Privacy Policy

Last Updated: 13.05.2026

This Privacy Policy ("Policy") explains how ViralUp ("Company", "we", "our", or "us") collects, uses, and protects personal information from users ("Users") of the ViralUp AI application ("Application").

By downloading, accessing, or using the Application, you agree to the practices described in this Policy.

1. Data We Collect

ViralUp AI is designed to minimize the collection of personal data. The Application may collect the following information:

Account Information

  • Email address (if the user creates an account)

User Generated Content

  • Text prompts entered by users
  • Video generation settings
  • Content generated through the AI video generation features

Technical Information

  • Device type
  • Operating system version
  • App performance data
  • Crash reports

No sensitive personal information such as identity numbers, payment card details, or precise location data is collected by the Application.

2. How We Use Collected Data

The collected data may be used for the following purposes:

  • Creating and managing user accounts
  • Generating AI videos based on user prompts
  • Improving AI model performance and application features
  • Analyzing app performance and fixing technical issues
  • Providing user support
  • Preventing abuse, fraud, or misuse of the Application

3. AI Processing

The Application allows users to generate videos using artificial intelligence technologies.

User prompts, generation settings, and related data may be temporarily processed by AI systems to generate requested videos.

This data is used only for processing the requested generation task and improving service performance.

4. Data Sharing

ViralUp AI does not sell or rent user personal data.

User data may be shared only in the following circumstances:

  • With trusted third-party service providers required to operate the Application (such as cloud infrastructure or AI processing services)
  • When required to comply with legal obligations or law enforcement requests
  • To protect the security and integrity of the Application or its users

5. Third Party Services (Sub-Processors)

The Application relies on the following sub-processors to function. Each is listed with its purpose, hosting region, and the safeguard relied on for international transfers where applicable. ViralUp maintains a Data Processing Addendum (DPA) on file with each named processor or relies on the processor's standard Terms of Service where a DPA is not separately negotiated (as noted).

Hosting and Infrastructure

  • Vercel Inc. (USA) - Application hosting, edge network, CDN, serverless functions. Processes IP address, User-Agent, request payloads, server logs. Safeguard: Standard Contractual Clauses (SCCs); Vercel DPA on file.
  • Google Cloud / Firebase (USA, EU multi-region) - Authentication, Firestore database, Cloud Storage, Cloud Functions. Processes account credentials, user profile data, application state, video assets. Safeguard: SCCs; Google Cloud DPA on file.

Payments and Billing

  • LemonSqueezy (Paddle Inc.) (USA, merchant of record) - Subscription billing, payment processing, tax handling, refunds. Processes payment method, billing address, transaction history, customer email. Safeguard: SCCs; LemonSqueezy DPA on file.

Analytics and Attribution

  • PostHog Inc. (EU region: eu.i.posthog.com) - Product analytics, session replay, feature flags. Processes user actions, page views, device fingerprint (anonymized), hashed identifiers. Safeguard: EU data residency; PostHog DPA on file.
  • Google Analytics 4 (Google LLC) (USA) - Web analytics, conversion attribution. Processes IP address (truncated), client identifiers, conversion events. Safeguard: SCCs; Google Ads Data Processing Terms on file. Consent-gated per Consent Mode v2 for EU/EEA/UK/CH visitors.
  • Meta Platforms (Facebook Pixel + Conversions API) (USA / EU mixed) - Conversion tracking, lookalike audience seeding for Meta ads. Processes hashed email, client identifiers (fbp/fbc cookies), conversion events. Safeguard: SCCs; Meta Business Tools Terms of Service. Consent-gated for EU/EEA/UK/CH visitors.
  • TikTok (ByteDance Ltd. - Pixel + Events API) (USA / Singapore / Ireland) - Conversion tracking, lookalike audience seeding for TikTok ads. Processes hashed email, client identifiers (ttp/ttclid), conversion events. Safeguard: SCCs; TikTok Business Tools Terms of Service. Consent-gated for EU/EEA/UK/CH visitors.

Observability and Operations

  • Sentry (Functional Software Inc.) (EU region: de.sentry.io) - Error tracking, performance monitoring, optional error-linked session replay. Processes error stack traces, user uid (no email), browser metadata. Safeguard: EU data residency; Sentry DPA on file.
  • Resend Inc. (USA) - Transactional email delivery (verification, receipts, dunning, lifecycle). Processes email address, subject, body. Safeguard: SCCs; Resend DPA on file.
  • Slack Technologies (Salesforce Inc.) (USA) - Internal operations alerting (refund alerts, error noise, user feedback notifications). Processes only internal context payloads; never user-identifying free-text fields. Safeguard: SCCs; Salesforce DPA on file.
  • Telegram Messenger Inc. (UK / various) - Operator-only revenue mirror for internal monitoring (best-effort, not user-facing). Processes only internal context; never user-identifying free-text fields. Safeguard: standard Terms of Service; no DPA (internal-tool usage only).

AI and Video Generation

  • OpenAI L.L.C. (USA) - Text generation, script processing for video concept synthesis. Processes prompts (user-supplied content), generated text outputs. Safeguard: SCCs; OpenAI Enterprise DPA on file. OpenAI does not train on API data per their policy.
  • Google AI (Gemini) (USA) - Image generation, multi-modal AI processing. Processes prompts (user-supplied content), generated image outputs. Safeguard: SCCs; Google Cloud Vertex AI DPA on file. Gemini API does not train on customer data per Google policy.
  • ElevenLabs Inc. (USA) - Voice generation (text-to-speech). Processes text prompts and voice IDs. Generated audio is returned to ViralUp; ElevenLabs retains usage logs per their privacy policy. Safeguard: SCCs; ElevenLabs DPA on file.
  • Kling AI (Kuaishou Technology Co., Ltd.) (China) - AI video generation (the core scene-rendering pipeline). Processes text prompts, reference images (user-uploaded or sample-content), returns generated video. Hosted in China. EU users: data is transferred to China; safeguard relies on Kling AI's standard terms (no SCC-equivalent available). ViralUp does NOT send user-identifying fields (no email, uid, or account context) to Kling AI; only the prompt + image payload. See Section 4 for the lawful basis (legitimate interest in providing the requested service). Users who object can disable video generation by not invoking the trial or create flow.
  • ZapCap Ltd. (UK) - Automated caption generation for generated videos. Processes audio track and returns SRT/VTT caption file. Safeguard: UK GDPR adequacy decision (no SCCs required for UK transfers); ZapCap standard terms.
  • Fal AI (fal.ai) (USA) - Auxiliary AI processing pipeline. Processes prompts and reference assets. Safeguard: SCCs; Fal AI standard terms.

Connected Platform APIs (user-initiated)

When a user opts in (Section 6) ViralUp also interacts with YouTube (Google LLC), TikTok for Developers, and Meta Graph API (Instagram) on behalf of the user. These are not sub-processors of ViralUp in the GDPR sense, but data controllers in their own right. See Section 6 for the OAuth-scoped data ViralUp accesses on the user's behalf.

All sub-processors operate under their own privacy policies. ViralUp maintains a Data Processor Register (see docs/processors-registry.md in our public repository) and updates this list when a sub-processor is added, replaced, or retired. Material changes are surfaced via the "Last Updated" date at the top of this page.

6. Connected Social Media Accounts (YouTube, TikTok, Instagram)

ViralUp lets users optionally connect their own social media accounts (YouTube, TikTok, Instagram) so that AI-generated videos can be published to those channels on the user's behalf. Connection is initiated by the user via OAuth and can be revoked at any time.

YouTube

ViralUp's use of information received from YouTube APIs, and any other Google APIs, will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

When a user connects a YouTube channel, ViralUp accesses:

  • The channel ID, channel title, and channel avatar (used only to display the connected channel in the ViralUp dashboard).
  • Permission to upload videos to the connected channel as YouTube Shorts on the user's behalf.

YouTube user data accessed through this integration is used only to display connected-channel information and to upload user-initiated content. ViralUp does not:

  • Transfer YouTube user data to third parties except as required to provide the service to the user who connected the channel.
  • Use YouTube user data for advertising or behavioral targeting.
  • Allow humans to read YouTube user data except for security or abuse investigation, support requests, or legal compliance.

Storage: OAuth refresh tokens for connected YouTube channels are stored encrypted at rest (AES-256-GCM) in our database. They are used solely to refresh access tokens when uploading videos the user has scheduled in ViralUp.

How to revoke access: Users can revoke ViralUp's access to their YouTube channel at any time via the Google Permissions page or the "Disconnect" button on the ViralUp Settings > Social Accounts page. Upon revocation, ViralUp deletes the stored access tokens and channel metadata. Videos already uploaded to YouTube are not affected and remain owned by the user on their channel.

Use of the YouTube integration is additionally subject to the YouTube Terms of Service.

TikTok

When a user connects a TikTok account, ViralUp accesses the user's display name and avatar (for dashboard display) and the permission to publish videos on the user's behalf (scopes: user.info.basic, video.publish, video.upload). OAuth tokens are stored encrypted at rest. Revoke access via TikTok account settings or the "Disconnect" button in ViralUp.

Instagram

When a user connects an Instagram account (Business or Creator account, linked to a Facebook Page), ViralUp accesses the linked Instagram username, avatar, and the permission to publish content on the user's behalf via the Meta Graph API. OAuth tokens are stored encrypted at rest. Revoke access via Meta Business Settings or the "Disconnect" button in ViralUp.

7. Data Retention

Personal data is retained only as long as necessary to provide the services of the Application.

If a user deletes their account or requests deletion, associated personal data will be removed unless retention is required by law.

Generated AI content may be stored temporarily for processing and service improvement.

8. User Rights

Users have the following rights regarding their personal data:

  • Right of Access – Request information about collected data
  • Right of Correction – Request corrections to inaccurate data
  • Right of Deletion – Request deletion of personal data

Users may exercise these rights by contacting: contact@viralup.ai

9. Data Security

ViralUp uses commercially reasonable security measures to protect user data. However, no method of transmission or storage over the internet can be guaranteed to be completely secure.

Users acknowledge this risk when using the Application.

10. Children's Privacy

ViralUp AI is not intended for individuals under the age of 13.

We do not knowingly collect personal information from children under 13. If such data is discovered, it will be deleted promptly.

11. Policy Updates

This Privacy Policy may be updated periodically to reflect changes in the Application or legal requirements.

Updates will be published within the Application or on the relevant distribution platform.

Continued use of the Application after updates constitutes acceptance of the revised Policy.

12. Contact Information

For any questions regarding this Privacy Policy, please contact:

ViralUp
Email: contact@viralup.ai