Privacy Policy

Vivid Moments ("we", "our", "us") takes your privacy seriously. This Privacy Policy applies to all users of the Vivid Moments application — including anonymous visitors and authenticated account holders — and describes:

• What personal data we collect and why
• How we store, protect, and delete your data
• Your rights under applicable privacy law
• How to contact us with questions or requests

By using the Service, you acknowledge you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

1.1 Data You Provide Directly

Photographs

Images you upload to generate videos. Stored server-side with session-scoped paths, renamed to UUIDs, and EXIF metadata stripped before storage.

Google account info

When you sign in with Google: your email address and display name. We do not receive your Google password.

Feedback

Optional star ratings and text feedback you submit on generated videos. Not linked to your identity unless you are signed in.

1.2 Data We Collect Automatically

Session cookie

A cryptographically random cookie stored in an HttpOnly, Secure, SameSite=Strict cookie. Used to identify your session. Contains no personal information.

Usage analytics

We use PostHog to collect product usage events such as page views, make_video_clicked, photos_uploaded, generate_clicked, video_watched, video_shared, video_downloaded, feedback_left, buy_tokens_viewed, and purchase_started. PostHog may collect your approximate location (country/region), browser type, device type, and referring page. We use anonymised person profiles for anonymous users and identified profiles only after you sign in. Events are sent to PostHog Cloud (US region).

Payment metadata

When you purchase tokens, Stripe provides us with a transaction ID, the package purchased, the amount charged, and a timestamp. We do not receive or store your card number, CVV, or billing address.

Log data

Standard server logs may record your IP address, request path, timestamp, and HTTP status code for security and debugging purposes. Logs are retained for a maximum of 90 days.

1.3 Data We Do Not Collect

• Payment card numbers, CVV codes, or billing addresses (handled entirely by Stripe)
• Passwords (authentication is handled by Google)
• Audio or video from your device
• Contacts, location data beyond country/region, or device identifiers beyond browser type

We use the data we collect only for the following purposes:

• Providing the Service: Processing your uploaded photos, generating videos, managing your session, displaying your token balance, and delivering generated videos to you.
• Authentication: Verifying your identity via Google OAuth to allow you to download, share, and purchase tokens.
• Payments: Creating Stripe Checkout sessions and crediting your account with purchased tokens after webhook validation.
• Analytics: Understanding how users interact with the Service so we can improve it. Analytics data is anonymised and aggregated.
• Security: Detecting and preventing abuse, fraud, and unauthorised access.
• Legal compliance: Meeting our obligations under applicable law.

We do not use your data to train AI models. We do not sell, rent, or share your personal data with third parties for advertising purposes.

If you are located in the European Economic Area (EEA) or United Kingdom, our legal basis for collecting and using your personal data depends on the data in question:

• Performance of a contract: Processing your uploaded photos and generating videos is necessary to perform the Service you have requested.
• Consent: Where we rely on cookies or analytics beyond strictly necessary functionality.
• Legitimate interests: Security logging, fraud prevention, and product improvement, where these interests are not overridden by your rights.
• Legal obligation: Where required by applicable law.

We share data only with the following categories of third-party processors, strictly for the purposes described:

Evolink

Receives your uploaded images to generate transition video clips. Data is transmitted over TLS. Evolink's own privacy policy governs their processing.

Stripe, Inc.

Processes your payment card data. We share a user ID reference (client_reference_id) so we can credit your account. Stripe's Privacy Policy applies to payment data.

Google LLC

Provides OAuth authentication. We receive your email address and display name. Google's Privacy Policy applies to authentication data.

Cloudflare

Provides cloud storage for uploaded images and generated videos. Files are stored in private buckets inaccessible without a signed URL.

PostHog

Provides product analytics. Receives anonymised (or, after sign-in, identified) event data describing how you interact with the Service. PostHog's Privacy Policy applies to analytics data.

Resend

Delivers transactional emails (video-ready notifications, feedback forwarding). Receives your email address and the message contents.

We do not transfer your personal data to any third parties outside the above list. We require all processors to maintain appropriate technical and organisational security measures.

We retain personal data only as long as necessary for the purposes described in this Policy:

Uploaded photographs

Deleted 7 days from each file's individual upload date (per-file clock). Deletion is automatic and permanent.

Anonymous session videos

Deleted 24 hours from the time of generation.

Authenticated user videos

Deleted 7 days from the time of generation.

Anonymous session data

Session cookie and associated data expire after 30 minutes of inactivity.

Authenticated account data

Session expires after 30 days of inactivity. Account data (email, token balance, purchase history) is retained until you request deletion.

Payment records

Transaction IDs and purchase metadata are retained for 7 years to comply with financial record-keeping requirements.

Server logs

Retained for a maximum of 90 days, then permanently deleted.

Analytics data

Retained by PostHog per our project retention settings (default: 12 months). You may request deletion of your analytics profile by contacting us.

We implement industry-standard technical and organisational measures to protect your data:

• Encryption in transit: All data transmitted between your device and our servers uses HTTPS/TLS. All outbound requests to third-party APIs use TLS with verified certificates.
• Storage security: Files are stored in private, non-publicly-accessible S3-compatible buckets. Access is provided only via cryptographically signed, time-limited URLs (maximum 7 days).
• Session security: Session identifiers are stored in HttpOnly, Secure, SameSite=Strict cookies. Session IDs are cryptographically random (CSPRNG). A new session ID is issued on authentication to prevent session fixation.
• File sanitisation: All uploaded files are validated via magic-byte inspection, renamed to UUIDs, and stripped of EXIF metadata before storage.
• Access controls: API keys and secrets are stored in encrypted platform vaults and never committed to source control or exposed in client-side responses.
• Security headers: All responses include Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security headers.

No security measure is 100% effective. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority as required by applicable law.

7.1 Strictly Necessary Cookies

We use one strictly necessary cookie to operate the Service: a session identifier cookie. This cookie is HttpOnly, Secure, and SameSite=Strict. It does not contain personal information. Without this cookie, the Service cannot function.

7.2 Analytics Cookies

We use PostHog, which sets cookies (and uses localStorage) to distinguish users and sessions and to compile usage reports. These cookies are not strictly necessary. You may opt out by:

• Using your browser's built-in cookie controls to block third-party cookies
• Using a browser in private/incognito mode

7.3 No Advertising Cookies

We do not use advertising, tracking, or retargeting cookies. We do not allow third-party advertisers to place cookies on our Service.

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child under 13, please contact us at support@vivid-moments.video and we will delete it promptly.

Users between 13 and 18 must have verifiable parental consent to use the Service. Parents or guardians who believe their child has used the Service without consent should contact us immediately.

9.1 All Users

Regardless of your location, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Deletion: Request that we delete your personal data. Note that some data (e.g. payment records) may be retained as required by law.
• Correction: Request that we correct inaccurate personal data.
• Withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

9.2 EEA / UK Users (GDPR / UK GDPR)

If you are located in the EEA or United Kingdom, you additionally have the right to:

• Data portability: Receive your personal data in a structured, machine-readable format.
• Object to processing: Object to processing based on our legitimate interests.
• Restrict processing: Request that we restrict processing while a complaint is under review.
• Lodge a complaint: File a complaint with your local supervisory authority (e.g. the ICO in the UK or your national Data Protection Authority in the EEA).

9.3 California Users (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Delete: Request deletion of personal information we have collected, subject to certain exceptions.
• Opt out of sale: We do not sell your personal information.
• Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of the above rights, contact us at support@vivid-moments.video with the subject line "Privacy Request". We will respond within 30 days.

Vivid Moments is operated from the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US or other countries where our processors operate. These countries may have different data protection laws than your own.

Where we transfer personal data from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as required by applicable law.

The Service may contain links to third-party websites (e.g. Stripe's payment page, Google's sign-in page). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal data to them.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document and provide notice via in-app notification or email where required by law. Your continued use of the Service after the effective date constitutes your acceptance of the revised Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: support@vivid-moments.video

For EEA or UK users who wish to escalate a complaint, you may also contact your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.