1. Data Controller & Introduction

This Privacy Policy explains how Crabcut AI ("Crabcut," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use our platform, websites (including crabcut.ai), APIs, and related services (collectively, the "Services").

The data controller responsible for your personal data is:

Crabcut AI
Registered with the Dutch Chamber of Commerce (KVK): 98839586
VAT (BTW): NL005356958B40
The Netherlands
Email: info@crabcut.ai

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

2. What Personal Data We Collect

2.1 Data You Provide Directly

Account Information: Name, email address, and authentication data (e.g., Google account identifier or magic link tokens)
User Content: Videos, images, audio files, and any other media you upload for processing
Brand Settings: Logos, custom caption styles, music, and branding templates you configure
Feedback: Ratings, comments, and feature requests you submit
Communications: Messages sent to our support team

2.2 Data Collected Automatically

Device & Browser Data: IP address, browser type, operating system, device identifier, and screen resolution
Usage Data: Pages visited, features used, click patterns, session duration, and referring URLs
Geolocation: Approximate location derived from your IP address at registration (country level)
Cookies & Similar Technologies: See Section 8 below

2.3 Data from Third-Party Integrations

Google Sign-In: Name, email address, and profile picture (if you choose to sign in with Google)
YouTube: Channel name, channel ID, and OAuth access/refresh tokens (when you connect your YouTube account for publishing)
TikTok: Username, user ID, and OAuth access/refresh tokens (when you connect your TikTok account for publishing)
Stripe: Payment status, subscription details, and customer ID (Stripe handles your payment card information directly — we never store your full card number)

2.4 AI-Generated Data

Transcripts: Word-level and segment-level transcriptions generated from your audio
Clip Metadata: Titles, descriptions, hook text, virality scores, and tags generated by AI models
Subtitles & Captions: Timed subtitle data generated for your clips

3. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

Processing Activity	Legal Basis
Providing the Services (video processing, AI analysis, rendering, publishing)	Performance of contract (Art. 6(1)(b))
Account creation and management	Performance of contract (Art. 6(1)(b))
Payment processing and billing	Performance of contract (Art. 6(1)(b))
Sending transactional emails (e.g., "clips ready" notifications)	Performance of contract (Art. 6(1)(b))
Analytics and service improvement	Legitimate interest (Art. 6(1)(f))
Fraud prevention and security	Legitimate interest (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))

4. How We Use Your Personal Data

We use your personal data for the following purposes:

Service Delivery: Processing your videos, generating transcripts, detecting highlights, rendering clips, and publishing to connected platforms
Account Management: Creating and maintaining your account, managing subscriptions and credits
Payment Processing: Processing transactions and managing billing through Stripe
Communications: Sending transactional emails (e.g., account verification, clips-ready notifications) and, with your consent, marketing communications
Service Improvement: Analyzing aggregate, anonymized usage patterns to improve platform performance and features
Security: Detecting and preventing fraud, abuse, and unauthorized access
Legal Compliance: Fulfilling legal obligations, responding to lawful requests, and protecting our rights

Important: We do not use your User Content (videos, audio, transcripts, or clips) to train AI or machine learning models. Your content is processed exclusively to deliver the Services to you.

5. AI Processing & Third-Party AI Providers

Our Services use artificial intelligence to process your content. This section details what data is sent to AI providers and how it is handled.

5.1 Deepgram (Speech-to-Text)

Data sent: Audio extracted from your uploaded videos
Purpose: Generating word-level transcriptions with speaker identification and timing data
Data retention by Deepgram: Processed via their API under their data processing terms; audio is not retained after processing
More info: Deepgram Privacy Policy

5.2 OpenAI (Language Models)

Data sent: Text transcripts and video metadata (titles, descriptions) — we do not send raw video or audio to OpenAI
Purpose: Highlight detection (identifying the most engaging segments), generating hook text, and suggesting SEO metadata for clips
Data retention by OpenAI: We use OpenAI's API services, which do not use customer API data for training models. Data is retained for up to 30 days for abuse monitoring per their API data usage policy, then deleted
More info: OpenAI Privacy Policy

5.3 Automated Decision-Making

Our AI systems automatically select which segments of your video to highlight as clips, assign virality scores, and generate captions. These are automated processes that produce suggestions for your review. You retain full control to edit, modify, delete, or override any AI-generated selection or output before exporting or publishing. No automated decisions with legal or similarly significant effects are made about you as an individual.

6. Third-Party Service Providers (Sub-Processors)

We share personal data with the following categories of service providers, who process data on our behalf under appropriate data processing agreements:

Provider	Purpose	Data Shared
Deepgram	Audio transcription	Audio data
OpenAI	AI text analysis and generation	Transcripts, video metadata
Stripe	Payment processing	Payment details, email, billing info
Cloudflare (R2)	Object storage and CDN	Uploaded videos, rendered clips, assets
Microsoft Azure	Queue processing and compute	Processing job metadata
MailerSend	Transactional email	Email address, notification content
Google Analytics	Website analytics	Usage data, anonymized IP
Pexels	Stock media search	Search queries

We also share data with YouTube and TikTok when you choose to connect your accounts and publish content through the Services. This sharing is initiated by you and governed by each platform's own privacy policy.

7. International Data Transfers

Crabcut is based in The Netherlands (EU/EEA). Some of our service providers are located outside the EEA, including in the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

EU-U.S. Data Privacy Framework: Where applicable, we rely on providers that participate in the EU-U.S. Data Privacy Framework
Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with providers where the Data Privacy Framework does not apply
Adequacy Decisions: Where the European Commission has determined that a country provides adequate data protection

You may request a copy of the relevant transfer safeguards by contacting us at info@crabcut.ai.

8. Cookies & Tracking Technologies

We use cookies and similar technologies on our Services. These fall into the following categories:

8.1 Essential Cookies

Required for the Services to function (e.g., authentication session cookies, CSRF protection). These cannot be disabled as they are necessary for core functionality.

8.2 Analytics Cookies

Used to understand how visitors interact with our website (e.g., Google Analytics). These collect anonymized usage data and are only set with your consent.

8.3 Preference Cookies

Remember your settings and preferences (e.g., language, cookie consent choice) to improve your experience.

You can manage your cookie preferences through the cookie consent banner displayed on your first visit, or through your browser settings. Note that disabling essential cookies may affect the functionality of the Services.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Data Type	Retention Period
Account data	Duration of your account, plus 30 days after deletion request
User Content (videos, clips, transcripts)	Duration of your account; deleted within 30 days of account deletion
Backup copies	Up to 90 days after deletion from active systems
Payment and billing records	7 years (legal/tax obligation)
OAuth tokens (YouTube, TikTok)	Until you disconnect the account or delete your Crabcut account
Server logs and analytics	Up to 12 months
Deleted account email hashes	Retained indefinitely to prevent re-registration abuse

10. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

Right of Access (Art. 15): Request a copy of the personal data we hold about you
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
Right to Restriction (Art. 18): Request that we limit the processing of your data
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests, including for direct marketing
Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
Right Related to Automated Decision-Making (Art. 22): The right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects — see Section 5.3 for how this applies to our AI features

To exercise any of these rights, contact us at info@crabcut.ai. We will respond within 30 days. We may ask you to verify your identity before processing your request.

You also have the right to lodge a complaint with your local data protection authority. In The Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

Right to Know: You may request the categories and specific pieces of personal information we have collected about you
Right to Delete: You may request deletion of your personal information, subject to certain exceptions
Right to Opt-Out of Sale: We do not sell your personal information to third parties
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at info@crabcut.ai.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption of data in transit (TLS/HTTPS) and at rest
Secure authentication mechanisms (hashed credentials, OAuth 2.0)
API keys stored in hashed form
Access controls limiting employee access to personal data on a need-to-know basis
Regular security assessments of our infrastructure and services

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
Document all breaches and remedial actions taken

14. Children's Privacy

The Services are not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If we learn that we have collected personal data from a child under 16 without proper consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at info@crabcut.ai.

15. Account Deletion

You may delete your account at any time through your account settings in the application. When you delete your account:

Your profile information, projects, clips, transcripts, and brand templates are removed from active systems within 30 days
Your uploaded videos and rendered clips are deleted from object storage
Connected social media accounts (YouTube, TikTok) are disconnected and OAuth tokens are deleted
A hash of your email address is retained to prevent abuse (this hash cannot be reversed to recover your email)
Backup copies may persist for up to 90 days
Billing records are retained as required by Dutch tax law (up to 7 years)
Content already published to third-party platforms (YouTube, TikTok) is not affected — you must remove it directly on those platforms

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or by posting a prominent notice on the Services at least 30 days before the changes take effect. We encourage you to review this policy periodically.

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about our data practices, please contact us:

Crabcut AI
Data Protection Contact
KVK: 98839586
BTW: NL005356958B40
The Netherlands
Email: info@crabcut.ai

You may also lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl

Last updated: April 8, 2026