Privacy Policy

Last updated:

1. Summary

We collect only what we need to run Haze Clips: an email address to create your account, the videos and prompts you submit so we can process them, and basic usage analytics so we can fix bugs and improve the product. We do not sell your data and we do not train AI models on your User Content.

2. Data we collect

  • Account data. Email address, hashed password (or OAuth token), display name. Stored in Supabase Auth.
  • Uploaded content. Source videos, audio, images, transcripts, and the clips we generate from them. Stored in Cloudflare R2 in a private bucket; accessed only via signed URLs.
  • Billing data. Stripe customer ID and subscription status. We do not store full credit-card numbers — Stripe does.
  • Publishing tokens. OAuth tokens for TikTok, YouTube, and Instagram, encrypted at rest with AES-256-GCM.
  • Product analytics. Page views, feature events, and anonymized session replays via PostHog.
  • Error telemetry. Stack traces and request metadata via Sentry. We scrub email and tokens from breadcrumbs.
  • Logs. IP address, user-agent, and request paths for security and abuse prevention; retained for 30 days.

3. How we use your data

  • To provide the Service: transcribe, analyze, render, publish.
  • To bill you and prevent fraud (via Stripe).
  • To send transactional email (renders complete, payment failed).
  • To improve the product and prioritize bug fixes.
  • To comply with legal obligations.

4. Google + YouTube user data

When you connect a YouTube account to Haze Clips, you authorize us via Google's OAuth 2.0 flow. We request only the minimum scopes required to publish short videos to your own YouTube channel and to display your account name in our UI.

Scopes we request

  • https://www.googleapis.com/auth/youtube.upload — required so you can publish AI-generated short clips from Haze Clips directly to your YouTube channel via the YouTube Data API v3videos.insert endpoint.
  • https://www.googleapis.com/auth/userinfo.profile— used once at connection time to fetch your Google account display name so we can show “Connected as <name>” in your publishing settings.
  • https://www.googleapis.com/auth/userinfo.email — used once at connection time to associate the connection with your Google email for audit logs and support.

How we use Google data

  • YouTube upload: when you click “Publish to YouTube” on a clip, we call videos.insert to upload the clip MP4 to your own YouTube channel, with the title, description, hashtags, and visibility you chose in the publish dialog. We do not upload to any other channel.
  • Account display: we store your Google account display name and email and a stable Google account ID. We do not read your subscriptions, watch history, playlists, comments, or any other YouTube data.

How we store Google data

  • OAuth access and refresh tokens are encrypted at rest with AES-256-GCM in our Supabase Postgres database. Encryption keys are stored separately from the database.
  • We never log raw OAuth tokens to console output, telemetry, or error tracking. Sentry breadcrumbs are scrubbed for token strings.
  • Tokens are transmitted only between our backend and Google's OAuth and Data API endpoints, always over TLS.

Disconnecting + deletion

You can disconnect YouTube at any time from Settings → Publishing. When you click Disconnect, we (a) call Google's https://oauth2.googleapis.com/revokeendpoint to revoke the refresh token on Google's side, and (b) delete the local encrypted token and account row from our database. You can also revoke our access directly at myaccount.google.com/permissions.

Limited Use compliance

Haze Clips's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not use Google user data for serving advertisements.
  • We do not use Google user data to train, fine-tune, or develop AI models. The clips we generate are created from your own uploaded videos and YouTube URLs you submit, not from any data obtained via Google APIs.
  • We do not sell or transfer Google user data to third parties for purposes other than providing or improving Haze Clips's user-facing features.
  • Human review of Google user data is performed only with your explicit consent for support purposes, when required by law, for security investigations, or in aggregated/anonymized form.

5. Third-party processors

We share the minimum data necessary with the following sub-processors:

  • Supabase — Postgres database and authentication.
  • Cloudflare R2 — object storage for videos and renders.
  • Stripe — payment processing and customer portal.
  • OpenAI — image and text generation models for AI b-roll and conversational features.
  • Anthropic — language models for clip ranking and caption generation.
  • Google DeepMind — generative-music models for AI background music.
  • Replicate — model hosting for hosted inference.
  • Deepgram — automatic speech recognition.
  • PostHog — product analytics and session replay.
  • Sentry — error monitoring.
  • Hostinger SMTP — transactional email delivery.
  • Vercel — web hosting (US region).

6. Data retention and deletion

Videos, transcripts, and renders are retained until you delete them or close your account. When you close your account, we permanently delete your User Content and identifying data within 30 days, subject to legal retention obligations (such as Stripe invoice records). Server logs are kept for 30 days.

7. Your rights (GDPR + CCPA)

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (“right to be forgotten”).
  • Receive your data in a portable format.
  • Object to processing or withdraw consent.
  • Opt out of the sale of personal information (we don't sell).

To exercise any of these rights, email mail@hazeclips.com. We will respond within 30 days.

8. Security

We use TLS for data in transit, encryption at rest for OAuth tokens (AES-256-GCM), private R2 buckets with signed-URL access, and server-side enforcement of plan and quota gates. No system is perfectly secure — please report suspected vulnerabilities to mail@hazeclips.com.

9. Children

Haze Clips is not directed at children under 13 (or 16 in the EU). We do not knowingly collect their data. If you believe a child has provided us with data, contact us and we will delete it.

10. International transfers

We are based in the United States; our infrastructure is hosted in US regions. If you access the Service from outside the US, your data will be transferred to and processed in the United States.

11. Changes to this policy

We may update this Privacy Policy. Material changes will be announced by email or in-app notice at least 14 days before they take effect.

12. Contact

Questions about this policy? Email mail@hazeclips.com.