Privacy Policy
Last updated: May 25, 2026
VideoBud (videobud.io), operated by Archieboy Holdings, LLC ("we"), respects your privacy. This policy explains what we collect, why, how long we keep it, and your rights. It supplements (does not replace) the Terms of Service.
1. What we collect
- Account data: email address, name, scrypt-hashed password (or OAuth provider linkage), access level, last-login timestamp, acquisition attribution (UTM parameters, referrer, landing page) captured on signup.
- Billing data: handled by Stripe. We store Stripe customer and subscription IDs and subscription state. We never see or store your card number, CVV, or full bank credentials.
- Project inputs: URLs you submit, video name, brief, target length, voice/music preferences, optional login URL + username hint for live demos.
- Captured content: screenshots of pages the agent walked, text excerpts from the visible DOM at each capture point, generated voiceover text, rendered MP3 audio per scene, and rendered MP4 videos in each requested format (16:9, 9:16, 1:1, 4:5).
- Hosted-video analytics: for videos you opt to host at public URLs, we record view counts per format, embed-vs-direct splits, and a salted SHA-256 hash of viewer IP for deduplication. We do not store raw viewer IP addresses.
- Operational logs: standard web access logs (nginx), application error logs, render-job progress and outcome. Retained for operational debugging; rotated regularly.
- Optional analytics: if Google Analytics 4, Facebook Pixel, Google Ads, or Microsoft UET tags are enabled, those vendors process your browsing under their own terms.
2. What we DON'T collect or store
- Third-party login credentials you provide for live demos are held in an in-memory vault for the duration of one discovery run, then atomically purged. They are not written to disk, not committed to the database, not logged, and not transmitted anywhere except into the headless browser session that uses them once. Tracebacks have any substring matching the username or password redacted before being recorded.
- Card details — Stripe iframes handle the form; no card data touches our servers.
- The content of your captured screens for AI training. Your screenshots, voiceovers, and rendered videos are never used to train AI models (ours or any third party's).
3. Live-demo captures — what they may contain
When you authorize VideoBud to log into a third-party application, the screenshots the agent captures will reflect whatever your account shows at the moment of capture. That may include:
- Personal data (names, emails, phone numbers) of your customers or end-users visible in lists, tables, or detail panes.
- Internal pricing, project names, customer counts, financial figures.
- Comments, messages, or notes visible in the UI.
You are responsible for what's visible during a walk. We recommend creating a sanitized demo account for live-demo videos you intend to publish. Our Terms of Service prohibit pointing the agent at applications containing PHI (HIPAA), payment card data, or other regulated information that would create compliance scope for us.
4. How long we keep things
| Data | Retention |
|---|---|
| Account record | Until you delete the account |
| Project inputs + captured screenshots | Until you delete the project (or 30 days after account deletion) |
| Rendered videos | Same as project; hosted public videos remain accessible while the slug is active |
| Stripe customer + subscription state | Per Stripe's retention; we delete our pointer on account deletion |
| Billing records (invoices) | 7 years (US tax reporting requirement) |
| OAuth refresh tokens (YouTube, etc.) | Until you disconnect or delete the account |
| Web access logs | 30 days, then aggregated |
| Error logs | 30 days |
| Hosted-video view records | 365 days for per-event detail, indefinite for aggregate counts |
5. Where the data lives
All servers are hosted on AWS in the us-east-1 region (Virginia, USA). Data is not replicated outside the US except in the form of operational backups (encrypted, stored in a separate AWS account). We use HTTPS (TLS 1.2+) for all in-transit data. Database and disk storage on the application server are encrypted via the underlying EBS volume.
Private project artifacts (raw screenshots, scene audio, draft and unhosted MP4s) sit behind an owner-only authentication gate; only the account that created a project can fetch its files. Public hosted videos are served through a separate slug-based route that can be revoked instantly.
6. Sub-processors
The third parties below process data on our behalf:
- AWS — server hosting, file storage, transactional email delivery via SES (US-East).
- Stripe — payment processing. Receives your name, email, and billing details that you enter into Stripe's form.
- Anthropic (Claude) — script generation, agent reasoning, voiceover rewrites. Receives project inputs (brief, URLs) and DOM text excerpts captured during walks. Does not receive your screenshots.
- Google Gemini Live — voiceover synthesis. Receives the text of voiceover lines.
- Cloudflare — Turnstile bot-protection on registration and login. Receives a token from your browser used only for the challenge.
- Google (OAuth, Ads, YouTube Data API) — sign-in, ad conversion tracking, YouTube uploads when you authorize them.
- Optional analytics — Google Analytics 4, Facebook Pixel, Microsoft UET if the corresponding env vars are configured.
7. Your rights
You can:
- Export your project list and rendered videos by downloading the MP4 files from each project page.
- Delete individual projects via the "Delete project" action; the on-disk files and database rows are removed immediately.
- Delete your account by emailing hello@videobud.io. Account deletion cascades to all projects, all rendered videos, and any stored OAuth tokens. Billing records are retained per US tax requirements but contain no project content.
- Request a copy of personal data we hold about you at the same email address; we respond within 30 days.
If you're an EU/UK or California resident, you have additional rights under GDPR / CCPA (access, rectification, erasure, restriction, portability, objection, no-discrimination for exercising rights). We honor those requests for any user regardless of residency.
8. Cookies & tracking
- Session cookie — required to keep you logged in. Cleared on logout.
- CSRF / state cookies — required for security on OAuth flows.
- Analytics cookies — optional, set only when GA4 / Pixel / UET tags are enabled.
You can opt out of GA4 / Facebook Pixel / Microsoft UET via the standard browser controls (DNT, ad-blockers, "Limit ad tracking" in browser settings). Opting out doesn't affect the service's functionality.
9. Security incidents
If we become aware of unauthorized access to personal data, we will notify affected account holders by email within 72 hours of discovery, with details of the incident scope and the steps we're taking.
10. Children
VideoBud is not directed at children under 13 (under 16 in EU/UK). We do not knowingly collect data from anyone under those ages. If you believe a child has created an account, email hello@videobud.io and we will delete it.
11. Changes
We may update this policy. Material changes will be announced via email to your account address at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
Contact
Privacy questions, data requests:
hello@videobud.io
Security disclosures:
security@videobud.io
Mailing address: Archieboy Holdings, LLC, #1006, 771 Boston Post Rd STE 11,
Marlborough, MA 01752 USA