Privacy Policy

1. Who We Are and What This Policy Covers

VibeFrame is an AI-powered thumbnail generation platform operated by VibeFrame Inc. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our website and services located at vibe-frame.com (the "Service").

This policy applies to all users of our Service, regardless of location. For European Union residents, this policy also ensures compliance with the General Data Protection Regulation (GDPR).

2. Information We Collect

Account and Profile Information

When you create an account with us, we collect:

• Email address: Used for account authentication and important service communications
• Name: Optional, used for personalization and account management
• Password: Encrypted and stored securely using industry-standard hashing
• Profile photo: Optional, for account personalization
• Subscription information: Billing details processed securely through Stripe

Content and Training Data

To provide our AI thumbnail generation service, we process:

• Face training photos: 5-8 images you upload to train personalized AI models
• YouTube channel data: Thumbnail images and performance metrics (CTR, views) accessed via YouTube Analytics API
• Generated thumbnails: AI-created images based on your trained models
• Style preferences: Your choices and feedback to improve generation quality

Technical and Usage Information

We automatically collect:

• Device and browser information: User agent, IP address, device type
• Usage analytics: Features used, time spent, interaction patterns
• Performance data: Error logs, response times, system diagnostics
• Cookies and tracking: Session management and user preferences

3. How We Use Your Information

AI Model Training and Service Provision

• Personalized AI models: Your face photos train AI models exclusively for your account
• Style analysis: YouTube data helps us understand what thumbnail styles work for your audience
• Content generation: Creating custom thumbnails based on your trained models
• Performance optimization: Improving generation quality based on your feedback

Account and Service Management

• Authentication: Secure login and account access
• Billing: Processing payments and managing subscriptions
• Customer support: Responding to inquiries and resolving issues
• Service communications: Important updates, security alerts, policy changes

Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contractual necessity: To provide the services you've subscribed to
• Legitimate interests: To improve our service, ensure security, and prevent fraud
• Consent: For optional features like marketing communications (where required by law)
• Legal obligations: To comply with applicable laws and regulations

4. Information Sharing and Disclosure

We Never Share Your Personal Content

We do not sell, trade, rent, or otherwise transfer your personal content (face photos, YouTube data, generated thumbnails) to third parties. Your content remains private to your account.

Limited Service Providers

We share minimal data with trusted service providers who help us operate our platform:

• Supabase: Secure database and file storage (encrypted data)
• Vercel: Website hosting and performance optimization
• Replicate: AI model training and inference (your data is isolated and not shared between users)
• Stripe: Secure payment processing (we never store payment card details)
• Google: YouTube API access (limited to Analytics data you authorize)

Legal Requirements

We may disclose information if required by law, court order, or government request. We will notify you of such requests unless prohibited by law and will challenge overly broad requests.

5. Data Security and Protection

Technical Safeguards

• Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access controls: Strict employee access with multi-factor authentication
• Secure infrastructure: Data stored in SOC 2 Type II compliant facilities
• Regular audits: Security assessments and vulnerability testing
• Isolated storage: Your AI models and training data stored separately from other users

Organizational Measures

• Privacy by design: Data protection built into all system architectures
• Employee training: Regular privacy and security training for all staff
• Incident response: Documented procedures for handling security breaches
• Data minimization: We only collect and process data necessary for our services

6. Your Privacy Rights and Choices

Universal Rights

All users have the right to:

• Access: Request a copy of all personal data we hold about you
• Correction: Update or correct inaccurate personal information
• Export: Download your generated content and account data
• Account deletion: Permanently delete your account and all associated data
• Data portability: Receive your data in a machine-readable format

Additional Rights (EU/UK Residents)

Under GDPR, you also have the right to:

• Object to processing: Opt out of data processing based on legitimate interests
• Restrict processing: Limit how we process your data in certain circumstances
• Withdraw consent: Remove consent for optional data processing activities
• Lodge complaints: Contact your local data protection authority

YouTube Data Controls

• Disconnect YouTube: Remove YouTube API access at any time
• Data deletion: Delete previously imported YouTube analytics data
• Scope control: Modify which YouTube data we can access

7. Data Retention and Storage

Retention Periods

• Active accounts: Data retained while your account remains active
• Inactive accounts: Account data retained for 24 months after last login
• Deleted accounts: All data permanently deleted within 30 days
• Legal holds: Data may be retained longer if required by law or legal proceedings
• Aggregated analytics: Anonymized usage statistics may be retained for service improvement

Data Storage Locations

Your data is primarily stored in secure data centers in the United States. For EU users, we ensure adequate protection through Standard Contractual Clauses and our service providers’ compliance with international data protection standards.

8. Cookies and Tracking Technologies

Essential Cookies

• Authentication: Keep you logged in securely
• Preferences: Remember your settings and choices
• Security: Protect against fraud and unauthorized access

Analytics Cookies

• Usage analytics: Understand how users interact with our service
• Performance monitoring: Identify and fix technical issues
• Feature optimization: Improve user experience based on usage patterns

You can control cookie preferences through your browser settings or our cookie management interface.

9. Third-Party Integrations

YouTube Integration

When you connect your YouTube account, we access only the specific data necessary for our service through Google’s official YouTube Analytics API. We comply with Google’s API Terms of Service and User Data Policy.

Payment Processing

Payment information is processed directly by Stripe. We never store your payment card details on our servers. Stripe’s privacy policy governs how they handle your payment information.

10. Children’s Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will delete it immediately and terminate the associated account.

11. International Data Transfers

Your data may be processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place through:

• Standard Contractual Clauses: EU-approved data transfer mechanisms
• Adequacy decisions: Transfers to countries with adequate protection levels
• Certification schemes: Service providers with recognized privacy certifications

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will:

• Notify you by email: For significant changes that affect your rights
• Update our website: Post the revised policy with a new "Last updated" date
• Provide transition time: Give you time to review changes before they take effect
• Seek consent: If required by law for material changes

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

• Privacy Officer: privacy@vibe-frame.com
• General inquiries: support@vibe-frame.com
• Data Protection Officer (EU): dpo@vibe-frame.com

14. Regulatory Information

EU Representative

For EU-related privacy matters, you can contact our EU representative at eu-rep@vibe-frame.com.

Supervisory Authority

EU residents have the right to lodge complaints with their local data protection authority. You can find contact information for EU data protection authorities at https://edpb.europa.eu.