Privacy Policy

Spoolio("Spoolio," "we," "us," or "our") operates the Spoolio AI video studio platform at spoolio.ai and related products (Content Studio, Ad Studio, Marketing Hub). This Privacy Policy describes how we collect, use, share, retain, and protect personal data when you interact with the service.

Controller of your personal data. Unless explicitly stated otherwise, Spoolio is the controller of personal data collected through the service.

Contact.

• General privacy questions: privacy@spoolio.ai
• Data Protection Officer (EU/UK): dpo@spoolio.ai
• Legal: legal@spoolio.ai
• Security incidents: security@spoolio.ai

We collect personal data in the following categories. The amount and type collected depends on which features of the service you use.

Special-category and sensitive data

Voice samples and voiceprint embeddingsqualify as biometric data under the EU GDPR (Article 9(1)), the UK GDPR, the Illinois Biometric Information Privacy Act (BIPA), the Texas CUBI statute, the Washington My Health My Data Act, and similar laws. Face reference uploads may qualify as biometric data depending on jurisdiction. We process this data only with your explicit consent and apply the additional safeguards described in "Biometric data and voice cloning" below.

We use personal data for the following purposes:

• Provide the service. Create your account, run the AI generation pipeline (script → visuals → voice → music → assembly), schedule and publish videos to connected platforms, store your projects, render previews.
• Process payments. Manage your subscription tier and token balance, send invoices and receipts via Stripe, prevent payment fraud.
• Improve quality. Aggregate and analyse pipeline telemetry to improve generation quality. We do nottrain third-party foundation models on your content. See "AI training and automated decisions" below.
• Security and abuse prevention. Detect impersonation attempts (e.g. celebrity-voice cloning), prevent prohibited content generation, investigate platform abuse, enforce our Terms and Acceptable Use Policy.
• Communication. Send transactional emails (sign-in, receipt, render-complete), product announcements you opted into, and required legal notices (policy updates, security incidents).
• Legal compliance. Respond to lawful requests from authorities, enforce our Terms, comply with tax, accounting, and consumer-protection law.

If you are in the EU, UK, EEA, or Switzerland, the lawful basis under GDPR Article 6 / UK GDPR for each processing activity is:

Where we rely on legitimate interest, we have completed a balancing test and you have the right to object — contact privacy@spoolio.ai.

Voice cloning and face-reference upload are opt-in features. Spoolio does not collect biometric data unless you actively choose to enable a feature that requires it.

What we collect and process

• Voice samples you record or upload (typically 30 seconds to 2 minutes) to train a voice clone.
• Voiceprint embeddings generated by ElevenLabs from your samples and stored against your account as an ElevenLabs voice ID.
• Face reference images you upload to give consistency to characters in generated videos. These may include your face or a face you have a documented right to use.

Consent

Before we accept any biometric upload you must:

1. Tick the consent checkbox attesting that the voice or face is yours or that you have explicit, documented written permission from the person depicted.
2. Attest that you are over the minimum age in your jurisdiction (13 in the US under COPPA; 16 in the EU under GDPR-K, unless your country has set a lower threshold of 13). Underage biometric upload is blocked.
3. Read our Voice Clone Acceptable Use Policy at /acceptable-use.

Misuse prevention

Every voice sample uploaded for cloning is screened against a celebrity / public-figure voice-match service. Samples that match a recognised public voice are blocked from training, flagged for human review, or rejected. Repeated misuse leads to account termination.

Storage and retention

• Voice samples stored encrypted at rest on Cloudflare R2 (SSE-S3, AES-256).
• Voiceprint embeddings stored at our voice-AI provider (ElevenLabs) under your account's voice ID. We never share your voice samples or embeddings with other Spoolio users.
• Default retention while your account is active and the asset is in use. On deletion (see "Your rights") we soft-delete for 30 days then hard-delete from R2, request deletion from ElevenLabs, and request deletion of any biometric data held by fal.ai for face references.

Your rights regarding biometric data

You can revoke biometric consent at any time in Settings → Privacy. Revocation deletes the voiceprint and any face references associated with the revoked asset and prevents future generation runs from using them. Already-rendered videos that used the asset are not retroactively deleted unless you also request deletion of those videos.

We use the following sub-processors to operate the service. Each is contractually bound to confidentiality and appropriate security measures, and we maintain Data Processing Agreements with each.

A current sub-processor list is maintained at /dpa. We will notify customers of material sub-processor changes via in-product notice at least 30 days before they take effect, except when a change is required to address a security or legal issue, in which case we may act sooner and notify promptly thereafter.

Spoolio does not sell your personal data. We share data only:

• With sub-processors who operate the service on our behalf under data-processing terms (see preceding section).
• With third-party platforms you connect. When you connect TikTok, YouTube, Instagram, etc., and post content, we transmit that content (and metadata) to those platforms per your explicit instruction. Their privacy policies apply to data they collect.
• For legal reasons. When required by law, court order, or to investigate fraud, security incidents, or violations of our Terms.
• Business transfers. If Spoolio is acquired or merged, your data may transfer to the successor entity. We will notify you in advance and you will retain all your rights.
• With your consent. For any other sharing not described above.

Spoolio is operated from the United States and uses sub-processors in the United States and other countries. When personal data is transferred from the EU/EEA, UK, or Switzerland to a country without an adequacy decision, we rely on:

• Standard Contractual Clauses (SCCs) — module 2 (controller to processor) executed with each sub-processor, with the 2021 EU SCCs and the UK International Data Transfer Addendum where applicable.
• Supplementary measures — encryption at rest (AES-256), encryption in transit (TLS 1.2+), strict access control, and minimum-necessary data exposure to sub-processors.
• Transfer Impact Assessments (TIAs) completed for material transfers and reviewed annually.

You can request a copy of the SCCs or our TIA summary at dpo@spoolio.ai.

We retain personal data only as long as needed for the purposes described in this Policy, our contractual obligations, and our legal obligations.

You have a range of rights over your personal data. These rights may vary by jurisdiction, but Spoolio extends them to all users where operationally feasible.

Universal rights

• Access. Request a copy of the personal data we hold about you. Use Settings → Privacy → Export my data or email privacy@spoolio.ai.
• Rectification. Correct inaccurate or incomplete data. Most fields are self-service in Settings.
• Erasure ("right to be forgotten"). Delete your account and associated data. Use Settings → Account → Delete account or email privacy@spoolio.ai. See "Account deletion" below.
• Portability. Receive your data in a structured, machine-readable format (JSON + media). Available via the export flow.
• Restrict processing. Ask us to pause certain uses of your data while we resolve a complaint.
• Object to processing. Especially to direct marketing and any processing based on legitimate interest.
• Withdraw consent. For processing we rely on consent (biometric, marketing, optional analytics). Withdrawal does not affect processing that already occurred.
• Lodge a complaintwith your supervisory authority (e.g. the UK ICO, your national EU Data Protection Authority, or in the US your state Attorney General). We'd appreciate the chance to resolve it first via privacy@spoolio.ai.

How to exercise rights

Use the self-service tools in Settings → Privacy where available, or email privacy@spoolio.ai. We respond within 30 days (extendable to 60 days for complex requests under GDPR Art. 12(3)) and free of charge. We may ask for verification of identity to protect you from impersonated requests.

You can delete your account from Settings → Account. Deletion works as follows:

1. Soft delete (immediate). Your account is deactivated, login is blocked, projects are removed from queues, scheduled posts are cancelled, social account tokens are revoked at the platform where supported.
2. 30-day grace period. Data remains recoverable. Email privacy@spoolio.ai within 30 days to restore.
3. Hard delete (Day 30). A cron sweep permanently deletes account, profile, projects, generated videos, voice samples, voiceprint references, face references, and brand assets from our systems. Deletion requests are sent to ElevenLabs (voice embeddings) and fal.ai (biometric references) where applicable.

What we keep after hard delete

• Invoice and tax records for the legally-required period (typically 7 years).
• Anonymised aggregate analytics that cannot be linked to you.
• Records necessary to evidence consent or contractual performance during a relevant statutory limitation period.

Spoolio is not directed at children. You must be at least 13 years old to create an account (16 in the EU/EEA unless your country has set a lower threshold of 13 per GDPR-K).

Biometric features (voice cloning, face reference upload) require additional age attestation. Underage attempts are blocked at the point of upload.

If you believe a child under 13 has provided personal data to Spoolio without verifiable parental consent under COPPA, contact privacy@spoolio.ai and we will delete the data and the account.

We use cookies and similar technologies. The full list and configuration is in our Cookie Policy. Categories:

• Strictly necessary. Auth session, CSRF, security. Cannot be disabled.
• Preferences. Theme, language, dismissed notifications. Set after you save a preference.
• Analytics. Aggregate usage analytics. Set only with your consent via the cookie banner.
• Marketing. Conversion tracking for our own ads. Set only with your consent.

You can manage your preferences any time at Settings → Privacyor by clicking "Cookies" in the footer.

Training data

Spoolio does not train third-party foundation models on your content. Your scripts, video frames, voice samples, face references, and prompts are processed by AI sub-processors (Anthropic, fal.ai, ElevenLabs, MiniMax, Mubert) per their published policies. We use sub-processors that contractually commit to not training on customer data:

• Anthropic Claude.Per Anthropic's API terms, inputs and outputs are not used to train models.
• ElevenLabs. Per ElevenLabs Enterprise/Pro DPA, voice samples are not used for general model training; voiceprints are stored only against your voice ID.
• fal.ai (Wan 2.6 Flash). We use theX-Fal-Store-IO: 0header for biometric uploads to prevent payload persistence, and have engaged fal.ai legal for written confirmation that customer data is not used for upstream training. See "International data transfers" above.

Automated decisions

Spoolio uses automated systems to (a) detect prohibited content at the prompt and output stage; (b) detect celebrity voice impersonation in cloning uploads; (c) score and route content for editorial review on sensitive niches. These automated systems can block a generation or flag your account. You have the right to request human review of any automated decision that produces a significant effect on you. Contact trust@spoolio.ai.

AI-generated content provenance

Generated videos may include content provenance metadata (e.g. C2PA where available) indicating they are AI-generated. This is required by some platforms (e.g. EU AI Act Art. 50 transparency obligations for synthetic media). You retain copyright in the prompts and inputs you provide; commercial rights in outputs vary by tier (see our Terms).

We use industry-standard security measures to protect personal data. Detailed in our Security Practices Disclosure:

• Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM, SSE-S3 for object storage).
• OAuth tokens for connected social accounts encrypted at rest with AES-256-GCM.
• Row-level security (RLS) on every database table; least-privilege access.
• Rate limiting on all public endpoints.
• Verified Stripe webhook signatures, signed background-job dispatch.
• Annual penetration tests (post-launch).
• Incident response per "Data breach notification" below.

Data breach notification

We will notify affected users and the relevant supervisory authority (where required) within 72 hours of becoming aware of a breach likely to result in a risk to your rights and freedoms (GDPR Art. 33 + 34; US state breach laws).

We may update this Policy from time to time. Material changes will be notified via in-product notice and email at least 30 days before they take effect. The "Effective" date at the top of this page indicates when the current version became active. Previous versions are available at privacy@spoolio.ai on request.

Contact us at privacy@spoolio.ai for any privacy question or to exercise a right. Our Data Protection Officer for EU/UK matters is reachable at dpo@spoolio.ai.

You also have the right to lodge a complaint with a supervisory authority:

• EU: the Data Protection Authority of your country of residence.
• UK: the Information Commissioner's Office (ICO).
• California: the California Attorney General; the California Privacy Protection Agency for CPRA matters.
• Canada: the Office of the Privacy Commissioner of Canada; the CAI for Quebec residents.
• Australia: the Office of the Australian Information Commissioner.