Privacy Policy
Last updated: May 24, 2026 · Effective: May 24, 2026
This Privacy Policy explains how tryugcai ("we", "us", "our") collects, uses, retains, and discloses personal information when you visit tryugcai.com or use our AI video generation service (the "Service"). By using the Service, you agree to this Policy. If you do not agree, do not use the Service.
1. Who we are (Data Controller)
tryugcai operates the Service. For the purposes of the EU/UK GDPR, the data controller is tryugcai. To exercise your rights or ask a privacy question, contact [email protected].
2. Information we collect
We collect only the information needed to operate the Service:
- Account information: email address, hashed password (bcrypt — we never store your plain password), workspace name, and the IP address you signed up from.
- Identity provider data: if you sign in with Google, we receive your email, your name as it appears in your Google account, and a stable Google account identifier. We never receive your Google password.
- Content you submit: video briefs, optional pre-written scripts, product images and other assets you upload.
- Generated content: AI-generated scripts, voice-overs, avatar videos, captions, and final rendered MP4 files we produce on your behalf.
- Billing information: subscription tier, Stripe customer ID, invoice metadata. Card and bank details are processed and stored by Stripe, never by us.
- Service usage data: video render counts, error events, feature usage events, IP address and user-agent at each sign-in (used for "new device" security notifications).
- Cookies and similar technologies: see Section 9.
3. How we use your information
We use your information to:
- Provide the Service: authenticate you, generate videos in response to your briefs, deliver rendered files, charge for your subscription.
- Maintain and secure the Service: detect abuse, enforce rate limits, prevent account takeover, send "new device" sign-in alerts, recover from incidents.
- Improve the Service: analyze aggregated usage (which features get used, where users drop off) to prioritize product work. We do not use your video content to train AI models.
- Communicate with you: transactional emails (email verification, password reset, billing receipts, security alerts, service-status notifications). We will not send marketing email without your separate opt-in.
- Comply with the law: respond to lawful requests, maintain tax-required records, defend our rights in disputes.
4. Legal bases (GDPR / UK GDPR)
If you are in the EU/EEA or UK, we rely on the following bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent fraud and abuse, debug, and improve.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and lawful-disclosure obligations.
- Consent (Art. 6(1)(a)) — where required, e.g. marketing email if/when you opt in.
5. Sharing your information
We do not sell your personal information. We do not share your information for cross-context behavioral advertising. We share information only with:
- Service providers (sub-processors): vendors that help us run the Service — hosting, payment processing, AI model providers, email delivery, error monitoring. Each is bound by a data-processing agreement. The complete current list is at /legal/subprocessors.
- Legal authorities: where required by valid legal process, or to protect rights, property, or safety.
- Successor entity: in connection with a merger, acquisition, or asset sale — you will be notified and given a chance to delete your account before any transfer.
6. International data transfers
Your information is processed primarily in the United States and in regions selected by our cloud and AI sub-processors (see the sub-processor list for specifics). For transfers from the EEA, UK, or Switzerland we rely on the European Commission's Standard Contractual Clauses (2021/914/EU), the UK International Data Transfer Addendum, or the EU-US Data Privacy Framework where the recipient is certified. A copy of the relevant transfer mechanism is available on request to [email protected].
7. Retention
- Account and content: kept while your account is active. After you delete your account, content is removed within 30 days (see Section 8). Billing records (invoices, payment metadata) are retained for up to 7 years to meet tax and accounting obligations.
- Operational logs: 30 days rolling.
- Aggregated analytics: indefinite, but never tied back to an individual once aggregated.
- Backups: encrypted, 30-day rolling retention.
8. Your rights
Depending on your jurisdiction (EU/UK GDPR, California CCPA/CPRA, and similar) you have the following rights. We honor these requests free of charge unless they are manifestly unfounded or excessive:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate information.
- Erasure ("right to be forgotten") — delete your account from Settings or by emailing us. We schedule the deletion and complete it within 30 days; tax-required records are retained per Section 7. You will receive an email confirmation when the purge runs.
- Restriction and objection — ask us to limit processing, or object to processing based on legitimate interests.
- Portability — request your data in a structured, commonly-used, machine-readable format.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint — with your local supervisory authority (in the EU/UK) or your state attorney general (US).
To exercise any right, email [email protected] from the address associated with your account. We verify identity before responding.
California residents (CCPA/CPRA)
We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. The categories of personal information we collect are described in Section 2; the purposes in Section 3; the disclosures in Section 5. You have the right to know, delete, correct, and non-discrimination. We do not use sensitive personal information for purposes other than as permitted by law.
9. Cookies
We use a small number of first-party cookies, all strictly necessary or functional:
- Session cookies — keep you signed in. Required to use the Service.
- CSRF cookies — protect against cross-site request forgery. Required for any state-changing action.
- Analytics cookies (anonymous) — measure aggregate feature usage to improve the product. No third-party advertising cookies are set.
10. Security
We encrypt your data in transit (TLS 1.2+) and at rest (AES-256 on managed Postgres + S3). Passwords are stored as bcrypt hashes. We enforce rate limits and per-account lockout to deter credential stuffing. Administrative access requires SSO with multi-factor authentication. Vulnerability scans run on every dependency change; incident-response procedures are documented internally. Despite our best efforts, no Internet transmission is 100% secure — please choose a strong, unique password and notify us immediately if you suspect unauthorized account activity.
11. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact [email protected] and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email and posted here at least 30 days before they take effect. Continued use after the effective date constitutes acceptance of the updated Policy.
13. Contact
Data Protection Officer / Privacy Contact: [email protected]
General support: [email protected]