Privacy policy.

Overview

SmartPact OÜ ("we", "us") provides an AI-native video studio at smartpactai.com. This policy explains what personal data we process about you when you use the platform.

What we collect

Account data

Name, email, hashed password, account creation date, login timestamps, language preference.

Billing data

Token purchase history, country of billing, last 4 digits of card and card brand (returned by our payment processor), invoice records. We do not see or store full card numbers.

Content you provide

Reference images, audio, prompts, brand assets, characters you create, and any text you submit through the platform.

Content you generate

Renders (video, image, audio) created via the platform, render metadata (timestamps, token cost, model used).

Usage data

Pages visited, features used, error logs, device type, browser, IP address, approximate location (country/city level) — collected to keep the service running and improve it.

Communications

Support tickets, contact-form submissions, and email correspondence you initiate with us.

How we use it

We process personal data to:

• Provide, maintain and operate the Service (account, generation pipeline, publishing).
• Process payments and handle refunds and chargebacks.
• Communicate about your account (login alerts, password resets, billing receipts, service notices).
• Investigate abuse, enforce our Terms, and comply with legal obligations.
• Improve product quality through aggregated, anonymised analytics.

We do not sell your personal data. We do not use your private prompts, references, or renders to train our base AI models. We do not share your content with advertisers.

Legal basis (GDPR)

For users in the European Economic Area, United Kingdom and Switzerland, our legal bases for processing are:

• Contract — to deliver the Service you signed up for (account, generation, billing).
• Legal obligation — for tax, anti-fraud, and regulatory record-keeping.
• Legitimate interest — for security, abuse prevention, and limited service-improvement analytics.
• Consent — for marketing communications and optional analytics cookies. You may withdraw consent at any time.

Cookies and tracking

We use a small set of essential cookies to keep you logged in, remember your preferences, and protect against fraud. Optional analytics cookies are only set after you accept the banner.

Detailed breakdown of every cookie we set is on our Cookie Policy page.

Sharing & sub-processors

We only share personal data with a tight list of sub-processors, each bound by a Data Processing Agreement:

• Payment processor — to process card payments and refunds (Visa/Mastercard).
• Cloud infrastructure — to host our database and serve the application.
• AI model providers — to run renders. Your prompts and inputs are transmitted to providers solely for generation; providers do not retain them after the render completes.
• Email delivery — to send transactional emails (verification, password reset, receipts).
• Error monitoring — to receive sanitised crash logs.

We may disclose data when legally compelled (subpoena, court order, lawful regulatory request), and we will notify you where legally permitted.

Storage & retention

We retain personal data only as long as needed to provide the Service and meet legal obligations:

• Account data — until you delete your account, plus 30 days for backup expiry.
• Renders & inputs — stored while your account is active. Deleted within 30 days of account deletion.
• Billing records — retained for 7 years for tax compliance.
• Server logs — 90 days.

Security

We protect your data with industry-standard measures: TLS 1.3 for all traffic, bcrypt password hashing, encrypted-at-rest databases, role-based internal access, regular security audits, and mandatory 2FA for staff.

No system is invulnerable. If we discover a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours as required by law.

Your rights

Depending on your jurisdiction, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectify — correct inaccurate or incomplete data.
• Erase — delete your account and associated data ("right to be forgotten").
• Restrict — limit how we process your data.
• Object — to processing based on legitimate interests or for direct marketing.
• Port — receive your data in a structured, machine-readable format.
• Complain — lodge a complaint with your local data-protection authority.

Most of these are self-serve in Settings → Privacy. For everything else, email privacy@smartpactai.com — we respond within 30 days.

Children's data

SmartPact is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will delete the account and associated data.

International transfers

SmartPact is operated from the European Union. When we transfer data outside the EEA (e.g. to AI providers based in the US), we rely on Standard Contractual Clauses approved by the European Commission and additional safeguards where required.

Changes

We will notify you of material changes by email at least 14 days before they take effect. Minor clarifications may be made without notice; the effective date at the top of this page always reflects the current version.

Contact

Data controller: SmartPact OÜ, Tallinn, Republic of Estonia.
Data protection enquiries: privacy@smartpactai.com
Postal mail: see /contact.