1. Who We Are

MillionShorts ("Company", "we", "us") operates the platform at millionshorts.com. For the purposes of GDPR, MillionShorts is the data controller for the personal data described in this policy.

Contact: privacy@millionshorts.com

2. Data We Collect

2.1 Account Data

• Email address — required to create and manage your account
• Password — stored as a bcrypt hash; we never see your plaintext password
• Billing information — processed by our payment provider (Stripe); we do not store full card numbers

2.2 Channel Configuration Data

• Channel name, niche description, content pillars, voice style preferences
• OAuth tokens for YouTube and TikTok (encrypted at rest)

2.3 Usage Data

• Videos generated and published (count, timestamps, metadata)
• Platform activity logs for debugging and abuse prevention
• IP address and browser User-Agent (anonymized after 30 days)

2.4 Data We Do NOT Collect

• We do not collect viewing data or analytics from your YouTube/TikTok channels
• We do not store raw video files after successful publishing (videos are generated on-demand and not retained)
• We do not sell, rent, or trade your personal data to third parties

3. Legal Bases for Processing (GDPR)

Purpose	Legal Basis
Providing the Service (account, video generation, publishing)	Contract performance (Art. 6(1)(b))
Billing and payment processing	Contract performance (Art. 6(1)(b))
Security, fraud prevention, abuse detection	Legitimate interests (Art. 6(1)(f))
Transactional emails (invoices, account alerts)	Contract performance (Art. 6(1)(b))
Product newsletters and feature updates	Consent (Art. 6(1)(a)) — opt-in only
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))

4. How We Use Your Data

• To create and manage your account
• To generate and publish videos to your connected social media accounts
• To process payments and send billing receipts
• To send transactional emails related to your account (password resets, subscription alerts)
• To monitor for abuse, fraud, and terms violations
• To improve the Service (using aggregated, anonymized usage data)
• To send product updates and news, if you have opted in

5. Third-Party Services

We use the following third-party processors to operate the Service. Each is bound by a Data Processing Agreement:

Service	Purpose	Privacy Policy
Stripe	Payment processing	stripe.com/privacy
OpenAI	Script generation	openai.com/privacy
ElevenLabs	AI voiceover	elevenlabs.io/privacy
Pexels	Stock footage	pexels.com/privacy-policy
Google (YouTube API)	Video publishing	policies.google.com/privacy
TikTok API	Video publishing	tiktok.com/legal/privacy-policy

We transmit the minimum data necessary to each provider to perform the service (e.g., script text to OpenAI, audio to ElevenLabs). We do not share your personal account information with these providers beyond what is technically required.

6. Data Retention

• Active accounts: Data is retained for as long as your account is active.
• Cancelled accounts: Account data is deleted within 90 days of cancellation, except where required by law (e.g., billing records are retained for 7 years per EU tax regulations).
• Generated video files: Not retained after successful publishing (deleted from our servers within 24 hours of generation).
• OAuth tokens: Deleted immediately upon revoking the integration or deleting your account.

7. Your Rights (GDPR)

If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate personal data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Right to restriction: Request that we limit processing of your data in certain circumstances.
• Right to data portability: Request your data in a machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw marketing consent at any time via the unsubscribe link in emails or account settings.

To exercise any of these rights, contact us at privacy@millionshorts.com. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).

8. Cookies

We use only strictly necessary cookies to operate the Service (session authentication). We do not use advertising or tracking cookies. No cookie consent banner is required as we do not deploy non-essential cookies.

9. Data Security

We implement industry-standard security measures including:

• TLS/HTTPS encryption for all data in transit
• AES-256 encryption for OAuth tokens and sensitive credentials at rest
• Bcrypt password hashing
• Access controls and principle of least privilege for internal systems
• Regular security reviews

No method of transmission or storage is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR.

10. International Transfers

Some of our third-party processors are located outside the EU/EEA (e.g., OpenAI, ElevenLabs in the United States). These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an equivalent level of data protection.

11. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@millionshorts.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. For material changes, we will notify you by email. Continued use of the Service after the effective date constitutes acceptance.

13. Contact Us