Privacy Policy
Last updated: May 15, 2026
This Privacy Policy explains how Cineflow ("we", "us", "our") collects, uses, and shares information when you use Cineflow ("the Service"). By using the Service, you agree to the practices described here.
1. Information We Collect
1.1 Information You Provide
- Account information: email address, display name, and authentication identifiers. If you sign in with Google, we receive your basic profile information (name, email, profile picture) from Google.
- Payment information: billing address, country, and tax identifiers required to process subscriptions and purchases. Card data and full payment details are collected and stored by our payment processor, Polar, and are not stored on our servers.
- Content you submit: prompts, reference images, generation settings, project metadata, and messages you send to the in-app assistant.
- Support communications: messages and attachments you send to our support team.
1.2 Information Collected Automatically
- Usage data: actions you take in the Service (e.g., generations started, credits consumed), session identifiers, feature interactions, and timestamps.
- Device and log data: IP address, browser type and version, operating system, approximate location derived from IP, referring URL, and error logs.
- Cookies and local storage: used to keep you signed in, remember preferences (language, billing cycle), and maintain session state. See Section 6.
1.3 Information from Third Parties
- Google OAuth: when you sign in with Google, Google provides your basic profile and a verified email.
- Polar: transaction status, subscription state, and tax residency required to apply the correct VAT/GST.
1.4 What you should NOT submit
Inputs you upload — including reference images — are transmitted to and processed by our third-party AI providers in order to generate Outputs. To protect your own legal interests and the rights of others, please do not submit:
- Identifiable images of other people without their consent. Photos of faces and other distinguishing features may be processed by AI providers and may produce Outputs that resemble those individuals. You are responsible for obtaining any required permissions.
- Biometric, sensitive personal, or otherwise regulated data — for example government IDs, medical or health records, financial account details, or fingerprint/retina scans. Some jurisdictions classify face geometry as biometric data; treat photos accordingly.
- Confidential, proprietary, or trade-secret information that you would not want transmitted to a third-party AI provider.
- Content that infringes third-party copyright, trademark, publicity, or privacy rights.
You are responsible for the content you submit. See our Terms of Service for the full list of prohibited uses.
2. How We Use Information
| Purpose | Legal basis (GDPR) |
|---|
| Operate the Service, authenticate you, and deliver generations. | Contract |
| Process subscriptions, credit packs, and invoices. | Contract / legal obligation |
| Prevent fraud, abuse, and violations of our Terms. | Legitimate interest |
| Maintain security, diagnose errors, and improve reliability. | Legitimate interest |
| Improve features and develop new ones (using aggregated or de-identified data where feasible). | Legitimate interest |
| Send service announcements and respond to support requests. | Contract / legitimate interest |
| Send marketing communications (only with your consent where required). | Consent |
| Comply with legal obligations and enforce our rights. | Legal obligation / legitimate interest |
3. How We Share Information
We do not sell your personal information. We share it only with the categories of recipients below, and only to the extent necessary:
- AI model providers (e.g., Anthropic, Google, OpenAI, Black Forest Labs, Kling, BytePlus) — we transmit your prompts, reference images, and generation parameters so they can produce Outputs. Providers process this data under their own terms.
- Cloud infrastructure — Amazon Web Services hosts the Service, stores generated assets, and delivers them through its CDN.
- Payment processor — Polar (Polar Software, Inc.) acts as the merchant of record for subscriptions and credit packs and handles payment, tax, and invoicing.
- Authentication providers — Amazon Cognito and Google (when you choose Google sign-in) authenticate your identity.
- Analytics and error monitoring — limited telemetry used to diagnose issues and understand aggregate usage.
- Legal and safety — we may disclose information to comply with legal process, respond to lawful requests, protect the rights, property, or safety of our users or the public, or investigate violations.
- Corporate transactions — if we are involved in a merger, acquisition, or asset sale, information may be transferred, subject to this Policy.
4. Generated Content & Model Training
We do not use your prompts, reference images, or Outputs to train our own foundation models, and we do not share them with third parties for their model training except as necessary to deliver the requested generation. Some AI providers may retain prompts for short periods for abuse monitoring under their own terms; consult their policies for details.
Automated decision-making. We do not engage in automated decision-making within the meaning of Article 22 of the GDPR — that is, we do not make decisions about your account, eligibility, pricing, or service tier solely by automated means in a way that produces legal or similarly significant effects on you. The AI models that generate images and videos are tools you direct; they do not make decisions about you. Our automated systems are limited to operational tasks such as content moderation, fraud detection, and abuse prevention, and significant outcomes (such as account suspension) are subject to human review on request.
5. Data Retention
- Account data — kept while your account is active, and for a reasonable period afterward for billing, tax, and dispute-resolution purposes.
- Generated assets and project data — kept as long as you maintain the project in your account; deleted when you delete the project or your account.
- Billing records — retained for the period required by applicable tax and accounting law (typically up to 7 years).
- Logs and telemetry — typically retained for 30–90 days.
6. Cookies & Local Storage
We use only strictly necessary cookies and browser local storage to keep you signed in, remember your preferences (language, billing cycle), and operate the checkout flow. We do not set Google Analytics, advertising pixels, or cross-site tracking cookies on our domain.
What's actually in use:
- Authentication tokens stored in browser local storage under the
cv_director_* prefix (your sign-in session). Cleared when you log out.
- Amazon Cognito session cookies issued by our authentication provider during sign-in.
- AWS CloudFront bot-protection cookies set by our CDN to prevent abuse.
- Polar / Stripe cookies on Polar's hosted checkout page only (not our domain), required for payment processing and fraud prevention. These are governed by Polar's and Stripe's own privacy notices.
You can clear cookies and local storage through your browser settings; doing so will sign you out and reset preferences.
Do Not Track. Our Service does not respond to "Do Not Track" browser signals. Because we do not engage in cross-site tracking or behavioral advertising, our processing is not affected by these signals in practice.
7. International Transfers
We are based in the Republic of Korea, and our infrastructure and processors operate in multiple countries, including the United States and the European Union. When we transfer personal data from the European Economic Area or the United Kingdom to a country that has not been deemed to provide adequate protection, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
8. Your Rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your data, subject to legal retention requirements;
- object to, or restrict, certain processing;
- export your data in a portable format;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local data-protection authority.
To exercise these rights, email support@cineflow.cam. We may need to verify your identity before responding.
9. Children
The Service is not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Security
We use administrative, technical, and organizational measures designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest, least-privilege access controls, and secure key management (AWS KMS). No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
If we become aware of a personal-data breach affecting your information, we will notify you and the appropriate supervisory authorities in accordance with applicable law — including, where required, within 72 hours of becoming aware of the breach under Article 33 of the GDPR.
11. Changes to This Policy
We may update this Policy from time to time. We will post the updated version here and update the "Last updated" date. Material changes will be communicated through the Service or by email.
12. Contact
Privacy questions or requests: support@cineflow.cam.