Privacy Policy

This policy explains what data we collect when you use Thumbnailed, how we use it, who we share it with, and your rights under the GDPR.

1. Data Controller

Findoria UG (haftungsbeschränkt)
Kolonnenstraße 8, 10827 Berlin, Germany
Email: [email protected]
Managing Director: Daniel Alexander Oquelis Leon

2. Data We Collect

When you use Thumbnailed we collect:

• Account data: name, email address, password hash, email verification status.
• Run data: the videos you upload, the thumbnails we generate from them, run metadata (duration, status), and any filenames you provide.
• Usage data: IP address, browser type, access times, rate-limit counters.
• Payment data: processed securely by Stripe — we never see or store your card details. We retain Stripe customer and checkout-session identifiers for billing reconciliation.

3. How We Use Your Data

We use your data exclusively to operate the service:

• Generate thumbnails from your uploaded videos.
• Manage your account, credits, and billing.
• Send transactional emails (verification, completion, failure notifications).
• Detect abuse and enforce rate limits.
• Provide customer support.

We do not sell your data to third parties, and we do not use it for advertising.

4. AI Processing

Thumbnailed sends portions of your video to third-party AI providers, each handling a specific step:

• Groq — receives the audio track only, transcribes it via Whisper-large-v3-turbo, returns text and discards the audio.
• Google (Gemini) — receives short (10-second) video clips for semantic embedding. No human access; embeddings are vectors of numbers, not viewable footage.
• Anthropic (Claude) — receives the transcript and a small set of frames (a contact sheet) for reasoning and visual question-answering.
• OpenAI (gpt-image-2) — receives one identity frame from your video plus our own style references, and produces three thumbnail PNGs.

These providers process your data under their respective enterprise agreements with us and do not use it to train their models. Each provider operates its own content-moderation classifier; if any classifier blocks your content, the run will fail and you will be notified.

5. Data Retention

• Source videos: automatically deleted within 24 hours of upload.
• Generated thumbnails and run metadata: kept while your account is active so you can re-download them.
• Account data: retained until you delete your account.

6. Storage and Security

Your data is stored on EU infrastructure. We employ:

• Encrypted transmission (HTTPS) end-to-end.
• Hashed passwords (we never store plaintext).
• Per-account session and rate-limit isolation.
• Object storage with private access — videos are never public.

7. Sub-processors

We share the minimum data required with the following processors:

• Fly.io (EU region: Frankfurt) — application + worker hosting.
• Neon (EU region: Frankfurt) — PostgreSQL database for accounts, runs, and credit ledger.
• AWS S3 (EU region: Frankfurt) — video and thumbnail storage. Source videos are auto-deleted within 24 hours.
• Upstash Redis (EU region) — rate-limit counters only; no personal data.
• Stripe (US/EU) — payment processing. Card data never reaches our systems.
• Resend (US) — transactional email delivery.
• Anthropic(US) — Claude AI for reasoning and vision Q&A; receives transcript + selected frames.
• OpenAI (US) — gpt-image-2 for thumbnail generation; receives one identity frame plus our style references.
• Google (US) — Gemini Embedding for semantic search; receives 10-second video clips.
• Groq (US) — Whisper for transcription; receives audio only.

Transfers to US-based providers occur under EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. Each provider acts as a data processor on our behalf.

8. Your Rights (GDPR)

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your account and associated data.
• Export your data in a portable format.
• Object to or restrict certain processing.
• Lodge a complaint with your local data protection authority.

Contact us at [email protected] to exercise any of these rights.

9. Cookies

We use only technically necessary cookies — primarily a signed session cookie used to keep you logged in. We do not use tracking, analytics, or advertising cookies.

10. Contact

For privacy questions, write to [email protected], or by post to Findoria UG, Kolonnenstraße 8, 10827 Berlin, Germany.