Privacy Policy
LAST UPDATED · JULY 1, 2026
Overview
Information We Collect
- Google account information (name, email address, profile picture) obtained through OAuth authentication
- Topics, idea selections, channel archetypes, custom rules, and style settings you provide for content generation
- Generated outputs you accept, edit, or save (scripts, titles, descriptions, thumbnail prompts and renders, voiceovers, and rendered videos)
- Voice selections and media you upload for use in your renders (footage clips, images, audio)
- Payment and billing information processed securely by Stripe (we never store your card details on our servers)
- Communications you send to us (support requests, feedback)
- Usage data: pages visited, features used, generation counts, run history
- Device information: browser type and version, operating system, screen resolution
- Network information: IP address, approximate geographic location (country/region level)
- Cookies and similar technologies for session management and analytics
- Log data: access times, referring URLs, error logs
- We do not collect biometric data
- We do not collect precise geolocation data
- We do not access your Google Drive, YouTube account, or other Google services beyond authentication
- We do not store credit card numbers, bank account details, or other financial account information
How We Use Your Information
- Provide, operate, and maintain the Service
- Process your generation requests (scripts, titles, descriptions, thumbnails)
- Process payments and manage subscriptions
- Authenticate your identity and manage your account
- Communicate with you about your account, billing, and Service updates
- Improve, optimize, and develop new features for the Service
- Detect, investigate, and prevent fraud, abuse, and security incidents
- Comply with legal obligations and enforce our Terms of Service
- Send promotional communications (with your consent, and with the ability to opt out at any time)
We analyze data generated inside the Service (the channel archetypes you choose, your style and scripting settings, the topics and ideas you generate, and aggregate usage patterns) in aggregated and de-identified form. We use these insights to understand content and format trends, identify niche and topic opportunities, and improve our models, archetypes, and recommendations for all users. This analysis is not tied to your name, email, or any identifier that singles you out, and we never sell your personal information. We do not access your external YouTube account or analytics for this purpose (see Section 2.3). Where required, our legal basis is our legitimate interest in operating and improving the Service; you may object to this processing of your de-identified product data at any time by contacting us at the address in Section 14.
Legal basis for processing (GDPR):- Contract performance: processing necessary to provide the Service you subscribed to
- Legitimate interests: analytics, fraud prevention, service improvement
- Consent: marketing communications, optional cookies
- Legal obligation: tax records, compliance with law enforcement requests
AI Processing and Training
- Large language model providers (currently Anthropic, US) for text generation: your topics, idea selections, custom rules, and style settings are sent to produce scripts, titles, and descriptions
- An image generation provider (currently Google, US) for thumbnail rendering
- A voice synthesis and transcription provider (US): script text is sent to generate voiceovers, and generated audio may be transcribed for caption timing
- Render compute infrastructure (US) that assembles your voiceover, media, and graphics into a finished video
- Managed media retrieval providers, used only when you enable publicly sourced footage for a render
- A media processing server we operate in the European Union, used for media retrieval and transcription
How We Share Your Information
- Service providers that help us operate the Service:
- Supabase (authentication and database hosting)
- Stripe (payment processing)
- Anthropic (text generation)
- Google AI / Gemini (image generation)
- Cloudflare R2 (media storage and CDN)
- Inngest (background job processing)
- Resend (transactional emails)
- Vercel (application hosting and privacy-focused analytics)
- A voice synthesis and transcription provider (US)
- Render compute infrastructure providers (US)
- Managed media retrieval providers (used only for renders where you enable publicly sourced footage)
- A European hosting provider (EU) for media processing and transcription
- Legal authorities when required by law, legal process, or to protect our rights, property, or safety
- Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity
Data Retention
- Account data is retained for as long as your account is active
- Generated content (scripts, titles, descriptions, thumbnails, voiceovers, and videos) is retained while your account is active so you can access your run history
- You can request deletion of your generated content or your entire account at any time by emailing legal@ctrmaxxing.com. Deletion requests are processed by our team and completed within 30 days, except where retention is required by law
- Payment records are retained as required by tax and accounting laws (typically 7 years)
- Server logs are retained for up to 90 days
Children's Privacy (COPPA)
Your Privacy Rights
- Access your personal data we hold
- Correct inaccurate personal data
- Delete your account and associated data
- Opt out of marketing communications at any time
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt out of the "sale" or "sharing" of personal information (we do not sell or share your personal information for cross-context behavioral advertising)
- Right to non-discrimination for exercising your privacy rights
- Right to limit the use of sensitive personal information (we do not collect sensitive personal information as defined by CPRA)
- Right to access, rectify, and erase your personal data
- Right to data portability (receive your data in a structured, machine-readable format)
- Right to restrict or object to processing
- Right to withdraw consent at any time (without affecting the lawfulness of prior processing)
- Right to lodge a complaint with your local data protection authority
Cookies and Tracking
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Analytics: We use a privacy-focused analytics service (Vercel Analytics) to understand aggregate usage of the Service. It does not use cookies and does not track you across other sites.
Data Security
- Encryption in transit (TLS/HTTPS) for all data transmissions
- Encryption at rest for stored data
- Row-level security policies in our database
- OAuth-based authentication (no passwords stored)
- Webhook signature verification on billing events
- Regular security reviews of our infrastructure