Privacy Policy
Last updated: March 31, 2026
Phantoma.ai ("Phantoma," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website, applications, and services (collectively, the "Services").
1. Information We Collect
Information You Provide
- Account data: Name, email address, and password when you create an account.
- Project data: Topics, settings, scripts, and other content you provide when using the Services.
- Communication data: Messages, feedback, and support requests you send us.
Information Collected Automatically
- Usage data: Features used, pages visited, actions taken, and interaction patterns within the Services.
- Technical data: IP address, browser type and version, device type, operating system, and referring URLs.
- Cookie data: Session and persistent cookies used for authentication, preferences, and analytics. See Section 8 for details.
Information from Third Parties
- Payment data: Paddle, our payment processor, collects and processes your payment information (e.g., payment card details, billing address). We receive transaction confirmations and subscription status but do not store your full payment card details.
- Authentication providers: If you sign in through a third-party provider (e.g., Google), we receive your name and email address as permitted by your account settings with that provider.
2. How We Use Your Information
We use your personal information for the following purposes:
- Service delivery: To create and manage your account, process your projects, and generate AI content.
- Billing: To process subscriptions, manage payments, and send transaction-related communications.
- Improvement: To analyze usage patterns and improve the features, performance, and reliability of the Services.
- Security: To detect and prevent fraud, abuse, and unauthorized access.
- Support: To respond to your inquiries and provide customer assistance.
- Communications: To send service updates and, with your consent, marketing communications. You can opt out of marketing emails at any time.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
3. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, our legal bases for processing your data include:
- Contract performance: Processing necessary to provide the Services you requested (account management, content generation, billing).
- Legitimate interests: Analytics, security, service improvement, and fraud prevention, where these interests are not overridden by your rights.
- Consent: Marketing communications and optional analytics cookies.
- Legal obligation: Where required by applicable law.
4. How We Share Your Information
We do not sell your personal information. We share data only in the following circumstances:
- Service providers: We use trusted third-party services to operate the platform:
  - Supabase: Authentication and database hosting
  - Paddle: Payment processing (Merchant of Record)
  - HeyGen: AI video generation
  - fal.ai: AI image/thumbnail generation
  - Vercel: Application hosting
  These providers process data on our behalf and are contractually obligated to protect it.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
- With your consent: We may share information for other purposes when you give us explicit consent.
5. Data Retention
- Account data: Retained while your account is active and for a reasonable period after deletion to fulfil legal obligations.
- Project and content data: Retained while your account is active. Deleted upon account deletion.
- Payment records: Retained as required by tax and financial regulations (typically up to 7 years).
- Usage and analytics data: Retained in anonymized or aggregated form for product improvement. Identifiable usage data is deleted or anonymized within 24 months.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Request your data in a structured, commonly used, machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at support@phantoma.ai. We will respond within 30 days.
California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion of your data, and opt out of the sale of personal information. We do not sell personal information.
7. International Data Transfers
Your data may be processed in countries outside your own, including the United States, where our service providers operate. When we transfer data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms to ensure your data is protected.
8. Cookies
We use the following types of cookies:
- Essential cookies: Required for authentication and core functionality. These cannot be disabled.
- Analytics cookies: Help us understand how visitors use the Services. You can opt out through your browser settings.
We do not use advertising or tracking cookies. Third-party services we integrate with may set their own cookies subject to their own policies.
9. Security
We implement industry-standard security measures to protect your data, including:
- TLS/SSL encryption for all data in transit
- Encrypted database storage via Supabase
- Row-level security policies to isolate user data
- Secure authentication with hashed passwords
- Regular security reviews
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Children's Privacy
The Services are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page and updating the "Last updated" date. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at support@phantoma.ai.