Quick summary. We collect the minimum data needed to run your account and generate your videos. We never sell your data. We use Supabase (EU-hosted option available) as our primary database and auth provider, and a small set of named sub-processors listed below. You can export or delete everything at any time from your account — or by emailing hello@quakly.ai.
1. Who we are
The data controller is Quakly Labs, the operator of the Service reachable at https://quakly.ai. You can reach us at hello@quakly.ai. For data-protection matters specifically, use the subject line “Data Request”.
2. What we collect
2.1 Data you provide
- Account data: name, email address, hashed password (or SSO identifier for Google / GitHub sign-in), language preference.
- Billing data: plan selection, billing address, and payment method identifiers. Full card numbers are handled exclusively by Stripe; we only store the last four digits and card brand.
- Brand kit + content inputs: logos, colour palettes, voice samples (for cloning), prompts, scripts, and uploaded assets.
- Connected accounts: OAuth tokens for TikTok, Instagram, YouTube, and LinkedIn, limited to the scopes required to publish on your behalf.
- Communications: support tickets, feedback, survey responses.
2.2 Data we generate
- Generated videos, voiceovers, captions, and thumbnails.
- Publishing metadata (post status, scheduled times, platform IDs).
- Usage analytics: feature engagement, job counts, error logs, audit trails for account actions.
2.3 Data collected automatically
- IP address, approximate location (city / country), user-agent, device type, referrer URL.
- Cookies and similar technologies — see Section 6.
3. Why we collect it (legal bases)
We process your personal data under the following GDPR legal bases:
- Performance of a contract — to provide the Service, run billing, publish to your connected accounts.
- Legitimate interests — to secure the Service, detect fraud, improve features through aggregated analytics, and contact existing customers about material product changes.
- Consent — for marketing emails, non-essential cookies, and voice-cloning processing. You can withdraw consent at any time without affecting prior processing.
- Legal obligation — when required by tax, accounting, or law-enforcement requests we are legally compelled to comply with.
4. How we share data — sub-processors
We rely on a small set of vendors to run the Service. Each has a data processing agreement (DPA) in place and is bound to our security standards. Current sub-processors:
- Supabase — managed Postgres, authentication, and object storage. EU-hosted region available on request.
- Stripe — subscription billing and payment processing (PCI-DSS Level 1).
- OpenAI, Anthropic — script and copy generation. Prompts you submit may transit these providers; neither retains content for model-training purposes under our enterprise agreements.
- ElevenLabs — voice cloning and text-to-speech. Voice samples are stored under your account and deleted on request or when you cancel.
- Runway / Luma (or equivalent diffusion providers) — image and short video generation.
- AWS / Cloudflare — hosting, CDN, DDoS mitigation.
- TikTok, Instagram, YouTube, LinkedIn — where you connect accounts to auto-publish, we transmit your generated videos and post metadata under the scopes you authorised.
- Customer-support tooling — e.g. a helpdesk inbox provider; any messages you send us pass through it.
We maintain an up-to-date list at quakly.ai/privacy and will notify customers by email in advance of adding or replacing a sub-processor that materially changes how data is handled.
5. International transfers
Depending on your region and plan, data may be stored in the United States or the European Union. Transfers out of the EEA, UK, or Switzerland rely on the European Commission's Standard Contractual Clauses (SCCs) and, where appropriate, supplementary technical measures such as encryption in transit and at rest. Enterprise customers on the Whole Flock plan may request EU-only data residency.
6. Cookies and similar technologies
We use a minimal set of cookies:
- Strictly necessary — session cookies to keep you signed in and secure the account.
- Preferences — your language, timezone, and UI preferences.
- Analytics (opt-in) — privacy-respecting, aggregated usage analytics. You can opt out via the cookie banner.
We do not place advertising cookies on the Service.
7. How long we retain data
- Account data — for as long as your account is open, and up to 90 days after deletion (to allow recovery / disputes), unless a longer period is legally required.
- Generated videos and assets — 90 days after they are created, after which they are removed from active storage. Keep local copies if you need them longer.
- Billing records — up to 10 years, per applicable tax law.
- Support conversations — 3 years.
- Voice samples — deleted within 30 days of your request or account closure.
8. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, LGPD, or similar), you have the right to:
- Access the personal data we hold about you.
- Correct or update inaccurate data.
- Delete your data (right to erasure / right to deletion) — subject to lawful exceptions.
- Export your data in a portable format.
- Restrict or object to certain processing.
- Withdraw consent at any time.
- Opt out of the “sale” or “sharing” of personal information under CCPA (we do not sell personal information as defined under CCPA).
- Lodge a complaint with your local data-protection authority if you believe we are mishandling your data.
Exercise any of these rights via your account settings or by emailing hello@quakly.ai. We will respond within 30 days (or sooner where required).
9. Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256), enforce SSO and least-privilege access internally, run continuous dependency scanning, and maintain audit logs for privileged actions. SOC 2 Type II audit is in progress. No system is 100% secure — if you suspect unauthorised access to your account, email hello@quakly.ai immediately.
10. Children
The Service is not directed at children under 16 (under 13 in the United States). We do not knowingly collect personal data from children. If you believe a child has provided personal information, contact us and we will delete it.
11. AI disclosures
The Service uses generative models to produce text, voice, and visual content from prompts and brand data you provide. You are responsible for reviewing generated output before publication. Quakly does not grant rights to publish likenesses of real people without consent and prohibits impersonation — see our Terms & Conditions.
12. Changes to this Policy
When we materially change this Policy, we will update the “Last updated” date above and, for significant changes, email active account-holders at least 14 days in advance.
13. Contact
Questions, requests, or complaints? Email hello@quakly.ai. For EU/UK data subjects, you may also contact your local supervisory authority.
This Privacy Policy is a baseline tailored for Quakly Labs's current sub-processor stack. Jurisdiction-specific obligations (e.g. CPRA, HIPAA, appointed EU representative, children's data, sector-specific rules) may require further review with counsel before commercial launch.