Privacy Policy

Last Updated: August 13, 2025

Effective Date: August 13, 2025

1. Introduction & Scope

This policy applies to users of SparkFlowAI ("Platform"), an AI-driven video remixing service that:

p
  • Processes user-uploaded videos/images/audio ("Source Media")
  • Generates AI content (e.g., translated subtitles, synthetic voices, visual effects)
  • Outputs remixed videos ("Output Media")

Regional Addendum Notice: Location-specific addendums (e.g., EU, California, China) override conflicting terms in this main policy.

2. Data Controller & Contact

Controller

SparkFlowAI

Zhengzhou,CN

3. Data Collected & Purpose

Data CategoryPurposeLegal Basis (GDPR)
Account Data (email, name)User authentication, service deliveryContractual necessity
Source Media (videos, images, audio)AI remixing, subtitle generation, voice synthesisConsent (explicit for biometric/health data)
Usage Data (clip edits, template choices)Service optimization, fraud preventionLegitimate interests
AI Outputs (synthetic voices, translated text)Delivering remixed videosConsent
Technical Logs (IP, device ID)Security, complianceLegal obligation

Sensitive Data Alert

  • Biometric data (e.g., voiceprints) requires explicit consent in the EU/China
  • Children's data (under 13/16) is not knowingly collected

4. Data Sharing & Transfers

Third Parties

  • Cloud Providers (AWS/GCP): Storage/processing under DPAs
  • AI Model Vendors (e.g., OpenAI Whisper): Anonymized data only
  • Payment Processors (Stripe): Tokenized financial data

Cross-Border Transfers

  • EU → US: Relies on SCCs + AES-256 encryption
  • China → Global: Complies with PIPL Chapter 3 (security reviews + user consent)

5. User Rights

Submit requests via rights@qlxxkj.eu.org

RightGDPRCCPAChina PIPL
Access/Portability
Deletion
Opt-out of profiling/sale✅ (Do Not Sell)
Restrict processing
Object to automated decisions

Response Time: 30 days (45 for complex CCPA requests)

6. Data Security & Retention

Encryption

AES-256 for storage, TLS 1.3+ for transit

Retention

  • Source Media: Deleted after 6 months (configurable to 30 days)
  • Output Media: Retained until user deletion

Breach Response

Notify regulators (72hrs under GDPR) and users (high-risk cases)

8. Policy Updates & Consent

  • Updates notified via email/platform banner 30 days pre-effective date
  • Continued use = acceptance of revised terms

Implementation Guidance

  • Host policy at https://sparkflowai.vercel.app/privacy with version history
  • EU: Granular checkboxes for specific consent (e.g., "Enable AI voice synthesis")
  • CCPA: "Do Not Sell My Personal Information" link in footer
  • Auto-redirect users to relevant addendum based on IP/geo-settings
  • Maintain audit trail for all consent actions and data requests