Privacy Policy
1. Overview
Cutflux offers browser-based tools to align video edits with music—including beat detection, previews, rendering, captions, and account features when you choose to register. Depending on what you click and which device you use, processing may occur entirely on your device, on Google Cloud-hosted backends (Firebase and Cloud Run), or through integrations such as Stripe and AssemblyAI. This policy describes categories of information that may be collected or generated and typical uses.
2. Information we collect
2.1 Account information
If you create an account, we use Google Firebase Authentication. Firebase may collect and store identifiers such as your email address, a unique user ID, sign-in timestamps, authentication provider (“password” vs. “Google.com”), and security-related signals required to operate sign-in.
2.2 Media and edits you initiate
To provide editing features, audio and/or video passes through workflows you start:
- Beat timeline experience (
beat-timeline.html): clip detection and tempo analysis largely run inside your browser. When you export, the app may POST your video, audio segment, edit plan, and quality settings (for example HD or 4K upscale parameters) to a Cloud Run render API (/api/render/*) for FFmpeg-based stitching, or capture output locally using browser recording when cloud export is unavailable or too large. - Upload-to-cloud flows (for example portions of our editor that upload inputs to Firebase Storage for processing): we store temporarily or until replaced the files associated with jobs you run, including video and backing music if you upload them.
- Captions: when caption or transcription endpoints are invoked, clipped or normalized portions of audio are sent server-side—when configured—to AssemblyAI speech-to-text endpoints to obtain word timings. Exported caption videos upload your rendered video and timing JSON via
/api/captions/export/starthelpers before returning an MP4 with burned-in captions. - Links you supply: if you initiate features that ingest third-party-hosted media (such as pasted URLs), operators may relay those requests via Cloud infrastructure to normalize or retrieve media strictly to fulfill your command.
We do not use your uploads to train generalized public models unless we separately disclose a different program.
2.3 Usage telemetry and diagnostics
Optional client instrumentation (vep-analytics-client.js) sends summaries to Cloud Run endpoints such as /api/analytics/ping, /api/analytics/identify, and /api/analytics/client-event when configured. Events may reference page URLs, referrer, coarse device context (timezone, browser language, screen size), hashed or truncated IP by the backend, signup/login funnel checkpoints, navigation errors we attempt to categorize, JavaScript failures, Stripe-related redirects, or custom feature tags. Administrators may correlate certain events with Firebase user IDs when authenticated users opt into flows requiring identification.
You can disable outbound analytics by executing window.VEP_ANALYTICS = false before analytics scripts bootstrap, or blocking our API origins—bearing in mind portions of rendering or captions rely on connectivity to servers regardless.
2.4 Billing
Payments or subscriptions may be facilitated by Stripe. We do not store full payment card numbers; Stripe collects them under its own privacy policy.
2.5 Server logs and metadata
Cloud hosts automatically record timestamps, IPs, URLs, payloads necessary for troubleshooting, throughput limits (for example burst protection on analytics ingestion), FFmpeg job durations, Stripe webhook validations, caption job statuses, storage signed URL usage, etc.
2.6 Local browser storage
We use cookies or storage APIs only minimally for auth flows; more commonly sessionStorage/localStorage persists UI selections (music start offset, editor preferences, attribution touchpoints including UTM snippets, Stripe-return markers). Clearing site data resets those caches.
3. How we use information
- Authenticate users, personalize sessions, and secure accounts;
- Fulfill audio/video processing jobs you expressly request;
- Monitor correctness, uptime, misuse, quota abuse, billing integrity;
- Improve reliability (including debugging crash-style events flagged by analytics pipelines);
- Comply with law, subpoenas where applicable, and enforce contractual terms.
4. Disclosure and subprocessors
To deliver the Service, information may transit or reside with:
- Google Firebase (Auth, Hosting, Storage, Functions or Admin SDK-managed Firestore) and Google Cloud Platform / Cloud Run for compute;
- Stripe for merchant-of-record tooling;
- AssemblyAI, when captions/transcription endpoints are deployed with valid API credentials;
- Open-source CDNs such as
gstatic.comfor Firebase SDK binaries, Stripe.js loaders, fonts from Google Fonts, or third-party WASM scripts referenced by the editors.
We instruct vendors pursuant to contractual confidentiality and security expectations; they may process globally located equipment.
5. Business transfers
If Cutflux merges, acquires financings, reorganizes, or sells assets—subject to lawful requirements—we may disclose information to successors under confidentiality obligations akin to those here.
6. Your choices and regional rights
You may uninstall or stop using the Service, delete browser storage or cookies tied to Firebase sessions, revoke Google OAuth tokens from Google account security pages, cancel Stripe subscriptions inside Stripe-hosted portals referenced from the UI, email data requests if operators publish contacts, request Firestore-derived analytics pruning when technically feasible at small scale, export finished videos manually from your device whenever download buttons persist, and escalate complaints to supervisory authorities depending on geography.
California residents obtain additional disclosures under CPRA-lite templates: categories align with Sections 2–5; disclosures are operational (no data sales compensated with money for unrelated ad profiles as of Effective Date); Shine-the-Light individualized marketing-sharing requests can be accommodated by contacting Cutflux administrators if monetization evolves.
EU/UK/EEA Switzerland visitors should consider transfer mechanisms inherent to GCP/Firebase; obtain Data Processing Agreements from Google Firebase when applicable contracts require them.
7. Age restrictions
The Service targets adults capable of agreeing to contractual terms online. Individuals under thirteen (13) residing in jurisdictions covering COPPA should not submit personal information; parents may contact administrators to remove mistakenly collected minors’ data.
8. International transfer
Servers underpinning Firebase and Render APIs may reside in the United States or other regions Google configures. Submitting media constitutes consent—where permissible—to cross-border transfers.
9. Security
We implement reasonable administrative and technical safeguards (TLS in transit where configured, JWT-based auth for privileged actions, quotas on ingestion routes, signed URLs limiting storage exposure durations). Absolute security cannot be guaranteed.
10. Retention
Ephemeral FFmpeg jobs purge files after renders complete or fail; captions jobs delete intermediate artifacts when workers finish normally. Analytics aggregates may linger for operational analytics unless operators rotate collections. Administrators may lengthen retention for disputed transactions or mandated legal preservation.
11. Updates
We may revise this Policy to reflect evolving features. Material changes merit republishing the Effective date and—where pragmatic—surfacing summaries in-application.
12. Contact
Until a dedicated inbox is announced, inquiries may route through publicly listed social channels reachable from our landing footer (for example the official TikTok profile linked near “Contact”). Replace this paragraph with statutory contact coordinates when your legal entity adopts them.