Privacy Policy

Last Updated: February 26, 2026

Your Privacy Matters: This Privacy Policy explains how ViralPilot ("we," "us," or "our") collects, uses, stores, and protects your personal information when you use our website at getviralpilot.com and our services (collectively, "the Service"). ViralPilot uses YouTube API Services. By using ViralPilot, you are also agreeing to the Google Privacy Policy.

1. Information We Collect

1.1 Account Information

When you create an account through our authentication provider (Clerk), we collect:

  • Email address
  • Name or display name
  • Profile photo (if provided via social login)
  • Account preferences and settings

1.2 Social Media Integration Data

When you connect social media accounts (TikTok, Instagram, YouTube), we collect and store:

  • OAuth Access Tokens: Securely encrypted tokens that allow us to post content on your behalf
  • Refresh Tokens: To maintain your connection without requiring repeated logins
  • Profile Information: Your username, profile ID, and avatar from connected platforms
  • Scope Permissions: A record of what permissions you have granted (e.g., video.upload, content_publish)

We request only the minimum permissions needed to publish videos to your accounts. The specific permissions for each platform are listed in Sections 11–13 below.

1.3 Content and Usage Data

We collect information about how you use the Service:

  • Video topics, scripts, and generated content (images, audio, video files)
  • Customization preferences (voice, art style, caption style, language)
  • Upload history and publishing logs
  • Series configurations and schedules
  • Credit consumption and usage events
  • Error logs generated during video creation or publishing

1.4 Payment Information

When you subscribe to a paid plan, payment information is collected and processed by Stripe. We do not store your credit card number, CVV, or full payment card details on our servers. We receive from Stripe:

  • Subscription status and plan tier
  • Billing cycle and payment history
  • Last four digits of your payment method (for display purposes only)
  • Stripe customer ID (to link your ViralPilot account to your Stripe record)

1.5 Technical Data

We automatically collect:

  • IP address and approximate geolocation (country/region level)
  • Device type and browser information
  • Usage analytics and performance metrics
  • Error reports and debugging logs

2. How We Use Your Information

2.1 Core Service Functions

  • Video Generation: Process your inputs (topic, style, voice preferences) to create AI-generated videos including scripts, images, voiceover, captions, and AI animation
  • Social Media Publishing: Use your OAuth tokens to upload and publish videos to your connected accounts on your behalf, only when you authorize it
  • Content Management: Store and organize your video series, schedules, and publishing history
  • Authentication: Verify your identity and maintain secure access via Clerk
  • Billing: Process subscriptions, track credit usage, enforce plan limits, and manage billing through Stripe

2.2 Service Improvement

  • Analyze usage patterns to improve features and performance
  • Debug errors and optimize video generation quality
  • Develop new features based on how the Service is used
  • Monitor system health and prevent abuse

2.3 Communication

  • Send service updates and important notifications (e.g., billing issues, scheduled maintenance)
  • Respond to support requests
  • Notify you about account activity or security issues
  • Share product updates (you may opt out of non-essential emails at any time)

3. How We Store and Protect Your Data

3.1 Data Storage

Your data is stored using the following infrastructure:

  • Supabase (PostgreSQL): Account data, series configurations, video metadata, and usage records — hosted in the United States
  • Supabase Storage: Generated videos, images, and audio files
  • Google Cloud Run: API processing — hosted in us-central1 (Iowa, USA)
  • Vercel: Frontend hosting with global CDN distribution

All sensitive data is encrypted at rest in the database and encrypted in transit using HTTPS/TLS.

3.2 Security Measures

  • OAuth tokens are encrypted before storage using industry-standard encryption
  • Authentication is managed by Clerk with enterprise-grade security controls
  • All API endpoints require authentication and enforce access controls
  • Rate limiting is applied to prevent abuse and brute-force attacks
  • Webhook payloads are verified using platform-specific verification tokens

3.3 Data Retention

  • Account data: Retained while your account is active
  • Generated videos: Stored according to your subscription plan
  • Logs and analytics: Retained for up to 90 days
  • After account deletion: Personal data is removed within 30 days; backups containing deleted data are purged within 90 days

4. Sharing Your Information

4.1 Third-Party Services We Use

We share limited data with the following third parties to provide the Service:

AI Content Generation (no personal identifiers sent):

  • OpenAI: Receives text prompts (your topic and instructions) for script generation. No account data, email, or personal identifiers are included in API calls.
  • ElevenLabs: Receives generated script text for voice synthesis. No personal identifiers are sent.
  • Replicate: Receives text prompts for AI image generation. No personal identifiers are sent.
  • AIML API: Receives generated images for AI image-to-video animation. No personal identifiers are sent.

Authentication and Payments:

  • Clerk: Authentication and identity management (receives your email, name, and login data)
  • Stripe: Payment processing and subscription management (receives your payment method and billing details)

Social Media Platforms (only when you authorize publishing):

  • TikTok: Video files and metadata
  • Instagram / Meta: Video URLs and captions
  • YouTube / Google: Video files and metadata

Infrastructure:

  • Supabase: Database and file storage
  • Google Cloud: API hosting
  • Vercel: Frontend hosting

4.2 What We Do NOT Do

  • We do not sell your personal information to third parties
  • We do not share your OAuth tokens with anyone outside of direct API calls to the respective platform
  • We do not use your content to train AI models
  • We do not share analytics data that identifies individual users
  • We do not share your payment details beyond what Stripe requires to process your subscription

4.3 Legal Requirements

We may disclose your information if required by law, or in good faith belief that such action is necessary to:

  • Comply with legal processes or government requests
  • Enforce our Terms of Service
  • Protect the rights, property, or safety of ViralPilot or its users
  • Investigate fraud or security incidents

5. Your Rights and Choices

5.1 Access and Control

You have the right to:

  • Access Your Data: Request a copy of all personal data we hold about you
  • Update Information: Modify your account details and preferences at any time
  • Delete Your Account: Request permanent deletion of your account and associated data
  • Revoke OAuth Access: Disconnect social media accounts at any time from your dashboard
  • Export Your Content: Download videos you have created
  • Opt Out of Marketing: Unsubscribe from promotional emails at any time

5.2 Social Media Permissions

You can manage social media permissions by:

  • Disconnecting accounts in your ViralPilot dashboard settings
  • Revoking access directly in TikTok, Instagram, or YouTube account settings
  • Choosing which platforms to publish to for each video or series

When you disconnect a social media account, we delete the stored OAuth tokens for that account. We will no longer be able to post to that account unless you reconnect it.

6. Cookies and Tracking

6.1 Cookies We Use

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Functional Cookies: Remember your preferences such as theme, language, and dashboard settings.
  • Analytics Cookies: Help us understand how you use the Service so we can improve it. You can opt out of these.

6.2 Third-Party Cookies

  • Clerk: Sets authentication cookies to keep you signed in
  • Vercel Analytics: Collects anonymous performance metrics

6.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service. Refer to your browser's help documentation for instructions on blocking or deleting cookies.

7. Children's Privacy

The Service is not intended for users under 13 years of age (or 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at privacy@getviralpilot.com and we will delete it promptly.

8. International Data Transfers

Your data is primarily stored and processed in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) with our processors where applicable
  • Encryption of data in transit and at rest
  • Compliance with applicable data protection laws

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Request restriction of processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

Legal Basis for Processing: We process your data based on:

  • Contract Performance: To provide the Service you signed up for
  • Legitimate Interest: To improve our Service, prevent fraud, and ensure security
  • Consent: For marketing communications and optional analytics
  • Legal Obligation: To comply with applicable laws

To exercise your GDPR rights, contact us at privacy@getviralpilot.com. We will respond within 30 days.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: What personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information — we do not sell or share your data for advertising purposes
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

We do not sell personal information. We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.

11. TikTok-Specific Privacy Information

When you connect your TikTok account, we request the following permissions:

  • user.info.basic — to read your TikTok username and profile information
  • video.upload — to upload video files to your TikTok account
  • video.publish — to publish uploaded videos to your TikTok profile

How we use your TikTok connection:

  • We store your TikTok access token securely encrypted in our database
  • We only access your TikTok account when you explicitly authorize video uploads (through series scheduling or manual publishing)
  • We do not access your TikTok messages, followers list, likes, or other private data
  • You can revoke our access at any time in TikTok Settings > Security and login > Manage app permissions

12. Instagram-Specific Privacy Information

When you connect your Instagram Business account, we request the following permissions:

  • instagram_business_basic — to read your profile information (username, profile picture)
  • instagram_business_content_publish — to publish Reels to your account on your behalf
  • instagram_business_manage_comments — to read comments on your posts for engagement analysis and content suggestions

How we use your Instagram connection:

  • We use long-lived tokens (60-day expiry) that refresh automatically to maintain your connection
  • We only upload videos that you explicitly authorize through series scheduling or manual publishing
  • Comment data is analyzed in real-time for content suggestions and is not permanently stored beyond the analysis session
  • You can disconnect via your ViralPilot dashboard, Instagram Settings, or Facebook App Settings at any time

13. YouTube-Specific Privacy Information

ViralPilot uses YouTube API Services to provide YouTube integration features. By using these features, you agree to the YouTube Terms of Service. You can learn about how Google handles your data by reviewing the Google Privacy Policy.

When you connect your YouTube/Google account, we request the following permissions:

  • youtube.upload — to upload videos to your YouTube channel
  • youtube.readonly — to read your channel information (channel name, subscriber count)
  • youtube.force-ssl — to ensure all API communication is encrypted

How we use your YouTube connection:

  • We store your Google OAuth refresh token securely encrypted
  • We only upload videos that you explicitly authorize
  • We do not access your YouTube comments, subscribers list, or revenue data
  • Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements

13.1 Revoking YouTube Access

You can revoke ViralPilot's access to your YouTube/Google data at any time by:

13.2 Deleting Your YouTube Data

When you disconnect your YouTube account or delete your ViralPilot account, we will:

  • Delete your stored Google OAuth tokens (access token and refresh token) immediately
  • Delete your YouTube channel metadata (channel name, channel ID) within 30 days
  • Delete any YouTube video performance data (views, likes, comments counts) associated with your account within 30 days

To request immediate deletion of all YouTube-related data, contact us at privacy@getviralpilot.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make changes:

  • We will update the "Last Updated" date at the top of this page
  • For significant changes, we will notify you via email before the changes take effect
  • Continued use of the Service after changes take effect constitutes acceptance of the updated policy

15. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

We will respond to privacy inquiries within 30 days.

← Back to Home