Privacy Policy

Notice at Collection (California & US States)

The following table describes the categories of personal information we collect, how we use it, and our data retention practices:

Note on "Sale/Share": We do NOT sell your personal information. "Share" under CPRA means cross-context behavioral advertising. We do not engage in this practice.

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Name, email address, password when you create an account
• Payment Information: Billing details processed securely through Stripe (we do not store credit card numbers)
• Profile Information: Optional profile details, preferences, and settings
• Communications: Messages you send us through contact forms or support requests

1.2 Information Automatically Collected

When you use our services, we automatically collect:

• Usage Data: URLs processed, download history, file types, quality selections
• Device Information: IP address, browser type, operating system, device identifiers
• Cookies and Tracking: Session cookies, authentication tokens, preference cookies
• Log Data: Access times, pages viewed, features used, error logs

1.3 OAuth Authentication

When you sign in with Google, we collect:

• Your email address and verified status
• Basic profile information (name, profile picture)
• OAuth tokens for authentication (stored securely)

2. How We Use Your Information

We use the collected information for:

• Service Delivery: Process downloads, provide AI tools, manage your account
• Authentication: Verify your identity and maintain secure sessions
• Payment Processing: Handle subscriptions and billing through Stripe
• Usage Limits: Enforce free tier limits (3 downloads/day) and subscription quotas
• Service Improvement: Analyze usage patterns to improve features and performance
• Communications: Send transactional emails (download ready, subscription updates)
• Legal Compliance: Comply with legal obligations and respond to lawful requests
• Security: Detect fraud, abuse, and protect against security threats

2.1 Legal Bases (EU/EEA - GDPR Article 6)

For users in the European Union and European Economic Area, we process your data based on the following legal bases:

• Performance of Contract (Art. 6(1)(b)): To create and manage your account, provide downloading and AI services, process payments, and deliver subscriptions.
• Legitimate Interest (Art. 6(1)(f)): For security purposes, fraud prevention, abuse detection, and generating aggregated analytics to improve our services.
• Consent (Art. 6(1)(a)): For non-essential cookies, marketing communications (if you opt-in), and optional features.
• Legal Obligation (Art. 6(1)(c)): To comply with tax and accounting obligations, respond to law enforcement requests, and fulfill other legal requirements.

2.2 Age Requirements (EU/EEA)

In the EU/EEA, when consent is the legal basis and local law requires it, we only request consent from users who meet the minimum applicable age (13–16, depending on country). Our services are not directed to children under 13.

3. Data Storage and Retention

3.1 Retention by Category

• Account Information: While your account is active + 12 months after deletion (for backups and legal defense)
• Downloaded/Processed Files: 3 days in Cloudflare R2, then automatically deleted
• Download Logs: 90 days for operational purposes and abuse prevention, then anonymized or deleted
• Billing Records: 7 years if required by applicable tax law (through Stripe)
• Security Logs: 90 days for incident response and fraud detection
• Session Cookies: 2 hours (essential) or until browser closure

3.2 Data Location

Your data is primarily processed and stored in:

• United States: Application servers and databases
• Cloudflare Global Network: CDN, R2 storage (distributed globally)
• Stripe (USA): Payment processing
• Google (USA): OAuth authentication

4. Information Sharing and Disclosure

We do NOT sell your personal information. We share information only as described below:

4.1 Core Sub-Processors

We work with the following trusted service providers:

We maintain Data Processing Agreements (DPA) with sub-processors as required. For UK data, we apply UK International Data Transfer Agreement (IDTA) or UK Addendum to SCC.

4.2 International Data Transfers

We primarily process data in the United States. For transfers from the EU/UK to the US or other jurisdictions, we rely on:

• Standard Contractual Clauses (SCC): EU Commission-approved transfer mechanism
• UK IDTA: UK-specific international data transfer agreement
• Supplementary Measures: Encryption in transit (TLS 1.3) and at rest (AES-256), access controls, audit logs, data minimization

We conduct Transfer Impact Assessments (TIA) when required and apply additional safeguards to ensure adequate protection for international data transfers.

4.3 Legal Requirements

We may disclose information if required by law, including:

• Compliance with legal process (subpoenas, court orders)
• DMCA takedown requests for copyrighted content
• Protection of our rights, property, or safety
• Prevention of fraud or security threats

4.3 Business Transfers

In the event of a merger, acquisition, or sale, your information may be transferred to the successor entity.

5. Cookies and Tracking Technologies

We use essential cookies (authentication, security) and non-essential cookies (analytics, preferences). For users in the EU/UK, we request your consent before setting non-essential cookies through our cookie banner.

• Essential Cookies: XSRF-TOKEN (CSRF protection), laravel_session (session management), remember_web (persistent login)
• Functional Cookies: Language preference, theme selection, video quality defaults
• Performance Cookies: Aggregated analytics to improve service quality (Cloudflare insights)
• Third-Party Cookies: Stripe (payment processing), Google OAuth (authentication when used)

6. Your Rights and Choices

6.1 GDPR Rights (EU Users)

If you are in the European Union, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request restriction of processing in certain circumstances

6.2 California (CPRA) Rights

California residents have enhanced rights under the California Privacy Rights Act (CPRA):

• Know: What personal information we collect, use, disclose, and retain
• Correct: Request correction of inaccurate personal information
• Delete: Request deletion of your personal information
• Opt-Out: Opt-out of "sale" or "sharing" for cross-context behavioral advertising (we do not engage in these practices)
• Limit Use: Limit use of sensitive personal information (we do not use sensitive data for profiling)
• Non-Discrimination: No discrimination for exercising your rights

6.3 How to Exercise Your Rights

To exercise your privacy rights:

• Email: [email protected]
• Online Form: Submit a request through your Account Settings
• Verification: We verify your identity using your verified email address plus a challenge question. We may request additional information (e.g., last login confirmation or order number) to verify identity and prevent fraud.
• Response Time: 30 days (GDPR) or 45 days (CPRA), extendable with notice
• Appeal Process: Colorado/Virginia residents may appeal within 45 days if we deny your request

6.4 Account Management

• Update Information: Edit your profile in Account Settings
• Download Data: Export your download history from My Files
• Delete Account: Contact us to permanently delete your account and data
• Cancel Subscription: Manage your subscription in Account Settings

7. Security & Incident Response

We employ industry-standard security measures to protect your information:

• Encryption in Transit: TLS 1.3 for all HTTPS connections
• Encryption at Rest: AES-256 for stored files in Cloudflare R2
• Authentication: Bcrypt password hashing, secure OAuth 2.0 implementation
• Access Control: Role-Based Access Control (RBAC), principle of least privilege
• Infrastructure: Cloudflare WAF (Web Application Firewall), DDoS protection
• Monitoring: Access logging, error tracking, audit trails
• Payment Security: PCI DSS compliant via Stripe (we never store credit card numbers)

7.1 Data Breach Notification

In the event of a security incident that poses a high risk to your rights and freedoms, we will:

• Notify affected users without undue delay
• Report to relevant supervisory authorities as required by applicable law (within 72 hours under GDPR)
• Provide information about the nature of the breach, likely consequences, and mitigation measures

7.2 Vulnerability Disclosure

Important Note: While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security but continuously work to improve our defenses.

8. Third-Party Services

Our service integrates with third-party platforms:

• Video Platforms: We access publicly available content from YouTube, TikTok, Instagram, etc. We do not share your personal information with these platforms.
• Analytics: We may use analytics tools to understand usage patterns (anonymized data)
• External Links: Our site may link to external websites. We are not responsible for their privacy practices.

9. Automated Decision-Making and Profiling

We do NOT engage in automated decision-making that produces legal effects or similarly significantly affects you (GDPR Article 22).

Our anti-abuse controls (rate limiting, fraud detection) use technical rules to protect service integrity, but these do not constitute "profiling" under GDPR. These are security measures applied uniformly based on objective criteria (e.g., request frequency, IP reputation).

10. Children's Privacy

Our services are not intended for users under 13 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us at [email protected], and we will promptly delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending an email notification to your registered email address
• Displaying a notice on our website homepage

Your continued use of our services after changes indicates acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

13. Data Protection Officer (EU Inquiries)

14. Right to Lodge a Complaint

If you are in the EU/EEA and believe we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority:

• Find your supervisory authority: European Data Protection Board
• UK residents: Information Commissioner's Office (ICO)