Privacy Policy

1. Introduction

This Privacy Policy explains how Cinematic Autobiography (“we”, “us”, “our”, or the “Company”) collects, uses, shares, and protects your personal information when you use our website, mobile applications, and related services (collectively, the “Service”).

We are committed to protecting your privacy and handling your data transparently. This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

If you have any questions about this Privacy Policy or our data practices, please contact our privacy team at the email address above.

3. Data We Collect

We collect different categories of personal data depending on how you interact with the Service:

3.1 Account Information

• Full name
• Email address
• Date of birth (to verify age eligibility)
• Profile photograph (optional)
• Authentication credentials (managed via Supabase Auth; we do not store passwords in plaintext)

3.2 Interview Recordings

• Audio recordings of interview sessions
• Video recordings of interview sessions
• Transcriptions generated from recordings
• AI-extracted story narratives and summaries

3.3 Family Tree Data

• Names, dates, and relationships of family members you add
• Family photographs you upload
• Biographical notes and annotations

3.4 Photographs and Media

• Photos you upload for inclusion in your documentary
• Enhanced and processed versions of your photos
• Final documentary video files

3.5 Payment Information

• Billing name and address
• Payment method details (processed entirely by Stripe; we never receive, store, or have access to full card numbers, CVVs, or complete payment credentials)
• Transaction history, amounts, and subscription status

3.6 Usage and Analytics Data

• Pages visited and features used
• Device type, operating system, and browser
• IP address (anonymized for analytics)
• Session duration and interaction patterns
• Error and crash reports (via Sentry)

3.7 Cookies and Tracking Technologies

We use cookies and similar technologies as described in Section 12 and our Cookie Policy.

4. Lawful Basis for Processing (GDPR Article 6)

Under the GDPR, we must have a lawful basis for each type of processing. The table below sets out the lawful basis we rely on for each purpose:

Where we rely on consent, you may withdraw your consent at any time by contacting us at privacy@cinematicautobiography.com or through the relevant settings in the Service. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

5. How We Use Your Data

We use the personal data we collect to:

• Create and manage your account
• Process your interview recordings through our AI video pipeline (transcription, audio enhancement, story extraction, photo animation, video assembly)
• Deliver your completed documentary films via streaming
• Process payments and manage subscriptions
• Store and organize your family tree data
• Send you service-related communications (e.g., processing status updates, account notifications)
• Send marketing communications where you have opted in
• Analyze usage patterns to improve our Service (only with consent-based analytics)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations, including tax reporting
• Respond to your support requests and inquiries

6. Third-Party Data Processors

We share your personal data with the following third-party service providers who process data on our behalf. Each processor is bound by a Data Processing Agreement (DPA) and processes data only for the purposes described below:

We do not sell your personal information to any third party. We only share data with processors as necessary to provide the Service and as described in this policy.

7. Data Retention

We retain your data only for as long as necessary for the purposes for which it was collected, or as required by law. The specific retention periods are:

When data is no longer needed, it is securely deleted or anonymized. Account deletion initiates a 30-day grace period during which you may recover your account. After this period, personal data is permanently deleted except where retention is required by law (e.g., payment records for tax compliance).

8. International Data Transfers

Your personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA) and the United Kingdom. Many of our third-party processors are based in or operate infrastructure in the United States.

Where we transfer personal data outside the EEA/UK, we ensure appropriate safeguards are in place, including:

• EU-US Data Privacy Framework (DPF):Where the recipient is certified under the DPF, as recognized by the European Commission’s adequacy decision.
• Standard Contractual Clauses (SCCs): We enter into EU-approved SCCs with processors not covered by an adequacy decision or the DPF.
• Supplementary measures: Where necessary, we implement additional technical and organizational measures such as encryption in transit and at rest.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@cinematicautobiography.com.

9. Your Rights Under the GDPR

If you are located in the EEA or the UK, you have the following rights under the GDPR:

• Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
• Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and to have incomplete data completed.
• Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected or when you withdraw consent.
• Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
• Right to Object (Article 21): You have the right to object to processing based on legitimate interests or direct marketing at any time.
• Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Our AI processing of recordings is always initiated by your explicit request and does not produce legal effects.

To exercise any of these rights, please contact us at privacy@cinematicautobiography.com. We will respond within 30 days. If we need additional time, we will inform you within the initial 30-day period and explain the reason for the delay.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data infringes the GDPR. A list of EEA supervisory authorities is available at edpb.europa.eu.

10. Your Rights Under the CCPA/CPRA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our purposes for collecting the data, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions (e.g., data needed to complete a transaction, comply with legal obligations, or detect security incidents).
• Right to Correct: You may request that we correct inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but we honor such requests regardless.
• Right to Limit Use of Sensitive Personal Information: Where we process sensitive personal information (such as biometric data derived from recordings), we limit its use to what is necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights. You will not receive different pricing, quality, or service levels based on your exercise of these rights.

To exercise your CCPA/CPRA rights, email us at privacy@cinematicautobiography.com with the subject line “CCPA Request”. We will verify your identity before processing the request and respond within 45 days.

11. Biometric and Recording Data

Our Service processes audio and video recordings of interviews that you initiate. This processing involves:

• Recording: Audio and video are captured on your device and uploaded via encrypted chunked transfer (TUS protocol) to our secure storage.
• Transcription: Recordings are processed by AssemblyAI to generate text transcripts. Recordings are not retained by AssemblyAI after processing.
• Audio Enhancement: ElevenLabs processes audio to improve clarity and quality. Data is processed in accordance with their DPA and not used for model training.
• Story Extraction: AI models analyze transcripts to identify key narratives and emotional themes for documentary creation.
• Storage: All recordings and processed media are stored in encrypted Cloudflare R2 buckets with access restricted to your account.
• Access: Only you and authorized family members within your family group can access your recordings and documentary content.

Face detection and recognition may be used for photo matching and documentary creation as part of the Service. This processing constitutes biometric data under applicable law and is classified as special category data under GDPR Article 9. We rely on your explicit consent as the legal basis for any such processing — biometric analysis is never performed unless you actively opt in. You may withdraw your consent at any time through your account settings, which immediately halts all biometric processing and triggers deletion of any stored biometric data. Your recordings and photos are processed solely for the purpose of creating your documentary and are not used to identify individuals in other contexts.

You may request deletion of all recordings at any time through your account settings or by contacting us.

12. Cookies and Tracking Technologies

We use cookies and similar technologies in three categories:

• Essential Cookies: Required for core functionality such as authentication, session management, and security. These cannot be disabled as the Service cannot function without them. Lawful basis: legitimate interest.
• Analytics Cookies: Used to understand how you interact with the Service so we can improve it. Powered by PostHog. These are only set with your explicit consent. Lawful basis: consent.
• Preference Cookies: Remember your settings such as language, accessibility preferences (e.g., reduced motion), and display options. These are only set with your consent. Lawful basis: consent.

We do not use advertising or marketing cookies. For detailed information about the specific cookies we use, please see our Cookie Policy.

You can manage your cookie preferences at any time through the cookie consent banner or your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

13. Children’s Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data as soon as possible.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us at privacy@cinematicautobiography.com.

14. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Row-level security (RLS) in our database ensuring users can only access their own data
• Multi-factor authentication for administrative access
• Regular security audits and penetration testing
• Automated vulnerability scanning in our CI/CD pipeline
• Rate limiting and API key authentication on all endpoints
• Audit logging of all data access and modifications
• Principle of least privilege for all system access

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. In the event of a data breach, we will notify affected users and relevant supervisory authorities as required by applicable law, within 72 hours of becoming aware of the breach where feasible.

15. Other Circumstances in Which We May Share Data

In addition to sharing with our processors, we may disclose your personal data:

• Legal requirements: When required by law, court order, or governmental regulation.
• Safety and security: When we believe disclosure is necessary to protect the safety, rights, or property of our users, the public, or Cinematic Autobiography.
• Business transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, with appropriate notice and protections.
• With your consent: In any other circumstances where you have given explicit consent.

16. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

17. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. Because there is no common industry standard for DNT, we do not currently respond to DNT signals. However, we respect your privacy preferences and provide opt-out mechanisms for analytics tracking through our cookie consent controls and the Global Privacy Control (GPC) signal, which we do honor.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the “Version” identifier and “Last updated” date at the top of this page
• Notify you via email or a prominent notice within the Service at least 30 days before the changes take effect
• Where required by law, obtain your consent to material changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Policy version: v2026.02.22 — Effective: February 22, 2026