Privacy Policy
Last updated: 03.06.2026
1. General provisions
This Privacy Policy (the «Policy») describes how we collect, process, store and protect personal data of users of the cut.inventa.solutions website (the «Service», «Content Factory»).
The Policy is based on:
- Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR);
- Slovenian Personal Data Protection Act (ZVOP-2);
- ePrivacy Directive 2002/58/EC (cookies).
By using the Service, you confirm that you have read this Policy and agree to the stated terms of personal data processing.
2. Data controller
The data controller within the meaning of Article 4(7) and Article 13(1)(a) GDPR is:
Mykhailo Koblychenko s.p.
Registered address: Dimičeva ulica 9, 1000 Ljubljana, Slovenia
Tax number: SI40790215
Registration number (matična): 7522967000
Email: media4estate@gmail.com
Website: cut.inventa.solutions
A Data Protection Officer (DPO) has not been appointed, since the processing does not require regular and systematic monitoring of data subjects on a large scale (Article 37 GDPR).
3. Categories of personal data and purposes of processing
In accordance with Articles 13(1)(c) and 13(1)(d) GDPR we process the following categories of personal data:
a) Account data
| Data | Email address (required), name (optional), password hash |
| Purpose | Account creation and management, authentication, communication |
| Legal basis | Art. 6(1)(b) GDPR — performance of a contract |
| Retention | For the duration of the account + 30 days after deletion request |
b) User content
| Data | Uploaded videos, generated clips, transcriptions, subtitles, covers |
| Purpose | Providing the AI clip generation service |
| Legal basis | Art. 6(1)(b) GDPR — performance of a contract |
| Retention | Until the job is deleted by the user or account is closed + 30 days |
c) Payment data
| Data | Transaction amount, date, status, order ID, token amount |
| Purpose | Payment processing, billing, fraud prevention, accounting |
| Legal basis | Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(c) — legal obligation |
| Retention | 10 years (Slovenian VAT Act and accounting rules) |
Please note: payments are currently disabled. We do NOT collect or store payment card data.
d) Technical data
| Data | IP address, browser type (User-Agent), language preferences |
| Purpose | Security, rate-limiting, language detection |
| Legal basis | Art. 6(1)(f) GDPR — legitimate interest (security) |
| Retention | IP address is not stored on disk (only in memory for rate-limiting); language — localStorage with no fixed term |
e) Cookies
| Data | Session identifier, email verification status |
| Purpose | Authentication, caching email verification status |
| Legal basis | Art. 6(1)(b) GDPR — necessary for providing the service |
| Retention | See Cookie Policy |
4. Legal bases for processing
Under Article 6 GDPR we process personal data on the following grounds:
| Legal basis | Data categories |
|---|---|
| Performance of a contract — Art. 6(1)(b) | Account, content, payments, cookies |
| Legal obligation — Art. 6(1)(c) | Payment and financial records (accounting) |
| Legitimate interest — Art. 6(1)(f) | Technical data (security, rate-limiting) |
| Consent — Art. 6(1)(a) | Optional analytics cookies (Google Analytics) |
5. Subprocessors and third-party data transfers
In accordance with Articles 13(1)(e) and 13(1)(f) GDPR, we share personal data with the following subprocessors solely for the purpose of providing the Service:
| Subprocessor | Country | Purpose | Data | Transfer basis (Ch. V GDPR) |
|---|---|---|---|---|
| AssemblyAI, Inc. | USA | Audio transcription (speech-to-text with word-level timestamps) | Audio track of the uploaded video | Art. 45 GDPR — EU-US Data Privacy Framework (DPF-certified); SCCs (Decision (EU) 2021/914, Module 2) as fallback |
| Anthropic, PBC | USA | AI analysis of transcription, viral moment detection, cover prompt generation | Text of transcription | Art. 46 GDPR — Standard Contractual Clauses (Decision (EU) 2021/914, Module 2 controller→processor) under Anthropic's commercial terms |
| Kie.ai | USA | Cover image generation (Nano Banana 2 / Gemini 3.1 Flash Image) | Text prompt only (no personal data of users) | Art. 46 GDPR — SCCs under provider DPA |
| Resend, Inc. | USA | Transactional email delivery (verification, password reset, notifications) | Email address, email content | Art. 45 GDPR — EU-US Data Privacy Framework (DPF-certified since 13 Mar 2025); SCCs as fallback |
| Google LLC (Google Analytics 4) | USA | Aggregated website usage analytics (consent-based, Consent Mode v2 default-denied) | IP address (anonymised by GA4), browser data, page views, GA client ID | Art. 6(1)(a) consent + Art. 45 GDPR — EU-US Data Privacy Framework (DPF-certified) |
| Hostinger International Ltd | EU (Lithuania) / global | Server hosting, infrastructure | All processed personal data (at rest and in transit on our server) | EU/EEA — no third-country transfer required for hosting in the EU |
Per EDPB Guidelines 2/2018, Art. 49(1)(b) is reserved for occasional, non-repetitive transfers and is not relied upon as a general basis for routine processing. DPF-certified status of US recipients is verified at dataprivacyframework.gov/list.
We do not sell, exchange or transfer personal data to third parties for marketing purposes.
6. Retention periods
In accordance with Article 13(2)(a) GDPR:
| Category | Retention |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Content (videos, clips, covers) | Until job or account deletion + 30 days |
| Payment records | 10 years (Slovenian accounting / VAT rules) |
| Session cookies | 30 days |
| Verification cookies | 1 hour |
| IP addresses (rate-limiting) | Memory only, not persisted to disk |
7. Data subject rights
Under Articles 15–22 GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain a copy of all personal data we process about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of the account and related data.
- Right to restrict processing (Art. 18) — restrict processing in certain situations.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right not to be subject to automated decision-making (Art. 22) — see Section 8.
How to exercise your rights
To exercise any of the rights above, contact us at media4estate@gmail.com.
- Response time: 30 calendar days from receipt. The period may be extended by 60 days for complex requests with prior notice (Art. 12(3) GDPR).
- Identity verification: we may ask you to confirm ownership of the email address.
- Free of charge: exercising your rights is free of charge (Art. 12(5) GDPR), except for manifestly unfounded or excessive requests.
8. Automated processing and profiling
The Service uses AI technologies to process user-uploaded content: transcription of video recordings, analysis of text to detect viral moments, automatic clip cutting, subtitles and cover generation.
These AI tools are used solely to process content upon user request and do NOT:
- Make automated decisions producing legal effects for the user;
- Carry out profiling of users;
- Affect service access, pricing or terms.
9. International data transfers
Some of our subprocessors are located in the United States. Transfers of personal data outside the EU/EEA comply with Chapter V GDPR (Articles 44–49). We apply the following hierarchy:
- Art. 45 — adequacy. For US recipients that are DPF-certified under the EU–US Data Privacy Framework (adequacy decision of 10 July 2023), transfers rely on the adequacy decision. Currently this covers AssemblyAI, Resend and Google.
- Art. 46 — appropriate safeguards. For non-DPF US recipients, we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914, Module 2 controller→processor) included in the vendor's data-processing agreement. Currently this covers Anthropicand Kie.ai. SCCs also serve as a fallback for the DPF-covered recipients above.
- Art. 49 — derogations. Per EDPB Guidelines 2/2018, Art. 49(1)(b) is reserved for occasional, non-repetitive transfers and is not relied upon as a general basis for routine processing in our Service.
You can verify a vendor's DPF certification at dataprivacyframework.gov/list. Only text prompts (without personal data) are sent to Kie.ai; no transcripts or media are sent to Google.
10. Data security
Under Article 32 GDPR we apply the following technical and organisational safeguards:
- Password hashing using bcrypt (12 rounds);
- HMAC-SHA256 signed session tokens with server-side expiration checks;
- HTTPS encryption for all connections;
- Rate-limiting on authentication endpoints;
- HttpOnly, Secure, SameSite cookies against XSS and CSRF;
- Email address verification with a 6-digit code;
- Atomic transactions to prevent double token crediting;
- Server access restricted to authorised personnel;
- Uploaded files accessible only to the account owner.
11. Data breach notification
Under Articles 33 and 34 GDPR:
- In case of a personal data breach, the controller will notify the supervisory authority within 72 hours of becoming aware (Art. 33).
- If the breach is likely to result in a high risk to the rights and freedoms of individuals, affected users will be notified without undue delay (Art. 34).
- The notification will describe the nature of the breach, contact information, likely consequences and measures taken.
12. Children's data
The Service is intended for users 18 years and older. We do not knowingly collect personal data from persons under 18. If we become aware of such collection, the data will be deleted immediately.
13. Cookies
The Service uses strictly necessary cookies (session authentication and email verification status) and optional analytics cookies (Google Analytics, only after explicit consent). Full details are available in our Cookie Policy.
14. Third-party privacy policies
Privacy policies of our subprocessors:
- AssemblyAI: assemblyai.com/legal/privacy-policy
- Anthropic: anthropic.com/privacy
- Kie.ai: kie.ai/privacy
- Resend: resend.com/legal/privacy-policy
- Google: policies.google.com/privacy
15. Right to lodge a complaint
Under Article 13(2)(d) GDPR you have the right to lodge a complaint with a supervisory authority:
- Slovenia: Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec RS) — ip-rs.si
- Other EU residents: the data protection authority of your country of residence.
16. Changes to this Policy
We may update this Policy from time to time. The current version is always available on this page with the last updated date. We will notify users of material changes by email.
17. Contact
Mykhailo Koblychenko s.p.
Dimičeva ulica 9, 1000 Ljubljana, Slovenia
Tax number: SI40790215
Registration number (matična): 7522967000
Email: media4estate@gmail.com
Website: cut.inventa.solutions