Privacy Policy

1. Overview

We built ClipWith to help creators and founders edit video faster. To do that, we process the videos, audio, and prompts you provide — sometimes routing them through third-party AI services. This policy tells you exactly what happens to your data at each step.

If anything here doesn’t make sense or you want specific data handled differently, email [email protected] and we’ll work with you.

2. Who we are

ClipWith is operated by Clarity Digital Development. For privacy purposes, we are the data controller for information collected through the service. Our business address is available on request to [email protected].

3. What we collect

Account info: email address, display name, password hash (via NextAuth), and optional brand context you provide.

Uploaded content: videos, audio files, images, and screenshots you upload or capture through the service, plus any reference URLs you paste for brand research.

Editing inputs: text prompts, chat history, composition JSON, template and palette selections, and segment selections from automated content analysis.

Billing info: we use Stripe for payments. Stripe collects your card/payment data directly — we never see your full card number. We store a Stripe customer id, subscription status, credit balance, and a history of credit-transaction events tied to your account.

Technical info: IP address (used for rate limiting + abuse prevention), browser headers, timestamps of requests, and error logs. We do not run fingerprinting or advertising SDKs.

4. Why we collect it

• To provide the service. Running AI pipelines, rendering compositions, storing your projects, and responding to your edit prompts.
• To bill you accurately. Tracking credit balance, processing Stripe payments, handling refunds and disputes.
• To prevent abuse. Rate limiting, logging breaches of acceptable use, and investigating fraud or security incidents.
• To improve the product. Aggregated usage statistics to understand which features work. We do not use your uploaded content to train our own AI models.
• To communicate. Transactional emails (account, billing), support responses, occasional product updates (opt-out at any time).

5. Legal basis (EU/UK)

If you’re in the European Economic Area or the United Kingdom, we rely on these legal bases under GDPR / UK GDPR:

• Contract: processing account info, uploaded content, and billing data is necessary to provide the service you signed up for.
• Legitimate interests: abuse prevention, rate limiting, security logging, and improving the product.
• Consent: for optional features like marketing emails or third-party platform publishing (YouTube, TikTok, etc.) — you can withdraw at any time.
• Legal obligation: responding to lawful requests from authorities, retaining records for tax/accounting purposes.

6. Who we share with

We share data only with vendors (“sub-processors”) who help us run the service. Each processes what’s necessary for their specific role. We disclose categories of recipients here; the full list of named vendors is available on request to enterprise customers under a Data Processing Agreement.

• AI / large-language-model providers — process your text prompts and composition JSON to plan and apply edits.
• Visual-AI / video-understanding providers — index and analyze video content for semantic search, scene understanding, and structural segmentation. Indexed copies are retained on the provider until you delete the source project.
• Speech-to-text providers — transcribe audio you submit for caption generation, voice prompts, and analysis.
• Audio-AI providers — generate text-to-speech, sound effects, music, voice isolation, and dubbing from inputs you submit.
• Visual / video-effects providers — eye-contact correction, background-noise removal, green-screen, and lip-sync dubbing.
• Stock-media providers — public-API queries for royalty-free footage and photos. No personal data transferred.
• Cloud infrastructure providers — object storage for uploaded media and generated outputs, application hosting, and managed database for account data.
• Email / transactional-messaging providers — deliver account, billing, and product emails to your inbox.
• Stripe — payment processing. Handles all card data directly; we receive only a customer id and transaction status. We name Stripe specifically because card-handling transparency is a security expectation, not a marketing claim. Their policy →

We do not sell your personal information to anyone. We do not share your data with advertisers. We may disclose data if required by law (e.g., valid subpoena) or to protect rights and safety.

Our sub-processor list may change as we add or replace vendors. Each vendor is contractually bound to process data only on our instructions and to maintain confidentiality and security commensurate with industry standards. Material changes to the categories above will be reflected in this policy.

7. Connected social accounts

ClipWith lets you publish videos you create in our editor directly to your own connected social accounts on TikTok, Instagram, and YouTube. This section describes exactly how we handle the data and access tokens involved.

User-initiated only. Every publish action is initiated by you — you click “Publish to TikTok” (or Instagram, or YouTube) on a specific video you rendered in ClipWith, review the title/caption/description, and confirm. We do not bulk-publish, schedule without your action, re-publish your existing platform content, or post any content you did not create in ClipWith.

What we receive from each platform. When you connect an account via OAuth, we receive: an access token, a refresh token (where the platform issues one), the platform-side user identifier (e.g. TikTok open_id, Instagram Business user id, YouTube channel id), and your handle/channel name for display purposes. We do not access your content library, follower lists, direct messages, analytics, monetization data, or any signal beyond what the publish endpoint requires.

How tokens are stored. Access tokens and refresh tokens are stored encrypted at rest in our database. They are never logged, never sent to third parties, never shared between users, and never returned to client-side code. Refresh tokens are rotated on use where the platform supports rotation. The only system that reads these tokens is our publish endpoint.

What we send to each platform. On publish, we forward your rendered video file (or a URL pointing to it on our cloud storage), the caption / title / description text you entered, and any platform-specific options you selected (privacy level, comment toggles, scheduled time). We send only what each platform’s publish endpoint requires.

Data retention after publish. Once a publish completes, we retain only: a record that you published to that platform on that timestamp (for support and audit), and the platform-side post URL/ID returned by the publish API (so you can find your post). We do not retain a copy of the video on our servers for the purpose of re-publishing or training. The original rendered file remains in your ClipWith project until you delete it.

Revoking a connected account. You can disconnect any connected social account from Settings → Publishing at any time. Disconnecting calls each platform’s token-revocation endpoint, deletes our stored tokens for that platform within 24 hours, and stops any future publishing on your behalf. You can also revoke ClipWith’s access directly from each platform’s own settings (TikTok app management, Meta’s Apps and Websites, Google Account permissions).

Platform-specific notes.

• TikTok: we use the Content Posting API. Privacy level (public / friends / only-me) is set by you in our publish UI and pulled from TikTok’s own creator-info endpoint with no pre-selected default. Comment, Duet, and Stitch interactions default to off and are toggled by you. We honor TikTok’s Music Usage Confirmation requirement and surface the relevant consent before publish. Use of TikTok data is governed by TikTok’s Privacy Policy.
• Instagram (Meta): we use the Instagram Graph API and require an Instagram Business account on your side (Creator accounts are not supported by the API). Reels are published via the two-step create-container then publish flow. Use of Meta data is governed by Instagram’s Privacy Policy.
• YouTube: we use YouTube Data API v3 videos.insert. We request only the youtube.upload scope — the minimum needed to upload a video on your behalf. We do not access your channel analytics, comments, subscriber list, or any other channel data. Use of YouTube data is governed by YouTube’s Terms of Service and the Google Privacy Policy. You can revoke ClipWith’s access at any time via Google Account permissions.

No automated bulk publishing. ClipWith is not a scheduler-bot, drip-publisher, or auto-poster. Each publish is a one-shot, user-confirmed action against a specific video the user just rendered. Where we offer simple scheduling (e.g. a delayed publish time picked by the user at publish time), that is a single deferred action, not an ongoing automation.

8. AI training policy

We do not train our own AI models on your uploaded content or prompts. ClipWith uses models provided by third parties; we do not have our own model training pipeline.

Each third-party AI vendor we route through has its own retention and training policies, governed by their own terms of service. In general:

• We select vendors whose enterprise / paid API tiers commit to NOT training on customer-submitted content by default.
• Visual-AI providers that index video may retain your indexed copy until you delete the project that owns it. Deletion requests are honored within 30 days.
• Retention windows for transcription, audio-AI, and effects vendors are governed by each vendor’s published policy. Most are short-lived (request-scoped or 30 days).

We cannot guarantee third-party vendor behavior beyond what their published policies and our contracts with them specify. For the highest level of privacy, avoid uploading content you don’t want passed to AI services. Enterprise customers can request our current sub-processor list and the corresponding policy links under a Data Processing Agreement.

9. Data retention

• Account data: retained until you delete your account or request deletion.
• Uploaded content: stored until you delete the project or your account. Some content is cached on cloud storage and on visual-AI indexing services; we remove on deletion request within 30 days.
• Billing records: retained for 7 years to comply with tax and accounting regulations, then deleted.
• Security logs (IPs, error logs): retained 90 days, then deleted or aggregated.
• Automated content-analysis results: cached up to 24 hours by default; cleared on project deletion.

10. Your rights

Subject to your jurisdiction, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correct — update inaccurate information.
• Delete — request deletion of your account and associated data.
• Port — receive your data in a machine-readable format.
• Object — stop certain processing (marketing, profiling).
• Withdraw consent — for processing based on consent, revoke it at any time.

To exercise any of these rights, email [email protected]. We respond within 30 days. You also have the right to file a complaint with your local data protection authority.

11. California privacy rights

California residents have the rights described in Section 9, plus:

• Right to know what personal information we collect, use, and share.
• Right to request deletion of personal information.
• Right to opt out of the “sale” or “sharing” of personal information — we don’t sell or share for behavioral advertising, so there’s nothing to opt out of.
• Right to non-discrimination for exercising your privacy rights.

12. Children’s privacy

ClipWith is not directed at children under 13 (or 16 in some jurisdictions). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact [email protected] and we’ll delete it promptly.

13. Cookies + tracking

We use a small number of cookies, all essential to the service:

• Session cookie (NextAuth): keeps you signed in. Expires on logout or session timeout.
• CSRF token: prevents cross-site request forgery.

We do not use third-party advertising trackers, analytics fingerprinting, or cookies for behavioral targeting. If we add analytics in the future (e.g., a privacy-respecting tool like Plausible), we’ll update this policy.

14. Security

We use industry-standard protections including encryption in transit (HTTPS/TLS), encryption at rest for database storage, hashed password storage, rate limiting on all paid endpoints, and limited-access credentials for internal systems. No method is 100% secure; we cannot guarantee absolute security, but we work hard to protect your data.

If you discover a security issue, please report it to [email protected] — we appreciate responsible disclosure.

15. International transfers

Our hosting is primarily in the United States. If you’re outside the US, your data will be transferred to and processed in the US and other countries where our vendors operate. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms for cross-border transfers.

16. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app banner. Continued use of the service after an update means you accept the revised policy.

17. Contact

Privacy questions, requests, or complaints: [email protected]

For legal notices: [email protected]

For security issues: [email protected]