These providers process data on our behalf under data processing agreements.
• Security providers:Google reCAPTCHA for bot and abuse prevention, processed subject to Google's Privacy Policy.
• Other users (by design): your display name, reviews you write, scripts you submit, and group membership may be visible to other platform users as part of core platform functionality. You control what optional profile information you share.
• Legal authorities: when required by valid legal process, court order, or governmental authority; or when we believe in good faith that disclosure is necessary to protect rights, safety, or the integrity of the platform.
• Business transfers: in connection with a merger, acquisition, restructuring, or sale of assets; affected users will be notified prior to personal data becoming subject to a different privacy policy.
• Professional advisors: lawyers, accountants, and insurers where necessary for legal, compliance, and risk management purposes, subject to appropriate confidentiality obligations.

PanzLab uses session cookies and similar technologies necessary for authentication, route access control, and basic platform functionality. These are strictly necessary and cannot be disabled without breaking core features.

We do not currently use advertising or behavioral tracking cookies. If this changes, we will update this policy and provide appropriate consent mechanisms where required by law.

You can manage cookies through your browser settings. Disabling session cookies will prevent you from logging in or using authenticated features.

We retain personal information for as long as necessary to provide the service and fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Active account data: retained for the lifetime of your account.
• User-generated content: retained until you delete it or close your account, subject to retention obligations below.
• Post-closure retention: we may retain limited records (e.g., moderation logs, dispute records, security events, transactional records) after account closure for up to 3 years where necessary for fraud prevention, legal compliance, abuse prevention, dispute resolution, or audit purposes.
• Aggregated and anonymized data: may be retained indefinitely for platform analytics and improvement purposes.

We implement reasonable technical and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include:

• Encrypted data transmission (HTTPS/TLS) for all platform traffic.
• Password storage using one-way cryptographic hashing (via Firebase Authentication).
• Role-based access controls limiting internal data access to those who need it.
• Security monitoring and automated abuse-detection systems.
• Google reCAPTCHA to detect and prevent bot-driven account abuse.

No security system is impenetrable. If you believe your account has been compromised, contact support@panzlab.com immediately. In the event of a data breach affecting your rights, we will notify affected users and relevant regulators as required by applicable law.

PanzLab operates with infrastructure primarily based in the United States. If you access PanzLab from outside the U.S., your personal information may be transferred to and processed in the U.S. or other countries where our service providers operate.

For transfers of personal data from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, as applicable. You may request information about our transfer safeguards by contacting support@panzlab.com.

We use automated systems for spam and bot detection, abuse prevention (via reCAPTCHA), and platform security scoring. These are used as signals, not as sole determinants of consequential decisions about your account.

Where automated processing could produce decisions with legal or similarly significant effects, we provide for human review and an appeal pathway, in compliance with applicable law.

Depending on your location, you may have the following rights regarding your personal information. To exercise any right, contact support@panzlab.com. We may need to verify your identity before fulfilling your request.

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete personal data.
• Deletion: request deletion of your personal data, subject to our legal retention obligations.
• Restriction: request that we limit processing of your data in certain circumstances.
• Portability: request a machine-readable copy of personal data you provided to us.
• Objection: object to processing based on legitimate interests or direct marketing.
• Withdraw consent: where processing is based on consent, withdraw consent at any time without affecting prior lawful processing.

We will respond to verified requests within 30 days, or within any shorter period required by applicable law. We will not discriminate against you for exercising your privacy rights.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.

Categories of personal information we collect (as defined by CCPA):

• Identifiers (email address, IP address, display name, account ID).
• Internet or network activity (usage data, navigation, session data).
• Inferences drawn from the above to understand user behavior for security.
• User-generated content (scripts, reviews, reports you submit).
• Professional or creator-related information you voluntarily provide.

We do not "sell" or "share" personal information for cross-context behavioral advertising as defined by the CCPA/CPRA. If this ever changes, we will provide a "Do Not Sell or Share" mechanism and honor Global Privacy Control (GPC) signals.

Your CCPA rights include: Right to Know (categories and specific pieces of data); Right to Delete; Right to Correct; Right to Opt-Out of Sale/Sharing; Right to Limit Sensitive Personal Information Use; Right to Non-Discrimination.

To exercise your California rights, contact support@panzlab.com. We will respond within 45 days (extendable by an additional 45 days with notice). We do not require you to create an account to submit a request, but we will need to verify your identity.

If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR in addition to the rights described in Section 11 above.

You have the right to lodge a complaint with your local data protection supervisory authority. For EEA residents, your relevant authority is the data protection authority in your country of residence. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.

Where PanzLab relies on legitimate interests as a legal basis, you have the right to object. We will honor your objection unless we have compelling legitimate grounds that override your interests, or the processing is for the establishment, exercise, or defense of legal claims.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. For material changes that affect your rights, we will provide at least 14 days' advance notice via email or a prominent in-platform notice.

Continued use of PanzLab after an updated Privacy Policy takes effect constitutes acceptance of the revised policy. If you disagree with any change, you may close your account.

For privacy questions, data subject requests, or security concerns:

• Email: support@panzlab.com
• Data requests: support@panzlab.com (include "DATA REQUEST" in subject)
• Urgent privacy matters: include "URGENT — PRIVACY" in subject line
• Data breach reports: include "SECURITY INCIDENT" in subject line

We aim to respond to all privacy inquiries within 5 business days and to fulfill verified data subject requests within the timeframes required by applicable law.