VideoGenAI
Legal

Privacy Policy.

Last updated 2026-04-26 · Effective 2026-04-26

This Privacy Policy explains how Halo sp. z o.o. ("we", the "Controller") collects, uses and protects your personal data when you use the VideoGenAI website and Service. This Policy is written to comply with Regulation (EU) 2016/679 (GDPR) and the Polish Personal Data Protection Act.

1. Data controller

Halo sp. z o.o.
ul. Warszawska 40/2A, 40-008 Katowice, Poland
KRS 0001145505 · NIP 9542880835
Privacy contact: privacy@videogenai.io

2. What we collect

  • Account data: email address, name (optional), company (optional).
  • Usage and analytics data: pages visited, clicks, scroll depth, dwell time, form-field interaction (field names and input length, never the raw values you type), pricing-tier clicks.
  • Device and network data: user-agent, browser, OS, device type, referrer, UTM parameters, approximate geo (country/region/city) derived from IP.
  • IP address: stored only as a salted SHA-256 hash (not the raw IP) for abuse prevention and geo inference.
  • Render inputs and outputs: prompts, uploaded references, and generated clips you create.
  • Billing data: billing name, email, billing address, and (for B2B invoices) company name and tax ID (NIP/VAT). Card details, BLIK, Apple Pay, Google Pay and any other payment-method credentials are entered on Stripe's hosted checkout and are never sent to or stored by us; we only receive non-sensitive transaction identifiers, the last four digits of the card, the card brand, and the country of issue.

3. Why we process it (legal basis)

  • Performance of a contract (Art. 6(1)(b) GDPR): to operate your account, process renders and bill you.
  • Legitimate interests (Art. 6(1)(f)): product analytics, security, abuse prevention, service improvement. We balance these against your rights.
  • Consent (Art. 6(1)(a)): optional marketing communications, where applicable.
  • Legal obligation (Art. 6(1)(c)): accounting and tax records as required by Polish law.

4. Retention

  • Account data: until you delete your account.
  • Render inputs and outputs: 90 days after deletion request, then purged from backups within an additional 30 days.
  • Analytics events: 24 months, then aggregated irreversibly.
  • IP-hash records: 12 months.
  • Invoices and accounting records: 5 years from the end of the tax year, per Polish law.

5. Who we share data with

We share personal data only with carefully selected processors that help us run the Service. Categories of processors include:

  • Cloud hosting and database providers (EU region).
  • Transactional email providers.
  • Payment processing: Stripe Payments Europe, Limited (Dublin, Ireland) acts as an independent controller for the payment information you enter on its checkout page. When you buy a pack, your billing details (name, email, address, company name and tax ID for B2B) and the order amount are shared with Stripe; Stripe sends us back the transaction outcome, an invoice number and a PDF, and the masked card metadata listed in section 2.
  • Product analytics and error monitoring.
  • GPU inference partners for rendering.

A current list of sub-processors is available in our Data Processing Agreement.

5a. Payments and invoices

Payments on VideoGenAI are processed by Stripe. Depending on your region and Stripe configuration, supported payment methods may include credit and debit cards (Visa, Mastercard, American Express), BLIK, Apple Pay, Google Pay, Link by Stripe and SEPA bank debit. Stripe is PCI-DSS Level 1 certified; we never see, transmit or store full card numbers, CVCs or banking credentials.

For every successful payment Stripe issues a receipt and an invoice (PDF) and emails them to the address you provided. We keep a copy of the invoice metadata - billing entity, NIP/VAT where applicable, amount, currency and tax breakdown - in our own database to fulfil our legal accounting and bookkeeping obligations under Polish tax law (Ustawa o rachunkowości, Ordynacja podatkowa). These records are retained for 5 years from the end of the relevant tax year, after which they are irreversibly deleted.

Stripe may use the data it collects for fraud prevention and for the legitimate interests described in its own privacy policy. Where Stripe transfers personal data outside the EEA, the transfer is governed by EU Standard Contractual Clauses.

6. International transfers

Personal data is primarily processed within the EEA. Where a processor is located outside the EEA, transfers are protected by Standard Contractual Clauses (SCCs) and, where required, supplementary measures.

7. Your rights

You have the right to access, rectify, erase, restrict or object to the processing of your personal data, the right to data portability, and the right to withdraw consent at any time where processing is based on consent. You may exercise these rights by emailing privacy@videogenai.io. You also have the right to lodge a complaint with the Polish supervisory authority (UODO) or with the supervisory authority of your habitual residence.

8. Cookies

We use a small number of first-party cookies, all of them functionally necessary or used for privacy-safe product analytics:

  • Anonymous visitor identifier, a random UUID set on first visit so we can aggregate page-level usage without linking it to your identity. Expires after 1 year.
  • Session cookies for signed-in users - required to keep you logged into your workspace. Expire when you sign out or when the session expires.

We do not use third-party advertising cookies, cross-site tracking pixels, or social-media retargeting tags.

9. Security

We follow industry-standard practices: HTTPS everywhere, data-at- rest encryption for databases and backups, least-privilege access, rotated secrets, and regular dependency patching.

10. Changes to this Policy

We may update this Policy. Material changes are communicated by email at least 14 days before they take effect.