CineMake Privacy Policy

Version: v0.4.0

Effective Date: January 27, 2026

  1. Scope

    1. This Privacy Policy describes how CineMake processes personal data when you use our AI filmmaking services and related sites, and how we share data with Providers (OpenAI, Google Veo/Vertex AI, Supabase, Clerk, Vercel, Paddle) to operate the Service.
    2. Provider Privacy Policies: Your use of Provider services through CineMake is also subject to their respective privacy policies:
      • OpenAI Privacy Policy (updated June 27, 2025) — governs how OpenAI collects and processes data when you use features powered by their models
      • Google Cloud Privacy Notice (effective December 18, 2025) — governs Service Data processing for Google Cloud Platform services including Vertex AI/Veo
      • Paddle Privacy Policy — governs payment data processing for checkout and billing
  2. Categories of Data We Process

    1. Account & identity data (via Clerk): email, identifiers, authentication signals, and account status.
    2. Technical/log data: IP address, user agent, device/OS, timestamps, policy version accepted, consent surface (web/mobile), and in-app events required for security, fraud prevention, analytics, and audit. Supabase PostgreSQL stores audit logs with append-only retention policies.
    3. Rendering metadata: prompts, settings, model/provider selections, generation IDs, watermarks, output hashes, and related operational data.
    4. Billing/commerce metadata (via Paddle): transaction IDs, currency, amount, taxes, payment method type, subscription status, credit pack purchases, refund status, and break-the-seal timestamps. Paddle is Merchant-of-Record and handles payment card data securely—CineMake does not store payment card numbers.
    5. Credit usage data: Credit pack status (unopened/opened/refunded), refund window expiry dates, consumption timestamps, FIFO tracking, and usage snapshots for billing reconciliation.
    6. Hosting/analytics telemetry (via Vercel): privacy-forward analytics that do not use third-party cookies; visitors are identified by a request hash and session data is short-lived.
  3. Purposes and Legal Bases

    1. We process data to:
      1. authenticate and manage accounts (Clerk);
      2. render outputs, deliver features, and moderate per Provider policies;
      3. bill, track credits, and handle taxes/refunds (Paddle) including break-the-seal refund eligibility tracking;
      4. secure, audit, and comply using Supabase PostgreSQL audit tables and immutable Ledger entries; and
      5. measure and improve using privacy-forward, cookie-less analytics.
  4. Sharing and Disclosures

    1. We share personal data with Processors/Providers to the extent necessary to operate the Service:

      • Supabase (database/backend), Clerk (identity), Vercel (deployment/analytics), Google Cloud Storage (asset storage)
      • Paddle (payments/Merchant-of-Record): Paddle processes payment data to facilitate transactions. Paddle is PCI-DSS compliant and handles sensitive payment information securely. See Paddle's Privacy Policy for details on their data practices.
      • OpenAI (model inference): Per OpenAI's Privacy Policy, they collect Content (prompts and uploads) to provide services. You can opt out of training data usage per their instructions. API data is retained up to 30 days for safety monitoring unless configured otherwise.
      • Google Veo/Vertex AI (video generation): Per Google Cloud Privacy Notice, Google processes Service Data to provide, maintain, and improve services. Google does not use Customer Data to train models without consent. Automated safety tools may log prompts if abuse is detected (per Section 4.3 of Google Cloud Terms).
      • Each publishes compliance materials (e.g., Paddle's DPA; Vercel and Clerk DPAs; OpenAI and Google Cloud DPAs for enterprise customers).
    2. We also disclose data where required by law, to protect rights/safety, or in corporate transactions subject to appropriate safeguards.

  5. International Transfers

    1. Where data move across borders, we rely on our processors' transfer mechanisms (e.g., SCCs under their DPAs). See Vercel DPA, Clerk DPA, and Paddle DPA.
  6. Retention

    1. Ledger/consent records and security logs: retained for the life of your account and for a period thereafter necessary for compliance and audit. Supabase PostgreSQL supports configurable retention policies.
    2. Account and billing data: retained while your account is active and as needed post-closure for fraud prevention, tax, disputes, and legal obligations.
    3. Credit pack and usage data: retained for billing reconciliation, refund eligibility verification, and compliance with 2026 Digital Fairness Regulations audit requirements.
    4. Rendering metadata/outputs: retained to operate features (history, re-download), support moderation/investigations, and comply with law.
  7. Your Rights

Subject to applicable law, you may access, correct, delete, object/restrict, or port your data. Submit requests from your account or email support@cinemake.ai.

  1. Provider-Specific Rights:

    • OpenAI: You can exercise rights through privacy.openai.com or dsar@openai.com per their Privacy Policy
    • Google Cloud: Rights requests should be directed to your Google Cloud account settings or Google's data subject request process
    • Paddle: For payment data inquiries, contact Paddle directly or submit requests through support@cinemake.ai
  2. Data Training Opt-Out

    1. OpenAI: Per OpenAI's Content policy, you can opt out of having your Content used to train their models by following instructions at openai.com/policies/how-your-data-is-used-to-improve-model-performance
    2. Google Cloud: Per Google Cloud Terms, Google does not train models on Customer Data by default for Google Cloud Platform services
  3. Children's Privacy

    1. Our Service is not directed to children under 13. Per OpenAI's Privacy Policy, their Services are not directed to children under 13, and users under 18 must have parental permission.
  4. Changes to This Policy

    1. We may update this Privacy Policy from time to time. Material changes require re-acceptance via our consent flow. The Ledger records the version you accepted.