Privacy Policy

Last updated: 2026-05-27

1. What we collect

We collect the minimum needed to run the service:

  • Account data — email address, name (via Supabase).
  • Billing data — payment method handled by Xendit; we store only invoice IDs + last-4 + payment status. We never see full card numbers.
  • Content you create — characters, briefs, generated videos, scheduled posts, Linktree profile.
  • Connected social accounts — OAuth tokens (encrypted at rest, AES-256-GCM) and public profile metadata (handle, display name, avatar) for Instagram, TikTok, and Facebook.
  • Operational data — request logs, error traces (no PII in payload bodies), and audit trail of state changes.

2. Why we collect it

  • To operate the service you signed up for (generate content, publish posts, bill subscriptions).
  • To prevent fraud and abuse.
  • To comply with legal obligations (tax, anti-money-laundering, data-protection regulators).

We do not sell your data. We do not use your generated content to train models without explicit opt-in.

3. Third-party processors

We rely on these processors. They each receive only the data needed to perform their function:

  • Supabase — authentication, session management, and managed Postgres database (data encrypted at rest + in transit).
  • Xendit — payment processing (Indonesia-licensed payment gateway).
  • Cloudflare R2 — object storage + CDN for character image sets, generated videos, and uploaded post assets (the high-volume read surface).
  • Supabase Storage — object storage for Linktree profile photos and in-app thumbnails (the integration-aware low-volume surface).
  • Higgsfield — AI model inference (Cinema Studio video, Speak 2.0 voice + lip-sync).
  • Anthropic + OpenAI — LLM and image-generation APIs for character pipeline + brief writing.
  • Meta (Instagram + Facebook) and TikTok — only when you connect those accounts, and only to publish content you've authored.
  • Resend — transactional email.
  • Sentry + Axiom — error monitoring and structured logs.
  • Vercel — application hosting.

4. Instagram, Facebook, and TikTok data

When you connect a social account, we receive a long-lived access token and public metadata (your handle, display name, avatar). We use this strictly to publish content you've created in the studio.

  • We never read your DMs, comments on other accounts, or follower lists beyond what's needed to display your connected account.
  • We never publish without an explicit publish action by you (scheduled posts run at the time you scheduled them).
  • You can disconnect at any time from the Social page. Disconnecting revokes the token and deletes our copy of it.
  • If you remove the app from Instagram/Facebook directly, we honor the Meta data-deletion callback and delete the connection within 24 hours.

5. Data retention

  • Account + content: kept while your account is active.
  • Generated videos: kept for 12 months after generation, then archived (low-cost cold storage) for an additional 24 months, then deleted.
  • OAuth tokens: deleted on disconnect or app-removal callback.
  • Billing records: 7 years (tax compliance).
  • Logs: 90 days, then aggregated and anonymized.

6. Your rights

You can request to:

  • Access a copy of your data — email privacy@clonestudios.ai.
  • Correct inaccurate data — most fields are editable in Settings.
  • Delete your account and associated data — use data deletion or email us. Honored within 30 days (faster on request).
  • Export your data in JSON — same email or via Settings (V1+ feature).
  • Object to processing or withdraw consent at any time.

7. Security

  • TLS 1.3 for all data in transit.
  • AES-256-GCM for OAuth tokens at rest.
  • Row-Level Security in Postgres enforcing tenant isolation.
  • Webhook signatures verified on every receiver (Xendit, Meta, TikTok, Supabase).
  • Two-factor authentication available via Supabase on every account.

8. Children

The service is not directed to children under 16. If we learn we've collected data from a child under 16 without parental consent, we delete it.

9. International transfers

Our processors operate globally (US, EU, Singapore). Where required, we use Standard Contractual Clauses and equivalent safeguards.

10. Changes

If we make material changes, we'll notify you by email at least 14 days before they take effect. Continuing to use the service after the effective date constitutes acceptance.

11. Contact

privacy@clonestudios.ai — for any privacy question or request.