Privacy Policy
Last updated: 2026-01-01
This Privacy Policy explains how we process personal data when you visit our website and use the ClipDone web app (together, the “Services”).
1) Controller / who is responsible
Controller (data controller) for the processing described in this Privacy Policy:
vidAds (Einzelunternehmen), Moritz Kieser Stadlerweg 2b, 83734 Hausham, Bavaria, Germany Email: [email protected] VAT ID: DE361097604
If we have appointed a Data Protection Officer (DPO), we will list the contact details here. Currently: no DPO appointed.
2) Our role: Controller vs. Processor (B2B)
ClipDone is a B2B service. Depending on the context, we process personal data in different roles:
- Controller: We process account data, website/app logs, support communications, and security data to operate the Services.
- Processor: When business customers upload videos/files that contain personal data (e.g., faces/voices), we typically process that “Customer Content” on behalf of the customer to provide the Service.
Where we act as a Processor, the customer is typically the Controller and a Data Processing Agreement (DPA) applies.
3) Personal data we process
Depending on how you use the Services, we may process:
- Website/app usage data: IP address, timestamps, browser/device information, referrer URLs, and error logs.
- Account data: name, email address, profile image (if provided by Google), and account settings.
- Authentication via Google OAuth: We use Google OAuth (OpenID Connect) for login with basic scopes (e.g., openid, email, profile). We receive the data needed to create and secure your account.
- Customer Content and Output: uploaded videos/files, associated metadata, project settings, prompts/instructions, and generated outputs.
- Support communications: messages you send us and attachments.
- Billing and subscription data: if you purchase a paid plan, checkout, payments, taxes (e.g., VAT/sales tax), invoices/receipts, and refunds/chargebacks are handled by a Merchant of Record (“MoR”), currently Polar.sh (“Polar”). We may share limited account/contact data with Polar (e.g., name, email, business name, billing address, VAT ID if provided) to enable billing, and we may receive limited metadata back (e.g., subscription status, plan, period dates, invoice identifiers). We typically do not receive full payment card details.
4) Purposes and legal bases
We process personal data for the following purposes and legal bases (GDPR Art. 6):
- Providing the Services (account, authentication, core features, outputs): contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).
- Security and abuse prevention (fraud prevention, rate limiting, debugging): legitimate interests (Art. 6(1)(f)).
- Support and communications: contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).
- Legal compliance and enforcement (e.g., responding to lawful requests, enforcing terms): legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f)).
- Marketing: We do not send newsletters or marketing emails unless you explicitly opt in. Where required, we rely on consent (Art. 6(1)(a)).
If we process Customer Content as a Processor, the customer (Controller) determines the legal basis and provides notices to data subjects.
5) AI / automated processing
ClipDone uses automated processing (including AI/ML/LLM components) to generate outputs from Customer Content. Outputs may be inaccurate or incomplete.
ClipDone does not make decisions that produce legal effects about individuals based solely on automated processing (no automated decision-making under GDPR Art. 22).
Model training: We do not use Customer Content to train or fine-tune generalized AI models unless explicitly agreed (opt-in). We may use aggregated and/or de-identified telemetry to improve reliability and performance.
6) Recipients / service providers
We share personal data with recipients to operate the Services (e.g., hosting, database, compute/processing, AI features, authentication, and billing). Depending on the context, recipients may act as our processors (GDPR Art. 28), or as independent controllers for their own purposes (e.g., authentication providers, billing providers).
Key recipients (overview)
| Recipient | Why we share data | Typical data | Typical processing location / transfers | Role (typical) |
|---|---|---|---|---|
| Cloudflare (Pages/Workers/CDN) | Hosting, delivery, security | Website/app requests, IP address, logs | Cloudflare global infrastructure; may involve processing outside the EEA/UK | Processor |
| Cloudflare (R2) | Object storage for uploaded files and outputs | Uploaded files/outputs and object metadata | Cloudflare global infrastructure; may involve processing outside the EEA/UK | Processor (and subprocessor under DPA) |
| Convex | Database and backend application platform | Account data, project metadata, job state | May involve processing outside the EEA/UK | Processor (and subprocessor under DPA) |
| Modal | CPU/GPU compute for processing jobs | Customer Content during processing, processing metadata | May involve processing outside the EEA/UK | Processor (and subprocessor under DPA) |
| OpenRouter | LLM routing for AI features | Prompts/instructions and model outputs (as provided by users) | May involve processing outside the EEA/UK | Processor (and subprocessor under DPA) |
| Google (Gemini models) via OpenRouter | Model inference | Prompts/instructions and model outputs (as provided by users) | May involve processing outside the EEA/UK | Subprocessor (via OpenRouter) |
| xAI (Grok models) via OpenRouter | Model inference | Prompts/instructions and model outputs (as provided by users) | May involve processing outside the EEA/UK | Subprocessor (via OpenRouter) |
| Google (OAuth / Sign-In) | Authentication (login) | Email, name, profile image (if provided) | Google global infrastructure; may involve processing outside the EEA/UK | Independent controller for its services; we are controller for our account processing |
| Polar.sh (Merchant of Record) | Billing, taxes, invoicing, refunds/chargebacks | Billing/contact details and transaction metadata | May involve processing outside the EEA/UK | Typically independent controller for billing services |
Where required, we enter into Data Processing Agreements (DPAs) with processors (GDPR Art. 28). If we process Customer Content on behalf of a business customer, a separate Data Processing Agreement (DPA) applies to that processing.
For billing, Polar typically acts as an independent controller for its billing services. Polar’s terms and privacy policy apply to its processing in that context.
7) Cookies and similar technologies
We use essential cookies and similar technologies for security, authentication, and basic preferences. We do not use analytics or marketing cookies. If we introduce non-essential cookies/technologies (e.g., analytics), we will request consent where required and provide a cookie settings option.
Current analytics: none (no analytics/marketing cookies).
8) International transfers
Some providers may process data outside the EEA/UK (e.g., in the United States). Where required, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum.
9) Retention
We keep personal data only as long as necessary for the purposes described:
- Customer Content and outputs: stored while your account is active and/or until you delete them; after account deletion we delete or anonymize Customer Content and outputs within 30 days, except where retention is required for security, dispute resolution, or legal compliance, or until backups are rotated.
- Account and support data: retained for as long as needed to operate your account and provide support; deleted upon account deletion/request unless retention is required for legal obligations or to establish/exercise/defend legal claims.
- Billing metadata: where we retain billing-related metadata (e.g., subscription status, plan, invoice identifiers), we retain it as necessary for accounting, dispute resolution, and legal compliance. Invoices/receipts and payment data are primarily retained by Polar under its policies and legal obligations as MoR.
- Security logs: retained for a limited period to ensure security and prevent abuse, and deleted when no longer needed for those purposes.
10) Is providing personal data required?
If you create an account and use the Service, providing certain personal data is required to provide the Services (e.g., email address for login, and service-related data for processing). If you do not provide the required data, you may not be able to create an account or use the Service.
11) Your rights
If we process your personal data as Controller, you may have rights under GDPR, including access, rectification, erasure, restriction, data portability, and objection (Arts. 15–21), and the right to lodge a complaint with a supervisory authority.
For Bavaria (Germany), the competent authority for the private sector is generally the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).
If your request relates to Customer Content processed on behalf of a business customer, we may redirect you to that customer (Controller).
12) Security
We implement appropriate technical and organizational measures to protect personal data (e.g., access controls, encryption in transit, least privilege).
13) Children
The Services are intended for business use and are not directed to children.
14) Changes
We may update this Privacy Policy from time to time. The “Last updated” date indicates the latest revision.
15) Contact
For privacy questions, contact: [email protected]