Privacy policy
Sofuto Solutions LLP (“we”, “our”) takes the protection of your personal data seriously. This policy explains what we collect, why, and how you can exercise your rights under the UK GDPR and the Data Protection Act 2018.
1. Controller
Sofuto Solutions LLP — TO FILL, TO FILL, United Kingdom.
Contact: hendylplm@outlook.fr
2. Data we collect
- Account data: email address, user ID, and Google SSO metadata (name, profile picture) when you sign in with Google.
- Payment data: Stripe customer ID and payment method ID (non-sensitive tokens). Full card numbers never touch our servers — Stripe collects and stores them directly.
- User content: TikTok/Instagram video URLs you submit, face photos you upload for face swap, workspace logos, custom scripts, and the final rendered videos.
- Technical data: IP address, user-agent, and API access logs used for security and abuse prevention.
- Workspace data: the name, default language and logo of each workspace you create.
3. Purposes and lawful basis
| Purpose | Lawful basis | Retention |
|---|---|---|
| Operating the service (account, pipelines, delivery) | Performance of a contract | While your account is active |
| Processing payments and auto top-ups | Performance of a contract | 6 years (UK accounting records) |
| Fraud prevention and security | Legitimate interest | 12 months (access logs) |
| Customer support and transactional communication | Performance of a contract | Duration of the relationship + 3 years |
| Product improvement (aggregated usage analytics) | Legitimate interest | 24 months |
4. Sub-processors and international transfers
We rely on the following sub-processors to operate the service. Some are located outside the UK; where that is the case the transfer is based on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision.
| Sub-processor | Role | Location |
|---|---|---|
| Stripe Payments Europe Ltd | Payment processing (Checkout, recurring billing, card storage) | Ireland (EU) |
| Supabase Inc. | Authentication, database, file storage (workspace logos, etc.) | United States (with optional EU region) |
| Vercel Inc. | Application hosting and content delivery (CDN) | United States |
| Kie.ai | AI face swap models (Nano Banana 2 + Kling Motion Control) | Hong Kong / International |
| Deepgram Inc. | Video audio transcription (Deepgram Nova-2) | United States |
| ElevenLabs Inc. | AI-generated voice synthesis (voiceovers) | United States |
| OpenRouter | Access to AI models (Claude Sonnet for scripts, Gemini for clip analysis) | United States |
| Twilio SendGrid | Transactional email delivery (final videos, receipts) | United States |
| Amazon Web Services (S3) | Temporary storage of final rendered videos before delivery | EU and/or US regions depending on configuration |
5. Video content and AI processing
Videos you submit are downloaded, transcribed, and processed by our AI models to produce the final output. Intermediate and final files are stored temporarily (up to 30 days after generation) and then deleted automatically. We do not use your content to train third-party models unless stated otherwise in the relevant sub-processor's policy.
6. Cookies
We use only strictly necessary cookies needed for the service to work (Supabase session, active workspace preference). We do not set advertising or tracking cookies without your explicit consent.
7. Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you
- Request rectification of inaccurate data
- Request erasure (“right to be forgotten”)
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time, where processing relies on consent
- Complain to the UK Information Commissioner's Office (ICO) — ico.org.uk
To exercise any of these rights, write to hendylplm@outlook.fr. We respond within 30 days.
8. Security
We apply appropriate technical and organisational measures to protect your data: TLS encryption in transit, encryption at rest on our database (Supabase), strong authentication (Google SSO), environment isolation, logging of sensitive operations, and least-privilege access to API keys.
9. Changes to this policy
We may update this policy to reflect changes to the service or to the applicable legal framework. When the change is material we will notify you by email. The last-updated date appears at the bottom of this page.
10. Contact
For any question about how we handle your personal data: hendylplm@outlook.fr.