Privacy Policy

Effective

DRAFT — Not yet reviewed by counsel.

This policy is a starting draft for attorney review. It is NOT legal advice and does NOT bind RapidThumbnails until reviewed, edited, and approved by qualified counsel licensed in the operating jurisdiction. Do not rely on this document as currently written.

This Privacy Policy explains how RapidThumbnails collects, uses, shares, and protects personal information when you use our Service. We follow the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and applicable US state privacy laws.

1. Data Controller

RapidThumbnails, [LLC name pending], is the controller for personal data processed via the Service. For data-protection inquiries, contact privacy@rapidthumbnails.com.

2. Information We Collect

2.1 Information you provide

  • Account data: email address, display name, jurisdiction setting.
  • Billing data: processed by Stripe; we receive card brand + last four digits, not full card numbers.
  • Generation inputs: source URLs, reference photos (including face likenesses), descriptions, style and emotion selections.
  • Generated outputs: images, clips, captions you create.
  • Support correspondence: emails and chat messages you send us.

2.2 Information collected automatically

  • Usage data: features used, credits consumed, generation counts, timestamps.
  • Device data: browser type, operating system, screen size.
  • Network data: IP address (used for security, abuse prevention, and approximate region detection).
  • Cookies: see our Cookie Policy.

3. How We Use Information

  • To provide, maintain, and improve the Service.
  • To process payments and manage subscriptions.
  • To detect and prevent abuse, fraud, and violations of our Acceptable Use Policy.
  • To respond to support requests.
  • To comply with legal obligations (including AI content disclosure under the EU AI Act and equivalent US state laws).
  • To send transactional messages (account, billing, security). Marketing messages are opt-in only.

We do not sell your personal information. We do not use your reference photos, generated outputs, or generation prompts to train AI models.

4. Legal Bases (GDPR/UK GDPR)

  • Performance of a contract — to provide the Service you signed up for.
  • Legitimate interests — fraud prevention, security, service improvement.
  • Consent — non-essential cookies, marketing emails.
  • Legal obligation — tax, AI disclosure, anti-money-laundering, DMCA.

5. Sharing with Third Parties

We share data with the following processors strictly as needed to operate the Service:

  • Stripe, Inc. — payment processing.
  • Supabase Inc. — authentication, application database, file storage.
  • Cloudflare, Inc. — content delivery, R2 object storage, DNS, DDoS protection.
  • Vercel Inc. — web application hosting.
  • Fly.io / The Fly Cloud Platform Inc. — background rendering workers.
  • fal.ai — AI image generation. Reference photos and prompts are sent for the duration of the render only.
  • Google LLC — Gemini API for text and image analysis.

We will not share data with third parties for their own marketing or model-training purposes. We do not transfer data outside of these processors except in response to a valid legal request or to protect rights, property, or safety.

6. International Data Transfers

Our processors operate primarily in the United States. Where required by law, transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States rely on Standard Contractual Clauses adopted by the European Commission or the UK International Data Transfer Addendum, and the EU-US / UK-US Data Privacy Frameworks where applicable.

7. Data Retention

  • Account data: retained while your account is active and for up to 12 months after closure for dispute resolution and legal compliance.
  • Reference photos and AI generations: retained while the corresponding generation history row exists; you can delete generations from your dashboard.
  • Rendered clips: retained on Cloudflare R2 while the parent clip job is active; older clip jobs are reaped automatically per our retention schedule.
  • Audit and billing records: retained as long as required by law (typically 7 years).

8. Your Rights

Depending on your location, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (subject to legal retention requirements).
  • Request portability — a copy of your data in a structured, machine-readable format.
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent for processing based on consent at any time.
  • Opt out of the sale or sharing of personal data (CCPA/CPRA — note we do not sell or share personal data for cross-context advertising).
  • Lodge a complaint with your supervisory authority.

Submit rights requests to privacy@rapidthumbnails.com. We will respond within 30 days (45 days for CCPA, extendable once for complex requests).

9. Children

The Service is not directed to children under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from such individuals.

10. Security

We use industry-standard measures including encryption in transit (TLS), encryption at rest for stored files, role-based access controls, and audit logging. No system is perfectly secure; if we discover a personal data breach affecting you, we will notify you and the relevant supervisory authority as required by law.

11. Changes to This Policy

We will update this Policy when material changes occur. The effective date at the top of this page reflects the most recent revision. We will provide reasonable notice of material changes by email or in-product notice.

12. Contact

Privacy questions: privacy@rapidthumbnails.com.