Privacy Policy

• What we collect: your email, the videos you record or upload, the audio captured by your microphone (used only to power the teleprompter), the scripts you generate, payment metadata (handled by Stripe — we never see your card number), and basic device + usage analytics.
• Why: to render your videos, save your projects, charge for credits, and improve the product.
• Who we share with: Supabase (storage + auth), Anthropic (script generation), ElevenLabs (voiceover + voice cloning), Apify (public trend data), Modal (video processing), Stripe (payments), Vercel (hosting). We do not sell your data to anyone, ever.
• Your rights: access, export, delete, correct, or restrict processing of your data — anytime, from Settings or by emailing privacy@zelfie.ai.
• Account deletion: available in-app under Settings → Delete Account, or by email. We purge your account and all associated content within 30 days.

Zelfie AI (“Zelfie AI,” “we,” “us,” or “our”) operates the Zelfie AI application and website at zelfie.ai and viralu.vercel.app (the “Service”). This Privacy Policy explains what personal data we collect when you use the Service, how we use it, and the choices you have.

The data controller is Arturo Canuelas. For privacy questions, contact privacy@zelfie.ai.

2.1 Information you give us directly

• Account data: email address, display name, password hash (managed by Supabase Auth — we never store the plaintext password).
• Profile preferences: niches, language, and creator-style presets you select during onboarding.
• Content you create: the videos you record in-app or upload, the topics and scripts you generate, the captions you edit, and any annotations you make.
• Microphone audio: while you are recording in the teleprompter view, we process your speech locally and via the browser's speech-recognition API to advance the teleprompter. The audio itself is stored only as part of the video you choose to save.
• Camera video: the video you record is uploaded to our storage so we can render it into your final asset.
• Communications: emails or messages you send us (e.g., support requests, abuse reports).

2.2 Information collected automatically

• Device + browser: device type, OS version, browser, screen size, and locale. Used to deliver an appropriate render and diagnose bugs.
• Usage data: which features you use, render counts, credit consumption, error logs.
• IP address: collected by our hosting provider (Vercel) and authentication provider (Supabase) for security, rate-limiting, and fraud prevention.
• Cookies + local storage: we use first-party cookies and localStorage to keep you signed in and remember your preferences. We do not use third-party advertising cookies.

2.3 Payment information

Payments are processed by Stripe. We receive only a customer identifier, subscription status, and the last four digits of your card for receipts. We never see or store full payment card numbers. Stripe's privacy policy applies to data they collect: stripe.com/privacy.

2.4 Information we do NOT collect

• We do not access your contacts, photo library, or location.
• We do not use third-party advertising trackers (Meta Pixel, Google Ads tag, etc.).
• We do not knowingly collect data from children under 13 (under 16 in the EU — see Section 11).

If you choose the optional Voice Clone add-on, you may record a sample of your own voice. We use it solely to create a private voice model (via our processor ElevenLabs) that is linked only to your account and used only to generate your own videos. By creating a clone you confirm the voice is yours and that you consent to its processing. Your voice model is:

• Private — never shared with or accessible to other users.
• Sensitive/biometric data — handled with extra care under GDPR, CCPA, and biometric laws (e.g. Illinois BIPA).
• Deletable at any time — from the app, and automatically deleted (including from ElevenLabs) when you delete your account.

• To deliver the Service: render your videos, save your projects, sync across devices.
• To generate scripts and presets: we send your topic prompts and onboarding preferences to Anthropic (Claude) to draft script and hook options.
• To process payments: via Stripe.
• To improve the product: we look at aggregate, de-identified usage to decide which features to build next.
• To prevent abuse: rate-limiting, fraud detection, and blocking misuse of the platform.
• To communicate with you: transactional emails (receipts, password resets) and — only if you opt in — product updates.
• To comply with the law: respond to lawful requests from regulators, courts, or law enforcement.

If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract: to provide the Service you signed up for (account management, video rendering, billing).
• Consent: for microphone and camera access, marketing emails, and any optional features. You can withdraw consent at any time.
• Legitimate interests: security, fraud prevention, product analytics in aggregate form.
• Legal obligation: tax records, abuse reporting, lawful authority requests.

[LEGAL REVIEW REQUIRED] Confirm legitimate-interest balancing tests are on file before launch.

We share data only with the service providers needed to run the Service. Each is contractually bound to use your data only on our instructions.

We do not sell your personal data. We do not share it with advertisers or data brokers. We may disclose data when legally required (court order, subpoena, law enforcement request) or to protect the rights, safety, or property of Zelfie AI, our users, or the public.

Some of our service providers are located in the United States. When we transfer data from the EEA, UK, or Switzerland to the US, we rely on Standard Contractual Clauses approved by the European Commission, or on each provider's certification under the EU-US Data Privacy Framework where available.

[LEGAL REVIEW REQUIRED] Verify each subprocessor's current transfer mechanism before launch.

• Account data: kept while your account is active. Deleted within 30 days after you delete your account.
• Videos + projects: kept while your account is active or until you delete them. Deleted videos are purged from our hot storage within 24 hours and from backups within 30 days.
• Server logs: kept for up to 90 days for security and debugging.
• Payment records: kept for the period required by tax law (typically 7 years).
• Abuse / fraud signals: may be kept longer to prevent repeat offenses.

Depending on where you live, you have the right to:

• Access: request a copy of the data we hold about you.
• Correct: update inaccurate or incomplete data.
• Delete: ask us to delete your data (the “right to be forgotten”). You can delete your account at any time from Settings → Delete Account.
• Export: receive a machine-readable copy of your data (portability).
• Restrict / object: ask us to limit how we use your data.
• Withdraw consent: for any processing based on consent.
• Complain: file a complaint with your local data-protection authority. EU users may contact their national DPA; UK users, the ICO; California users, the California Privacy Protection Agency.

To exercise any right, email privacy@zelfie.ai. We respond within 30 days. We will not discriminate against you for exercising your rights.

California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of any “sale” or “sharing” (we do neither), to limit the use of sensitive personal information, and to non-discrimination for exercising these rights.

In the past 12 months we have not sold or shared personal information in the CCPA sense. The categories of data we collect are listed in Section 2.

To submit a CCPA request, email privacy@zelfie.ai with the subject line “CCPA Request.”

We use industry-standard measures to protect your data:

• HTTPS / TLS for all data in transit.
• Encrypted storage at rest (Supabase + AWS S3 server-side encryption).
• Password hashing using bcrypt or scrypt (handled by Supabase Auth — we never store plaintext passwords).
• Role-based access controls and row-level security on the database.
• Regular dependency audits and security patches.

No system can be 100% secure. If we ever learn of a breach affecting your data, we will notify you and the appropriate regulator within the timeframes required by law (within 72 hours for GDPR-applicable breaches).

The Service is not intended for children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with data, email privacy@zelfie.ai and we will delete it immediately.

The Service may link to third-party sites (e.g., Instagram, TikTok, Stripe's checkout). Their privacy practices are governed by their own policies. We are not responsible for content or practices on external sites.

We may update this policy from time to time. When we make material changes, we will notify you by email or by an in-app notice at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

For privacy questions, requests, or complaints, contact:

• Email: privacy@zelfie.ai
• Entity: Arturo Canuelas
• Postal address: 1019 Ave Jose Vigoreaux, Guaynabo, PR 00966, Puerto Rico, United States.

This policy is governed by the laws of the Commonwealth of Puerto Rico, United States, without regard to its conflict-of-laws principles. Nothing in this section limits any rights you have under your local consumer or data-protection laws.