Privacy Policy | VideoContentEditor

Effective Date: February 6, 2026 Last Updated: February 6, 2026

This document is a draft prepared for review by a qualified attorney. It is not legal advice and must be reviewed by a licensed lawyer in each applicable jurisdiction (EU, US, Russia) before publication.

1. Introduction and Data Controller

Welcome to VideoContentEditor ("VCE", "we", "us", "our"), a web-based video editing service available at vcecloud.com. We are committed to protecting the privacy and personal data of our users. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your data.

This Privacy Policy applies to all users of the VCE web application at vcecloud.com and the VCE API at api.vcecloud.com, regardless of their location. It covers all personal data processed through the Service, including data provided directly by users, data collected automatically, and content uploaded to the Service.

Data Controller:

Konstantin White Email: privacy@vcecloud.com Address: (To be provided upon entity formation)

If you are located in the European Union or the European Economic Area, Konstantin White acts as the Data Controller within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

If you have questions about this Privacy Policy or wish to exercise any of your rights described in Section 9, please contact us at privacy@vcecloud.com.

2. Definitions

The following definitions apply throughout this Privacy Policy:

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Article 4(1). This includes, but is not limited to, names, email addresses, IP addresses, and device identifiers.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in GDPR Article 4(2). This includes collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, and destruction.
"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (GDPR Article 4(7)). For this Service, the Controller is Konstantin White.
"Processor" means a natural or legal person which processes Personal Data on behalf of the Controller (GDPR Article 4(8)). Our Processors include our hosting provider and cloud storage provider.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates. In the context of this Privacy Policy, this is you, the user.
"Service" means the VCE web application, API, and all related features available at vcecloud.com and api.vcecloud.com.
"Content" or "User Content" means any media files (video, audio, images), project data, subtitles, or other materials that you upload to, create with, or store on the Service.

3. Information We Collect

3.1 Information You Provide Directly

When you create an account and use VCE, you provide the following Personal Data:

Account Information:

Data	Purpose	Required
Email address	Account identification, authentication, and communication	Yes
Display name	User identification within the Service	Yes
Password	Account authentication (stored only as a secure, industry-standard cryptographic hash; we never store your plaintext password)	Yes
Avatar URL	Profile personalization	No
Timezone	Displaying correct timestamps in the interface	No (defaults to UTC)
Locale/language preference	Interface language	No (defaults to English)

User Preferences:

You may also configure preferences that are stored in association with your account: interface theme, default export preset, default frame rate, custom keyboard shortcuts, and UI layout configuration. These preferences do not typically constitute Personal Data but are stored within your account.

3.2 Information Collected Automatically

When you access and use the Service, we automatically collect the following technical data:

Session Information:

Data	Purpose	Retention
IP address (IPv4 or IPv6)	Security, abuse prevention, session management	Duration of session + 30 days
User-Agent string	Device identification, compatibility, security	Duration of session + 30 days
Device name (if provided by your browser)	Session management, allowing you to identify your active sessions	Duration of session + 30 days
Device type	Session management	Duration of session + 30 days
Session creation timestamp	Security audit trail	Duration of session + 30 days
Last activity timestamp	Session timeout management	Duration of session + 30 days

Activity Logs:

We log certain user actions for security monitoring, abuse prevention, and service improvement purposes:

Login and logout events (with IP address)
Project creation, opening, and saving
Media file uploads and deletions
Export operations (start and completion)
Template applications
Batch processing operations

Activity logs include your user ID, the action performed, a timestamp, your IP address, and contextual metadata related to the action (such as which project was affected). Activity logs do not include the content of your media files or projects.

Usage Statistics:

We maintain aggregated daily usage metrics per user, including: number of projects created, number and size of media files uploaded, number of exports, total processing time consumed, and active usage minutes. These statistics are aggregated on a daily basis and linked to your user account.

3.3 Content You Upload

When you use VCE, you may upload media files and create projects. We process and store the following:

Media Files:

The media files themselves (video, audio, images, subtitles, fonts, and other supported formats), stored on our cloud storage infrastructure
File metadata extracted during processing: original filename, file type, file size, checksum, and technical properties relevant to media processing (such as duration, resolution, and codec information)
Derived files generated by the Service: thumbnails, proxy files for editing, audio waveform visualizations, and exported output files Project Data:
Project structure, timeline data, effect settings, and other editing configurations
Associations between projects and media files

We do not examine or view the content of your media files. Processing is performed automatically by our processing tools without human review, except when required to respond to a valid legal request or to enforce our Terms of Service regarding prohibited content.

3.4 Information We Do NOT Collect

To be transparent about the boundaries of our data collection, we explicitly state that VCE does not collect or process:

Biometric data. Our AI subtitle generation feature processes audio solely to produce text transcriptions. It does not perform speaker identification, voice profiling, facial recognition, or any biometric analysis.
Payment or financial data. VCE is currently a free service. We do not collect credit card numbers, bank account details, or any financial information. If paid features are introduced in the future, we will update this Privacy Policy before collecting any payment data.
Third-party tracking data. We do not use third-party analytics services (such as Google Analytics), advertising networks, or social media tracking pixels. We do not track you across other websites.
Social media account data. We do not offer social login (OAuth) and do not access any data from social media platforms.
Location data. We do not use GPS, Wi-Fi, or Bluetooth signals to determine your precise location. IP addresses may indicate an approximate geographic area but are not used by us for geolocation purposes.
Third-party cookies. We do not set or use any third-party cookies.

4. How We Use Your Information

We use the Personal Data we collect for the following purposes:

4.1 Providing and Maintaining the Service

Creating and managing your user account
Authenticating your identity when you log in
Storing and serving your media files and projects
Processing your media files (encoding, transcoding, thumbnail generation, waveform generation, rendering, and exporting)
Delivering AI-powered features (automatic subtitle generation, silence detection)
Maintaining your preferences and settings
Tracking your storage usage against your account quota

4.2 Security and Abuse Prevention

Detecting and preventing unauthorized access to your account
Implementing rate limiting to protect against brute-force attacks
Maintaining session records so you can review and revoke active sessions
Logging user activity for security audit trails
Identifying and blocking abusive behavior

4.3 Communication

Sending account-related notifications (password changes, security alerts, session activity)
Responding to your support requests and inquiries
Notifying you of material changes to this Privacy Policy or our Terms of Service (with at least 30 days' notice)

4.4 Service Improvement

Analyzing aggregated usage statistics to understand how the Service is used and to identify areas for improvement
Monitoring service performance and reliability
Diagnosing technical issues

4.5 Legal Compliance

Responding to valid legal requests from law enforcement or regulatory authorities
Complying with applicable laws and regulations
Enforcing our Terms of Service

Important: We do NOT use your Personal Data or Content for:

Training, fine-tuning, or improving any artificial intelligence or machine learning models
Advertising or targeted marketing
Selling to or sharing with third parties for their marketing purposes
Building user profiles for commercial exploitation
Automated decision-making that produces legal or similarly significant effects on you

5. Legal Basis for Processing (GDPR Article 6)

For users in the European Union and the European Economic Area, we process your Personal Data under the following legal bases:

5.1 Performance of a Contract (Article 6(1)(b))

Processing that is necessary for the performance of our contract with you (the Terms of Service):

Account creation and management (email, name, password hash)
Media file storage and processing
Delivering the video editing service and its features
Managing your storage quota
Providing AI-powered features you request

5.2 Legitimate Interests (Article 6(1)(f))

Processing that is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms:

Security: Collecting IP addresses, User-Agent strings, and session data to protect your account and the Service from unauthorized access, fraud, and abuse. Implementing rate limiting and maintaining activity logs.
Service improvement: Analyzing aggregated usage statistics to improve the Service.
Technical operation: Maintaining server logs for operational purposes and troubleshooting.

We have conducted a balancing assessment for each of these legitimate interests and have determined that the processing is proportionate, limited to what is necessary, and that appropriate safeguards (data minimization, retention limits, access controls) are in place.

5.3 Consent (Article 6(1)(a))

Where we process your data based on consent, that consent is:

Freely given, specific, informed, and unambiguous (GDPR Article 7)
Withdrawable at any time by contacting privacy@vcecloud.com or through the Service settings
Not a precondition for accessing the Service, unless the processing is essential to the service itself

Currently, we rely on consent for:

Receiving optional communications beyond essential service notifications (if introduced in the future)

If we introduce new features requiring consent (such as analytics cookies or marketing communications), we will obtain your explicit, opt-in consent before processing and update this Privacy Policy accordingly.

5.4 Legal Obligation (Article 6(1)(c))

We may process your data when required by law, for example:

Responding to valid court orders, subpoenas, or regulatory requests
Complying with mandatory reporting obligations (such as CSAM reporting under 18 USC Section 2258A)
Retaining certain records as required by applicable tax, commercial, or criminal law

6. How We Share Your Information

6.1 Service Providers (Data Processors)

We share your data with the following third-party service providers, who act as Data Processors under GDPR Article 28. We have Data Processing Agreements (DPAs) in place, or will execute DPAs before launch, with each Processor:

Service Provider	Role	Data Shared	Location	DPA Status
Contabo GmbH	Hosting provider (VPS)	All data (database, application data, server logs)	Munich, Germany (EU)	Required before launch
Cloudflare, Inc.	Object storage (R2)	Media files, derived files (thumbnails, waveforms, proxies, exports)	Automatic region selection (EU region expected based on server location)	Required before launch
Let's Encrypt (ISRG)	TLS certificate authority	Domain names (vcecloud.com, api.vcecloud.com) only	United States	Not required (no Personal Data processed)

Our Processors are contractually bound to:

Process your data only on our documented instructions
Ensure confidentiality of your data
Implement appropriate technical and organizational security measures
Assist us in fulfilling our obligations regarding your data protection rights
Delete or return all Personal Data upon termination of the service agreement
Make available all information necessary to demonstrate compliance

6.2 Legal Requirements

We may disclose your Personal Data if we are required to do so by law, or if we believe in good faith that such disclosure is necessary to:

Comply with a legal obligation, court order, or legal process served on us
Protect and defend our rights or property
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of users of the Service or the public
Protect against legal liability

Where permitted by law, we will notify you of any legal request for your data unless we are legally prohibited from doing so.

6.3 Business Transfers

If VCE is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your Personal Data may be transferred as part of that transaction. In such an event, we will notify you (via email and/or a prominent notice on the Service) before your Personal Data is transferred and becomes subject to a different privacy policy. You will have the right to delete your account and data before such a transfer.

6.4 We Do NOT Sell Your Data

We do not sell, rent, or trade your Personal Data to any third party. This applies to all jurisdictions, including under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We do not "sell" or "share" Personal Data as those terms are defined under California Civil Code Section 1798.140(ad) and Section 1798.140(ah).

6.5 We Do NOT Use Your Content for AI Training

We do not use your uploaded Content, project data, or any derivative works to train, fine-tune, or improve any artificial intelligence or machine learning models, whether our own or those of third parties. Your Content is processed solely to deliver the features you request.

7. International Data Transfers

7.1 Primary Data Location

Your Personal Data and Content are primarily stored on servers located in Germany (European Union):

Application server, database, and cache: Contabo VPS, Germany
Object storage (media files): Cloudflare R2, EU region

Because Germany is an EU member state, storage of your data in Germany is compliant with GDPR data residency expectations for EU users.

7.2 Transfers Outside the EU/EEA

Cloudflare, Inc. is a US-based company. While Cloudflare R2 is designed to store data close to the point of origin (in our case, our German server), certain operational metadata may be processed by Cloudflare infrastructure outside the EU/EEA.

For any transfers of Personal Data to countries outside the EU/EEA that have not received an adequacy decision from the European Commission, we rely on:

Standard Contractual Clauses (SCCs) as adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, included in our Data Processing Agreement with Cloudflare
EU-US Data Privacy Framework, where the recipient is a certified participant under the Framework (Executive Order 14086)
Supplementary technical measures, including encryption in transit and at rest

7.3 Data Localization (Russia, 152-FZ)

Under Federal Law No. 152-FZ "On Personal Data," Article 18(5), operators collecting personal data of Russian citizens through the Internet must ensure that the recording, systematization, accumulation, storage, refinement, and extraction of personal data of Russian citizens is performed using databases located on the territory of the Russian Federation.

Current status: VCE does not currently operate servers in the Russian Federation. If you are a citizen of the Russian Federation, please be aware that your Personal Data is stored on servers in Germany. We are evaluating compliance options for Russian data localization requirements and will update this Policy when a determination is made. Users in Russia should be aware of this limitation before creating an account.

8. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following table describes our retention periods:

Data Category	Retention Period	Basis
Account data (email, name, password hash, preferences)	Until you delete your account, plus 30 days for technical deletion from active systems	Contract performance
Media files and derived files	Until you delete the file or your account, whichever is first	Contract performance
Session data (IP, User-Agent, device info)	30 days after the session becomes inactive (no activity), or upon logout	Legitimate interest (security)
Activity logs (actions, IP address)	90 days from creation	Legitimate interest (security, abuse prevention)
Usage statistics (aggregated daily metrics)	1 year from creation, then anonymized or deleted	Legitimate interest (service improvement)
Invalidated authentication tokens	Until the token's original expiry time (maximum 24 hours)	Contract performance (security)
Encrypted backups	Purged within 90 days after deletion from active systems	Legitimate interest (disaster recovery)
Server logs (web server access and error logs)	90 days	Legitimate interest (security, troubleshooting)

After account deletion:

When you delete your account:

Your account is deactivated immediately (within seconds)
All active sessions are terminated
Your Content (media files, projects, derived files) is queued for deletion from active storage
All Content is removed from active storage within 30 days
Content persisting in encrypted backups is purged within 90 days of account deletion
After 90 days, no recoverable copy of your data exists in our systems

9. Your Rights

Depending on your location and applicable law, you have the following rights regarding your Personal Data.

9.1 Rights Under the GDPR (EU/EEA Residents)

If you are located in the European Union or the European Economic Area, you have the following rights under the General Data Protection Regulation (Articles 15 through 22):

Right of Access (Article 15): You have the right to obtain confirmation as to whether your Personal Data is being processed and, if so, to access that data and receive information about the processing.
Right to Rectification (Article 16): You have the right to have inaccurate Personal Data corrected. You can update your email, name, and other account information directly through the Service settings.
Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to have your Personal Data deleted. You can request account deletion by contacting us at privacy@vcecloud.com, which triggers deletion of all your data as described in Section 8. We may retain certain data where we have a legal obligation or legitimate ground to do so (for example, records of legal requests).
Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you do not want erasure.
Right to Data Portability (Article 20): You have the right to receive the Personal Data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. You can download your media files and export your project data through the Service interface. For a full data export, contact us at privacy@vcecloud.com.
Right to Object (Article 21): You have the right to object to processing based on our legitimate interests (Section 5.2). If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. If you are in Germany, the competent authority is the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter fur den Datenschutz und die Informationsfreiheit, BfDI) or the data protection authority of your German federal state. If you are in another EU/EEA member state, you may contact the supervisory authority in your country of habitual residence.

9.2 Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code Section 1798.100 et seq.), as amended by the California Privacy Rights Act:

Right to Know (Section 1798.100): You have the right to request that we disclose the categories and specific pieces of Personal Data we have collected about you, the categories of sources, the business purposes for collecting the data, and the categories of third parties with whom we share it.
Right to Delete (Section 1798.105): You have the right to request deletion of your Personal Data. Upon a verified request, we will delete your Personal Data and direct our Processors to do the same, subject to certain exceptions permitted by law.
Right to Opt-Out of Sale/Sharing (Section 1798.120): We do not sell or share your Personal Data. Therefore, no opt-out mechanism is required. If our practices change in the future, we will provide a clear "Do Not Sell or Share My Personal Information" link and update this Policy.
Right to Non-Discrimination (Section 1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive a different quality of service for exercising your rights.
Right to Correct (Section 1798.106): You have the right to request correction of inaccurate Personal Data. You can correct most data directly through your account settings.
Right to Limit Use of Sensitive Personal Information (Section 1798.121): We do not collect sensitive personal information as defined under the CPRA.

California "Shine the Light" Law (Cal. Civ. Code Section 1798.83): We do not disclose personal information to third parties for their direct marketing purposes. Therefore, no further action is required under this provision.

9.3 Rights Under 152-FZ (Russian Federation)

If you are a citizen of the Russian Federation, you have the following rights under Federal Law No. 152-FZ "On Personal Data":

Right of Access (Article 14): You have the right to receive information about the processing of your personal data, including the legal basis, purposes, methods of processing, and the personal data itself.
Right to Rectification (Article 14(3)): You have the right to demand rectification of inaccurate or incomplete personal data.
Right to Blocking and Deletion (Article 14(3), Article 21): You have the right to demand blocking or deletion of personal data that was collected unlawfully or is no longer necessary for the stated purpose.
Right to Withdraw Consent (Article 9(2)): You have the right to withdraw your consent to the processing of personal data at any time by providing a written notice (or electronic equivalent) to the Controller.

Note regarding data localization: As stated in Section 7.3, VCE does not currently maintain servers in the Russian Federation. Your data is stored in Germany (EU). Please see Section 7.3 for details.

9.4 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

Email: privacy@vcecloud.com

When submitting a request, please include:

Your full name and email address associated with your VCE account
The specific right you wish to exercise
Any additional information that may help us verify your identity and process your request

Verification: To protect your privacy, we may need to verify your identity before fulfilling your request. We will ask you to confirm your identity through your registered email address. We will not require you to create an account solely for the purpose of making a request.

Response Times:

Jurisdiction	Response Time	Extension
EU/EEA (GDPR)	Within 30 days of receiving the request (GDPR Article 12(3))	Up to 60 additional days for complex requests, with notification
California (CCPA/CPRA)	Within 45 days of receiving a verifiable request (Cal. Civ. Code Section 1798.130(a)(2))	Up to 45 additional days with notification
Russia (152-FZ)	Within 30 days of receiving the request (152-FZ Article 14(4)), or within 10 business days for blocking/deletion (Article 21(3))	As specified by law

Cost: We do not charge a fee for processing your requests. If requests are manifestly unfounded or excessive (GDPR Article 12(5)), we reserve the right to charge a reasonable fee or refuse the request, with justification.

Appeals: If you are unsatisfied with our response, you may lodge a complaint with the relevant supervisory authority (see Section 9.1 for EU, your state attorney general for California, or Roskomnadzor for Russia).

10. Cookies and Similar Technologies

10.1 Current Cookie Usage

VCE does not currently set any cookies. Authentication is handled via tokens stored in your browser's session storage (not cookies). Client-side preferences are stored in local storage. These storage mechanisms are local to your browser and are not transmitted to third parties.

We do not use:

Analytics cookies
Advertising or marketing cookies
Third-party tracking cookies
Social media cookies
Cross-site tracking technologies

10.2 Consent for Cookies

Under the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) and GDPR, consent is not required for cookies that are strictly necessary for the provision of a service explicitly requested by the user. Since we only use strictly necessary cookies, we do not currently display a cookie consent banner.

10.3 Future Changes

If we introduce non-essential cookies in the future (for example, analytics or marketing cookies), we will:

Update this Privacy Policy and our Cookie Policy before deploying such cookies
Implement a cookie consent mechanism that provides granular, per-category control
Ensure consent is obtained through an opt-in mechanism (not pre-checked boxes) before any non-essential cookies are set
Provide the ability to withdraw consent at any time

11. Children's Privacy

11.1 Age Requirement

VCE is not directed at or intended for use by children. You must be at least 16 years old to create an account and use VCE. This minimum age is set in accordance with GDPR Article 8, which establishes 16 as the default age of digital consent (unless lowered by an EU member state).

We do not knowingly collect Personal Data from children under the age of 16. We do not knowingly collect Personal Data from children under 13 in the United States, as prohibited by the Children's Online Privacy Protection Act (COPPA, 15 USC Section 6501 et seq.).

11.2 If We Discover a Child's Data

If we become aware that we have collected Personal Data from a child under the applicable minimum age without verified parental consent, we will take immediate steps to:

Disable the child's account
Delete all Personal Data and Content associated with that account
Notify the parent or guardian if contact information is available

11.3 Reporting

If you believe that a child under 16 (or under 13 in the United States) has created an account on VCE, please contact us immediately at privacy@vcecloud.com so that we can take appropriate action.

12. Security Measures

We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction, in accordance with GDPR Article 32 and Federal Law 152-FZ Article 19. These measures include, but are not limited to:

Encryption:

In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and implement HTTP Strict Transport Security (HSTS) headers.
At rest: Media files stored in our cloud storage infrastructure are encrypted using industry-standard server-side encryption. Database connections use encrypted channels.

Authentication and Access Control:

Passwords are hashed using industry-standard cryptographic algorithms. We never store plaintext passwords.
Authentication uses time-limited tokens with support for immediate logout and session revocation.
Rate limiting protects against brute-force attacks.

Infrastructure Security:

Application containers run with restricted privileges
Firewall restricting network access to essential ports only
Automated blocking of suspicious IP addresses
Hardened remote access controls
Regular security audits of code and infrastructure

Application Security:

Input sanitization and cross-site scripting (XSS) protection
Path traversal protection for file operations
File type validation on upload
Storage isolation between users (cross-user access is prevented by authorization checks)
SQL injection prevention through parameterized queries

Organizational Measures:

Access to production systems is restricted to essential personnel
Security incident response procedures are documented and tested

While we strive to protect your Personal Data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incidents.

13. Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will take the following steps:

13.1 GDPR Requirements (EU/EEA)

In accordance with GDPR Articles 33 and 34:

Notification to supervisory authority: We will notify the competent data protection authority (in Germany, the BfDI or the relevant state authority) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (Article 33).
Notification to affected users: Where the breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay (Article 34). This notification will describe the nature of the breach, the likely consequences, the measures we have taken or propose to take, and the contact point for further information.

13.2 CCPA Requirements (California)

In accordance with California Civil Code Section 1798.82, we will notify affected California residents of any breach of security involving their unencrypted Personal Data in the most expedient time possible and without unreasonable delay.

13.3 152-FZ Requirements (Russia)

In accordance with applicable Russian law and Roskomnadzor requirements, we will notify the relevant authorities and affected users of personal data breaches as required.

13.4 Notification Method

Breach notifications will be sent via email to the address associated with your account. If email is not feasible (for example, if we do not have a current email address), we will provide notice through a prominent posting on the Service. We may also post a notice on our website at vcecloud.com.

14. Changes to This Privacy Policy

14.1 How We Update This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, new features, legal requirements, or for other operational, legal, or regulatory reasons.

14.2 Notification of Changes

When we make changes to this Privacy Policy:

We will update the "Last Updated" date at the top of this page
For material changes (changes that affect your rights, the categories of data collected, or how we use or share your data), we will provide at least 30 days' prior notice via:
- Email to the address associated with your account
- A prominent notice within the Service interface
The notice will describe the nature of the changes and their effective date

14.3 Your Choices

If you disagree with any changes to this Privacy Policy, you may:

Stop using the Service
Delete your account before the changes take effect
Contact us at privacy@vcecloud.com to discuss your concerns

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes, to the extent permitted by applicable law. Where GDPR or other applicable law requires your active consent to material changes, we will seek that consent before the changes take effect.

14.4 Archive of Previous Versions

We maintain an archive of previous versions of this Privacy Policy. You may request any prior version by contacting us at privacy@vcecloud.com.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Data Controller: Konstantin White

Email: privacy@vcecloud.com

Mailing Address: (To be provided upon entity formation)

For specific matters:

Topic	Contact
Privacy rights and data requests	privacy@vcecloud.com
General support	support@vcecloud.com
Legal matters	legal@vcecloud.com
Copyright / DMCA	dmca@vcecloud.com

EU Supervisory Authority:

If you are in the European Union and wish to lodge a complaint about our data processing practices, you may contact the data protection authority in your country of habitual residence, your place of work, or the place of the alleged infringement. As VCE's infrastructure is located in Germany, the relevant German authorities include:

Federal Commissioner for Data Protection and Freedom of Information (BfDI): www.bfdi.bund.de
The data protection authority of the German federal state where the server is located

Russian Federation:

If you are a citizen of the Russian Federation, you may also contact:

Roskomnadzor (Federal Service for Supervision of Communications, Information Technology, and Mass Communications): rkn.gov.ru

Summary of Data Processing Activities

For transparency, the following table provides a summary of our data processing activities as required by GDPR Article 30:

Category	Data	Purpose	Legal Basis	Retention	Recipients
Account	Email, name, password hash	Service provision	Contract (Art. 6(1)(b))	Until deletion + 30 days	Contabo (hosting)
Account	Avatar, timezone, locale	Personalization	Contract (Art. 6(1)(b))	Until deletion + 30 days	Contabo (hosting)
Session	IP, User-Agent, device info	Security	Legitimate interest (Art. 6(1)(f))	30 days inactivity	Contabo (hosting)
Activity	Actions, IP, timestamps	Audit trail, security	Legitimate interest (Art. 6(1)(f))	90 days	Contabo (hosting)
Usage	Aggregated daily statistics	Service improvement	Legitimate interest (Art. 6(1)(f))	1 year	Contabo (hosting)
Content	Media files, metadata	Service provision	Contract (Art. 6(1)(b))	Until deletion by user	Contabo, Cloudflare R2
Derived	Thumbnails, waveforms, exports	Service provision	Contract (Art. 6(1)(b))	Until source deletion	Contabo, Cloudflare R2

This Privacy Policy was last reviewed on February 6, 2026.

IMPORTANT DISCLAIMER: This Privacy Policy is a draft document prepared based on a review of the VCE codebase and infrastructure. It has NOT been reviewed by a licensed attorney. Before publishing this document on vcecloud.com or relying on it for legal compliance:

This document must be reviewed and approved by a qualified data protection attorney licensed in the European Union (particularly Germany), the United States (particularly California), and the Russian Federation.
A physical mailing address must be added to Sections 1 and 15 before publication.
Data Processing Agreements (DPAs) must be executed with Contabo GmbH and Cloudflare, Inc. before launch.
The Russian data localization question (Section 7.3) requires legal counsel to determine whether the service can legally operate in Russia without local data storage infrastructure.
If the service will be offered to Russian users, Roskomnadzor registration as a personal data operator under 152-FZ Article 22 may be required.
A Data Protection Impact Assessment (DPIA) should be considered under GDPR Article 35, particularly for the AI subtitle generation feature.
This analysis identifies potential compliance risks based on code review. It is not legal advice. Consult a licensed attorney in each jurisdiction before launch.

Effective Date: February 6, 2026 Last Updated: February 6, 2026

1. Introduction and Data Controller

Data Controller:

Konstantin White Email: privacy@vcecloud.com Address: (To be provided upon entity formation)

If you have questions about this Privacy Policy or wish to exercise any of your rights described in Section 9, please contact us at privacy@vcecloud.com.

2. Definitions

The following definitions apply throughout this Privacy Policy:

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Article 4(1). This includes, but is not limited to, names, email addresses, IP addresses, and device identifiers.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in GDPR Article 4(2). This includes collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, and destruction.
"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (GDPR Article 4(7)). For this Service, the Controller is Konstantin White.
"Processor" means a natural or legal person which processes Personal Data on behalf of the Controller (GDPR Article 4(8)). Our Processors include our hosting provider and cloud storage provider.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates. In the context of this Privacy Policy, this is you, the user.
"Service" means the VCE web application, API, and all related features available at vcecloud.com and api.vcecloud.com.
"Content" or "User Content" means any media files (video, audio, images), project data, subtitles, or other materials that you upload to, create with, or store on the Service.

3. Information We Collect

3.1 Information You Provide Directly

When you create an account and use VCE, you provide the following Personal Data:

Account Information:

Data	Purpose	Required
Email address	Account identification, authentication, and communication	Yes
Display name	User identification within the Service	Yes
Password	Account authentication (stored only as a secure, industry-standard cryptographic hash; we never store your plaintext password)	Yes
Avatar URL	Profile personalization	No
Timezone	Displaying correct timestamps in the interface	No (defaults to UTC)
Locale/language preference	Interface language	No (defaults to English)

User Preferences:

3.2 Information Collected Automatically

When you access and use the Service, we automatically collect the following technical data:

Session Information:

Data	Purpose	Retention
IP address (IPv4 or IPv6)	Security, abuse prevention, session management	Duration of session + 30 days
User-Agent string	Device identification, compatibility, security	Duration of session + 30 days
Device name (if provided by your browser)	Session management, allowing you to identify your active sessions	Duration of session + 30 days
Device type	Session management	Duration of session + 30 days
Session creation timestamp	Security audit trail	Duration of session + 30 days
Last activity timestamp	Session timeout management	Duration of session + 30 days

Activity Logs:

We log certain user actions for security monitoring, abuse prevention, and service improvement purposes:

Login and logout events (with IP address)
Project creation, opening, and saving
Media file uploads and deletions
Export operations (start and completion)
Template applications
Batch processing operations

Usage Statistics:

3.3 Content You Upload

When you use VCE, you may upload media files and create projects. We process and store the following:

Media Files:

The media files themselves (video, audio, images, subtitles, fonts, and other supported formats), stored on our cloud storage infrastructure
File metadata extracted during processing: original filename, file type, file size, checksum, and technical properties relevant to media processing (such as duration, resolution, and codec information)
Derived files generated by the Service: thumbnails, proxy files for editing, audio waveform visualizations, and exported output files Project Data:
Project structure, timeline data, effect settings, and other editing configurations
Associations between projects and media files

3.4 Information We Do NOT Collect

To be transparent about the boundaries of our data collection, we explicitly state that VCE does not collect or process:

Biometric data. Our AI subtitle generation feature processes audio solely to produce text transcriptions. It does not perform speaker identification, voice profiling, facial recognition, or any biometric analysis.
Payment or financial data. VCE is currently a free service. We do not collect credit card numbers, bank account details, or any financial information. If paid features are introduced in the future, we will update this Privacy Policy before collecting any payment data.
Third-party tracking data. We do not use third-party analytics services (such as Google Analytics), advertising networks, or social media tracking pixels. We do not track you across other websites.
Social media account data. We do not offer social login (OAuth) and do not access any data from social media platforms.
Location data. We do not use GPS, Wi-Fi, or Bluetooth signals to determine your precise location. IP addresses may indicate an approximate geographic area but are not used by us for geolocation purposes.
Third-party cookies. We do not set or use any third-party cookies.

4. How We Use Your Information

We use the Personal Data we collect for the following purposes:

4.1 Providing and Maintaining the Service

Creating and managing your user account
Authenticating your identity when you log in
Storing and serving your media files and projects
Processing your media files (encoding, transcoding, thumbnail generation, waveform generation, rendering, and exporting)
Delivering AI-powered features (automatic subtitle generation, silence detection)
Maintaining your preferences and settings
Tracking your storage usage against your account quota

4.2 Security and Abuse Prevention

Detecting and preventing unauthorized access to your account
Implementing rate limiting to protect against brute-force attacks
Maintaining session records so you can review and revoke active sessions
Logging user activity for security audit trails
Identifying and blocking abusive behavior

4.3 Communication

Sending account-related notifications (password changes, security alerts, session activity)
Responding to your support requests and inquiries
Notifying you of material changes to this Privacy Policy or our Terms of Service (with at least 30 days' notice)

4.4 Service Improvement

Analyzing aggregated usage statistics to understand how the Service is used and to identify areas for improvement
Monitoring service performance and reliability
Diagnosing technical issues

4.5 Legal Compliance

Responding to valid legal requests from law enforcement or regulatory authorities
Complying with applicable laws and regulations
Enforcing our Terms of Service

Important: We do NOT use your Personal Data or Content for:

Training, fine-tuning, or improving any artificial intelligence or machine learning models
Advertising or targeted marketing
Selling to or sharing with third parties for their marketing purposes
Building user profiles for commercial exploitation
Automated decision-making that produces legal or similarly significant effects on you

5. Legal Basis for Processing (GDPR Article 6)

For users in the European Union and the European Economic Area, we process your Personal Data under the following legal bases:

5.1 Performance of a Contract (Article 6(1)(b))

Processing that is necessary for the performance of our contract with you (the Terms of Service):

Account creation and management (email, name, password hash)
Media file storage and processing
Delivering the video editing service and its features
Managing your storage quota
Providing AI-powered features you request

5.2 Legitimate Interests (Article 6(1)(f))

Processing that is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms:

Security: Collecting IP addresses, User-Agent strings, and session data to protect your account and the Service from unauthorized access, fraud, and abuse. Implementing rate limiting and maintaining activity logs.
Service improvement: Analyzing aggregated usage statistics to improve the Service.
Technical operation: Maintaining server logs for operational purposes and troubleshooting.

5.3 Consent (Article 6(1)(a))

Where we process your data based on consent, that consent is:

Freely given, specific, informed, and unambiguous (GDPR Article 7)
Withdrawable at any time by contacting privacy@vcecloud.com or through the Service settings
Not a precondition for accessing the Service, unless the processing is essential to the service itself

Currently, we rely on consent for:

Receiving optional communications beyond essential service notifications (if introduced in the future)

5.4 Legal Obligation (Article 6(1)(c))

We may process your data when required by law, for example:

Responding to valid court orders, subpoenas, or regulatory requests
Complying with mandatory reporting obligations (such as CSAM reporting under 18 USC Section 2258A)
Retaining certain records as required by applicable tax, commercial, or criminal law

6. How We Share Your Information

6.1 Service Providers (Data Processors)

Service Provider	Role	Data Shared	Location	DPA Status
Contabo GmbH	Hosting provider (VPS)	All data (database, application data, server logs)	Munich, Germany (EU)	Required before launch
Cloudflare, Inc.	Object storage (R2)	Media files, derived files (thumbnails, waveforms, proxies, exports)	Automatic region selection (EU region expected based on server location)	Required before launch
Let's Encrypt (ISRG)	TLS certificate authority	Domain names (vcecloud.com, api.vcecloud.com) only	United States	Not required (no Personal Data processed)

Our Processors are contractually bound to:

Process your data only on our documented instructions
Ensure confidentiality of your data
Implement appropriate technical and organizational security measures
Assist us in fulfilling our obligations regarding your data protection rights
Delete or return all Personal Data upon termination of the service agreement
Make available all information necessary to demonstrate compliance

6.2 Legal Requirements

We may disclose your Personal Data if we are required to do so by law, or if we believe in good faith that such disclosure is necessary to:

Comply with a legal obligation, court order, or legal process served on us
Protect and defend our rights or property
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of users of the Service or the public
Protect against legal liability

Where permitted by law, we will notify you of any legal request for your data unless we are legally prohibited from doing so.

6.3 Business Transfers

6.4 We Do NOT Sell Your Data

6.5 We Do NOT Use Your Content for AI Training

7. International Data Transfers

7.1 Primary Data Location

Your Personal Data and Content are primarily stored on servers located in Germany (European Union):

Application server, database, and cache: Contabo VPS, Germany
Object storage (media files): Cloudflare R2, EU region

Because Germany is an EU member state, storage of your data in Germany is compliant with GDPR data residency expectations for EU users.

7.2 Transfers Outside the EU/EEA

For any transfers of Personal Data to countries outside the EU/EEA that have not received an adequacy decision from the European Commission, we rely on:

Standard Contractual Clauses (SCCs) as adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, included in our Data Processing Agreement with Cloudflare
EU-US Data Privacy Framework, where the recipient is a certified participant under the Framework (Executive Order 14086)
Supplementary technical measures, including encryption in transit and at rest

7.3 Data Localization (Russia, 152-FZ)

8. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following table describes our retention periods:

Data Category	Retention Period	Basis
Account data (email, name, password hash, preferences)	Until you delete your account, plus 30 days for technical deletion from active systems	Contract performance
Media files and derived files	Until you delete the file or your account, whichever is first	Contract performance
Session data (IP, User-Agent, device info)	30 days after the session becomes inactive (no activity), or upon logout	Legitimate interest (security)
Activity logs (actions, IP address)	90 days from creation	Legitimate interest (security, abuse prevention)
Usage statistics (aggregated daily metrics)	1 year from creation, then anonymized or deleted	Legitimate interest (service improvement)
Invalidated authentication tokens	Until the token's original expiry time (maximum 24 hours)	Contract performance (security)
Encrypted backups	Purged within 90 days after deletion from active systems	Legitimate interest (disaster recovery)
Server logs (web server access and error logs)	90 days	Legitimate interest (security, troubleshooting)

After account deletion:

When you delete your account:

Your account is deactivated immediately (within seconds)
All active sessions are terminated
Your Content (media files, projects, derived files) is queued for deletion from active storage
All Content is removed from active storage within 30 days
Content persisting in encrypted backups is purged within 90 days of account deletion
After 90 days, no recoverable copy of your data exists in our systems

9. Your Rights

Depending on your location and applicable law, you have the following rights regarding your Personal Data.

9.1 Rights Under the GDPR (EU/EEA Residents)

If you are located in the European Union or the European Economic Area, you have the following rights under the General Data Protection Regulation (Articles 15 through 22):

Right of Access (Article 15): You have the right to obtain confirmation as to whether your Personal Data is being processed and, if so, to access that data and receive information about the processing.
Right to Rectification (Article 16): You have the right to have inaccurate Personal Data corrected. You can update your email, name, and other account information directly through the Service settings.
Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to have your Personal Data deleted. You can request account deletion by contacting us at privacy@vcecloud.com, which triggers deletion of all your data as described in Section 8. We may retain certain data where we have a legal obligation or legitimate ground to do so (for example, records of legal requests).
Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you do not want erasure.
Right to Data Portability (Article 20): You have the right to receive the Personal Data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. You can download your media files and export your project data through the Service interface. For a full data export, contact us at privacy@vcecloud.com.
Right to Object (Article 21): You have the right to object to processing based on our legitimate interests (Section 5.2). If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. If you are in Germany, the competent authority is the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter fur den Datenschutz und die Informationsfreiheit, BfDI) or the data protection authority of your German federal state. If you are in another EU/EEA member state, you may contact the supervisory authority in your country of habitual residence.

9.2 Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code Section 1798.100 et seq.), as amended by the California Privacy Rights Act:

Right to Know (Section 1798.100): You have the right to request that we disclose the categories and specific pieces of Personal Data we have collected about you, the categories of sources, the business purposes for collecting the data, and the categories of third parties with whom we share it.
Right to Delete (Section 1798.105): You have the right to request deletion of your Personal Data. Upon a verified request, we will delete your Personal Data and direct our Processors to do the same, subject to certain exceptions permitted by law.
Right to Opt-Out of Sale/Sharing (Section 1798.120): We do not sell or share your Personal Data. Therefore, no opt-out mechanism is required. If our practices change in the future, we will provide a clear "Do Not Sell or Share My Personal Information" link and update this Policy.
Right to Non-Discrimination (Section 1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive a different quality of service for exercising your rights.
Right to Correct (Section 1798.106): You have the right to request correction of inaccurate Personal Data. You can correct most data directly through your account settings.
Right to Limit Use of Sensitive Personal Information (Section 1798.121): We do not collect sensitive personal information as defined under the CPRA.

9.3 Rights Under 152-FZ (Russian Federation)

If you are a citizen of the Russian Federation, you have the following rights under Federal Law No. 152-FZ "On Personal Data":

Right of Access (Article 14): You have the right to receive information about the processing of your personal data, including the legal basis, purposes, methods of processing, and the personal data itself.
Right to Rectification (Article 14(3)): You have the right to demand rectification of inaccurate or incomplete personal data.
Right to Blocking and Deletion (Article 14(3), Article 21): You have the right to demand blocking or deletion of personal data that was collected unlawfully or is no longer necessary for the stated purpose.
Right to Withdraw Consent (Article 9(2)): You have the right to withdraw your consent to the processing of personal data at any time by providing a written notice (or electronic equivalent) to the Controller.

9.4 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

Email: privacy@vcecloud.com

When submitting a request, please include:

Your full name and email address associated with your VCE account
The specific right you wish to exercise
Any additional information that may help us verify your identity and process your request

Response Times:

Jurisdiction	Response Time	Extension
EU/EEA (GDPR)	Within 30 days of receiving the request (GDPR Article 12(3))	Up to 60 additional days for complex requests, with notification
California (CCPA/CPRA)	Within 45 days of receiving a verifiable request (Cal. Civ. Code Section 1798.130(a)(2))	Up to 45 additional days with notification
Russia (152-FZ)	Within 30 days of receiving the request (152-FZ Article 14(4)), or within 10 business days for blocking/deletion (Article 21(3))	As specified by law

10. Cookies and Similar Technologies

10.1 Current Cookie Usage

We do not use:

Analytics cookies
Advertising or marketing cookies
Third-party tracking cookies
Social media cookies
Cross-site tracking technologies

10.2 Consent for Cookies

10.3 Future Changes

If we introduce non-essential cookies in the future (for example, analytics or marketing cookies), we will:

Update this Privacy Policy and our Cookie Policy before deploying such cookies
Implement a cookie consent mechanism that provides granular, per-category control
Ensure consent is obtained through an opt-in mechanism (not pre-checked boxes) before any non-essential cookies are set
Provide the ability to withdraw consent at any time

11. Children's Privacy

11.1 Age Requirement

11.2 If We Discover a Child's Data

If we become aware that we have collected Personal Data from a child under the applicable minimum age without verified parental consent, we will take immediate steps to:

Disable the child's account
Delete all Personal Data and Content associated with that account
Notify the parent or guardian if contact information is available

11.3 Reporting

If you believe that a child under 16 (or under 13 in the United States) has created an account on VCE, please contact us immediately at privacy@vcecloud.com so that we can take appropriate action.

12. Security Measures

Encryption:

In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and implement HTTP Strict Transport Security (HSTS) headers.
At rest: Media files stored in our cloud storage infrastructure are encrypted using industry-standard server-side encryption. Database connections use encrypted channels.

Authentication and Access Control:

Passwords are hashed using industry-standard cryptographic algorithms. We never store plaintext passwords.
Authentication uses time-limited tokens with support for immediate logout and session revocation.
Rate limiting protects against brute-force attacks.

Infrastructure Security:

Application containers run with restricted privileges
Firewall restricting network access to essential ports only
Automated blocking of suspicious IP addresses
Hardened remote access controls
Regular security audits of code and infrastructure

Application Security:

Input sanitization and cross-site scripting (XSS) protection
Path traversal protection for file operations
File type validation on upload
Storage isolation between users (cross-user access is prevented by authorization checks)
SQL injection prevention through parameterized queries

Organizational Measures:

Access to production systems is restricted to essential personnel
Security incident response procedures are documented and tested

13. Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will take the following steps:

13.1 GDPR Requirements (EU/EEA)

In accordance with GDPR Articles 33 and 34:

Notification to supervisory authority: We will notify the competent data protection authority (in Germany, the BfDI or the relevant state authority) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (Article 33).
Notification to affected users: Where the breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay (Article 34). This notification will describe the nature of the breach, the likely consequences, the measures we have taken or propose to take, and the contact point for further information.

13.2 CCPA Requirements (California)

13.3 152-FZ Requirements (Russia)

In accordance with applicable Russian law and Roskomnadzor requirements, we will notify the relevant authorities and affected users of personal data breaches as required.

13.4 Notification Method

14. Changes to This Privacy Policy

14.1 How We Update This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, new features, legal requirements, or for other operational, legal, or regulatory reasons.

14.2 Notification of Changes

When we make changes to this Privacy Policy:

We will update the "Last Updated" date at the top of this page
For material changes (changes that affect your rights, the categories of data collected, or how we use or share your data), we will provide at least 30 days' prior notice via:
- Email to the address associated with your account
- A prominent notice within the Service interface
The notice will describe the nature of the changes and their effective date

14.3 Your Choices

If you disagree with any changes to this Privacy Policy, you may:

Stop using the Service
Delete your account before the changes take effect
Contact us at privacy@vcecloud.com to discuss your concerns

14.4 Archive of Previous Versions

We maintain an archive of previous versions of this Privacy Policy. You may request any prior version by contacting us at privacy@vcecloud.com.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Data Controller: Konstantin White

Email: privacy@vcecloud.com

Mailing Address: (To be provided upon entity formation)

For specific matters:

Topic	Contact
Privacy rights and data requests	privacy@vcecloud.com
General support	support@vcecloud.com
Legal matters	legal@vcecloud.com
Copyright / DMCA	dmca@vcecloud.com

EU Supervisory Authority:

Federal Commissioner for Data Protection and Freedom of Information (BfDI): www.bfdi.bund.de
The data protection authority of the German federal state where the server is located

Russian Federation:

If you are a citizen of the Russian Federation, you may also contact:

Roskomnadzor (Federal Service for Supervision of Communications, Information Technology, and Mass Communications): rkn.gov.ru

Summary of Data Processing Activities

For transparency, the following table provides a summary of our data processing activities as required by GDPR Article 30:

Category	Data	Purpose	Legal Basis	Retention	Recipients
Account	Email, name, password hash	Service provision	Contract (Art. 6(1)(b))	Until deletion + 30 days	Contabo (hosting)
Account	Avatar, timezone, locale	Personalization	Contract (Art. 6(1)(b))	Until deletion + 30 days	Contabo (hosting)
Session	IP, User-Agent, device info	Security	Legitimate interest (Art. 6(1)(f))	30 days inactivity	Contabo (hosting)
Activity	Actions, IP, timestamps	Audit trail, security	Legitimate interest (Art. 6(1)(f))	90 days	Contabo (hosting)
Usage	Aggregated daily statistics	Service improvement	Legitimate interest (Art. 6(1)(f))	1 year	Contabo (hosting)
Content	Media files, metadata	Service provision	Contract (Art. 6(1)(b))	Until deletion by user	Contabo, Cloudflare R2
Derived	Thumbnails, waveforms, exports	Service provision	Contract (Art. 6(1)(b))	Until source deletion	Contabo, Cloudflare R2

This Privacy Policy was last reviewed on February 6, 2026.

This document must be reviewed and approved by a qualified data protection attorney licensed in the European Union (particularly Germany), the United States (particularly California), and the Russian Federation.
A physical mailing address must be added to Sections 1 and 15 before publication.
Data Processing Agreements (DPAs) must be executed with Contabo GmbH and Cloudflare, Inc. before launch.
The Russian data localization question (Section 7.3) requires legal counsel to determine whether the service can legally operate in Russia without local data storage infrastructure.
If the service will be offered to Russian users, Roskomnadzor registration as a personal data operator under 152-FZ Article 22 may be required.
A Data Protection Impact Assessment (DPIA) should be considered under GDPR Article 35, particularly for the AI subtitle generation feature.
This analysis identifies potential compliance risks based on code review. It is not legal advice. Consult a licensed attorney in each jurisdiction before launch.