Introduction

Exportlab ('we', 'us', or 'our') is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use our Service. It applies to all users worldwide, including account holders and collaborators who interact with shared videos or galleries.

By using Exportlab, you agree to the practices described here. If you do not agree, please do not use the Service. We may update this Policy periodically; the date above reflects the latest revision.

Controller Information: Exportlab (Munich, Germany) acts as the data controller for information we collect directly. When customers upload personal data about others, the customer may be the controller and Exportlab acts as a data processor under their instructions.

1. Information We Collect

We collect several types of information to provide and improve the Service:

• Account Registration Information: Name, email address, username or tenant identifier, onboarding preferences (such as theme or referral details), and any profile or company information you supply.
• Authentication Data: Information from third-party identity providers (for example Google or Apple) when you choose those login methods, along with tokens stored in your browser to keep you signed in.
• Profile and Settings: Optional details like profile photos, organization names, branding assets, or integration IDs (e.g., Google Analytics tracking codes).
• Content and Uploads: Media files you upload (videos, images, etc.) plus related metadata such as titles, descriptions, tags, categories, client details, review data, comments, annotations, and automatically generated metadata (thumbnails, technical specs, AI-powered analysis).
• Usage Data: Log and device data (IP address, device, OS, browser, timestamps, pages visited, actions taken) and cookies or similar technologies for authentication and session management. Third-party cookies only appear if you enable integrations like Google Analytics for your own galleries.
• Support and Communication Data: Messages, attachments, or forms you submit for support, along with our correspondence.
• Payment Information: Billing name, billing address when needed, and payment method details handled securely by Stripe. We only receive limited references such as the last four digits of your card and your Stripe customer ID.
• Third-Party Data: Information received from others, such as invitations sent by existing customers, identity providers you authorize, or integrated services where you permit data sharing.

We do not intentionally collect special categories of personal data unless you or your users upload it as part of your content. Please avoid uploading sensitive information unless strictly necessary and lawful.

2. How We Use Your Information

We use collected information to:

Provide and maintain the Service, including processing media uploads (transcoding, thumbnails, automated tagging, AI-driven analysis), enabling collaboration, and operating core features.

Facilitate sharing by sending invitations or notifications to collaborators and displaying relevant information within shared workspaces.

Manage accounts, personalize experiences (e.g., theme preferences), and communicate regarding onboarding, billing, and product updates.

Process payments and subscriptions via Stripe, send invoices or renewal notices, and manage upgrades or downgrades.

Deliver support, respond to inquiries, and send optional product communications (you may opt out of non-essential messages).

Analyze usage trends, improve performance, troubleshoot issues, and develop new features using aggregated or de-identified data where possible.

Protect the Service through security monitoring, fraud prevention, and compliance with legal obligations.

Comply with applicable laws and respond to lawful requests. If we rely on consent for specific processing (such as marketing emails or optional integrations), you may withdraw consent at any time.

We base processing on contract performance (providing the Service), legitimate interests (improving and securing Exportlab), legal obligations, and consent where required.

3. How We Share or Disclose Information

We do not sell or rent personal data. We share information only in the circumstances below, and only with parties that protect it appropriately:

• Service Providers: Trusted processors that operate portions of the Service on our behalf, including Amazon Web Services (AWS) for infrastructure in the eu-central-1 (Frankfurt) region, Stripe for secure payment processing, OpenAI for optional AI-powered features (with minimized, task-specific content), communication tools such as AWS SES for email delivery, and optional analytics integrations like Google Analytics when you enable gallery tracking.
• Within a Tenant: Authorized members of the same organization (tenant) may access shared projects, content, and associated client data to support collaboration.
• Business Transfers: Information may be disclosed in connection with mergers, acquisitions, financing, bankruptcy, or other corporate transactions, subject to applicable law.
• Legal Requirements and Safety: We may disclose information to comply with legal obligations, enforce our Terms, investigate potential violations, prevent fraud or security incidents, or protect the rights, property, or safety of Exportlab, our users, or the public.
• With Your Consent: We will share data outside of the purposes above only when you instruct or consent, such as featuring a testimonial.

Third parties may process data outside the EU. When required, we implement safeguards such as Standard Contractual Clauses or ensure participation in recognized transfer frameworks.

4. International Data Transfers

Exportlab is based in the European Union, and we strive to keep storage within EU regions. However, cloud operations and support activities may involve access from other countries. Some service providers (for example Stripe, OpenAI, or Google) may process data in the United States or other jurisdictions.

When data leaves the EU or another region with data transfer rules, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful mechanisms, and we monitor legal developments to remain compliant. By using the Service, you understand that your data may be transferred internationally with these protections in place.

5. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy or to comply with legal requirements:

• Account Data: Retained while your account is active. Limited records may be kept after deletion for legitimate business or legal reasons.
• Uploaded Content: Stored until you delete the content or your account. Deleted content is removed from active systems and later purged from backups.
• Inactive Accounts: We may contact you about prolonged inactivity and, after warning, deactivate or delete dormant accounts.
• Support Communications: Retained as needed to manage our relationship and improve support, typically for a limited number of years.
• Analytics and Logs: Raw logs are kept for a short period, while aggregated metrics may be retained longer. Google Analytics data follows the settings you configure within that service.
• Legal Obligations: Certain records (e.g., billing or tax data) may be retained for mandatory periods such as 7-10 years.

When we no longer need personal data, we delete or anonymize it. Aggregated insights may be retained without identifying individuals.

6. Data Security

We implement technical and organizational measures to safeguard your data:

• Encryption: TLS/HTTPS protects data in transit, and AWS encryption protects data at rest.
• Access Controls: Only authorized personnel can access production systems, following need-to-know principles with logging and key management.
• Secure Development: We review code, patch dependencies, and store secrets securely outside of source code.
• Monitoring and Incident Response: We monitor for vulnerabilities and maintain procedures to investigate and notify you of incidents when legally required.
• User Responsibilities: You must maintain the confidentiality of your credentials, enable strong authentication, and notify us of suspected compromise.

No system is completely secure, but we continuously improve our safeguards to mitigate risks.

7. Your Rights and Choices

Depending on your jurisdiction, you may have rights such as access, portability, correction, deletion, restriction, objection, and withdrawal of consent. EU and UK users may also object to processing based on legitimate interests or request copies of data under GDPR; California residents have rights under the CCPA, including the right to know, delete, and non-discrimination for exercising privacy rights.

You can update certain information directly in the product, delete content, or request assistance via the contact details below. We will verify your identity before fulfilling sensitive requests and respond within the timeframes required by law.

Exportlab does not perform automated decision-making that produces legal or similarly significant effects. We do not sell personal information.

8. Children's Privacy

The Service is not intended for children under 13 (or under 16 where applicable). We do not knowingly collect data from children without verifiable parental consent. If we learn that a child provided personal information without proper authorization, we will delete it promptly. Account holders are responsible for ensuring they do not invite minors in violation of applicable laws.

9. Changes to this Privacy Policy

We may update this Policy periodically to reflect changes in practices, technologies, or legal requirements. When we do, we will revise the 'Last updated' date and, if changes are material, provide prominent notice via email or within the Service. Continued use after updates constitutes acceptance of the revised Policy.

10. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, contact Exportlab - Privacy Office at hey@exportlab.io, Exportlab, Attn: Privacy, Adelgundenstrasse 1, 80538 Munich, Germany. EU and UK users may also lodge a complaint with their local supervisory authority (for example, BayLDA in Bavaria) if concerns remain unresolved.