Privacy Policy

1. Information We Collect

1.1 Personal Information

• Account Information: Name, email address, and organization name when you create an account.
• Payment Information: Billing address, payment method details, and transaction history. Payment card data is processed directly by our payment processor, Stripe, Inc., and is never stored on our servers. See Section 5.1.
• Communications: Messages you send to us, support requests, and feedback.

1.2 Business Data You Provide

The following data is business and brand information you submit to generate video advertisements. This data is typically already publicly available and is processed solely to fulfill your generation requests.

• Brand and Product Data: Brand names, logos, product images, product descriptions, pricing information, brand guidelines, and other materials you upload.
• Content Preferences: Platform selections (e.g., TikTok, Meta, YouTube), audience descriptions, tone preferences, video duration preferences, and concept selections you make during the generation process.

1.3 Information Collected Automatically

• Device and Usage Data: IP address, browser type, operating system, referring URL, pages viewed, features used, timestamps, and session duration.
• Cookies and Similar Technologies: We use essential cookies for authentication and session management. We use analytics cookies only with your consent. See Section 8.
• Log Data: Server logs recording service requests, error events, and performance metrics. Logs are retained for 90 days for debugging and security, then permanently deleted.
• Real-Time Connection Data: When you monitor job progress, we establish real-time connections that transmit job status updates. These connections are ephemeral and no additional personal data is collected through them beyond what is described above.

1.4 Information from Third-Party Sources

• Publicly Available Brand Information: When you initiate a job, we may use web research services to gather publicly available information about your brand, such as website content, social media presence, and publicly posted reviews. This research is performed solely to improve the quality and relevance of generated advertisements for your brand and is not used for any other purpose. By directing the Service to research a website, domain, or social media profile, you represent that you own or have the legal right to use the information obtained for advertising generation.
• Authentication Providers: If you sign in using a third-party OAuth provider (e.g., Google), we receive your name, email address, and profile image as authorized by you during the OAuth flow. We may add additional OAuth providers in the future, in which case this Privacy Policy will be updated accordingly.

1.5 Ad Account and Performance Data

If you choose to link a third-party advertising platform account (e.g., Meta Ads, TikTok Ads, Google Ads, Pinterest Ads, Snapchat Ads, or other supported platforms), we collect advertising performance data associated with your campaigns ("Ad Performance Data"), including:

• Campaign Metrics: Impressions, clicks, click-through rates, cost-per-acquisition, return on ad spend, conversion rates, and engagement metrics.
• Audience Summaries: Aggregated demographic and interest data as reported by the advertising platform (we do not collect individual audience member identities).
• Ad Creative Associations: Which of your Generated Content was used in which campaigns, to correlate creative decisions with performance outcomes.

How we use Ad Performance Data: We use this data solely to personalize and improve the Service for your account — for example, by analyzing which ad formats and creative styles perform best for your brand and informing future ad generation. We do not use your Ad Performance Data to train or improve AI models for the benefit of other users, unless you explicitly opt in to a separate anonymized data contribution program (if offered). See our Terms of Use, Section 3.6 for additional terms.

You may disconnect a linked ad account at any time through your account settings. Upon disconnection, we cease collecting new Ad Performance Data from that account. Previously collected data is retained and deleted in accordance with Section 6 of this Privacy Policy.

2. How We Use Your Information

We use the information we collect for the following purposes:

3. AI Processing Disclosure

3.1 How AI Is Used in the Service

Velreel uses artificial intelligence to generate video advertisement concepts, scripts, images, video clips, music, sound effects, and voiceovers. By submitting a job, you acknowledge that your uploaded business data (brand assets, product images, text inputs) will be:

• Stored on our servers for the purpose of processing your request.
• Transmitted to third-party AI service providers to analyze, generate concepts, and produce media assets on your behalf (see Section 4.1).

Important: Once your business data is transmitted to a third-party AI provider, that provider's data handling practices govern their processing. While we maintain data processing agreements with each provider, Velreel cannot control how third-party providers handle data after receipt. A list of current AI sub-processors and their privacy policies is available upon request at privacy@velreel.com.

3.2 Important Disclosures About AI Processing

• Automated Decision-Making: The Service uses automated systems to analyze your brand assets, generate creative concepts, and produce video content. You may review, select, and reject AI-generated concepts before final video production. You retain the ability to request human review of any automated output by contacting support@velreel.com.
• AI Limitations: AI-generated content may contain inaccuracies, hallucinated brand information, or unintended content. You are responsible for reviewing all generated content before use.
• Third-Party AI Training: We do not provide your uploaded images, brand materials, or generated outputs to third-party AI providers for the purpose of training, fine-tuning, or improving their models. We maintain data processing agreements with our AI providers that contractually prohibit them from using your data for model training. Provider privacy policies are available upon request at privacy@velreel.com.
• Internal Service Improvement: We may use anonymized and aggregated data derived from your use of the Service — such as general usage patterns, generation success rates, and aggregated content characteristics — to improve Service quality, develop new features, and enhance our internal systems. This data is stripped of all identifying information and cannot be used to reconstruct your original content. Your specific uploaded content (logos, product images, brand materials) is never used in identifiable form for this purpose. You may opt out of anonymized data use at any time in your account settings or by contacting privacy@velreel.com.

3.3 Your Responsibility for Uploaded Content

The Service is designed for businesses to create advertisements using their brand assets. If you upload content that contains personal branding elements, your likeness, or personally identifiable imagery (for example, as a content creator or personal brand), you do so at your own discretion and risk. You are solely responsible for managing your personal brand, likeness, and identity in connection with the Service. Velreel processes all uploaded content as business data in accordance with this Privacy Policy and makes no distinction between corporate and personal brand assets.

3.4 Biometric Data Disclaimer

Velreel does not collect, capture, store, or otherwise obtain biometric identifiers or biometric information (as defined by the Illinois Biometric Information Privacy Act, 740 ILCS 14, the Texas Capture or Use of Biometric Identifier Act, or similar state laws) from users or any individuals. The Service generates synthetic voices, synthetic images, and synthetic video using AI models — these outputs are entirely machine-generated and are not derived from biometric scans, voiceprints, faceprints, or other biometric templates of real individuals. No biometric data is transmitted to or received from our AI sub-processors in connection with the generation process.

3.5 AI Training Data Transparency (California AB 2013 Compliance)

Velreel does not develop or train its own AI models. We use third-party AI models provided by the sub-processors described in Section 4.1. For information about the training data used by these models, please refer to each provider's published documentation. A list of current AI sub-processors is available upon request at privacy@velreel.com.

4. How We Share Your Information

We share your personal information only in the following circumstances:

4.1 Service Providers (Sub-processors)

We share data with the following categories of service providers who process data on our behalf:

• Infrastructure & Hosting: Cloudflare, Inc. (hosting, storage, compute)
• Payments: Stripe, Inc.
• Authentication: Google LLC (OAuth sign-in)
• AI Content Generation: We use multiple third-party AI providers to generate text, images, video, audio, and other creative assets from your business inputs. These providers receive only the business data necessary to fulfill your generation request — not your personal account information. A current list of AI sub-processors and their data processing agreements is available upon request at privacy@velreel.com.

International Processing: Some AI sub-processors may process business data on servers located outside the United States, including in the People's Republic of China. Only business inputs (such as brand assets and text prompts) — not your personal information — are sent to these providers. Processing by these providers is ephemeral: inputs are used solely to generate your requested output and are not retained or used for model training by the sub-processor. You are asked to acknowledge international processing each time you initiate a generation job. We maintain contractual safeguards with all sub-processors. Enterprise customers may request information about data residency options by contacting privacy@velreel.com.

4.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, including to comply with a subpoena, court order, or similar legal procedure.

4.3 Business Transfers

If Velreel is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information for other purposes with your explicit consent.

We never sell, rent, or lease your personal information.

5. Payment Processing

5.1 Stripe

All payment transactions are processed by Stripe, Inc. When you provide payment information, it is transmitted directly to Stripe via their client-side SDK. Velreel does not receive, store, or process your full payment card number, CVV, or other sensitive payment credentials. Stripe is PCI DSS Level 1 certified. For Stripe's privacy practices, see: stripe.com/privacy

5.2 Billing Records

We retain billing records (transaction amounts, dates, invoice numbers, and the last four digits of your payment method) for seven (7) years to comply with tax and accounting obligations.

6. Data Retention

We retain your data for the following periods:

After the stated retention period, data is permanently deleted or irreversibly anonymized. Anonymized data may be retained indefinitely for aggregate statistical analysis.

7. Your Privacy Rights

7.1 Rights for All Users

Regardless of your location, you may:

• Access the personal information we hold about you.
• Correct inaccurate personal information.
• Delete your account and associated data by contacting privacy@velreel.com or using the account deletion feature in Settings.
• Export your data in a machine-readable format (JSON).
• Withdraw consent for optional data processing (e.g., marketing emails) at any time.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing a transaction you requested).
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
• Right Regarding Automated Decision-Making Technology (ADMT): You have the right to opt out of automated decision-making technology that produces legal or similarly significant effects. To exercise this right, contact privacy@velreel.com. You may request access to information about our use of ADMT and request human review of automated decisions.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected in the preceding 12 months: Identifiers (name, email, IP address); commercial information (transaction records, products purchased); internet or electronic network activity (usage data, log data); audio, electronic, visual, or similar information (product images you upload, AI-generated video and audio content); professional or employment-related information (brand/business information you provide); inferences drawn from the above to generate advertisement content.

7.3 Virginia Residents (VCDPA)

If you are a Virginia resident, you have the right to access, correct, delete, obtain a copy of, and opt out of targeted advertising and profiling. To exercise these rights, email privacy@velreel.com. We will respond within 45 days. You may appeal a denial by emailing privacy@velreel.com with the subject line "VCDPA Appeal."

7.4 Colorado, Connecticut, Texas, and Other State Residents

Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Texas, Utah, Oregon, and Montana) have rights similar to those described in Section 7.2, including the right to access, correct, delete, and opt out of targeted advertising. To exercise these rights, contact privacy@velreel.com. We will respond within the time period required by your state's law (generally 45 days).

7.5 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

• Right of Access (Article 15)
• Right to Rectification (Article 16)
• Right to Erasure (Article 17)
• Right to Restriction of Processing (Article 18)
• Right to Data Portability (Article 20)
• Right to Object (Article 21)
• Right Not to Be Subject to Automated Decision-Making (Article 22)

Legal Bases for Processing: See Section 2 above. Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms.

International Data Transfers: Velreel is based in Canada and your data is stored on Cloudflare's infrastructure in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data from the EEA to the United States and Canada. Cloudflare's DPA incorporates SCCs.

Privacy Contact: You may contact our Privacy Contact at privacy@velreel.com.

Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.

7.6 Canadian Residents (PIPEDA)

Velreel is operated by a Canadian corporation and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). If you are a Canadian resident, you have the following rights:

• Right of Access: You may request access to the personal information we hold about you.
• Right to Correction: You may challenge the accuracy or completeness of your personal information and request corrections.
• Right to Withdraw Consent: You may withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. We will inform you of the implications of withdrawal.
• Right to Complain: You may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe your privacy rights have been violated.

To exercise any of these rights, contact privacy@velreel.com. We will respond within 30 days.

Cross-Border Transfers: Your personal information may be stored and processed in the United States on Cloudflare's infrastructure. By using the Service, you consent to this transfer. We ensure that all service providers handling your data are bound by contractual obligations providing a comparable level of protection as required by PIPEDA.

8. Cookies and Tracking Technologies

8.1 Cookies We Use

8.2 Your Cookie Choices

• You may manage cookie preferences via our cookie banner displayed on first visit.
• You may also configure your browser to reject non-essential cookies.
• Disabling essential cookies may prevent the Service from functioning correctly.

We do not use advertising cookies, tracking pixels, or fingerprinting technologies for marketing purposes inside the logged-in Velreel application. Our public marketing website (velreel.com) may use standard analytics and conversion tracking technologies to measure the effectiveness of our own marketing campaigns. You can manage these preferences via the cookie consent banner displayed on first visit. Our payment processor, Stripe, Inc., may utilize device fingerprinting strictly for fraud prevention and payment security purposes (see Section 5.1).

9. Data Security

We implement the following technical and organizational measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers, and between our servers and third-party providers, is encrypted using TLS 1.2 or higher.
• Encryption at Rest: All stored data is encrypted at rest using AES-256.
• Access Controls: Internal access to production data is restricted to authorized personnel using role-based access controls and multi-factor authentication.
• Infrastructure Security: Our infrastructure runs on Cloudflare's globally distributed network, which provides DDoS protection, Web Application Firewall (WAF), and network-level isolation.
• Time-Limited Access: Uploaded media is accessed via time-limited secure links that expire after the processing window, preventing unauthorized long-term access.
• Request Verification: All inbound service communications are cryptographically verified before processing, preventing unauthorized or spoofed requests.
• Vendor Security: We select sub-processors that maintain industry-standard security practices. Our primary infrastructure providers (Cloudflare, Stripe) maintain SOC 2 Type II certifications. We evaluate and monitor the security practices of all sub-processors listed in Section 4.1.
• Incident Response: We maintain a security incident response plan. In the event of a data breach affecting your personal information, we will notify you and applicable authorities within the time periods required by applicable law (72 hours under GDPR; as soon as feasible under PIPEDA; as required under applicable state and provincial breach notification laws).

No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

10. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will promptly delete it. If you believe a child under 16 has provided us with personal information, please contact privacy@velreel.com.

11. International Data Transfers

Velreel is operated by 8372128 Canada Inc., a company incorporated under the Canada Business Corporations Act and based in the Province of Ontario, Canada. Your personal information is primarily stored on Cloudflare's infrastructure in the United States. If you access the Service from outside the United States or Canada, your information will be transferred to these jurisdictions.

Certain AI sub-processors may process business data in jurisdictions outside the United States and Canada, including the People's Republic of China. Only business inputs (such as brand assets and text prompts) — not your personal information — are sent to these providers. Such processing is ephemeral and sub-processors do not retain your inputs for model training. You acknowledge international processing each time you initiate a generation job. We maintain contractual safeguards with all sub-processors. Enterprise customers may request information about data residency options by contacting privacy@velreel.com.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). For transfers from the UK, we rely on the UK International Data Transfer Addendum to the SCCs. Where data is transferred to jurisdictions not covered by an adequacy decision, we implement supplementary measures as recommended by the EDPB.

For transfers from Canada to the United States, we rely on contractual protections consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable guidance from the Office of the Privacy Commissioner of Canada.

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party service you interact with.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the email address associated with your account) or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

The "Last Updated" date at the top of this page indicates when this Privacy Policy was last revised.

14. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. We currently honor DNT signals and do not track users who have enabled DNT in their browsers, except for essential cookies required for authentication and session management.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about our data practices, please contact us:

We will respond to all privacy-related inquiries within 30 days (or within the time period required by applicable law).