Privacy Policy
Last Updated: April 5, 2026
1. Introduction and Data Controller
Re-create.ai ("we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect when you use our AI-powered YouTube content creation platform (the "Service"), how we use it, who we share it with, and what rights you have.
This policy complies with the EU General Data Protection Regulation (GDPR / DSGVO), the German Digitale-Dienste-Gesetz (DDG), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
Data Controller (Verantwortlicher):
[YOUR FULL NAME]
[YOUR STREET AND HOUSE NUMBER]
[YOUR POSTAL CODE AND CITY], Germany
Email: getrecreateai@gmail.com
For the full legally required contact details, see our Impressum.
2. What Data We Collect
2.1 Account Data
When you sign in via Google OAuth, we receive from Google and store in your profile: your full name, email address, and profile photo URL. We use this to create and manage your account.
2.2 Profile & Preferences Data
You can optionally provide additional profile information to personalize AI-generated content:
- YouTube channel URL, Instagram, X (Twitter), TikTok, and website URLs
- Content niche and business goals
- Tone preferences and example texts (for AI training on your style)
- Brand colors for AI thumbnail generation
- Timezone and onboarding preferences
This data is entirely voluntary and can be deleted at any time.
2.3 Content Data
When you use the core features of Re-create.ai, we store the following content you create or import:
- YouTube video URLs you save to the platform
- Video metadata fetched from YouTube (title, description, view count, thumbnails)
- Video transcripts automatically fetched from YouTube's public API
- AI-generated content (titles, hooks, descriptions, scripts, ICP analyses)
- Thumbnail images you upload as face references, and AI-generated thumbnails
- Diagrams and mind maps created using AI
- Chat conversation history with the AI assistant
- Content calendar entries and scheduling notes
- Inspiration library images and labels
- Community posts, comments, and poll votes
2.4 Payment Data
Payment processing is handled entirely by Stripe. We store in our database only: your Stripe customer ID and your current subscription plan. We do not store credit card numbers, CVV codes, bank account details, or any raw payment instrument data.
2.5 Usage & Technical Data
We automatically collect the following operational data to run and improve the Service:
- IP address and approximate geographic location (country/city level)
- Browser type, operating system, and device type
- Pages and features accessed within the app
- Credit consumption logs (which features you used, token usage, costs)
- Error logs and application crash reports
- Timestamps of actions
2.6 Optional Integrations
- OpenAI API Key (BYOK): If you choose to connect your own OpenAI API key, we store it encrypted in our database. This is entirely optional.
- Telegram Integration: If you link your Telegram account, we store your Telegram chat ID to enable notifications.
3. Legal Basis for Processing (GDPR Article 6)
| Legal Basis | Data Covered |
|---|---|
| Art. 6(1)(b) — Contract Performance | Account data, content data, payment data, and all data necessary to deliver the Service you subscribed to. |
| Art. 6(1)(f) — Legitimate Interests | Technical/usage data for security monitoring, fraud prevention, abuse detection, and service improvement. Our legitimate interests do not override your rights. |
| Art. 6(1)(c) — Legal Obligation | Payment records and invoices stored for statutory retention under German commercial law (§ 257 HGB) and tax law (§ 147 AO) — 10 years. |
| Art. 6(1)(a) — Consent | Marketing communications (if applicable). You may withdraw consent at any time. |
4. How We Use Your Data
We use your data exclusively to:
- Create and manage your account and authenticate you
- Provide AI content generation features (text, thumbnails, diagrams)
- Process your subscription payments and manage billing
- Send transactional emails (purchase confirmations, renewal notices, cancellation confirmations)
- Display your public community profile, posts, and leaderboard points
- Provide customer support and respond to feedback
- Detect and prevent fraud, abuse, and security threats
- Monitor and improve the reliability and performance of the Service
- Comply with legal obligations
We do NOT:
- Sell your personal data to third parties
- Use your data for advertising or marketing to third parties
- Use your content to train our own AI models
- Share your data with parties other than those listed in Section 5
5. Third-Party Data Processors
We share your data with the following service providers under Data Processing Agreements (DPAs) to operate the Service. All are bound by GDPR-compliant terms.
| Processor | Purpose | Location | DPA / Privacy |
|---|---|---|---|
| Supabase, Inc. | Database storage, user authentication, and session management | USA (AWS infrastructure; EU region available) | supabase.com/privacy |
| Stripe, Inc. | Payment processing, subscription billing, customer portal | USA | stripe.com/legal/dpa |
| OpenAI, LLC | AI text generation (content, scripts, chat assistant) | USA | openai.com/policies/dpa |
| Replicate, Inc. | AI image generation (thumbnail creation) | USA | replicate.com/privacy |
| Resend (WorkOS, Inc.) | Transactional email delivery | USA | resend.com/legal/dpa |
| Vercel, Inc. | Web hosting, server infrastructure, and CDN | USA (EU edge regions) | vercel.com/legal/dpa |
5.1 What Data Is Sent to AI Providers
OpenAI: When you use AI generation features, we send to OpenAI: excerpts of the YouTube video transcript, video metadata, and your knowledge base preferences (niche, goals, tone). We include a pseudonymous user identifier for abuse monitoring only. We do not send your email address, real name, or payment details. OpenAI does not use API inputs to train their models (effective May 2023 per OpenAI's API usage policy and DPA).
Replicate: When you generate AI thumbnails, we send to Replicate: your face reference image (if provided), brand colors, and text prompts. Images are processed transiently for the immediate generation request and are not persistently stored by Replicate beyond their standard retention window.
6. International Data Transfers
All third-party processors listed above are based in the United States. Transfers of personal data from the EEA/EU to the United States are protected by the following safeguards:
- EU-US Data Privacy Framework (DPF): Where the processor is self-certified under the DPF (e.g. Stripe, Vercel, OpenAI).
- Standard Contractual Clauses (SCCs): Pursuant to the European Commission Decision 2021/914 for all processors.
You may request a copy of the applicable SCCs by contacting us at getrecreateai@gmail.com.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & profile data | Until account deletion, then purged within 30 days |
| Content data (YouTube links, AI-generated content, chat history) | Until you delete it or delete your account, then within 30 days |
| Payment records & invoices | 10 years (§ 257 HGB, § 147 AO — German commercial and tax law) |
| Stripe subscription data | 7 years after subscription end (legal requirement) |
| Server access logs | 90 days (legitimate interest for security monitoring) |
| Database backups | Up to 30 days after the original data is deleted |
After account deletion, your data is removed from active databases within 30 days and from backup systems within a further 30 days, except where retention is required by law (e.g. payment records).
8. Your Rights Under GDPR
As a data subject, you have the following rights. To exercise any right, contact us at getrecreateai@gmail.com. We will respond within 30 days (extendable to 3 months for complex requests).
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a full copy of all personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten"). You can also delete your account directly in Profile → Settings. |
| Restriction (Art. 18) | Request that we temporarily stop processing your data. |
| Portability (Art. 20) | Request your data in a structured, machine-readable format (JSON/CSV). |
| Object (Art. 21) | Object to processing based on legitimate interests (Art. 6(1)(f)). |
| Withdraw Consent (Art. 7(3)) | Withdraw consent at any time where processing is consent-based. This does not affect prior lawful processing. |
CCPA Rights (California Residents)
Under the California Consumer Privacy Act (CCPA), California residents have the right to: know what personal information is collected, request deletion, opt out of the sale of personal information (we do not sell personal information), and non-discrimination for exercising these rights. Contact us at getrecreateai@gmail.com.
9. Cookies and Local Storage
We use a minimal set of cookies and browser storage. For full details, see our Cookie Policy.
| Type | Technology | Purpose |
|---|---|---|
| Strictly Necessary | Session cookies (Supabase Auth) | Required to keep you authenticated. Cannot be disabled. |
| Functional | localStorage (theme) | Stores your light/dark theme preference. No personal data. |
| Marketing / Analytics | None | We do not use tracking, analytics, or advertising cookies. |
10. EU AI Act — Transparency Notice (Article 50)
In compliance with Article 50 of the EU AI Act (applicable from August 2026), we inform you that:
- All content generation features in Re-create.ai are powered by artificial intelligence (AI systems from OpenAI and Replicate).
- AI-generated content is clearly presented as AI-generated within the application interface.
- Re-create.ai is a tool that assists your creative workflow. You remain fully responsible for reviewing, editing, and deciding what content to publish.
- We do not use AI for automated decision-making that produces significant legal or similar effects on you as a person (Art. 22 GDPR).
11. Children's Privacy
Re-create.ai is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us immediately at getrecreateai@gmail.com and we will delete such data promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by email and/or in-app notification at least 30 days before the new policy takes effect. The "Last Updated" date at the top of this page reflects the most recent revision.
13. Contact & Supervisory Authority
Contact for Data Protection
For any data protection questions, requests, or complaints, contact us at:
Email: getrecreateai@gmail.com
We aim to respond within 5 business days.
Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection supervisory authority. For Germany, this is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Husarenstraße 30, 53117 Bonn, Germany
EU residents may also contact the supervisory authority in their member state of residence.