Privacy policy

This Privacy Policy explains how Orbioom LLC (“Clipioom,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal information when you visit clipioom.com or use the Clipioom service (the “Service”).

We are the data controller for the personal information processed under this Policy. Capitalized terms not defined here have the meanings given in our Terms of Service. By using the Service, you acknowledge that you have read this Policy and that the practices described are consistent with the terms on which you have engaged us.

We collect the categories of personal information described below:

• Account information. Name, email address, profile image, password credential (hashed and managed by our authentication provider), authentication tokens, user identifier, and account preferences.
• Billing information. Subscription tier, billing history, transaction identifiers, country, and tax information. Payment card numbers are collected and stored by our PCI-compliant payment processor (Stripe). We do not store full card numbers on our systems.
• User Content. Source media you upload, URLs you submit (including YouTube, Instagram, TikTok, X, and similar links), transcripts, generated clips, captions you author or edit, brand-kit assets, project metadata, and prompts.
• Usage data. Pages viewed, features used, jobs submitted, render durations, error events, referring URL, timestamps, and aggregate engagement metrics.
• Technical data. IP address, browser type and version, operating system, device type, language preference, and approximate location derived from IP.
• Communications. Email correspondence, support tickets, survey responses, and any feedback you voluntarily provide.
• Cookies and similar technologies. Session and authentication cookies (strictly necessary), preference cookies (functional), and limited first-party analytics cookies. We do not use third-party advertising trackers.

We collect information (a) directly from you when you create an account, submit content, contact support, or otherwise interact with the Service; (b) automatically through server logs, cookies, and similar technologies when you use the Service; and (c) from third parties such as our authentication provider, payment processor, and (where you have authorized it) social-platform integrations.

We use personal information to:

• Provide, maintain, and operate the Service and its features.
• Process payments, manage subscriptions, and prevent fraud.
• Generate clips, captions, transcripts, thumbnails, and other derivative outputs that you request.
• Communicate with you about your account, transactions, security alerts, product updates, and support requests.
• Investigate, detect, and prevent abuse, security incidents, and violations of our Terms of Service or Acceptable Use Policy.
• Improve the Service, including by analyzing aggregate usage patterns. We do not use your User Content to train, fine-tune, or otherwise improve our own or any third party's artificial-intelligence models.
• Comply with legal obligations and respond to lawful requests from authorities.
• Send marketing communications, but only with your prior consent where required by law, and you may opt out at any time.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following lawful bases under the GDPR or UK GDPR:

• Performance of a contract — to provide the Service you have requested.
• Legitimate interests — for security, fraud prevention, service improvement, and limited first-party analytics, balanced against your rights and freedoms.
• Consent — for marketing communications and any optional analytics or functionality that requires it. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Compliance with a legal obligation — for tax, accounting, regulatory, and law-enforcement requirements.

You retain ownership of all User Content you upload or generate using the Service. By submitting User Content you grant us a worldwide, royalty-free, non-exclusive license to host, store, transmit, transcode, modify (solely for the purposes of producing the outputs you have requested), and display that content for the limited purpose of operating, providing, and improving the Service for you. This license terminates when you delete the content, subject to the retention windows described in Section 11.

You represent and warrant that, for every piece of User Content you submit, you (i) own the content or have obtained all rights, licenses, consents, releases, and permissions necessary to use, reproduce, transmit, and process it through the Service; (ii) have the legal right to authorize Clipioom and its sub-processors to perform the operations described in this Policy on that content; and (iii) will not submit content that infringes any third-party copyright, trademark, right of publicity, privacy right, or other intellectual-property or proprietary right.

You are solely responsible for the User Content you submit and for ensuring that your use of the Service complies with applicable law. We do not pre-screen User Content, and we make no representation that User Content received from you is non-infringing. We may remove or refuse to process content that we believe, in our sole discretion, violates this Policy, our Terms of Service, our Acceptable Use Policy, or any law.

Rights-holders who believe their work has been infringed should follow the takedown process at our DMCA page.

To produce the outputs you request, we transmit limited User Content (audio extracts, transcripts, prompts, and image frames) to third-party AI providers including OpenAI, Anthropic, AssemblyAI, and (where you have enabled it) Deepgram. These providers process the content solely to return their output to us and, per their public commitments to enterprise customers, do not use your content to train their models.

We do not transmit your account credentials, billing information, or content from other projects to AI providers. A complete and current list of AI and other sub-processors is maintained at our Sub-processors page.

We share personal information only as follows:

• Sub-processors and service providers who provide infrastructure, payment processing, email delivery, error monitoring, AI processing, customer support, and analytics under written agreements that limit their use of personal information to the services they provide to us. The current list is at /subprocessors.
• Legal compliance and protection. We may disclose personal information when required by law, subpoena, court order, or other valid legal process, or when we have a good-faith belief that disclosure is necessary to protect our rights, your safety, the safety of others, or to investigate fraud or security incidents.
• Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity under terms consistent with this Policy.
• With your consent. We may share information for any other purpose disclosed to you and to which you consent.
• Aggregated or de-identified data that cannot reasonably be used to identify you may be shared without restriction.

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or any analogous state law.

We use cookies and similar technologies in three categories:

• Strictly necessary — required for authentication, session persistence, and security. These cannot be disabled while using the Service.
• Functional — remember your preferences (theme, last-viewed project, consent choices).
• Analytics (first-party) — limited usage analytics to understand feature engagement. We do not use third-party advertising trackers, fingerprinting, or cross-site tracking.

You can control cookies through your browser settings. We honor the Global Privacy Control (GPC) signal as a request to opt out of any “sale” or “sharing” of personal information under the CCPA. We do not currently respond to Do Not Track headers because no consensus standard for their interpretation exists.

We are based in the United States, and our infrastructure providers (including Cloudflare, Supabase, Stripe, and our AI processors) operate in multiple jurisdictions. When we transfer personal information from the EEA, the UK, or Switzerland to the United States or other countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) and require recipients to maintain protections essentially equivalent to those of GDPR / UK GDPR.

You may request a copy of the relevant transfer mechanism by emailing support@clipioom.com.

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy and to comply with legal, accounting, or reporting requirements. Specifically:

• Account information is retained while your account is active and for up to 30 days after you delete your account, after which it is purged from production systems.
• User Content (source uploads, generated clips, transcripts) is retained according to your subscription tier's retention window — 7 days on Free, 30 days on Pro, 90 days on Max — and is automatically deleted thereafter.
• Server and security logs are retained for up to 90 days for incident response and abuse prevention.
• Billing records are retained for up to seven (7) years to satisfy tax, accounting, and audit obligations.
• Backups may persist for up to 35 days beyond the windows above and are encrypted at rest.

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Measures include:

• Encryption in transit (TLS 1.2 or higher) and at rest for stored data.
• Hashed passwords, scoped API tokens, and short-lived signed URLs for downloads.
• Role-based access controls and the principle of least privilege for internal access to production systems.
• Regular security review of dependencies, infrastructure, and access patterns.
• Audit logging of administrative actions.

No method of transmission over the Internet or method of electronic storage is completely secure. We cannot and do not guarantee absolute security. In the event of a personal data breach affecting you, we will notify you and, where applicable, the relevant supervisory authority within the timeframes required by law (including, where applicable, within 72 hours for GDPR-covered breaches).

Depending on your location, you may have the following rights regarding your personal information:

• Access — to obtain a copy of the personal information we hold about you.
• Rectification — to correct inaccurate or incomplete information.
• Erasure — to request deletion of your personal information, subject to legal retention requirements.
• Restriction — to limit the processing of your personal information in certain circumstances.
• Portability — to receive your personal information in a structured, machine-readable format and to transmit it to another controller.
• Objection — to object to processing based on our legitimate interests, including direct marketing.
• Withdraw consent — where processing is based on consent, you may withdraw consent at any time.
• Not be subject to fully automated decision-making with legal or similarly significant effects, except where authorized by law.

You can exercise most rights directly from the Settings area of your account (export, deletion, communication preferences). For any other request, email support@clipioom.com. We will respond within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA, extendable as permitted). We may need to verify your identity before fulfilling certain requests. You may use an authorized agent to submit a request on your behalf where the law permits, with appropriate proof of authorization.

You also have the right to lodge a complaint with a supervisory authority — your local data-protection authority in the EEA/UK, the California Attorney General in California, or the equivalent regulator in your jurisdiction.

If you are a California resident, the CCPA and CPRA grant you the rights described in Section 13, plus the following additional disclosures:

• Categories of personal information collected in the past twelve (12) months: identifiers (name, email, IP address, account ID); commercial information (subscription, transaction history); internet activity (usage logs, device info); geolocation (approximate, from IP); audio and visual information (User Content); inferences (preferences derived from usage).
• Sources: directly from you, automatically from your use of the Service, and from third-party service providers acting on our behalf.
• Business and commercial purposes: providing and operating the Service; security and fraud prevention; legal compliance; communications; product improvement.
• Categories disclosed to service providers: identifiers, commercial information, internet activity, audio and visual information, all under contracts limiting their use to performing services for us.
• Sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising.
• Sensitive personal information: We do not collect or process sensitive personal information (as defined by the CPRA) for the purpose of inferring characteristics about you.

California residents also have the right to non-discrimination for exercising any of the rights granted by the CCPA / CPRA. We will not deny services, charge a different price, or provide a different level of quality solely because you exercised a privacy right.

The Service is not directed to and not intended for use by children. We do not knowingly collect personal information from anyone under 13 years of age (or under 16 in the EEA / UK, or any higher minimum age required by your jurisdiction). If you believe a minor has provided personal information to us, please contact support@clipioom.com and we will promptly delete it.

The Service may contain links to or integrations with third-party websites and services (including the platforms you submit URLs from, such as YouTube, Instagram, TikTok, and X). Their privacy practices are governed by their own policies, and we are not responsible for them. We recommend you review the privacy policy of any third-party service you interact with.

You may delete your account at any time from Settings → Account. Upon deletion we will (i) immediately cease processing of your personal information for any purpose other than retention required by law; (ii) delete your account credentials and User Content from production systems within 30 days; and (iii) purge backup copies within the backup retention window.

Information we are required to retain for legal, accounting, tax, or fraud-prevention reasons (such as billing records) will be retained for the periods required by law.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The “Last updated” date at the top of this page indicates when the most recent revision took effect. For material changes, we will provide notice through the Service or by email at least 14 days before the change becomes effective. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

If you have questions, concerns, or requests regarding this Policy or our processing of your personal information, please contact us at:

Orbioom LLC
Privacy & Data Protection
Email: support@clipioom.com

For the avoidance of doubt, this Policy is intended to be read together with our Terms of Service, Acceptable Use Policy, DMCA Policy, and Sub-processors list, each of which is incorporated herein by reference.