Privacy Policy

Data you provide directly

• Account information: email address (required), first name, last name, and company name (optional). Your email serves as your login identifier.
• Payment information: processed entirely by Stripe. We never receive, store, or process your payment card numbers, CVVs, or full card details. We store only your Stripe customer ID, subscription status, and billing interval.
• Support requests: any information you include when contacting us via email or our contact form.

Data collected automatically

• API usage: endpoints called, source URLs submitted, job parameters, job type, job status, timestamps, and credits consumed.
• Technical data: IP address and user agent string, logged in security audit events (retained for 90 days).
• Authentication events: login timestamps and authentication method (email or OAuth provider name). When you sign in via an OAuth provider (GitHub or Google), we store only the provider user ID — we do not store your OAuth tokens.
• Webhook configuration: endpoint URLs you configure for delivery notifications, and associated delivery logs.

Data we do NOT collect

• We do not use analytics cookies or tracking pixels.
• We do not use Google Analytics or any similar service.
• We do not track you across websites.
• We do not collect browsing behaviour, mouse movements, or keystrokes.
• We do not process or inspect the content of files you download or transcribe — we treat your processed content as opaque data.

Under the GDPR, we must have a lawful basis for each type of personal data processing. The table below sets out the legal basis we rely on for each purpose.

We use only essential cookies required for the Service to function. No consent is required for essential cookies under the GDPR and ePrivacy Directive.

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. Because we only use strictly necessary cookies, we do not require a cookie consent banner under the ePrivacy Directive. However, we display a notice informing you of our cookie use.

We use your personal data for the following purposes:

• To create and manage your account.
• To authenticate your API requests.
• To process and fulfil your API jobs (downloads, transcriptions, translations, format conversions, and other supported operations).
• To track credit usage and manage billing.
• To send transactional emails (welcome, password reset, billing notifications, job notifications).
• To send marketing emails (only with your explicit consent, which you can withdraw at any time).
• To detect, prevent, and respond to security incidents and abuse.
• To maintain audit logs for security purposes (90-day retention).
• To comply with legal obligations.
• To improve the Service (we may analyse aggregated, anonymised usage patterns — never individual behaviour).

We do not use your data for advertising. We do not sell your personal data to anyone. We do not share your data with data brokers. We do not use your processed content for training AI models or any purpose beyond delivering it back to you.

We share your data only with the following processors, and only as necessary to provide the Service:

We do not sell your personal data to anyone. We do not share your data with advertisers or data brokers.

We may disclose data if required by law, court order, or government request. We will notify you unless legally prohibited from doing so.

Our servers are located in the European Union. We do not transfer personal data outside the EU for our own processing purposes.

Some of our processors (Stripe, Postmark) are based in the United States. These transfers are protected by the EU–US Data Privacy Framework and/or Standard Contractual Clauses as approved by the European Commission.

We do not transfer data to countries without adequate data protection unless appropriate safeguards are in place.

We retain different categories of data for different periods, based on necessity and legal requirements:

When you delete your account, we delete your personal data within 30 days. Some data may be retained longer if required by law (e.g., invoicing records for tax purposes — up to 7 years under Estonian law, Accounting Act § 12).

Processed files are automatically and permanently deleted after 24 hours regardless of account status.

You have the following rights regarding your personal data:

• Right of access (Art. 15): request a copy of all personal data we hold about you. Use the “Export My Data” feature in your dashboard or email info@videoconduit.com.
• Right to rectification (Art. 16): update inaccurate data via your dashboard settings or by contacting us.
• Right to erasure (Art. 17): delete your account and all associated data via the dashboard or by contacting us. We will process deletion within 30 days.
• Right to restriction (Art. 18): request that we restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON). Use the “Export My Data” feature.
• Right to object (Art. 21): object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)): where processing is based on consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing. Use the unsubscribe link in any email or update your preferences in the dashboard.
• Right to lodge a complaint: you have the right to file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee, or with the supervisory authority in your EU member state of residence.

To exercise any of these rights, contact us at info@videoconduit.com. We will respond within 30 days as required by the GDPR. There is no fee for exercising your rights.

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

• All data in transit is encrypted via TLS 1.2 or higher.
• API keys are stored as irreversible SHA-256 hashes.
• Webhook secrets are encrypted.
• Database connections use TLS.
• File download URLs use signed tokens that expire after 24 hours.
• We implement rate limiting, brute-force protection, and IP-based security measures.
• Access to production systems is restricted to authorised personnel.
• We maintain security audit logs.

In the event of a personal data breach, we will notify the supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33 and 34.

The Service is not directed to children under 18. We do not knowingly collect personal data from children under 18. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, contact us at info@videoconduit.com.

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect.

The “Last updated” date at the top indicates the most recent revision. Continued use of the Service after changes take effect constitutes acceptance.

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate), aki.ee