Privacy Policy
Effective Date: October 25, 2025
Last updated: March 11, 2026
1. Introduction
Welcome to Eight Tech ("8frame", "we", "our", "us"). This Privacy Policy describes how we collect, use, disclose, and protect personal data when you visit 8frame.coand use our web application to generate images and videos (the "Service"). By using the Service, you agree to this Policy. If any term conflicts with mandatory local law, that law controls for residents of that jurisdiction.
2. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | E‑mail address, password hash, social‑login ID (Google), magic‑link token | You / Auth provider |
| Payment & Billing Data | Stripe customer ID, payment method token, card brand/last 4/expiry, billing name & address, VAT ID (if provided), invoice history | Stripe (independent controller) |
| User Content | Text prompts, uploaded images/videos, node graphs, generated outputs, workflow metadata | You |
| Usage & Device Data | IP address, device/browser type, pages/actions, crash logs, approximate location (from IP) | Your device automatically |
| Communication Data | Support requests, feedback, newsletter preferences | You |
| Cookie & Analytics Data | GA4, GTM, Beam pseudonymised event IDs, Microsoft Clarity session recordings and heatmaps, PostHog product analytics events and user properties, Meta Pixel conversion events, Sentry error reports and performance traces, internal session tracking (UTM parameters, referrer, page views), consent status, session cookies | Your device |
3. How & Why We Use Personal Data
| Purpose | Data Used | Legal Basis* |
|---|---|---|
| Provide, secure & maintain the Service (incl. node‑based workflows) | Account, Content, Usage | Contract (GDPR Art 6(1)(b)); Legitimate Interests |
| Process payments (Subscriptions & Credit Packs), issue invoices, calculate taxes, detect fraud (SCA/3‑D Secure) | Payment & Billing, Account, Usage | Contract / Legitimate Interests; Legal obligation (tax) |
| Abuse prevention & moderation (banned‑word/image checks) | Content, Usage | Legitimate Interests |
| Improve features & fix bugs | Usage, (pseudonymised) Content | Legitimate Interests |
| Analytics & product research | Cookie & Analytics Data | Consent (EU/EEA/UK/CH); Legitimate Interests (US) |
| Transactional e‑mails (password reset, billing, workflow status) | Account, Payment | Contract |
| Marketing newsletters | Account | Consent (opt‑in, unsubscribe anytime) |
| Legal compliance & disputes | Any necessary data | Legal obligation / Legitimate Interests |
* EU/UK/CH legal bases shown; US state privacy laws rely largely on contractual necessity and legitimate interests.
4. AI Input/Output & Human Review
Ownership & Licences
- You keep all rights in prompts and uploads.
- Generated outputs: Rights may be limited by the licence terms of the underlying model. 8frame cannot grant broader rights than those licences permit.
- You grant 8frame a non‑exclusive licence to store, transmit, transform and display your content solely to operate the Service.
Transfers to Model Providers
- Prompts and media may pass through EU‑hosted proxy functions that remove direct identifiers before transmission to third‑party AI model hosts, some outside the EEA.
- Where required, recognised cross‑border safeguards (e.g., SCCs) apply.
Provider Training / Benchmarking
Upstream providers may use de‑identified data to improve their models per their own policies. Re‑identification is prohibited.
Human Review
Automated filters handle most moderation; limited human review occurs to investigate abuse or debug failures. Reviewers operate under NDA and access‑controls.
5. Sharing & Disclosure
We do not sell personal data. We share it only with:
- Service Providers – Railway (DB in NL), Vercel (edge hosting), Cloudflare R2 (EEUR), Resend (e‑mail), Google Analytics, Beam Analytics, Microsoft Clarity (behavioral analytics), PostHog (product analytics), Sentry (error monitoring), Meta / Facebook (conversion tracking), Stripe (payments & tax), and AI model hosts accessed via our EU proxy.
- Authorities & legal processes – when legally required or to protect rights.
- Corporate events – merger, acquisition, or asset sale (with notice).
- Aggregated/anonymous data – information that cannot identify you.
Stripe acts as an independent controller for payment data. See Stripe’s own privacy notices for details about how they process your data.
6. International Transfers
Primary storage is in the European Economic Area (Netherlands); media assets are stored in Cloudflare R2 (EEUR region). De‑identified AI‑generation data and limited analytics/support data may be processed outside your country under recognised safeguards (e.g., SCCs plus encryption and access controls).
7. Cookies & Similar Technologies
| Cookie type | Purpose | Consent Status |
|---|---|---|
| Essential | Session authentication, fraud prevention, Customer Portal redirects | Always on |
| Analytics (GA4, Beam, Microsoft Clarity, PostHog) | Usage metrics, UX optimisation, session replay, heatmaps | Opt‑in banner for EU/EEA, UK, CH; opt‑out link for US |
| Marketing (Meta Pixel) | Conversion tracking, advertising attribution | Opt‑in banner for EU/EEA, UK, CH; opt‑out link for US |
You can withdraw consent anytime via “Cookie Settings” in the footer.
7a. Microsoft Clarity & Behavioral Analytics
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third‑party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimisation, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
7b. Meta (Facebook) Pixel
We use the Meta Pixel (formerly Facebook Pixel) to measure the effectiveness of our advertising campaigns and to understand actions people take on our website. The Meta Pixel collects data about your interactions with our site, including page views and conversion events (such as sign‑ups and purchases), which may be used by Meta to deliver targeted advertisements on Facebook, Instagram, and the Meta Audience Network. This data is processed by Meta as an independent controller. For more information, see the Meta Privacy Policy. You can opt out of interest‑based advertising through your Meta ad preferences or via "Cookie Settings" in our footer.
7c. PostHog Product Analytics
We use PostHog to understand how users interact with 8frame, measure feature adoption, and improve the product. PostHog collects event data (such as page views, button clicks, and feature usage), device and browser information, and user properties linked to your account (such as subscription plan and credit balance). Analytics data is collected both client‑side (in your browser) and server‑side (from our backend). Data is processed and stored by PostHog, Inc. in the United States. For more information, see the PostHog Privacy Policy.
7d. Sentry Error & Performance Monitoring
We use Sentry to detect, diagnose, and fix errors and performance issues in real time. When an error occurs, Sentry may collect error details (stack traces, error messages, breadcrumbs), device and browser information, IP address (anonymised after processing), and performance data (page load times, API response times). This data is used solely for debugging and improving service reliability. Data is processed and stored by Functional Software, Inc. (Sentry) in the United States. For more information, see the Sentry Privacy Policy.
8. Data Retention
| Data set | Retention rule |
|---|---|
| Active accounts | While account is active |
| Inactive accounts | Delete/anonymise after 3 years of inactivity |
| Generated media & prompts | Until user deletes or account closes + 30 days |
| Server logs | 6 months, then aggregated |
| Back‑ups | Encrypted, retained 30 days |
| Payment & invoice records | As required by tax & accounting law (typically 7 years) |
9. Security
We use TLS 1.2+, AES‑256 at rest, role‑based access, regular testing, and continuous monitoring. No system is perfectly secure—contact us immediately if you suspect a breach.
10. Your Privacy Rights
| Region | Key rights & how to exercise |
|---|---|
| EU/EEA & UK (GDPR) | Access, rectify, erase, restrict, port, object. |
| Switzerland (revFADP) | Similar to GDPR rights. |
| United States (CA/CPRA etc.) | Know, delete, correct, opt‑out of “sale/share” & profiling. |
| Worldwide | Withdraw consent where applicable. |
To exercise any right, e‑mail hey@8frame.co. We will respond within the period mandated by your jurisdiction.
11. Children's Privacy
The Service is not directed to anyone under 16. If we learn that a child under 16 has provided personal data, we will delete it promptly.
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced by a prominent notice on 8frame.co at least 14 days before they take effect. Your continued use after the effective date constitutes acceptance.
13. Contact & Identity
Eight Tech (Delaware, USA)
E‑mail: hey@8frame.co