Privacy Policy
Last updated: 27 May 2026
This Privacy Policy explains how PromptCut (operated by Sebastian Kwasniok) collects, uses, and protects your personal data. We are the controller within the meaning of Art. 4 No. 7 GDPR.
1. Data we collect
- Account data — email, name, hashed password. For Google sign-in: email, name, Google account ID.
- Billing data — your Stripe customer ID and subscription status. We never see your card details; Stripe handles them directly.
- Content — videos you upload, processed outputs, AI prompts, and transcripts generated from your videos.
- Usage data — IP address (used for rate limiting and abuse prevention), API call timestamps, error logs.
- Cookies — a session cookie (NextAuth JWT) for authentication, and an optional analytics cookie (see section 5).
2. How we use it (legal basis)
- To provide the service (Art. 6(1)(b) GDPR — contract performance): processing your videos, managing your account, billing.
- To prevent abuse (Art. 6(1)(f) GDPR — legitimate interest): rate limiting, fraud detection, security logging.
- To send transactional email (Art. 6(1)(b)): password resets, email verification, billing receipts.
- To comply with law (Art. 6(1)(c)): tax records, DMCA responses.
We do not use your data for AI model training. We do not sell your data.
3. Sub-processors
We use the following third parties to operate the Service:
- Railway (USA, with EU regions) — container hosting + persistent storage for uploaded videos and outputs
- Vercel (USA / Frankfurt EU region) — historic hosting + analytics (Vercel Analytics, only with cookie consent)
- Supabase (EU region) — PostgreSQL database storing accounts + jobs metadata
- Anthropic (USA) — Claude AI for prompt interpretation (text only — no video content sent)
- AssemblyAI (USA) — speech-to-text for captions (only when you enable captions)
- Stripe (USA / Ireland) — payment processing (no card data ever touches our servers)
- Resend (USA) — transactional email delivery (verification, password reset, billing)
- Google (USA) — OAuth login (only if you sign in with Google)
Transfers to US providers are protected by Standard Contractual Clauses and (where applicable) the EU–US Data Privacy Framework.
4. Retention
- Account data — kept until you delete your account.
- Uploaded videos and outputs — automatically deleted 7 days after upload.
- Server logs — kept 30 days for security and debugging, then deleted.
- Billing records — retained for the period required by German tax law (currently 10 years).
5. Cookies and analytics
We use a single essential cookie (the NextAuth session JWT) which cannot be opted out of — it's required for login to work. Optional analytics (Vercel Analytics) only run if you accept cookies in the banner. Analytics data is aggregated and does not identify individual users.
6. Your rights (GDPR)
You have the right to:
- Access the data we hold about you (Art. 15)
- Correct inaccurate data (Art. 16)
- Delete your account and associated data (Art. 17) — available from the dashboard
- Export your data in a portable format (Art. 20) — request via email
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent (Art. 7(3)) — where processing is based on consent (e.g. analytics cookies), you can withdraw it at any time without affecting the lawfulness of past processing. To be asked again, clear the cookie banner choice via your browser's site-data settings.
- Lodge a complaint with your data protection authority. For German users: the Berliner Beauftragte für Datenschutz und Informationsfreiheit, or the authority in your federal state.
To exercise any right, email privacy@promptcut.online. We respond within 30 days.
7. Security
Passwords are hashed with bcrypt (cost factor 13). Connections use TLS 1.2+. API keys and webhook signatures are validated. Access to production data is restricted. No system is fully secure — if you discover a vulnerability, please email security@promptcut.online.
8. Changes
We'll notify you of material changes via email or in-app notice. Continued use after the effective date constitutes acceptance.
9. Contact
Privacy questions: privacy@promptcut.online
Controller details: see Impressum.