Privacy Policy

1. Controller

2. Scope and Service Model

This Privacy Policy explains how we process personal data when you visit our website, upload files, place an order, receive processed output, use accountless restore access, contact us, or submit a legal or abuse notice.

Our service is a private, user-specific video-processing service. Uploaded source files and generated output files are not made public as part of the ordinary service flow.

Ordinary use does not require a permanent customer account. Access is handled through order-specific access controls, browser-stored access data, and, where needed, an email-based restore flow.

3. Categories of Personal Data

When you use the website or service, we may process technical access and security data such as IP address, date and time, requested pages or endpoints, technical request metadata, and, where relevant, user-agent information, rate-limit records, and abuse-prevention records.

We process data needed to create, manage, and secure an order, including your email address, order identifiers, selected processing options, public order references, access-token hashes, restore-token hashes, restore-session hashes, expiry timestamps, and related order-state records.

We process uploaded files, generated output files, and technical metadata required for verification, pricing, scheduling, processing, validation, and delivery. This may include file name, content type, size, checksum values, container and codec information, duration, resolution, frame rate, bit depth, color metadata, audio metadata, and processing or validation results.

Uploaded files may contain personal data, including images, voices, or other information relating to identifiable persons.

Payments are handled through Stripe. We do not store full payment-card details ourselves. We may receive and store payment-related metadata such as Stripe session and payment-intent identifiers, payer email, payment status, refund data, invoice or receipt URL, tax amount, customer country, and whether Stripe indicated business or tax information.

If you contact us or submit a legal or abuse notice, we may process your name, email address, message content, attachments, evidence links, notice details, and related correspondence and audit records.

Where personal data is not obtained directly from the data subject, it generally comes from customer-uploaded files, payment or billing events from Stripe, legal or abuse notices submitted by third parties, or, where remote-import features are enabled and used by you, the third-party provider selected by you for that import.

4. Purposes and Legal Bases

We process order data, uploaded files, output files, technical metadata, and access-control data in order to provide the requested video-processing service, make outputs available, and provide restore access where needed.

Legal basis: Art. 6(1)(b) GDPR.

Where uploaded files contain personal data of persons other than the customer, we process that data only to the extent technically necessary to carry out the requested private processing workflow and based on our legitimate interest in enabling the customer to have lawfully uploaded files privately processed as requested. Uploaded and generated files are not made public as part of the ordinary service flow.

Legal basis: Art. 6(1)(f) GDPR.

We process payment and billing data in order to handle checkout, verify payment, capture or release authorizations, process refunds, issue invoices or receipts, and comply with tax and accounting obligations.

Legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR.

We process technical access data, IP addresses, rate-limit records, human-verification data, restore-session data, and related security records in order to protect the service, prevent abuse and fraud, enforce access control, and maintain integrity and availability.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interests are network and information security, abuse prevention, service integrity, and defense against misuse.

We process data where necessary to comply with legal obligations, respond to lawful requests, handle legal or abuse notices, enforce restrictions, preserve evidence, and establish, exercise, or defend legal claims.

Legal basis: Art. 6(1)(c) and Art. 6(1)(f) GDPR.

We process your contact and communication data to answer inquiries, send transactional emails, provide restore links, and communicate about orders, delivery, failures, refunds, restrictions, or legal issues.

Legal basis: Art. 6(1)(b) GDPR for communications directly related to order performance. Art. 6(1)(f) GDPR for other service-related communications, such as answering general inquiries, communicating about restrictions, or addressing legal issues. Our legitimate interests are operating the service, maintaining necessary contact with users, and protecting our legal position.

5. Recipients and Processors

We use service providers and infrastructure providers where necessary to operate the service. Depending on the active production setup, recipients or processors may include:

• hosting and infrastructure providers, including Google Cloud and database providers such as Supabase / managed Postgres,

• object-storage, edge, and security providers, including Cloudflare services such as R2 object storage and Turnstile,

• third-party cloud-import providers selected by you where remote-import features are enabled and used by you, such as Dropbox or Google Drive,

• and advisers, authorities, or courts where disclosure is legally required or necessary to protect legal claims.

Where a provider processes personal data on our behalf as a processor, we conclude a data processing agreement in accordance with Art. 28 GDPR.

Payment providers may also process certain data under their own responsibility to the extent inherent in payment services.

6. International Transfers

Some of our providers or their subprocessors may process personal data outside the European Union or the European Economic Area, in particular in the United States.

Where a third-country transfer is relevant, we rely on a lawful transfer mechanism under Chapter V GDPR, including where applicable:

• appropriate safeguards such as Standard Contractual Clauses under Art. 46 GDPR,

• or, in limited cases, a derogation for specific situations under Art. 49 GDPR.

Where personal data is transferred to recipients in the United States, an adequacy decision under Art. 45 GDPR currently applies only to organizations participating in the EU-U.S. Data Privacy Framework. Otherwise, we rely on Art. 46 GDPR or, where applicable, Art. 49 GDPR.

You may request more information about relevant safeguards by contacting us.

7. Storage and Deletion

We keep personal data only for as long as necessary for the relevant purpose unless longer retention is required by law.

Uploaded source files, temporary uploads, sealed copies, and processing artifacts may be kept only for as long as needed for upload handling, verification, processing, troubleshooting, abuse handling, or legal retention, and may be deleted once no longer needed for those purposes.

Processed outputs are generally made available for 7 days from the time they are first made available, unless a different period is expressly stated in the ordering flow or availability notice.

Restore-link tokens currently expire after 15 minutes. Restore-session cookies currently expire after 24 hours unless revoked earlier. Server-side order access tokens are time-limited and currently expire after up to 30 days, and may become unusable earlier if access is revoked or the order expires.

Order, payment, tax, invoice, notice, and related audit records are kept for as long as necessary to perform the contract, handle abuse or claims, and comply with statutory retention duties. Where commercial or tax law requires longer retention, the relevant records are kept for that statutory period.

Security, rate-limit, and abuse-prevention records are kept only as long as needed for security, abuse prevention, incident handling, or evidentiary preservation.

Expired order records are anonymized after the configured grace period, currently 30 days after expiry, unless longer identification is required for legal retention or claims handling.

8. Browser Storage and Cookies

We use browser storage and cookies or similar technologies for service operation, security, and continuity of requested workflows.

• browser storage for order access tokens, locally stored source-file names, upload-resume state, checkout email continuity, local checksum caching, and display-currency preference,

• an HttpOnly restore-session cookie after successful restore-link exchange,

• and Cloudflare Turnstile on protected flows such as checkout, restore, and notice submission.

The storage of information on, and access to information from, your end device is carried out in accordance with § 25 TDDDG. Where such storage or access is strictly necessary to provide a digital service expressly requested by you, no consent is required under § 25(2) no. 2 TDDDG. Otherwise, we obtain consent where required under § 25(1) TDDDG and, where personal data is then processed, Art. 6(1)(a) GDPR.

No analytics or marketing cookies or similar tracking technologies are loaded by default in the ordinary service flow.

Locally stored browser data remains on your device until it is removed by the application, overwritten, or cleared by you or your browser.

9. Whether Providing Data Is Required

Providing order data, upload data, and payment-related data is necessary if you want to use the service. Your email address is required to complete checkout, receive output or order communications, and restore access. Without that data, we cannot complete the order flow, provide output communications, or restore access.

Providing communication or notice data is required only if you choose to contact us or submit a notice.

10. Your Rights

• right to object under Art. 21 GDPR to processing based on Art. 6(1)(f) GDPR,

• and the right to lodge a complaint with a supervisory authority under Art. 77 GDPR.

If processing is based on consent in a particular case, you also have the right to withdraw that consent with effect for the future.

Right to object: Where we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object under Art. 21 GDPR at any time on grounds relating to your particular situation. If you object, we will no longer process the data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

You can contact us about privacy matters at privacy@stereolift.com.

11. Complaints and Automated Decision-Making

You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.

We do not use solely automated decision-making within the meaning of Art. 22 GDPR as part of the ordinary service flow.