Privacy Policy

Last updated: May 18, 2026

1. About this policy

This Privacy Policy explains how LeadShark OÜ (the "data controller", "we", "us", "our") collects, uses, and shares personal data when you use VidShark, available at vidshark.ai. We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Estonian Personal Data Protection Act.

2. Data controller

LeadShark OÜ

Registry code: 16981081

Sepapaja tn 6, 15551 Tallinn, Estonia

info@leadshark.io

3. What data we collect

We collect personal data only to operate the Service. The categories are:

Account data

•Email address (required for sign-in).
•Display name and profile picture (when you sign in via an OAuth provider such as Google).
•Supabase user ID (internal identifier).

Generated content

•The prompts, ideas, and style hints you submit.
•The cinematic prompt expansions produced by our Gemini-based expander.
•The video scenes, stitched final MP4, and narration MP3 we render for you, plus the metadata about each render (length, status, errors).
•Webhook subscription URLs and the signing secrets you create.

Billing data

•Your Stripe customer ID and subscription ID.
•Billing cycle dates and plan tier.
•We do NOT store full payment card details — those are handled directly by Stripe under their own terms.

Usage and telemetry

•Credit ledger entries (grants, consumption, refunds, top-ups).
•API request logs (endpoint, status, latency).
•Server logs containing your IP address and user agent, retained for security and abuse-detection.
•Product analytics events through PostHog (page views, feature usage).

Cookies and similar technologies

•See the Cookie Policy for the specifics of each cookie. We use only what's necessary for authentication, plus opt-out-able product analytics.

4. Why we use it and on what legal basis

Under Article 6 GDPR, we rely on the following bases:

Purpose	Legal basis
Providing the Service: account creation, authentication, video rendering, narration synthesis, storing your outputs, applying credit logic.	Performance of a contract (Art. 6(1)(b)).
Billing, invoicing, fraud prevention.	Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)).
Security, abuse detection, system administration.	Legitimate interests (Art. 6(1)(f)) in keeping the Service safe.
Product analytics and improvement.	Legitimate interests (Art. 6(1)(f)) — you can opt out (see Section 9).
Transactional emails (account, billing).	Performance of a contract (Art. 6(1)(b)).
Marketing emails (if we ever send them).	Consent (Art. 6(1)(a)) — withdrawable at any time.

5. Who we share data with (sub-processors)

VidShark is a thin layer over specialized AI and infrastructure providers. To operate the Service we share the minimum personal data necessary with the following sub-processors. Each is bound by an appropriate data-processing agreement and, for those located outside the European Economic Area, by EU Standard Contractual Clauses or equivalent transfer safeguards.

Provider	Purpose	Location	Data
Supabase, Inc.	Authentication, application database (Postgres).	EU (Frankfurt — eu-central-1)	Account, generated-content metadata, credit ledger.
Vercel Inc.	Application hosting and serverless functions.	US / EU (Frankfurt edge preferred — fra1).	All request/response data in transit.
Cloudflare, Inc.	Object storage (R2) for rendered videos and narration audio.	EU jurisdiction bucket	Rendered video files, narration MP3s.
fal.ai (FAL OÜ / FAL Inc.)	Video generation (Google Veo model).	US	Scene prompts sent to the model.
ElevenLabs, Inc.	Text-to-speech narration synthesis.	US	Narration text and voice configuration.
Google LLC	Gemini API for prompt expansion.	US	Your original idea text.
Stripe, Inc.	Payments and subscription billing.	US / Ireland	Name, billing address, email, payment card (handled directly by Stripe).
PostHog, Inc.	Product analytics.	US / EU	Anonymized usage events tied to your Supabase user ID.

We do not sell your personal data. We do not use your prompts or outputs to train our own or third-party models.

6. International transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, on additional safeguards such as supplementary technical and contractual measures, in accordance with the requirements set out by the Court of Justice of the European Union in Schrems II.

7. How long we keep data

•Account data: for as long as your account exists, plus up to 90 days after deletion to settle billing, fraud, and security matters.
•Generated content (videos, narration): stored in your account until you delete it or until 12 months after account closure.
•Billing records: retained for 7 years as required by Estonian accounting law (Accounting Act §12).
•Server logs: 30 days, then deleted.
•Stripe events log: retained for as long as the underlying Stripe transaction is reachable through Stripe (typically 7 years for accounting purposes).

8. Your rights under the GDPR

You have the following rights with respect to your personal data:

•Access — request a copy of the personal data we hold about you.
•Rectification — ask us to correct inaccurate or incomplete data.
•Erasure ("right to be forgotten") — ask us to delete your data, subject to legal-retention obligations listed above.
•Restriction of processing — ask us to temporarily pause processing while a dispute or accuracy check is resolved.
•Data portability — receive your data in a structured, commonly used, machine-readable format.
•Object — object to processing based on legitimate interests (in which case we will stop unless we can show overriding grounds).
•Withdraw consent — for any processing based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any right, email info@leadshark.io. We will respond within one month, extendable by a further two months for complex requests.

You also have the right to lodge a complaint with a supervisory authority — in Estonia, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

9. Opt-outs and choices

•Product analytics: enable Do Not Track in your browser, or use a content blocker — we honour both.
•Marketing emails: every marketing email (if any) contains an unsubscribe link.
•Cookies: see the Cookie Policy for browser-level controls.
•Account deletion: contact us by email or use the in-app deletion flow once available.

10. Security

We protect your data using industry-standard measures: encryption in transit (TLS), encrypted backups, server-side hashing of API keys (SHA-256), HMAC-signed webhook deliveries, row-level security on the database, and the principle of least privilege for operational access. No system is perfectly secure; if you suspect a breach, contact us immediately.

11. Children

VidShark is not directed at children. We do not knowingly collect personal data from anyone under 16 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. AI-specific notes

Prompts you submit are transmitted to third-party AI providers (currently Gemini, Veo via fal.ai, ElevenLabs) for the sole purpose of generating the output you requested. These providers are contractually prohibited from using your inputs for model training on our account (subject to their own published terms; we recommend you review the linked policies). Generated outputs are not guaranteed to be unique, accurate, or free of similarity to third-party works — see our Terms of Service for the full disclaimer.

13. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes, we will notify you by email or via the Service before the change takes effect.

14. Contact

Questions, requests, or complaints about your data:

LeadShark OÜ

Registry code: 16981081

Sepapaja tn 6, 15551 Tallinn, Estonia

info@leadshark.io