Privacy Policy

1. Data Controller

The data controller responsible for your personal information is CineAudit (“we,” “our,” or “us”), operating the platform accessible at cineaudit.app.

For privacy inquiries, you may contact our Data Protection team at: privacy@cineaudit.app

2. Data We Collect

2.1 Account Data

When you register, we collect:

• Full name and email address
• Hashed password (we never store passwords in plain text)
• OAuth identity tokens (if you sign in with GitHub or Google)
• Billing information (processed and stored by our payment processor, Stripe; we do not store card numbers)

2.2 Usage & Production Data

• Video production requests: scenario text, style selections, uploaded reference assets
• Generated outputs: rendered video files, intermediate assets (images, audio clips)
• Pipeline logs: timestamps, processing steps, error events
• API usage metrics: requests made, compute minutes consumed

2.3 Technical Data

• IP address, browser type, operating system, device identifiers
• Session tokens and authentication cookies
• Log files for security monitoring and debugging
• Crash reports and performance telemetry (anonymised where possible)

2.4 Communications

• Support messages and attachments you send us
• Feedback, survey responses, and user research inputs
• Email communication preferences

3. Legal Basis for Processing (GDPR Article 6)

For users in the EU/EEA and the UK, we process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the CineAudit service you have subscribed to — account management, video generation, billing.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, improving our models' quality, and sending transactional product communications.
• Legal obligation (Art. 6(1)(c)): Compliance with tax, financial, and data retention laws applicable in the jurisdictions where we operate.
• Consent (Art. 6(1)(a)): Marketing emails and optional analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Your Data

• Providing, operating, and improving the CineAudit video generation platform
• Processing payments and managing subscription billing
• Sending transactional emails (receipts, production notifications, account alerts)
• Detecting and preventing fraud, abuse, and security threats
• Complying with legal obligations (tax records, court orders, regulatory requests)
• Conducting anonymised research to improve AI model quality — we do not use your production outputs to train third-party foundation models without explicit consent
• Sending service updates and, with consent, marketing communications

5. Sharing & Disclosure

We do not sell your personal information. We share data only in the following circumstances:

5.1 Sub-processors

We engage the following categories of service providers who process data on our behalf under binding data processing agreements:

• Cloud infrastructure: Hosting, storage, and compute providers (e.g., AWS, Google Cloud)
• Payment processing: Stripe, Inc. — PCI-DSS Level 1 compliant
• AI model APIs: Third-party model providers used to generate video, audio, and images (Kling AI, Fal.ai, Stable Audio, Sync Labs, Whisper, etc.) — only the content required for generation is transmitted; no account-identifying data is shared
• Email delivery: Transactional and marketing email service providers
• Analytics: Privacy-friendly analytics tools that do not build cross-site profiles

5.2 Legal Disclosure

We may disclose data when required by law, court order, or governmental authority, or when necessary to protect the rights, property, or safety of CineAudit, its users, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you before your data is subject to a different privacy policy.

6. Data Retention

• Account data: Retained for the duration of your account plus 90 days after deletion request, then permanently erased.
• Generated video files: Stored for 30 days after generation; you may download them at any time within this window. Deleted automatically thereafter unless you opt into extended storage.
• Billing records: Retained for 7 years to comply with tax and accounting regulations (EU Directive 2006/112/EC; US IRS requirements).
• Security logs: Retained for 12 months for threat detection and incident response.
• Support communications: Retained for 3 years or until resolution, whichever is longer.

7. Your Rights

7.1 Rights Under GDPR (EU/EEA/UK)

If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights:

• Right of access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
• Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
• Right to erasure / “right to be forgotten” (Art. 17): Request deletion of your data where there is no overriding legal obligation to retain it.
• Right to restriction of processing (Art. 18): Request that we limit processing in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing at any time.
• Rights related to automated decision-making (Art. 22): We do not make solely automated decisions with legal or similarly significant effects on individuals.

To exercise any of these rights, contact privacy@cineaudit.app. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

7.2 All Users

• Unsubscribe from marketing emails at any time via the link in any email
• Delete your account at any time from the dashboard settings
• Request a data export by contacting our privacy team

8. International Data Transfers

CineAudit operates globally. Personal data may be transferred to and processed in countries outside your country of residence, including the United States. When transferring personal data from the EU/EEA or the UK to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs)approved by the European Commission (Decision 2021/914) and the UK's International Data Transfer Agreement (IDTA) as appropriate legal transfer mechanisms.

You may request a copy of the applicable transfer safeguards by contacting privacy@cineaudit.app.

9. Cookies & Tracking Technologies

9.1 Strictly Necessary Cookies

Required for the service to function — session authentication, CSRF protection, load balancing. These cannot be disabled.

9.2 Analytics Cookies

Used to understand how users interact with the platform. We use privacy-preserving analytics. These cookies are only set with your consent.

9.3 Preference Cookies

Remember your settings (theme, language, dashboard layout). Stored locally on your device.

You can manage cookie preferences through your browser settings or via our Cookie Preferences panel accessible from the footer. Disabling analytics cookies does not affect platform functionality.

10. Children's Privacy

CineAudit is not directed at children under the age of 16 (or under 13 in the United States, in accordance with the Children's Online Privacy Protection Act — COPPA). We do not knowingly collect personal information from children under these ages. If you believe a child has provided us with personal information, please contact us at privacy@cineaudit.app and we will promptly delete it.

11. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm this.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right.

To exercise your California rights, submit a verifiable consumer request to privacy@cineaudit.app. We will respond within 45 calendar days.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

• TLS/HTTPS encryption for all data in transit
• AES-256 encryption for data at rest
• Regular security assessments and penetration testing
• Role-based access controls limiting internal data access
• Multi-factor authentication for privileged systems

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Article 33–34.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and update the “Effective date” at the top of this page at least 14 days before changes take effect. Continued use of the service after that date constitutes acceptance of the revised policy.

14. Contact Us

For any privacy-related questions, requests, or complaints:

• Email: privacy@cineaudit.app
• General support: support@cineaudit.app
• Response time: We aim to respond to all privacy requests within 5 business days and are legally required to respond within 30 days (GDPR) or 45 days (CCPA/CPRA).