Privacy Policy

Last updated: April 2026 · Effective: April 2026

Plain-language summary. We collect your email when you join the waitlist. We store it locally on our server. We use it only to contact you about FramSHOT. We use third-party AI providers (fal.ai, Google AI, Atlas Cloud) to generate content inside the studio — they process the prompts you send but don't get your account or billing data. We don't sell data. We don't run tracking cookies. You can see, correct, or delete your data any time by emailing contact@framshot.com. The detailed version is below.

Who we are (the data controller)
What personal data we collect
Why we collect it (legal basis)
How long we keep it
Where it's stored and who processes it
Third-party AI providers & subprocessors
International data transfers
Cookies & tracking technologies
Children's privacy
Automated decision-making & profiling
Security measures & breach notification
Your rights
EU / UK visitors (GDPR)
California residents (CCPA/CPRA)
AI-generated content disclosure
Changes to this policy
Contact us

1. Who we are (the data controller)

FramSHOT is built and operated by Jean F., an independent software developer based in Madagascar. For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws, Jean F. (trading as FramSHOT) is the data controller for personal data collected through this website, the FramSHOT Studio web application, and future FramSHOT Desktop software.

You can contact us for any privacy-related matter at contact@framshot.com. We are not large enough to be required to appoint a Data Protection Officer (DPO) under GDPR Article 37, but Jean F. handles all data protection matters personally and responds within 7 days.

2. What personal data we collect

We only collect what we need. Here's the full list by collection context:

When you join the early-access waitlist

Data	Required?	Source
Email address	Required	You provide it directly
Name	Optional	You provide it directly
Plan interest (Hobbyist / Pro / Studio / BYOK Creator / BYOK Team)	Optional	You select from a dropdown
Message describing your project	Optional	You provide it directly
Language preference	Auto-detected	Your browser's `Accept-Language` header
IP address	Auto-detected	Your HTTP connection metadata
Browser user-agent	Auto-detected	Your HTTP request headers
Referring page	Auto-detected	Your HTTP `Referer` header (if any)
UTM campaign tags	Auto-detected	URL query parameters (if any)
Marketing consent flag	Optional	You tick a checkbox

When you subscribe to the "notify me when we launch" email list

We collect your email address plus the same auto-detected metadata (IP, user-agent, referrer, language) as above.

When you use FramSHOT Studio (after onboarding)

Once you have an account, we additionally process the content you generate — character descriptions, location prompts, scene descriptions, project structure, and the resulting images/videos. This data is stored in your project folder and associated database records on our server (Hosted plan) or on your own machine (future BYOK/Desktop plan). We do not data-mine your project content. We do not train AI models on it. It is yours, it remains yours, and it leaves our systems when you delete your account.

Billing data (when you have a paid plan)

When paid plans launch, we'll use a PCI-compliant third-party payment processor (likely Stripe, Paddle, or Lemon Squeezy). We do not store full card numbers on our servers. We store: your email, subscription tier, last 4 digits of your card (for reference), billing country (for tax compliance), and transaction history. The payment processor's own privacy policy governs the card data itself — we'll update this section with the specific provider and their DPA link when we go live.

3. Why we collect it (legal basis under GDPR Article 6)

Purpose	Data used	Legal basis (GDPR Art 6)
Contact you when early access opens	Email, name, plan interest, message	Consent (Art 6(1)(a)) — you submit the form
Prevent abuse & spam signups	IP address, user-agent	Legitimate interest (Art 6(1)(f)) — protecting our service from fraud
Geographic understanding of our audience	IP (country-level only), language	Legitimate interest (Art 6(1)(f)) — understanding where our users are
Prioritize feature work	Project descriptions, plan interest	Legitimate interest (Art 6(1)(f)) — building the right product
Provide the FramSHOT Studio service	Account data, project content	Contract performance (Art 6(1)(b)) — delivering the service you pay for
Process payments	Email, billing info, transaction history	Contract performance (Art 6(1)(b))
Comply with tax & accounting law	Billing info, transaction history	Legal obligation (Art 6(1)(c))
Defend against legal claims	Any relevant data	Legitimate interest (Art 6(1)(f))

4. How long we keep it

We keep personal data only as long as needed for the purpose we collected it for. Specific retention periods:

Waitlist entries: until you ask us to delete them, or 24 months after your last interaction with us, whichever comes first. After that we delete automatically.
Newsletter subscribers: until you unsubscribe, or 24 months after your last email interaction.
Active subscriber account data: for the life of your subscription plus 30 days after cancellation (to let you export projects).
Financial records (invoices, payment history): 7 years after the transaction, as required by Malagasy and international tax law.
Server logs (IP addresses, user-agents): 90 days, then deleted.
Data retained for legal defense: if there's an active legal claim or dispute, data relevant to that claim may be kept until the claim is resolved, even past the normal retention periods above.

5. Where it's stored and who processes it

Waitlist data and project data is stored in a local SQLite database on a VPS (virtual private server) controlled directly by FramSHOT. The server is currently hosted with a commercial hosting provider — we'll disclose the specific provider here when we've picked a long-term hosting vendor. Access to the server is restricted to Jean F. personally via SSH key authentication.

We do not use third-party CRM platforms (HubSpot, Mailchimp, ActiveCampaign, etc.) to store your data. We do not sync waitlist entries to any marketing or sales automation tool.

6. Third-party AI providers & subprocessors

FramSHOT Studio uses third-party AI providers to generate content when you click "Generate" inside the app. These providers act as subprocessors under GDPR. Here is the complete, current list:

Subprocessor	Purpose	Data shared	Privacy policy
fal.ai, Inc. (United States)	Image generation (Nano Banana), image editing, wardrobe extraction, location sheets, character sheets	Your generation prompts and reference images. No account data, no email, no billing info.	fal.ai/privacy-policy
Google LLC (United States) via Google AI / Gemini API	Text generation (loglines, episode synopses, story audits, dialogue), vision analysis (wardrobe detection)	Your text prompts, sometimes with image inputs. No account data, no email, no billing info.	policies.google.com/privacy
Atlas Cloud (operator of Seedance 2.0)	Video generation from scenes	Your generation prompts and reference images. No account data, no email, no billing info.	atlascloud.ai

For BYOK users: if you bring your own API keys (FramSHOT Desktop, future BYOK plans), your generation requests go directly from your machine to the provider using your own account. FramSHOT servers never see your prompts or outputs in that flow. You should review each provider's privacy policy separately because you're their customer, not us.

We maintain a real-time list of subprocessors on this page. If we add, remove, or change a subprocessor, we'll update this list and notify active subscribers by email within 30 days of the change.

7. International data transfers

Because FramSHOT is operated from Madagascar and our subprocessors are based in the United States, personal data may be transferred from the European Economic Area, the United Kingdom, or other jurisdictions to the United States and Madagascar when you use our services.

For transfers to our U.S. subprocessors (fal.ai, Google, Atlas Cloud), we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated via the Data Processing Agreements (DPAs) we maintain with each provider. Where a provider participates in the EU–US Data Privacy Framework, we also rely on that adequacy decision.

For the FramSHOT server itself (hosted in a yet-to-be-finalized jurisdiction), we will ensure the hosting location either has an adequacy decision from the European Commission, or we use SCCs with the hosting provider.

You can request a copy of the safeguards in place by emailing contact@framshot.com.

8. Cookies & tracking technologies

We do not use tracking cookies on this website. We do not run Google Analytics, Facebook Pixel, Hotjar, or any similar third-party tracking script. We do not use advertising cookies. We do not use social media embeds that track visitors.

The FramSHOT Studio web application (at /app) uses a single essential session cookie to keep you logged in when authentication ships. That cookie is functional, not tracking, and does not require a consent banner under EU law.

Your browser's localStorage may be used to remember small UI preferences (last-opened project, sidebar state). This is stored on your device only — we never read it server-side.

9. Children's privacy

FramSHOT is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If you are under 16, please do not submit any information to us.

If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will delete that data immediately. If you are a parent or guardian and believe your child has provided us with personal data, please contact contact@framshot.com and we will delete it promptly.

Under California's CCPA (effective 2026), personal data of any individual under 16 is automatically classified as sensitive personal information and we treat it accordingly.

10. Automated decision-making & profiling

We do not subject you to any automated decision-making that produces legal effects or similarly significantly affects you as defined in GDPR Article 22. Specifically:

We do not use AI to automatically approve or reject waitlist entries — Jean F. reviews each manually.
We do not use AI to set your pricing individually.
We do not build behavioral profiles of you or sell them.
We do not use automated credit scoring or creditworthiness algorithms.

The AI you interact with inside the FramSHOT Studio (generating images, writing scene descriptions) is creative-output AI, not decision-making AI. It does not make decisions about you.

11. Security measures & breach notification

We take reasonable and proportionate security measures given our scale as a small indie developer:

Server access restricted to SSH key authentication (no passwords)
All traffic encrypted with TLS 1.2+ (HTTPS)
Passwords (when authentication ships) stored as bcrypt hashes with per-user salts — never in plain text
Database backed up daily, backups encrypted at rest
Regular security patching of operating system and runtime dependencies
Principle of least privilege: we only collect data we actually need

Breach notification. In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay, in line with GDPR Article 34.

12. Your rights

You have the following rights over your personal data. These rights apply to everyone globally, regardless of where you live. EU/UK visitors and California residents have additional rights described in the sections below.

Right of access — ask us what personal data we have about you.
Right to rectification — ask us to correct inaccurate data.
Right to erasure ("right to be forgotten") — ask us to delete all your data.
Right to restrict processing — ask us to stop using your data without deleting it.
Right to data portability — ask us to export your data in a machine-readable format (JSON).
Right to object — object to any processing based on legitimate interest.
Right to withdraw consent — where we rely on consent, you can withdraw it at any time with no effect on processing done before withdrawal.
Right to stop receiving marketing — you can unsubscribe from any promotional email at any time.

How to exercise your rights. Email contact@framshot.com from the email address you signed up with. We will respond within 7 calendar days for simple requests, and within a maximum of 30 days for complex ones (GDPR allows up to 30 days with a possible 60-day extension for complex cases — we aim for 7). We will not charge you for exercising these rights. We will not discriminate against you for exercising these rights.

To protect your privacy, we may ask you to confirm your identity before acting on a request — typically by asking you to reply from the email address on file.

13. EU / UK visitors (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have all the rights listed above plus the following GDPR-specific rights:

Right to lodge a complaint with a supervisory authority. If you believe we have mishandled your personal data, you can complain to your local Data Protection Authority. You can find yours here:
- EU member states: edpb.europa.eu/about-edpb/board/members_en
- United Kingdom: the Information Commissioner's Office (ICO) at ico.org.uk
- Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch
You do not lose your right to complain even if you have already contacted us. You can contact us first, the authority first, or both at the same time.

EU representative. We are not currently required to appoint an EU representative under GDPR Article 27 because our data processing is small-scale, non-regular, and does not involve special categories of data. If our operations grow to the point where Article 27 applies, we will appoint a representative and update this policy within 30 days.

14. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you specific rights over your personal information. This section applies to you even if you live outside California but are a California resident.

Categories of personal information we collect

In the past 12 months, we have collected the following categories of personal information as defined by Cal. Civ. Code § 1798.140:

Identifiers — email address, name (if you provide it), IP address
Commercial information — plan interest, project description you submit
Internet or other electronic network activity information — browser user-agent, referring page, UTM tags
Geolocation data — approximate (country-level) location derived from IP address

We do not collect: biometric information, precise geolocation (street-level or GPS), sensitive personal information (SSN, government ID, financial account, health info, genetic data, racial or ethnic origin, religion, union membership, communications content, sexual orientation, or immigration status).

Sources of personal information

All personal information we collect comes directly from you when you submit a form, or is automatically derived from your browser request. We do not buy personal information from data brokers. We do not scrape social media or other sources.

Business purposes for collection

Same as described in Section 3 of this policy (contact, abuse prevention, service delivery, billing, legal compliance).

Categories of third parties

Same as described in Section 6 (fal.ai, Google, Atlas Cloud — all acting as service providers under the CCPA).

Your California rights

Right to know what personal information we have about you, where it came from, why we collect it, and who we share it with.
Right to delete personal information we have collected from you.
Right to correct inaccurate personal information.
Right to opt-out of the sale or sharing of personal information — but note: we do not sell or share personal information for cross-context behavioral advertising purposes. There is nothing to opt out of because we don't do it in the first place. We have not sold or shared personal information in the past 12 months, and we have no plans to.
Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CCPA, so this right does not practically apply.
Right to non-discrimination — we will not charge you more, give you worse service, or deny you service for exercising your CCPA rights.

How to exercise California rights. Email contact@framshot.com. We will verify your identity (typically by asking you to confirm the email address on file) and respond within 45 days. If you have an authorized agent, we can require written proof of authorization.

"Shine the Light" (Cal. Civ. Code § 1798.83). California residents may request information about our disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes, so there is nothing to disclose.

15. AI-generated content disclosure

Important under the EU AI Act (applicable August 2026). FramSHOT Studio is a generative AI system that produces synthetic images, video, and text. Article 50 of the EU AI Act requires that outputs of generative AI be marked as machine-readable AI-generated content. Our AI provider subprocessors implement this marking at the model level. When you use FramSHOT Studio to generate content, you should assume the outputs are detectable as AI-generated by content-authentication tools (C2PA, SynthID, etc.).

Your obligations as a deployer under Article 50(4). If you use FramSHOT-generated content to produce a deepfake of a real person, or to produce text published on matters of public interest, you are legally required to disclose that the content is AI-generated at the moment your audience encounters it. That obligation falls on you as the deployer, not on FramSHOT as the tool provider. Please comply with it.

We do not generate content on your behalf unsolicited. Everything FramSHOT creates is the result of prompts you supply. We are not liable for content you choose to generate using the tool — see our Terms of Service, Sections 3, 10, and 12 for details.

16. Changes to this policy

If we change this policy in a way that reduces your rights or materially changes how we use your data, we will:

Update the "Last updated" date at the top of this page
Notify everyone on our waitlist and all active subscribers by email at least 30 days before the changes take effect
For significant changes, display a notice on the FramSHOT homepage for at least 30 days

For trivial changes (typo fixes, clarifications, new subprocessor additions), we will update the page but may not send a notification. The "Last updated" date always reflects the most recent modification.

17. Contact us

For any question, concern, complaint, or rights request related to this privacy policy, contact:

Jean F. · FramSHOT
Email: contact@framshot.com
Based in: Madagascar

We respond within 7 days for standard inquiries.

Back to FramSHOT · Terms of Service · Pricing · Contact