Last Updated: June 1, 2026
Effective Date: June 1, 2026
INTRODUCTION
Aktion Film AI, LLC ("Aktion," "we," "our," "us") operates the Aktion Film AI platform at aktionfilmai.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service, and describes your rights with respect to your personal data.
This Privacy Policy applies to all users worldwide. Specific sections describe additional rights available to residents of California, Illinois, Oregon, the European Union/EEA, the United Kingdom, Canada, and other jurisdictions.
BY USING THE SERVICE, YOU AGREE TO THE COLLECTION AND USE OF INFORMATION IN ACCORDANCE WITH THIS POLICY.
SECTION 1 — INFORMATION WE COLLECT
1.1 Information You Provide Directly
Account Information: When you create an account, we collect your name, email address, password (hashed), and any profile information you choose to provide.
Payment Information: Paid subscription purchases are processed through our third-party payment processor Stripe. We do not store full payment card numbers. We receive and retain a transaction record including the last four digits of the card number, card type, billing country, and transaction amount for our records.
User Inputs: Content you submit to generate AI outputs, including text prompts, scripts, uploaded images, audio files, and other creative materials. See Section 2 for how we use these.
Communications: Emails, support requests, and other communications you send to us.
Consent Records: Records of your agreement to model-specific Terms of Service Disclosure Cards, Face Swap consent, and other feature-specific consents. These records are retained for legal compliance purposes.
1.2 Information Collected Automatically
Usage Data: Pages visited, features used, generation requests submitted (including model selection, credit usage, generation time), error logs, and session data.
Device and Connection Information: IP address, browser type and version, operating system, device identifiers, and referring URL.
Cookies and Tracking Technologies: We use cookies and similar technologies for authentication, session management, and analytics. See Section 1.4 for details.
Generation Logs: Metadata about your generation sessions including timestamp, model used, credits consumed, and whether the session completed successfully. Prompt text submitted during generation sessions is transmitted through Aktion's servers to our model partners and is retained in our database (generations and generated_outputs tables). Prompt logs are retained indefinitely unless you request deletion. (See Your Rights below.)
1.3 Information from Third Parties
Third-Party Model Providers: When your generation requests are processed by third-party model providers (Kling, Wan, Flux, Seedance, Veo, LLM), those providers receive and process your User Inputs. Their processing of your data is governed by their own privacy policies. Aktion receives the generated output and relevant metadata from those providers. We are not responsible for third-party providers' data practices beyond what is disclosed in their terms.
Social Login / OAuth: If you sign in using a third-party identity provider (e.g., Google), we receive your name, email address, and profile picture from that provider as authorized by you during the OAuth flow.
Analytics Providers: We use [Google Analytics / Mixpanel / TBD] for usage analytics. These providers may set their own cookies.
1.4 Cookies
We use the following categories of cookies:
| Category | Purpose | Required |
|---|---|---|
| Essential | Authentication, session management, security | Yes |
| Functional | User preferences, language settings | No |
| Analytics | Usage statistics, feature performance | No |
You may opt out of non-essential cookies through our cookie preference center at [aktionfilmai.com/privacy/cookies]. Note that disabling essential cookies will prevent you from logging in.
1.5 Biometric Data (Face Swap Feature)
[ARCH-DEPENDENT — PARTIAL] The Face Swap feature processes facial image data. Facial geometry is processed transiently and is not stored as a biometric template (confirmed June 2025). Source images submitted for Face Swap are transmitted through Aktion's servers to our processing partner and are not retained after the generation is complete. (See Illinois BIPA notice in Section 8 below.)
- If facial geometry templates are extracted and stored: This constitutes biometric data under the Illinois Biometric Information Privacy Act (BIPA), Oregon SB 619, Washington My Health My Data Act, and other state biometric laws. Explicit, written, informed consent is required before collection; a Biometric Data Retention Policy is required; and deletion upon account termination or within 3 years (whichever is sooner) is required under BIPA.
- If facial processing is transient (geometry is processed in memory only and not stored in any database): The BIPA and similar storage-based obligations may not apply, but we will disclose this clearly in the Face Swap consent flow.
We will update this section once the architecture is confirmed. If you are an Illinois resident with questions about facial data processing, contact [privacy@aktionfilmai.com] immediately.
SECTION 2 — HOW WE USE YOUR INFORMATION
We use personal information for the following purposes, each grounded in a lawful basis:
| Purpose | Data Used | Lawful Basis (GDPR) |
|---|---|---|
| Providing the Service | Account info, User Inputs, usage data | Performance of contract |
| Processing generation requests | User Inputs, model selection | Performance of contract |
| Payment processing | Payment info | Performance of contract |
| Customer support | Account info, communications | Legitimate interest |
| Safety and fraud prevention | IP address, usage data, device info | Legitimate interest |
| Legal compliance (NCII removal, CSAM reporting, breach notification) | Relevant user data as required | Legal obligation |
| Analytics and service improvement | Aggregated usage data | Legitimate interest |
| Marketing communications (if opted in) | Email address | Consent |
| Model training (only if separately opted in via Data Sharing program) | User Inputs and outputs | Consent (explicit, separate, withdrawable) |
We never use your personal information or User Inputs to train AI models without your separate, explicit consent. The Creator Pledge is a binding commitment and is incorporated by reference into our Terms of Service.
SECTION 3 — HOW WE SHARE YOUR INFORMATION
3.1 Third-Party AI Model Providers
When you use a generation feature, your User Inputs are transmitted to the applicable third-party model provider (Kling/Kuaishou, Wan/Alibaba, Flux/Black Forest Labs, Seedance/ByteDance, Veo/Google, Happy Horse/Alibaba, GLM/Zhipu AI). Those providers' terms and privacy policies govern their handling of your data. Relevant terms are disclosed at first use of each model.
Data jurisdiction disclosures by model tier:
| Provider / Route | Legal Entity | Data Location | Jurisdiction |
|---|---|---|---|
| Kling (via AtlasCloud or Wavespeed) | Kuaishou Technology Co. Ltd — Beijing, PRC | US (AtlasCloud NYC) / Singapore+HK (Wavespeed) | PRC law applies to model; aggregator laws vary |
| Wan 2.x / Happy Horse (via Wavespeed or fal.ai) | Alibaba Group — Hangzhou, PRC | Singapore+HK (Wavespeed) / US (fal.ai) | PRC law applies to model |
| Seedance (via Wavespeed) | ByteDance Ltd — Beijing, PRC | Singapore+HK | PRC law applies to model |
| Flux (via Runware or AtlasCloud) | Black Forest Labs GmbH — Freiburg, Germany | US + Germany + Romania (Runware) / US (AtlasCloud) | EU/German law for model creator |
| Veo (via Google) | Google LLC — Mountain View, CA | US | US/California law |
| SwitchX (via Beeble) | Beeble AI Inc. — Wilmington, DE | US + Korea | US/Korean law |
| GLM / z.ai storyboard | JINGSHENG HENGXING TECHNOLOGY PTE.LTD — Singapore (Zhipu AI affiliate) | Singapore | Singapore law; Zhipu AI model is PRC-developed |
Note on China-based model providers: Data transmitted to Kling (Kuaishou), Wan and Happy Horse (Alibaba), and Seedance (ByteDance) is transferred to entities whose underlying models were developed by companies incorporated or based in the People's Republic of China. The EU has not issued an adequacy decision for China. These transfers currently rely on your consent at the point of model selection (acknowledged via the model ToS Disclosure Card).
Note on Wavespeed §11.2 license: When your User Inputs are processed by Wavespeed AI Ltd, Wavespeed's Terms of Service §11.2 grant Wavespeed a license to use, copy, store, and process your inputs for service delivery purposes. Aktion routes certain model requests through Wavespeed. This license grant is disclosed at first use of Wavespeed-routed models. Aktion does not independently grant Wavespeed any rights beyond what Wavespeed's own terms require.
Note on Runware multi-jurisdiction processing: Runware Ltd (UK) processes data on infrastructure located in the United States, Germany, and Romania. Your User Inputs processed through Runware-routed models may reside in any of these jurisdictions. This is relevant if you are an EU/EEA resident.
Vadoo AI / Muapi: Vadoo AI (Hyderabad, India) operates the Muapi.ai API service. Vadoo's sub-processors include Replicate (US) and fal.ai (US). Data transmitted through Muapi-routed models is processed by Vadoo in India and may be further processed by US-based sub-processors.
3.2 Service Providers
We share data with third-party service providers who assist us in operating the Service, including:
- Cloud hosting and infrastructure: Vercel (app server, US-based edge network); Supabase (database and storage, us-east-2 Ohio, US)
- Payment processing: Stripe
- Email communications: [SendGrid / Mailchimp / TBD — confirm with Adam]
- Analytics: [Google Analytics / Mixpanel / TBD — confirm retargeting/pixel decision]
- Content delivery network (CDN): Vercel edge network
- Customer support: [TBD]
- AI model aggregators: AtlasCloud (New York, NY, USA), Wavespeed AI Ltd (Singapore / Hong Kong), Runware Ltd (United Kingdom), Vadoo AI (Hyderabad, India — formerly marketed as "Muapi.ai")
- Direct AI providers: fal.ai / Happy Horse 1.0 (San Francisco, CA, USA — Alibaba model), Beeble AI Inc. (Wilmington, DE, USA — SwitchX relighting), JINGSHENG HENGXING TECHNOLOGY PTE.LTD / z.ai (Singapore — Zhipu AI GLM model), Anthropic (Claude)
These service providers are contractually obligated to use your data only for the purpose of providing services to Aktion and not to use it for their own marketing or to sell it to third parties.
3.3 Legal Requirements
We may disclose your information to law enforcement, courts, or government agencies when required to do so by law or legal process, including: responding to lawful court orders and subpoenas; complying with DMCA takedown requirements; reporting CSAM to the NCMEC CyberTipline (mandatory under 18 U.S.C. § 2258A); cooperating with TAKE IT DOWN Act enforcement; and responding to emergency requests involving risk of death or serious physical injury.
3.4 Business Transfers
If Aktion is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred to the acquiring entity. We will notify you by email and/or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
3.5 Data Sharing Programs (Optional, Consent-Based)
If Aktion offers a Data Sharing program (e.g., a discounted subscription in exchange for sharing data), participation is entirely voluntary. We will provide a separate, specific disclosure describing exactly what data is shared, with whom, for what purpose, and how to withdraw consent. We do not and will not sell your personal information in the traditional sense. Any "sharing" in a Data Sharing program will be disclosed with the specificity required by CCPA's "sharing for cross-context behavioral advertising" definition and GDPR's consent requirements.
3.6 What We Do Not Do
- We do not sell your personal information for monetary consideration.
- We do not share your personal information with advertisers for behavioral advertising without your explicit opt-in consent.
- We do not use your creative content to train AI models without your explicit, separate consent.
- We do not transmit biometric data to third parties without disclosure and, where required, consent.
SECTION 4 — DATA RETENTION
We retain personal information for as long as necessary to provide the Service and fulfill the purposes described in this Policy, subject to the following:
| Data Category | Default Retention | Legal Minimum / Maximum |
|---|---|---|
| Account information | Duration of account + 30 days after deletion | Deletion on request (30-day processing) |
| User Inputs / Prompts | Retained in Supabase DB (us-east-2, Ohio); transmitted to model aggregators during generation | User-controlled where possible |
| Generated outputs | Retained in Supabase DB + Storage buckets (us-east-2, Ohio); video files in Storage | User-controlled where possible |
| Consent records (model ToS, face swap) | 5 years after last use | Recommended for legal defensibility |
| NCII takedown records | 5 years | TAKE IT DOWN Act compliance |
| CSAM reporting records | 7 years | Law enforcement cooperation requirements |
| Payment records | 7 years | IRS / tax compliance |
| Biometric data (if applicable) | Not longer than 3 years or account deletion, whichever is sooner | BIPA §15(a) |
| Breach notification records | 5 years | State breach notification laws |
| Support communications | 3 years | Legitimate interest |
SECTION 5 — SECURITY
We implement technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2+), access controls, regular security assessments, and incident response procedures.
No security system is impenetrable. In the event of a data breach involving your personal information:
- We will notify affected users and relevant regulators as required by applicable law, including:
  - Oregon OCIPA: Within 30 days of discovery
  - GDPR: Within 72 hours of discovery to the relevant Data Protection Authority
  - State breach notification laws: As required (30–90 days depending on state)
  - FTC: For breaches affecting 500+ users
If you discover a security vulnerability, please report it responsibly to [security@aktionfilmai.com].
SECTION 6 — YOUR RIGHTS AND CHOICES
6.1 Rights Available to All Users
All users may:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your account and personal data
- Opt-Out: Opt out of marketing communications at any time
- Portability: Request your data in a portable format
- Withdraw Consent: Withdraw consent for any processing based on consent (including Data Sharing programs)
To exercise any of these rights, contact [privacy@aktionfilmai.com] or use the self-service tools at [aktionfilmai.com/account/privacy].
6.2 California Residents (CCPA / CPRA)
California residents have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: What personal information we collect, use, disclose, and sell/share
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of personal information for cross-context behavioral advertising. [Do Not Sell or Share My Personal Information — aktionfilmai.com/privacy/optout]
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information (including biometric data, precise geolocation) to what is necessary to provide the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights
Categories of Personal Information Collected (as defined by CCPA):
- Identifiers (name, email, IP address, account ID)
- Commercial information (subscription tier, transaction history)
- Internet/electronic activity (usage data, generation history)
- Biometric information (facial geometry, if applicable — see Section 1.5)
- Audio/visual information (uploaded images, voice inputs)
- Inferences drawn from personal information (usage patterns, preferences)
We do not knowingly sell or share the personal information of minors under 16 without affirmative opt-in consent.
6.3 Illinois Residents (BIPA)
If you are an Illinois resident and have used the Face Swap feature, you may have rights under the Illinois Biometric Information Privacy Act. To request a copy of our Biometric Data Retention Policy, or to request deletion of any biometric data we may hold, contact [privacy@aktionfilmai.com] with subject line "BIPA Request." We will respond within 30 days.
6.4 Oregon Residents (OCIPA / SB 619)
Oregon residents have rights under the Oregon Consumer Information Protection Act (OCIPA) and Oregon SB 619 (biometric data protections). Oregon residents may request access, correction, deletion, and portability of personal data, and may opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions with significant effects.
To exercise Oregon privacy rights: [privacy@aktionfilmai.com].
6.5 European Economic Area and UK Residents (GDPR / UK GDPR)
If you are located in the EEA or UK, the following additional rights apply under GDPR / UK GDPR:
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict Processing: Request restriction of processing in certain circumstances
- Right to Lodge a Complaint: Lodge a complaint with your national Data Protection Authority (e.g., CNIL, ICO, BfDI)
Data Controller: Aktion Film AI, LLC [address TBD — confirm registered address with Adam]
Legal Bases for Processing: See Section 2 table above.
International Transfers: Data may be transferred from the EEA/UK to the United States. These transfers are conducted pursuant to Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by GDPR Chapter V.
Note on International Transfers to AI Model Providers: User Inputs processed by AI model providers may be transferred to multiple jurisdictions. Relevant transfer destinations include:
- PRC (China): Kling (Kuaishou), Wan and Happy Horse (Alibaba), Seedance (ByteDance) — no EU adequacy decision; consent-based transfer via model ToS Disclosure Card acceptance.
- Singapore: z.ai / GLM (JINGSHENG HENGXING TECHNOLOGY PTE.LTD, Zhipu AI affiliate) — no EU adequacy decision; Singapore PDPA applies; consent-based transfer.
- Germany + Romania + US: Flux via Runware Ltd (UK) — Germany and Romania are EU member states (adequate); US processing relies on SCCs or consent.
- US + Korea: Beeble SwitchX (Beeble AI Inc.) — US and Korea; Korean PIPA applies; no EU adequacy decision for Korea; consent-based transfer.
For all international transfers not covered by adequacy decisions, Aktion relies on Standard Contractual Clauses (where in place with the relevant provider) or explicit user consent via the model ToS Disclosure Card acceptance flow.
6.6 Canadian Residents (PIPEDA / CASL)
Canadian residents have rights under PIPEDA including the right to access and correct personal information. We will respond to Canadian privacy requests within 30 days. For commercial electronic communications, you may unsubscribe at any time using the unsubscribe link in any email or by contacting [privacy@aktionfilmai.com].
6.7 Response Timeframes
We respond to all verified privacy requests within 30 days (or 45 days for complex requests with notice). We may require identity verification before processing requests. We do not charge a fee for initial requests unless they are manifestly unfounded or excessive.
SECTION 7 — CHILDREN'S PRIVACY
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that a child under 13 has provided us with personal information, we will promptly delete that information and terminate the child's account.
For users between 13 and 17, we collect only the minimum personal information necessary to provide the Service, do not engage in behavioral advertising, and implement enhanced content restrictions on age-gated features.
If you are a parent or guardian and believe your child under 13 has used the Service, contact [privacy@aktionfilmai.com] immediately.
SECTION 8 — CHANGES TO THIS POLICY
We may update this Privacy Policy periodically. We will notify you of material changes by email (to your registered address) and by posting the revised Policy with an updated "Last Updated" date. We will provide at least 30 days' advance notice of material changes before they take effect. Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the revised Policy.
SECTION 9 — CONTACT US
Privacy inquiries and rights requests:
Security vulnerabilities:
GDPR Article 27 Representative (EU/UK):
[TBD]
EU/UK Data Protection Authority Complaint Links:
- UK ICO: ico.org.uk/make-a-complaint
- France CNIL: cnil.fr/en/complaints
- Germany BfDI: bfdi.bund.de
California Privacy Rights (CCPA):
[aktionfilmai.com/privacy/optout]
This Privacy Policy was prepared for attorney review and is not legal advice. Aktion Film AI should obtain qualified legal counsel review, particularly regarding GDPR international transfer mechanisms, BIPA biometric consent flows, and CCPA "sale/sharing" definitions, before publication.