Privacy Policy
Effective date: 15 June 2026 · Last updated: 15 June 2026
Bc. Karel Granát (“ManifestReelAI,” “we,” “us,” or “our”) operates manifestreelai.com and the ManifestReelAI web application (collectively, the “Service”). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over your data.
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
1. Who We Are (Data Controller)
Bc. Karel Granát
U Stadionu 72, 266 01 Beroun 2, Czech Republic
Contact: [email protected]
2. Information We Collect
2.1 Information You Provide
- Account data: name, email address, password (hashed).
- Billing data: processed by Stripe; we store only the last 4 digits of your card, billing country, and subscription status. We never store full card numbers.
- Content: scripts, prompts, uploaded images, voice samples (if you use voice cloning), Craft brand presets, and generated reels.
- Communications: support emails, feedback you submit.
2.2 Information Collected Automatically
- Usage data: pages viewed, features used, reels generated, timestamps, IP address, browser, device, and operating system.
- Cookies & similar technologies: essential cookies (authentication), analytics cookies (aggregated usage), and preference cookies. See Section 9.
2.3 Information From Third Parties
- OAuth platforms (TikTok, YouTube, Instagram, Facebook): when you connect a social account, we receive your platform username, profile/channel ID, and an access token scoped only to publishing content you explicitly create within ManifestReelAI. We do not read your existing posts, followers, DMs, or analytics unless required to confirm a publish succeeded.
3. How We Use Your Data (Legal Bases under GDPR)
| Purpose | Legal basis |
|---|---|
| Operate your account, deliver the Service | Contract (Art. 6(1)(b)) |
| Process payments via Stripe | Contract (Art. 6(1)(b)) |
| Generate reels using AI providers (OpenAI, fal.ai, ElevenLabs) | Contract |
| Send service emails (receipts, password resets, quota warnings) | Contract |
| Publish content to connected social platforms at your request | Consent |
| Improve and secure the Service | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Consent — opt-out anytime |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal data. We do not use your content to train AI models without your explicit opt-in.
4. Third-Party Sub-Processors
We share data with the following providers strictly to deliver the Service:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payments | Name, email, billing info | USA (SCCs) |
| OpenAI, L.L.C. | Script generation, translation | Prompts | USA (SCCs) |
| fal.ai | Image & video generation | Prompts | USA (SCCs) |
| ElevenLabs Inc. | Voice synthesis & cloning | Scripts, voice samples | USA (SCCs) |
| Cloudflare | CDN, DDoS protection | IP, request metadata | Global |
| AWS / hosting provider | Application hosting & storage | All app data | EU/USA (SCCs) |
| PostHog / analytics | Aggregated usage analytics | Pseudonymous events | EU |
| TikTok, YouTube, Meta | Publishing reels (only when you connect) | Your reel content + caption | Per platform |
All non-EU providers operate under Standard Contractual Clauses (SCCs) and appropriate safeguards.
5. Social Platform Connections (TikTok, YouTube, Instagram, Facebook)
When you connect a social account:
- We request only the minimum scopes required to publish content you explicitly create:
  - TikTok: video.publish, user.info.basic
  - YouTube: youtube.upload, youtube.readonly
  - Instagram & Facebook: instagram_basic, instagram_content_publish, pages_show_list, pages_read_engagement, pages_manage_posts, business_management
- We store an encrypted access token and refresh token.
- We never post without your explicit action.
- You can disconnect any platform at any time in Settings → Connected Accounts. Disconnecting immediately revokes our tokens.
- We do not download, read, or store your existing posts, followers, DMs, or audience analytics.
6. Data Retention
| Data | Retention |
|---|---|
| Account data | While your account is active + 30 days after deletion |
| Generated reels | While account active; deletable anytime |
| Billing records | 10 years (legal requirement) |
| OAuth tokens | Until you disconnect or delete the account |
| Server logs | 90 days |
| Backups | 30 days rolling |
When you delete your account (Section 8), we permanently erase all personal data within 30 days, except records we are legally required to retain.
7. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). We rely on the EU Standard Contractual Clauses (SCCs), the UK IDTA where applicable, and additional safeguards to ensure your data receives an equivalent level of protection.
8. Your Rights
Under GDPR, CCPA, and similar laws you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”) — request at manifestreelai.com/data-deletion.
- Restrict or object to processing.
- Data portability — export your data in machine-readable format.
- Withdraw consent at any time.
- Lodge a complaint with your local Data Protection Authority.
To exercise any right, email [email protected]. We respond within 30 days.
9. Cookies
We use:
- Strictly necessary cookies (authentication, security) — always on.
- Functional cookies (preferences) — opt-in.
- Analytics cookies (PostHog, aggregated) — opt-in.
You can manage cookies via your browser settings or our cookie banner. Refusal of non-essential cookies does not affect access to the Service.
10. Security
We implement industry-standard safeguards: encryption in transit (TLS 1.3), encryption at rest (AES-256), hashed passwords (bcrypt), encrypted OAuth tokens, role-based access control, and regular security audits. No system is 100% secure, but we work hard to protect your data.
11. Children
The Service is not directed to persons under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, email [email protected] and we will delete it immediately.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be announced via email and an in-app banner at least 30 days before taking effect. The “Last updated” date at the top reflects the latest revision.
13. Contact
Questions? Contact us at:
[email protected]
Bc. Karel Granát, U Stadionu 72, 266 01 Beroun 2, Czech Republic
For Data Protection inquiries: [email protected]