Privacy
Policy
Contents
4. Local Processing, AI Features & Your Footage
6. Social-Platform Connections
12. Telemetry, Crash Reports & Diagnostics
1. Who We Are
VLStudio is a two-product creator suite: VLStudio Desktop (a video editing application) and VLStudio Web at vlstudio.live (analytics, community, marketplace, jobs board, and token economy). A desktop login and a web login are the same account, sharing one subscription and one entitlement record.
The controller responsible for your personal data is Vladyslav Zhminko, operating as VLStudio, Carrer de Valencia 191, 6.1, 08011, Barcelona, Spain. Contact details are in Section 19.
We use Supabase as our backend provider for authentication, database storage, file storage, and real-time features, shared across both products.
2. What We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Username and display name
- Password, stored as a cryptographic hash, never in plain text
- Account creation timestamp and role (creator, admin, moderator)
- Optional profile avatar URL
If you sign in with Google OAuth, Google gives us your name, email address, and profile picture. We do not receive or store your Google password.
2.2 Usage Data
- Screens visited and features used in the web portal
- Project names and metadata
- Token and XP transaction history
- Support requests and bug reports you submit
2.3 Community Content
Content you choose to publish, community posts, comments, marketplace listings, job postings, and job applications, is stored on our servers and, depending on the feature, may be visible to other users or the public. See Section 9 and Section 11 for the specifics of who can see what.
2.4 Newsletter
If you subscribe to our newsletter, we store your email address to send product updates. See our Email & Marketing Consent Notice for how to unsubscribe and the current state of that mechanism, and our Cookie & Tracking Notice for browser storage generally.
3. How We Use Your Data
- Provide the service: run your account, sync projects, process orders, run the AI features you invoke
- Improve the product: understand which features are used, diagnose crashes
- Communications: transactional emails (password reset, billing receipts) and, if subscribed, newsletter updates
- Anti-fraud: detect trial and payment abuse, see Section 7
- Safety and moderation: detect abuse, respond to content reports, enforce our Terms
- Legal obligations: comply with applicable law, including tax record-keeping
We do not sell, rent, or trade your personal data to third parties for advertising purposes.
4. Local Processing, AI Features & Your Footage
Project metadata (names, durations, collaborator lists) may sync to our database to power collaboration and the web portal. The features below are the exceptions to local-only processing:
- AI chat (VLS-PRO only): your prompt, a serialized snapshot of your timeline (clips, tracks, markers, caption text, transforms), and chat history are sent to our backend, which forwards them to Google Gemini.
- AI Visuals (VLS-PRO only): raw JPEG frames extracted from your footage, up to six per turn, are sent to Google Gemini so the assistant can see what's in the shot. These frames may contain faces, locations, or third-party footage. See our AI Features Terms and Biometric Data Notice.
- Captions: one path runs fully on-device (a local Whisper model, which may download from Hugging Face the first time you use it); one path sends audio to Google Gemini via our backend; one path sends audio to Groq. The app tells you which path you're using.
- YouTube Coach: your video transcript and channel context are sent to Google Gemini using your own Google API key. This is governed by Google's consumer terms directly between you and Google; VLStudio does not receive this data.
- Review: if you use the Review/collaboration feature, the actual project video is uploaded to our Supabase storage bucket and made available to the project owner and moderators via a link that expires after 12 hours. Your name and email are shared with the project owner as part of this feature.
- Server-side interaction logging: when enabled on our backend, each AI turn (your message, the full timeline context, and the raw response) is stored as a dataset we may use to improve the AI features. Current status: [[AI_PROVIDER_RETENTION]], we will update this section once confirmed. If this logging is active, it is off by default for any given account; see AI Features Terms for how to check your status and request exclusion.
- AI long-term memory: the AI assistant may extract and remember your name, role, goals, and project preferences across sessions to personalize responses. You can ask the assistant to forget this or contact us to erase it, see Section 16.
All AI features above are gated behind the VLS-PRO subscription and only run when you actively use them.
5. Authentication & Sign-In
Authentication is handled by Supabase Auth. Your session token is stored in your browser's local storage (web) and used to authenticate your requests. A PKCE state value is stored temporarily in session storage during sign-in.
When you use Google Sign-In, you are also subject to Google's Privacy Policy. We receive only the minimum data required to create or link your account.
Password reset links are sent by email and expire after 24 hours.
6. Social-Platform Connections
VLStudio Web's analytics dashboard can connect to your YouTube, TikTok, and Instagram accounts. If you connect a platform:
- YouTube: we request read-only access (youtube.readonly) and store a long-lived refresh token plus channel and video statistics. See our Social-Platform Data-Use Disclosure for Google's required "Limited Use" notice.
- TikTok: we request basic profile access (user.info.basic) and store the resulting tokens.
- Instagram / Meta: we request analytics and page-management scopes and store a token valid for roughly 60 days, plus your profile and recent media metrics.
Disconnecting a platform in your account settings removes it from your dashboard. Today, YouTube's disconnect does not yet delete the stored token server-side, and TikTok and Instagram do not yet have a dedicated disconnect/revoke flow; we are working to close this gap, and until then you can also revoke VLStudio's access directly from each platform's own account settings. Full detail, including the platforms' own required disclosures, is in our Social-Platform Data-Use Disclosure.
7. Anti-Fraud Processing
To limit abuse of the VLS-PRO free trial, we process:
- A fingerprint of the payment card used at Stripe checkout, to detect the same card being used to claim more than one trial.
- A salted, one-way hash of the IP address used at signup, to cap the number of trials started from the same network to three per 30 days.
This processing is based on our legitimate interest in preventing abuse of a paid feature. If our systems detect a card already tied to a prior trial, the new trial is automatically cancelled. This is an automated decision under GDPR Article 22; you can contact us (Section 19) to ask a human to review it.
8. Marketplace & Payments
The VLStudio Marketplace lets users list and browse digital products (presets, templates, plugins). We store cart contents, order history, seller listings, and reviews you submit.
The VLS-PRO subscription and Power Token purchases, unlike the marketplace, are real charges processed by Stripe. VLStudio does not store your full card number; Stripe's handling of your payment data is governed by Stripe's own privacy policy.
9. Community Features
Community posts, comments, upvotes, and content reports are stored and linked to your account. Public posts are visible to all registered users, and the follower graph and your profile (including your email address) are currently readable by any authenticated user, and in some cases by anonymous visitors. Posts inside groups marked "private" are, today, also world-readable at the database level despite the "private" label. We are correcting this; until we do, treat any post, group membership, or profile field as potentially visible beyond its stated audience. You can delete your own posts and comments at any time.
10. Tokens & Rewards
VLStudio's reward system (Creator Points/XP, Power Tokens, achievements) logs every transaction against your account to calculate balances, display your activity feed, and prevent fraud. See our Virtual Currency & Tokens Terms for how tokens work.
11. Jobs Board
If you post a job listing or apply to one:
- Job postings store the title, description, budget, status, and your user ID.
- Applications store your uploaded CV file, cover letter, and the email address tied to your account, and these are disclosed to the employer who posted the job. The employer is an independent controller for how they use this data once received. Your CV may contain special-category data (for example, if it includes a photo or discloses health information); only include what you are comfortable sharing with the specific employer.
- Employers may record free-text notes about your application; these notes are visible to the employer, not to you.
- Your CV file is currently stored at a URL that is technically public if guessed or shared, even though the storage bucket is intended to be private; we are correcting this.
- Withdrawing an application does not currently delete your uploaded CV file. Contact us if you want it removed, see Section 19.
12. Telemetry, Crash Reports & Diagnostics
VLStudio Desktop uses Sentry for crash and error reporting, hosted in Sentry's EU region. Sentry is on by default in every packaged build; there is currently no in-app setting to turn it off, despite what earlier versions of this page said. Sentry receives stack traces, breadcrumbs, and, because file paths on your machine are sometimes included in error data, your operating-system username may be captured as part of a file path. We do not currently scrub this before it is sent. We are adding a real opt-out and reducing what is captured; until then, this is disclosed here rather than described as anonymized.
Separately, the desktop app keeps a local crash log on your own machine, appended to each time the app encounters an unhandled error. This file stays on your device and is not automatically uploaded, but it is not automatically cleared either.
An auto-update check happens periodically as an unauthenticated request to our update server; this request necessarily exposes your IP address and user agent to that server, the same as any web request would.
13. Cookies & Local Storage
The web portal uses browser local storage and session storage rather than traditional cookies for your authentication token and sign-in state, and loads Google Fonts and Stripe.js from their respective domains on every page, including this one. That is a cross-origin data transfer to Google and Stripe every time these pages load. We do not currently run third-party advertising trackers. Full detail and your choices are in our dedicated Cookie & Tracking Notice.
14. Sub-Processors & International Transfers
We share data with the following categories of service providers, each acting under our instructions:
| Provider | Role | Region |
|---|---|---|
| Supabase | Auth, database, storage, edge functions, realtime | US-hosted cloud |
| Stripe | Subscription and token payments | US |
| OAuth sign-in, Gemini AI, YouTube Data API, Fonts, Search | US | |
| Groq | AI chat and speech-to-text | US |
| Render | Hosts our AI backend | US |
| Hugging Face | Caption model download | US / CDN |
| Sentry | Crash and error telemetry | EU |
| Meta / Instagram | Analytics API | US |
| TikTok | Login and analytics API | US / global |
| Jamendo, Pixabay | In-app music libraries | EU |
| Microsoft Azure Trusted Signing | Windows code signing | US |
Where a provider processes personal data outside the EU/UK, that transfer relies on that provider's Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework. We are in the process of formalizing Article 28 data processing agreements with each processor above; our internal sub-processor register and DPA tracker is maintained alongside this policy and is available on request.
15. Data Retention
- Active accounts: retained for as long as your account exists.
- Account deletion: today, deleting your account is a manual process initiated via Settings and completed by our support team, aiming for removal within 30 days. It does not yet purge every store automatically: uploaded videos, OAuth tokens and cached analytics, community and marketplace and job records, CV files, and local AI memory or interaction logs may persist after a deletion request until removed manually. We are building an automated erasure pipeline to close this gap; until then, tell us in your deletion request which categories matter most to you and we will prioritize them.
- Subscription and payment records: retained for the period required by tax law even after account deletion.
- Newsletter: email address removed on unsubscribe.
- Support requests: retained for 2 years.
- Crash reports and telemetry: retained per Sentry's standard retention (see Sentry's own policy) for cloud telemetry; local crash logs remain on your device until you clear them.
16. Your Rights
Depending on your location, you may have the right to access, correct, delete, or export your personal data, object to or restrict certain processing, and withdraw consent where processing relies on it. To exercise any of these rights, contact us at [[CONTACT_EMAIL_PRIVACY]] (interim: vlstudiopartners@hotmail.com). We aim to respond within 30 days. See Section 15 for the current, honest state of how completely we can act on a deletion request today.
17. Children's Privacy
Our age requirements and how we handle under-18 users are set out in one place, our Minimum-Age & Children's Policy, so the rules stay consistent with our Terms of Service. If you believe a child has provided us personal information in a way that policy does not permit, contact us and we will address it.
18. Changes to This Policy
We may update this Privacy Policy from time to time. When we make a material change, we update the "Last updated" date above and, where appropriate, notify registered users. See our Terms Versioning Policy for how we capture your acceptance of updates. Continued use of the Service after a change takes effect is acceptance of the updated policy, except where law requires fresh consent.
19. Contact
For privacy questions, data requests, or to report a concern:
- Email: [[CONTACT_EMAIL_PRIVACY]], interim address: vlstudiopartners@hotmail.com
- Postal: Vladyslav Zhminko, Carrer de Valencia 191, 6.1, 08011, Barcelona, Spain
- Bug reports and public issues: github.com/vlad044-z/website_vls/issues
VLSTUDIO
← Back to site