Privacy Policy

We collect information you provide directly, information generated when you use the service, and certain technical data from your device and browser.

• Account information: email address, display name, and profile data from sign-in (including Google or Apple OAuth when you choose those options).
• Billing information: subscription tier, credit balance, and payment-related identifiers managed by Stripe. We do not store full payment card numbers on our servers.
• Generation data: prompts, model settings, reference uploads, generated outputs, run status, errors, and credit usage associated with your account.
• Uploads: files you upload (images, videos, audio) plus metadata such as file type, size, and dimensions.
• Abuse-prevention signals: signup IP address and a hashed device fingerprint used to detect duplicate accounts and referral fraud. We do not store raw browser fingerprint signals.
• Communications: messages you send to us (for example, support email).
• Analytics and marketing data: product usage events, page views, and conversion-related data described in the Cookies & tracking section below.

We use the information we collect for the following purposes:

• Provide, operate, and improve the service, including AI generation, storage of your outputs, and account management.
• Process subscriptions, credit purchases, refunds, and billing through Stripe.
• Prevent fraud, abuse, and unauthorized access (including signup-bonus and referral protections).
• Measure product usage and diagnose errors to improve reliability.
• Attribute advertising performance when you arrive from a marketing campaign.
• Respond to your requests and provide customer support.
• Comply with legal obligations and enforce our Terms of Service.

We share information with service providers and partners who help us operate the service. We do not sell your personal information. Categories of recipients include:

• Supabase — authentication, database hosting, file storage, and realtime updates.
• Stripe — payment processing, subscription management, and billing webhooks.
• PostHog — product analytics (user ID, email, plan traits, and usage events when you are signed in).
• Meta (Facebook) — advertising attribution via browser pixel and server-side conversion API, using hashed identifiers where applicable.
• Sentry — error monitoring and performance diagnostics (default PII collection is disabled).
• Inngest — background job orchestration for generation workflows.
• AI model providers — including Google (Gemini, Veo), OpenAI (Sora), Fal.ai (Kling), and ByteDance (Seedance) when you use those models. These providers receive your prompts and, when applicable, temporary access to reference media to fulfill your generation request.
• YouTube transcript services — when you use Automated Video with a YouTube source, we fetch publicly available caption data server-side to build your scene plan.

Disclosure to the parties above occurs through secure, industry-standard channels:

• HTTPS API calls between our servers and third-party services.
• Signed, time-limited URLs that grant AI providers temporary read access to your uploaded reference files without making your private storage bucket public.
• Signed webhooks (for example, Stripe and Inngest) verified with cryptographic signatures before we act on them.
• A first-party analytics proxy that forwards product events to PostHog without passing your session cookies to the analytics host.
• Hashed or pseudonymous identifiers sent to Meta's Conversions API (email and user ID are hashed before transmission).

We and our partners use cookies and similar technologies:

• Essential cookies: Supabase authentication cookies that keep you signed in.
• Functional cookies: short-lived cookies for post-sign-in redirects and referral attribution.
• Marketing cookies: Meta browser cookies (_fbp, _fbc) used for ad attribution when our marketing integrations are enabled.
• Local storage: your browser may store draft funnel answers, UI preferences, and dismissed collage items locally. This data stays on your device unless you submit it as part of a generation or account action.

We retain account and generation data for as long as your account is active or as needed to provide the service. Generated outputs and run history remain associated with your account until you request deletion or we remove them under our retention policy.

Chat messages sent through our chat feature are processed in real time and are not stored on our servers after the conversation ends.

Short-lived technical records (such as API idempotency keys) are purged automatically on a rolling basis.

To request access to or deletion of your data, contact us at the email below. We will respond within a reasonable timeframe.

We implement technical and organizational measures designed to protect your information, including:

• Encryption in transit (TLS) for all connections between your browser, our servers, and integrated services.
• Row-level security in our database so each user can access only their own runs, outputs, and billing records.
• Private object storage with owner-scoped paths; media is served via signed URLs with limited expiry.
• Server-only storage of API keys and service credentials; they are never exposed to the browser.
• Webhook signature verification for payment and job events.
• Verified JWT checks on sensitive API routes rather than trusting cookie presence alone.
• Error monitoring configured without sending default personally identifiable information to Sentry.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from signing in.

You may opt out of certain marketing cookies through your browser or platform ad settings.

You can update your account email and display name through your account settings where available.

For data access, correction, or deletion requests, email us at the contact address below.

swagga.ai is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us and we will delete it.

We operate from the United States. If you access the service from outside the U.S., your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes may also be communicated by email or in-app notice where appropriate.

Effective date: June 10, 2026.

If you have questions about this Privacy Policy or our data practices, contact Rainey LLC at hello@swagga.ai.