Privacy Policy

1. Who we are

SmartUGC is operated by Silly Spider Ltd, a private limited company registered in England and Wales with company number 10723431 and registered office at 1 Railway Terrace, Sunderland, SR4 0PA, United Kingdom, trading as "smartUGC.ai". References to "we", "us" or "our" are to Silly Spider Ltd trading as smartUGC.ai.

For privacy questions or general support, contact us at [email protected].

2. The data we collect

We process the following categories of personal data.

• Account data. Your name, email address, hashed password, and timestamps of account creation and updates.
• Billing data. The plan you are on, your credit balance, subscription status, invoices and a customer identifier supplied by Stripe. We do not see or store your full card number — payment details are entered directly into Stripe.
• Content you provide. Prompts, scripts, reference images, brand assets, audio and video that you upload to or create within the Service (your "User Content").
• Generated outputs. Images, videos, audio and other media generated for you by the Service in response to your User Content.
• Usage and request logs. A record of each AI generation request, including the model used, the prompt sent, success or failure, and any error returned.
• Technical data. IP address, user-agent and request metadata captured by our hosting provider, our CDN (Cloudflare) and our application logs for security, abuse prevention and debugging.
• Communications. Emails or messages you send us, and our replies.

We do not knowingly collect data from anyone under 18. If you believe a child has provided personal data to us, contact us and we will delete it.

3. How we use your data and our lawful bases

We process personal data on the following lawful bases under Article 6 UK GDPR.

• Performance of a contract. To create and manage your account, generate outputs you request, take payment, allocate and debit credits, deliver receipts and provide support.
• Legitimate interests. To keep the Service secure, prevent fraud and abuse, debug failures, monitor capacity, enforce our Terms, and improve features. We balance these interests against your rights and only rely on them where the impact on you is limited.
• Legal obligation. To meet tax, accounting and other regulatory obligations (including retention of invoices), and to respond to lawful requests from authorities.
• Consent. Where we ask for it — for example, optional marketing emails. You can withdraw consent at any time without affecting earlier processing.

4. AI generation and your prompts

When you generate an image, video or voice clip, we send the necessary inputs (prompts, reference images, scripts, voice ids) to a third-party AI model provider on your behalf. We retain a record of the request and the resulting output in your account so you can return to it later.

We do not use your prompts, User Content or outputs to train our own models or general-purpose third-party models. We instruct our model providers to process content only to deliver your request. The providers' own retention and processing terms are summarised in the next section.

5. Service providers (processors)

We share personal data with the following providers, who process it on our behalf and under contract.

• Stripe — payments, subscriptions, invoices and tax handling. Stripe is a separate controller for some of its own anti-fraud purposes.
• Google (Vertex AI) — image and video generation.
• OpenRouter — routing of image and video generation requests to upstream models.
• fal.ai — lipsync and talking-actor video generation.
• ElevenLabs — text-to-speech voice generation.
• Cloudflare — DNS, TLS termination, CDN and edge security.
• Our hosting provider — to run the application servers and store uploaded files and generated outputs.
• Email and helpdesk providers — to send transactional emails and respond to support enquiries.

We may change providers from time to time. We will not add a provider whose handling of personal data is materially less protective than the providers listed above without updating this Policy.

6. International transfers

Some of our providers process personal data outside the United Kingdom, including in the European Economic Area and the United States. Where we transfer personal data outside the UK, we rely on one of the following safeguards: an adequacy decision by the UK government, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses. You can request a copy of the safeguards in place by emailing [email protected].

7. How long we keep data

• Account, User Content and outputs: for as long as your account is open. When you close your account, we delete or anonymise this data within 30 days, except where we need to retain it to comply with a legal obligation, resolve disputes, or enforce our agreements.
• Billing records and invoices: kept for at least six years to meet UK tax and accounting requirements.
• AI request logs: kept for up to 12 months for abuse prevention, capacity planning and debugging, then deleted or aggregated.
• Technical and security logs: typically kept for up to 90 days.
• Marketing preferences: kept until you unsubscribe and for a short period afterwards to honour your opt-out.

8. Cookies and similar technologies

Our marketing site (smartugc.ai) does not set tracking or advertising cookies. Our application (app.smartugc.ai) authenticates you using a token stored in your browser's local storage (not a cookie); you can clear it by signing out or by clearing site data in your browser. Stripe-hosted checkout and customer portal pages set their own cookies, which are governed by Stripe's privacy notice. Our hosting and CDN providers may set strictly necessary cookies for security and load balancing.

9. Security

We use technical and organisational measures appropriate to the risks of processing, including TLS for data in transit, hashed passwords, scoped access to production systems, audit logging, and contractual confidentiality with our providers. No system is perfectly secure: please use a strong, unique password and notify us immediately at [email protected] if you suspect your account has been compromised.

10. Your rights

Under UK data protection law you have the right to:

• access the personal data we hold about you;
• have inaccurate personal data corrected;
• have your personal data erased in certain circumstances (the "right to be forgotten");
• restrict or object to processing in certain circumstances, including processing for direct marketing;
• receive a copy of the personal data you have provided in a structured, commonly used format and have it transmitted to another controller (portability);
• withdraw consent at any time where we rely on consent (this does not affect the lawfulness of earlier processing); and
• lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection (ico.org.uk). We would appreciate the opportunity to address your concerns first.

To exercise any of these rights, email [email protected]. We may need to verify your identity before responding and will reply within one month, or tell you if we need longer.

11. Automated decision-making

We do not use personal data to make decisions that produce legal or similarly significant effects on you by automated means alone. Generation of AI outputs in response to your prompts is not a decision about you for these purposes.

12. Marketing

We may send you transactional emails (such as receipts, security notices and material changes to the Service) on the basis that they are necessary for your account. We will only send you marketing emails where you have agreed, and you can unsubscribe at any time using the link in any marketing email or by contacting [email protected].

13. Changes to this Policy

We may update this Policy from time to time. If we make a material change, we will give you reasonable notice (for example by email or in-app notice) before the change takes effect. The "Last updated" date at the top tells you when this Policy was last revised.

14. Contact us

Questions about this Policy or about your personal data? Email [email protected], or write to Silly Spider Ltd (trading as smartUGC.ai), 1 Railway Terrace, Sunderland, SR4 0PA, United Kingdom.