Privacy Policy
Effective Date: October 25, 2025
Last updated: October 25, 2025
1. Introduction
Welcome to 8frame Inc. ("8frame", "we", "our", "us"). This Privacy Policy describes how we collect, use, disclose, and protect personal data when you visit 8frame.co and use our web application to generate images and videos (the "Service"). By using the Service, you agree to this Policy. If any term conflicts with mandatory local law, that law controls for residents of that jurisdiction.
2. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | E‑mail address, password hash, social‑login ID (Google), magic‑link token | You / Auth provider |
| Payment & Billing Data | Stripe customer ID, payment method token, card brand/last 4/expiry, billing name & address, VAT ID (if provided), invoice history | Stripe (independent controller) |
| User Content | Text prompts, uploaded images/videos, node graphs, generated outputs, workflow metadata | You |
| Usage & Device Data | IP address, device/browser type, pages/actions, crash logs, approximate location (from IP) | Your device automatically |
| Communication Data | Support requests, feedback, newsletter preferences | You |
| Cookie & Analytics Data | GA4 and Beam pseudonymised event IDs, consent status, session cookies | Your device |
3. How & Why We Use Personal Data
| Purpose | Data Used | Legal Basis* |
|---|---|---|
| Provide, secure & maintain the Service (incl. node‑based workflows) | Account, Content, Usage | Contract (GDPR Art 6(1)(b)); Legitimate Interests |
| Process payments (Subscriptions & Credit Packs), issue invoices, calculate taxes, detect fraud (SCA/3‑D Secure) | Payment & Billing, Account, Usage | Contract / Legitimate Interests; Legal obligation (tax) |
| Abuse prevention & moderation (banned‑word/image checks) | Content, Usage | Legitimate Interests |
| Improve features & fix bugs | Usage, (pseudonymised) Content | Legitimate Interests |
| Analytics & product research | Cookie & Analytics Data | Consent (EU/EEA/UK/CH); Legitimate Interests (US) |
| Transactional e‑mails (password reset, billing, workflow status) | Account, Payment | Contract |
| Marketing newsletters | Account | Consent (opt‑in, unsubscribe anytime) |
| Legal compliance & disputes | Any necessary data | Legal obligation / Legitimate Interests |
* EU/UK/CH legal bases shown; US state privacy laws rely largely on contractual necessity and legitimate interests.
4. AI Input/Output & Human Review
Ownership & Licences
- You keep all rights in prompts and uploads.
- Generated outputs: Rights may be limited by the licence terms of the underlying model. 8frame cannot grant broader rights than those licences permit.
- You grant 8frame a non‑exclusive licence to store, transmit, transform and display your content solely to operate the Service.
Transfers to Model Providers
- Prompts and media may pass through EU‑hosted proxy functions that remove direct identifiers before transmission to third‑party AI model hosts, some outside the EEA.
- Where required, recognised cross‑border safeguards (e.g., SCCs) apply.
Provider Training / Benchmarking
Upstream providers may use de‑identified data to improve their models per their own policies. Re‑identification is prohibited.
Human Review
Automated filters handle most moderation; limited human review occurs to investigate abuse or debug failures. Reviewers operate under NDA and access controls.
5. Sharing & Disclosure
We do not sell personal data. We share it only with:
- Service Providers – Railway (DB in NL), Vercel (edge hosting), Cloudflare R2 (EEUR), Resend (e‑mail), Google Analytics, Beam Analytics, Stripe (payments & tax), and AI model hosts accessed via our EU proxy.
- Authorities & legal processes – when legally required or to protect rights.
- Corporate events – merger, acquisition, or asset sale (with notice).
- Aggregated/anonymous data – information that cannot identify you.
Stripe acts as an independent controller for payment data. See Stripe’s own privacy notices for details about how they process your data.
6. International Transfers
Primary storage is in the European Economic Area (Netherlands); media assets are stored in Cloudflare R2 (EEUR region). De‑identified AI‑generation data and limited analytics/support data may be processed outside your country under recognised safeguards (e.g., SCCs plus encryption and access controls).
7. Cookies & Similar Technologies
| Cookie type | Purpose | Consent Status |
|---|---|---|
| Essential | Session authentication, fraud prevention, Customer Portal redirects | Always on |
| Analytics (GA4, Beam) | Usage metrics, UX optimisation | Opt‑in banner for EU/EEA, UK, CH; opt‑out link for US |
You can withdraw consent anytime via “Cookie Settings” in the footer.
8. Data Retention
| Data set | Retention rule |
|---|---|
| Active accounts | While account is active |
| Inactive accounts | Delete/anonymise after 3 years of inactivity |
| Generated media & prompts | Until user deletes or account closes + 30 days |
| Server logs | 6 months, then aggregated |
| Back‑ups | Encrypted, retained 30 days |
| Payment & invoice records | As required by tax & accounting law (typically 7 years) |
9. Security
We use TLS 1.2+, AES‑256 at rest, role‑based access, regular testing, and continuous monitoring. No system is perfectly secure—contact us immediately if you suspect a breach.
10. Your Privacy Rights
| Region | Key rights & how to exercise |
|---|---|
| EU/EEA & UK (GDPR) | Access, rectify, erase, restrict, port, object. |
| Switzerland (revFADP) | Similar to GDPR rights. |
| United States (CA/CPRA etc.) | Know, delete, correct, opt‑out of “sale/share” & profiling. |
| Worldwide | Withdraw consent where applicable. |
To exercise any right, e‑mail hey@8frame.co. We will respond within the period mandated by your jurisdiction.
11. Children's Privacy
The Service is not directed to anyone under 16. If we learn that a child under 16 has provided personal data, we will delete it promptly.
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced by a prominent notice on 8frame.co at least 14 days before they take effect. Your continued use after the effective date constitutes acceptance.
13. Contact & Identity
8frame Inc. (Delaware, USA)
E‑mail: hey@8frame.co