Epic Transformations

Privacy Policy

Last updated: 24 June 2026 · Version: 1.0

1. Introduction

This Privacy Policy explains how Epic Transformations collects, uses, stores and shares personal data when you use our website and services. We are committed to protecting your personal data and handling it in accordance with applicable data-protection law, including the EU General Data Protection Regulation (GDPR).

2. Data Controller

The data controller responsible for your personal data is Viktor Kovryzhenko, an individual entrepreneur (FOP) registered in Ukraine, Kyiv, Ukraine. For any privacy-related question you can contact us at privacy@epic-transformations.com.

3. What Data We Collect

3.1 Data you provide

  • Account data: your email address and, if you sign in with Google, basic profile information provided by Google (such as name and profile image).
  • Generation input: the topics, scripts and settings you submit in order to generate videos.
  • Communications: information you provide if you contact us for support.

3.2 Data created by your use of the Service

  • Account and subscription records, token balance and token transaction history.
  • Records of videos you have generated, including metadata such as duration and tokens spent.
  • Technical and usage data, such as log data, device and browser information and IP address.

3.3 Payment data

Payments are handled by Paddle as Merchant of Record. Paddle processes your payment details directly. We receive limited transaction information (such as plan, status and billing dates) but we do not receive or store your full card number.

3.4 Files you upload to the editor

If you upload your own files (such as images, video or audio) into the editor, those files are processed locally in your browser, using your device’s local storage (for example OPFS and IndexedDB). They are not uploaded to, transmitted to, or stored on our servers, and we do not receive their contents. Because we do not receive these files, we do not act as a controller of the personal data they may contain, and they are not shared with our AI providers.

4. How We Use Your Data and Legal Bases

We process your personal data on the following legal bases under the GDPR:

  • Performance of a contract: to create and manage your account, to operate the Service, to generate videos you request, and to manage tokens, subscriptions and payments.
  • Legitimate interests: to secure and improve the Service, to prevent fraud and abuse, and to communicate with you about the Service.
  • Legal obligation: to comply with legal obligations that apply to us, for example responding to lawful requests from authorities. Because Paddle acts as Merchant of Record, the tax and payment records for your purchases are held by Paddle, not by us, so our own legal-retention obligations rarely require us to keep your personal data.
  • Consent: for non-essential cookies and similar technologies, and for any optional marketing communications, where consent is required. You may withdraw consent at any time.

Consent to marketing communications is separate from, and not a condition of, creating an account or using the Service. You can use the Service, including any free tokens, without giving marketing consent, and withdrawing marketing consent does not affect your access to the Service.

5. Third Parties and Sub-Processors

To operate the Service we share personal data with third-party providers who act as our processors or as independent controllers. These currently include:

  • Clerk (account authentication and sign-in) – United States.
  • Supabase (database) – European Union (Frankfurt).
  • Hetzner (hosting infrastructure) – European Union (Frankfurt).
  • Cloudflare, Inc. (United States) – multiple services:
    • R2 storage of generated video files (EU/Frankfurt region)
    • Email Routing for our support@, privacy@, abuse@ and contact@ addresses
  • Anthropic (language model, script generation) – United States.
  • OpenAI (text-to-speech and transcription of generated voice) – United States.
  • fal.ai (AI image and video generation) – United States.
  • WaveSpeed (AI music generation) – United States.
  • Resend (transactional email delivery) – United States. Used to send feedback acknowledgements and service notifications to your registered email address.
  • Pexels (stock footage) – provider of stock media incorporated into generated videos.
  • Paddle (payment processing as Merchant of Record) – acting as an independent controller, not as our processor (see below).

Most of these providers act as our processors, processing personal data only on our instructions under a data processing agreement. Paddle is different: as Merchant of Record it acts as an independent controller of the payment and billing data it processes, under its own privacy policy. We may add or change providers over time and will keep this list up to date.

Our AI providers receive only the generated text prompts and parameters needed to produce your video; they do not receive the files you upload to the editor, which are processed locally on your device. Where speech transcription is used, it is applied to AI-generated voice for subtitle synchronisation, not to any audio you upload.

The text prompts and generation settings you submit are transmitted to our AI providers in order to produce your video; the files you upload to the editor are not (see Sections 3.4 and 5). You should not include personal data of other people, or confidential information, in the prompts and text you submit.

6. International Data Transfers

Some of our providers process personal data outside the European Economic Area, in particular the United States. Where this happens, we rely on the transfer mechanisms recognised under the GDPR. For providers in the EEA, no transfer mechanism beyond a data processing agreement is required. For US providers, we rely on the EU–US Data Privacy Framework where the provider is certified, or otherwise on the European Commission’s Standard Contractual Clauses (together with the UK Addendum where UK users’ data is transferred), supported where appropriate by a transfer impact assessment. You can ask us for more information about the safeguards that apply to a specific provider.

7. Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy or as required by law. In particular:

  • Account data is kept for as long as your account exists.
  • Generated video files are stored only temporarily on our cloud storage (Cloudflare R2, EU region) and are automatically deleted approximately 48 hours after generation. This temporary storage is used only to deliver the generated media to you and applies to AI-generated content, not to files you upload to the editor.
  • Account, subscription and token-transaction records: kept for the duration of your account in order to provide the Service. The tax and payment records for your purchases are held by Paddle as Merchant of Record under its own retention obligations, not by us.
  • Technical and usage data (such as log data and IP address): kept for the duration of your account and then deleted or anonymised, except where we must retain it for a limited period to comply with a legal obligation or to establish, exercise or defend legal claims.
  • When you delete your account, we delete or anonymise the personal data we hold, except where we must retain limited information to comply with a legal obligation or to establish, exercise or defend legal claims.

8. Your Rights

Subject to applicable law, you have the right to access your personal data, to request correction or deletion, to restrict or object to certain processing, to data portability, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a data-protection supervisory authority.

To exercise your rights, contact us at privacy@epic-transformations.com. We may need to verify your identity before responding.

We will respond to a request without undue delay and within one month of receiving it. Where a request is complex or where we receive a number of requests, we may extend this period by up to two further months and will let you know within the first month if we do. If your data also contains personal data of other people, we will remove or redact their information before providing your data to you. If a request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or decline to act on it, and we will explain our reasons.

9. Security

We take reasonable technical and organisational measures to protect personal data against loss, misuse and unauthorised access. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Children

The Service is not directed to children. You must be at least 18 years old to use the Service. We do not knowingly collect personal data from anyone below that age; if we become aware that we have, we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date and, where changes are material, take reasonable steps to notify you.

12. Contact

For any question about this Privacy Policy, contact us at privacy@epic-transformations.com.