CompMeIn Privacy Policy
Version 2 · Effective 2026-04-11
This Privacy Policy explains how CompMeIn Inc. ("CompMeIn", "we", "us") collects, uses, stores, and shares information when you use compmein.com and related services (the "Service"). We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.
1. Information We Collect
- Account & contact: email address and basic account identifiers collected at sign-up.
- Usage & diagnostics: timestamps, feature usage, error reports, and IP address (for abuse prevention and rate limiting).
- User-submitted content: text, images, and video you upload or generate. This content is transmitted to third-party AI providers to fulfil your request (see §3).
- Biometric data (faces in uploaded photos): when you upload a reference photo containing a recognizable human face for image generation, that image is processed as biometric data under laws including the Illinois Biometric Information Privacy Act (BIPA). Face data is used only for the single generation request and is not stored separately, not used to build facial-recognition databases, and not used to train any model.
- Payments: payment processing is handled entirely by Stripe. We receive only limited billing metadata (status, plan, last-4 of card) and never store full card numbers or CVV.
2. How We Use Information
- Provide and operate the Service (generation, storage, delivery, support)
- Security, fraud prevention, abuse detection, and policy enforcement
- Billing, receipts, tax reporting, and account administration
- Sending transactional notifications (login links, billing receipts, moderation notices). We do not send unsolicited marketing emails.
- Complying with legal obligations (tax, anti-money-laundering, law-enforcement requests)
3. Sharing with Service Providers & AI Processors
We share information with trusted service providers that help operate CompMeIn. We do not sell your personal information to third parties.
Infrastructure subprocessors:
- Google Cloud Platform — object storage (Google Cloud Storage, us-central1, United States), AES-256 encryption at rest, TLS 1.3 in transit
- Supabase (Pro tier) — Postgres database and authentication
- Vercel — web hosting and edge functions
- Cloudflare — DNS, CDN, DDoS protection
- Stripe — payment processing
- Resend — transactional email delivery
AI generation providers:
Your submitted text, images, or videos are transmitted to one or more of the following AI providers to fulfil your generation requests:
- Google Cloud Vertex AI (Gemini, Imagen, Veo) — enterprise-tier endpoint, processed in a Google Cloud isolated environment; not used to train or improve any foundation model per the Vertex AI Data Processing Addendum
- Anthropic (Claude API) — governed by Anthropic Commercial Terms of Service (applicable to all API access); inputs and outputs are not used to train Anthropic's models; logs retained by Anthropic for up to 30 days for trust & safety
- OpenAI (GPT API) — governed by OpenAI Business Terms; API inputs and outputs are not used to train OpenAI's models (OpenAI policy since March 2023)
- xAI (Grok API) — business API tier; inputs and outputs are not used to train xAI's models per xAI Enterprise Terms of Service; User Content deleted within 30 days unless flagged for safety, compliance, or moderation
- Kling (LOHAS GAMES PTE LTD., Singapore) — paid API tier, used for video generation only; not used for training per Kling API Terms §5.1; data stored in Singapore; logs retained 30 days; parent company is Kuaishou Technology
- Runway (Runway AI, Inc., United States) — optional video generation provider. Unlike our other AI providers, Runway Terms of Use §4.4 grants Runway a perpetual, irrevocable license to use your inputs (uploaded images and videos) and outputs (generated videos) to train and improve Runway's AI models. There is no opt-out on standard API access. Runway-powered features are disabled by default; when you first select a Runway model in the Video Creation Hub, you will be shown a separate consent prompt and may decline and use an alternative provider instead (Google Veo, Kling, or xAI Grok).
- DeepSeek (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.) — optional text model for Novel Writer. Unlike our other providers, DeepSeek does not contractually guarantee no-training, and your text may be used for service improvement at their discretion. Data is processed on servers located in the People's Republic of China and DeepSeek is subject to PRC law, including the Data Security Law and Personal Information Protection Law. DeepSeek is disabled by default; you will be shown a separate consent prompt the first time you select it.
4. International Data Transfers
Because CompMeIn uses globally distributed service providers, your personal information and user-submitted content will be transferred across international borders for processing. Current processing locations include:
- United States — Google Cloud (us-central1), Vercel, Stripe, Anthropic, OpenAI, xAI, Runway (opt-in only), Cloudflare, Resend
- Singapore — Kling video generation (LOHAS GAMES PTE LTD.)
- People's Republic of China — DeepSeek (only if you explicitly opt in)
By using the Service you consent to these cross-border transfers, in accordance with PIPEDA.
5. Data Security & Breach Notification
- Data at rest is encrypted with AES-256 (Google Cloud Storage, Supabase Postgres)
- Data in transit uses TLS 1.3
- Our infrastructure inherits Google Cloud Platform's SOC 2 Type II and ISO 27001 certifications
- Service role credentials and API keys are stored as encrypted environment variables
- Row-Level Security (RLS) is enforced on all user-scoped database tables
In the event of a data breach that creates a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada as required by PIPEDA (within 72 hours where feasible).
6. Data Retention
- Active content: retained while your account is active
- Deleted content: removed from active storage within 7 days
- Backups: deleted content may persist in encrypted backups for up to 90 days
- Usage / diagnostic logs: retained up to 90 days (actual retention may be shorter based on hosting-provider defaults)
- Billing & tax records: retained for 7 years as required by Canadian tax law
- Moderation & violation records: retained as long as required by law or for legitimate safety purposes
7. Your Rights (PIPEDA)
Under PIPEDA and applicable Canadian privacy law, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Request deletion of your account and personal information
- Withdraw consent for optional processing (e.g. DeepSeek)
- File a complaint with the Office of the Privacy Commissioner of Canada
To exercise any of these rights, email privacy@compmein.com. We will respond within 30 days.
8. Children
The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we learn that a minor has provided us information, we will delete it and terminate the account.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will increment the version number and notify active users. Continued use of the Service after an update constitutes acceptance of the revised policy.
10. Contact
Privacy requests and questions: privacy@compmein.com
Abuse and takedown notices: abuse@compmein.com
General support: contact@compmein.com