Legal

Privacy Policy

Last updated: March 23, 2026

Data Controller

SkyClouds SRLs
Sole Shareholder Company
Corso del Popolo 161
45100 Rovigo (RO), Italy
VAT / P.IVA: 01634740292
info@skyclouds.co
PEC: skyclouds@pec.it

1. Introduction

Welcome to TuBoost ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website www.tuboost.io and use our AI-powered video clipping platform (collectively, the "Services").

This policy is compliant with the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the Italian Privacy Code (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018), and all applicable data protection laws. By using our Services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect personal information that you voluntarily provide to us, as well as information automatically collected when you use our Services.

2.1 Information You Provide

  • Account Information: Name, email address, password (hashed), username, company name, and account type (Creator or Business) when you register.
  • Payment Data: When you purchase credits, payment data is processed directly by Stripe. We store your Stripe Customer ID but never store credit card numbers on our servers. Stripe may collect your billing address, Codice Fiscale (Italian tax code), and SDI code for invoicing purposes.
  • Video Content: Videos you upload or provide via URL (YouTube, Vimeo, Loom, TikTok, Instagram, Facebook, Twitter/X) for processing.
  • Support Requests: Subject, message, category, priority, and any attachments you submit via support tickets.
  • Cookie Preferences: Your cookie consent choices as described in our Cookie Policy.

2.2 Information Collected Automatically

  • Session Data: Authentication tokens, CSRF tokens, and session identifiers managed by NextAuth.js.
  • Login Attempts: Email address, success/failure status, and timestamp of each login attempt for security monitoring.
  • Usage Analytics: Page views and performance data collected via Vercel Analytics and Microsoft Clarity (only with your consent — see Cookie Policy).
  • Device Information: Browser type, operating system, and device type (collected by analytics tools when consent is given).

2.3 AI-Processed Data

  • Video Analysis: When you submit a video, our AI models process frames for active speaker detection and extract audio for transcription. This processing is automated and used solely to generate clips.
  • Transcription Data: Audio from your videos is transcribed using WhisperX (based on OpenAI Whisper). Transcripts are stored temporarily to generate subtitles and are associated with your clips.
  • Video Classification: Google Gemini AI analyzes video metadata to classify content type (podcast, tutorial, interview, etc.) for optimal clip detection.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To create and manage your account, process your videos, generate clips, and provide the core functionality of TuBoost.
  • Payment Processing: To process credit purchases, manage billing, and issue invoices via Stripe.
  • Communication: To send transactional emails (analysis complete, clips ready notifications) via Resend, and to respond to support tickets.
  • Security: To monitor login attempts, prevent fraud, protect against unauthorized access, and maintain the security of our platform.
  • Improvement: To understand how users interact with our platform (with consent) via analytics tools, and to improve our AI models and user experience.
  • Referral Program: To track referrals, attribute credits, and manage the referral relationship between users.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. Legal Bases for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

Processing ActivityLegal Basis
Account creation & managementContract performance (Art. 6(1)(b))
Video processing & clip generationContract performance (Art. 6(1)(b))
Payment processing via StripeContract performance (Art. 6(1)(b))
Transactional emails via ResendContract performance (Art. 6(1)(b))
Login security monitoringLegitimate interest (Art. 6(1)(f))
Analytics (Clarity, Vercel Analytics)Consent (Art. 6(1)(a))
Cookie consent managementLegal obligation (Art. 6(1)(c))
Live chat support (Cassandra AI)Legitimate interest (Art. 6(1)(f))

5. Third-Party Data Processors

To provide our Services, we share data with the following third-party processors. Each acts as a data processor under Article 28 GDPR, and we have appropriate Data Processing Agreements (DPAs) in place.

Hosting & Infrastructure

ServicePurposeData Location
VercelWeb application hosting, edge functions, serverless APIGlobal CDN (EU preferred)
Neon (PostgreSQL)Primary database — stores user accounts, clips, tickets, preferences, and all application dataEU
Amazon Web Services (S3)Cloud storage for uploaded videos, processed clips, thumbnails, transcripts, and subtitle filesEU (eu-west-1)
Modal.comGPU cloud infrastructure — runs AI models for video analysis, transcription, active speaker detection, and clip processingUS (SCC)
InngestBackground job orchestration — schedules and manages video download, analysis, and processing pipelinesUS (SCC)

AI & Video Processing

ServicePurposeData Processed
Google Gemini APIVideo content classification — determines video type (podcast, tutorial, educational, etc.) for optimized clip detectionVideo metadata, audio transcripts
WhisperX (OpenAI Whisper)Speech-to-text transcription — generates accurate, time-aligned subtitles from video audioAudio extracted from videos (processed locally on Modal GPU)
Columbia ASD ModelActive Speaker Detection — identifies and tracks the speaking person in multi-person videos using computer visionVideo frames (processed locally on Modal GPU)

Note: WhisperX and the Columbia ASD model run on dedicated GPU infrastructure (Modal.com) — your video data is processed in isolated compute environments and is not shared with third-party AI providers for training purposes. Google Gemini processes only video metadata and transcripts for classification, subject to Google's Privacy Policy.

Payments

  • Stripe: Processes all payments. We transmit your email and Stripe Customer ID. Stripe may collect billing address, payment method details, and Italian tax information (Codice Fiscale, SDI Code). We never store credit card numbers. See Stripe's Privacy Policy.

Communication

  • Resend: Sends transactional emails on our behalf (analysis complete notifications, clips ready notifications). We share your email address with Resend solely for delivery purposes. See Resend's Privacy Policy.
  • Cassandra AI: Provides the AI-powered live chat and voice support widget on our website. Conversation data (messages, transcripts) is processed to answer your questions and provide support. See Cassandra AI's Privacy Policy.

Analytics (Consent-Based Only)

  • Microsoft Clarity: Heatmaps and session recordings to understand user behavior. Activated only with your consent. Data may be transferred to the US under the EU-US Data Privacy Framework. See Microsoft's Privacy Statement.
  • Vercel Analytics: Privacy-friendly, aggregated page view and performance analytics. No cookies used for individual tracking. Activated only with your consent. See Vercel's Analytics Privacy Policy.

6. International Data Transfers

Some of our third-party processors are located outside the European Economic Area (EEA). When transferring personal data outside the EEA, we ensure appropriate safeguards are in place pursuant to Chapter V of the GDPR:

  • EU-US Data Privacy Framework (DPF): For US-based providers that are certified under the DPF (e.g., Google, Microsoft) — Art. 45 GDPR adequacy decision.
  • Standard Contractual Clauses (SCC): For other US-based providers (e.g., Modal, Inngest, Resend, Stripe) — Art. 46(2)(c) GDPR.
  • EU-based storage: Where possible, we store data in EU regions (Neon database, AWS S3 eu-west-1).

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Data TypeRetention Period
Account dataUntil account deletion or 3 years of inactivity
Uploaded videosUntil manually deleted by user or account deletion
Generated clips & transcriptsUntil manually deleted by user or account deletion
Payment records10 years (Italian tax law — Art. 2220 c.c.)
Login attempts12 months
Support ticketsUntil account deletion or resolved + 2 years
Cookie consent preferences12 months
Analytics dataAs per third-party retention policies

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: All data is transmitted over HTTPS/TLS. Passwords are hashed using bcrypt. Sensitive keys are stored in encrypted secrets management (Modal Secrets, environment variables).
  • Authentication: Secure session management via NextAuth.js with JWT tokens (3-day expiry). Optional two-factor authentication (MFA/TOTP) available for all accounts.
  • Access Control: Role-based access (User/Admin). Database queries are parameterized via Prisma ORM to prevent SQL injection. CSRF protection on all forms.
  • Infrastructure: Vercel's enterprise-grade hosting with DDoS protection. AWS S3 with server-side encryption. Isolated GPU compute environments on Modal.
  • Rate Limiting: Login attempt monitoring and brute-force protection.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but we continuously review and improve our security practices.

9. Your Rights Under GDPR

Under the GDPR and Italian Privacy Code, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Obtain confirmation of whether we process your data and receive a copy of it.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
  • Right to erasure ("Right to be forgotten") (Art. 17) — Request deletion of your personal data when it is no longer necessary, or withdraw consent.
  • Right to restrict processing (Art. 18) — Request limitation of processing in certain circumstances.
  • Right to data portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — With the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.

We will respond to your request within 30 days, as required by the GDPR. To exercise any of these rights, contact us at info@skyclouds.co or skyclouds@pec.it.

10. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected data from a child, please contact us immediately.

11. Automated Decision-Making

TuBoost uses AI to automatically analyze your videos and generate clips. This processing is not used for profiling or making decisions that produce legal effects concerning you. The AI is used solely to provide the technical service you have requested (clip generation, transcription, speaker detection). You always retain full control over which clips to use, edit, or delete.

12. Cookies

For detailed information about how we use cookies, what cookies we set, and how to manage your preferences, please refer to our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Where required by law, we will seek your consent to material changes. We recommend reviewing this page periodically.

14. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

Privacy Policy | TuBoost