Privacy Policy

1. Introduction

This Privacy Policy describes how CreatorShorts ("we," "us," "our") collects, uses, and protects your personal data when you use our video script generator (the "Service").

We are committed to respecting your privacy and protecting your data in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.

2. Personal data collected

In accordance with Article 13 of the GDPR, we transparently inform you of all the personal data we collect when you use CreatorShorts.

2.1 Identity and account data

When you create an account on CreatorShorts, we collect:

• Email address: Unique identifier for your account, used for login, transactional emails (registration confirmation, password reset), and marketing emails if you have given your consent.Legal basis: Performance of a contract (Art. 6.1.b GDPR)
• Password: Stored in hashed (encrypted) form by Supabase Auth. We can never see your password in plain text.Legal basis: Performance of a contract (Art. 6.1.b GDPR)
• Unique identifier (UUID): Generated automatically when you create your account, used to link your scripts and quotas to your profile.Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Technical management of the service
• Subscription plan (Tier): Your access level (FREE, RANK1, RANK2) determines your quotas and available features.Legal basis: Performance of a contract (Art. 6.1.b GDPR)
• Account creation date: Timestamp of your registration, used to calculate seniority and apply data retention policies.Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Account management
• Last modification date: Timestamp of the last update to your profile (password change, plan update, etc.).Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Traceability

2.2 Marketing consent (emails and newsletters)

To manage your consent to marketing communications (see Section 6.3 for details), we record:

• Consent status: Boolean (Yes/No) indicating whether you agree to receive marketing emails.Legal basis: Consent (Art. 6.1.a GDPR) - Proof of consent
• Date of consent: Exact timestamp of when you checked the box during registration or in your settings.Legal basis: Consent (Art. 6.1.a GDPR) - Traceability of consent (Art. 7.1 GDPR)
• Unsubscription date: If you unsubscribe, we record the date and time to respect your choice and prove that it has been taken into account.Legal basis: Consent (Art. 6.1.a GDPR) - Withdrawal of consent (Art. 7.3 GDPR)

2.3 Generated scripts and created content

Each script you generate via artificial intelligence is recorded in your personal history (accessible in your dashboard). The following data is collected:

• Your prompt (subject): The text you enter in the generation form (e.g., "Make a video about productivity tips").Legal basis: Performance of a contract (Art. 6.1.b GDPR) - Necessary to generate the script
• Target platform: Your choice of platform (TikTok, Instagram Reels, YouTube Shorts). Allows the script to be optimized for the chosen platform.Legal basis: Performance of a contract (Art. 6.1.b GDPR)
• Script format (Variation): The type of script selected (Standard, Listicle, Tutorial, Storytelling, Product Review, Before/After).Legal basis: Performance of a contract (Art. 6.1.b GDPR)
• AI-generated script: The complete generated content, which may include: Hook, Scenes, CTA (Call-to-Action), Hashtags, and variation-specific content.Legal basis: Performance of a contract (Art. 6.1.b GDPR) - Provision of the service
• Date and time of generation: Precise timestamp of script creation.Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Organization of your history
• Feedback (optional): If you click on the "👍 Good script" or "👎 Needs improvement" buttons, your opinion is recorded to improve the AI.Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Service improvement

2.4 Usage quotas and statistics

To apply the quotas for your plan (2 scripts/day for FREE, 100/month for RANK1, 400/month for RANK2), we record:

• Date of use: Day on which you generated scripts (YYYY-MM-DD format).Legal basis: Performance of the contract (Art. 6.1.b GDPR) - Application of quotas
• Number of scripts generated: Counter for the number of new scripts created on that day.Legal basis: Performance of the contract (Art. 6.1.b GDPR)
• Number of regenerations: Counter of the number of times you clicked on "Regenerate" (Premium feature only).Legal basis: Performance of a contract (Art. 6.1.b GDPR)

2.5 Technical and security data

To protect the service from abuse, detect bugs, and ensure security, we collect:

A. Device identifiers

• Device ID: UUID generated locally in your browser, used to manage quotas for anonymous (unlogged-in) users.Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Protection against abuse

B. IP address and User-Agent

• IP address: Collected temporarily (in memory only) for rate limiting (15 requests/minute). Never stored in a database, automatically deleted after 5-10 minutes.Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Anti-abuse protection and security
• User-Agent (Browser type): Information about your browser (Chrome, Firefox, Safari) and operating system.Legal basis: Legitimate interest (Art. 6.1.f GDPR) - Technical improvement

3. Recipients of data (Subcontractors)

We do not sell, rent, or trade your personal data. We only share it with the following subcontractors to ensure the operation of the Service:

4. Use of Cookies

We use a strict minimum number of cookies. We do not use any advertising or tracking cookies (no Google Analytics, no Facebook Pixel).

4.1 Strictly necessary cookies (Exempt from consent)

These cookies are essential for the operation of the site. According to the CNIL guidelines, they do not require your prior consent.

• sb-access-token, sb-refresh-token (Supabase): Allows you to remain logged in. (Duration: 1 week to 1 month)
• cs-device-id: Ensures the application of quotas for anonymous users. (Duration: 1 year)
• NEXT_LOCALE: Remembers your language preference (EN/FR). (Duration: 1 year)

5. International Transfers

Some of our sub-processors (Supabase, OpenAI, Anthropic, Vercel, Google) are located in the United States.

5.1 Data Privacy Framework (DPF) & SCCs

Transfers are secured by the following mechanisms:

• Data Privacy Framework (EU-US DPF): The European Commission has recognized the US as providing an adequate level of protection for certified companies (decision of July 10, 2023). Our main partners (Google, OpenAI, Anthropic, Vercel) are certified or in the process of certification.
• Standard Contractual Clauses (SCCs): In the absence of DPF, we sign the European Commission's standard contractual clauses with our service providers to ensure GDPR compliance.

6. Emails and Communications

6.1 Transactional emails (Service)

You will receive emails strictly necessary for the service (signup, password reset, important account notifications). You cannot unsubscribe from these lists unless you delete your account.

6.2 Anti-spam protection

We use Google reCAPTCHA v3 on our forms to prevent automated spam. Use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.

6.3 Marketing emails & Newsletters

If you choose to receive our updates (new features, tips), you can:

• Change your mind at any time via your account settings.
• Click on the "Unsubscribe" link present at the bottom of each marketing email.

7. Your Rights (GDPR)

In accordance with GDPR, you have the following rights over your data. To exercise them, contact us at: support@creatorshorts.fr.

7.1 Right of access (Art. 15 GDPR)

You have the right to ask us if we hold data about you and to obtain a copy of it in a comprehensible format.

7.2 Right of rectification (Art. 16 GDPR)

You can ask us to correct inaccurate data (e.g. change of email) or complete incomplete data.

7.3 Right to erasure ("Right to be forgotten" - Art. 17 GDPR)

You can request the deletion of your account and all associated data at any time.
Immediate effect: Deletion is irreversible and leads to the loss of all your generated scripts and unused credits.

7.8 Right to lodge a complaint with the CNIL (Art. 77 GDPR)

If you believe that we are not respecting your rights or the GDPR, you can lodge a complaint with the French supervisory authority:

8. Data retention period

In accordance with the storage limitation principle (Art. 5.1.e GDPR), we only keep your data for as long as is strictly necessary for the purposes for which it was collected.

8.1 Account data

8.2 Generated scripts

All scripts are kept until manual deletion or account deletion.

8.3 Technical logs

• IP Address (rate limiting): 5-10 minutes (memory only)
• Auth logs: 90 days
• Technical logs: 30 days

9. Security

We implement appropriate technical and organizational security measures to protect your data against unauthorized access, loss, or alteration. Passwords are hashed and secured by Supabase.

Anti-abuse measures: Rate limiting per IP, daily limits per device, progressive cooldowns. No permanent bans (only temporary blocks).

9bis. Protection of minors

In accordance with Article 8 of the GDPR, we take the protection of minors' personal data very seriously.

Minors benefit from enhanced rights, including priority erasure of their data (processed within 7 days instead of 1 month).

10. Data Breaches

In accordance with Articles 33 and 34 of the GDPR, in the event of a data breach presenting a risk to your rights, we undertake to:

• Notify the CNIL within 72 hours.
• Inform you directly if the risk is high.
• Document the incident.

11. Changes to Privacy Policy

We notify you of any substantial changes by email at least 30 days before they come into effect.

12. Applicable Law

This Privacy Policy is governed by French law. Any dispute shall be subject to the exclusive jurisdiction of the French courts.