Privacy Policy
Last updated: May 2, 2026
Phantoma.ai ("Phantoma," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website, applications, and services (collectively, the "Services").
1. Information We Collect
Information You Provide
- Account data: Name, email address, and password when you create an account.
- Project data: Topics, settings, scripts, and other content you provide when using the Services.
- Communication data: Messages, feedback, and support requests you send us.
Information Collected Automatically
- Usage data: Features used, pages visited, actions taken, and interaction patterns within the Services.
- Technical data: IP address, browser type and version, device type, operating system, and referring URLs.
- Cookie data: Session and persistent cookies used for authentication, preferences, and analytics. See Section 10 for details.
Information from Third Parties
- Payment data: Our payment processor collects and processes your payment information (e.g., payment card details, billing address). We receive transaction confirmations and subscription status but do not store your full payment card details.
- Social platform data: When you connect a social account (e.g., YouTube, TikTok, Instagram) to publish videos, we receive OAuth tokens and basic account information from that platform. See Section 5 for details.
- Authentication providers: If you sign in through a third-party provider (e.g., Google), we receive your name and email address as permitted by your account settings with that provider.
2. How We Use Your Information
We use your personal information for the following purposes:
- Service delivery: To create and manage your account, process your projects, and generate AI content.
- AI content generation: To process your prompts, topics, and settings through our AI pipeline (script generation, image generation, video generation). Your inputs are sent to our AI processing partners solely to generate the requested output and are not retained by those partners for model training.
- Billing: To process subscriptions, manage payments, and send transaction-related communications.
- Improvement: To analyze usage patterns and improve the features, performance, and reliability of the Services.
- Security: To detect and prevent fraud, abuse, and unauthorized access.
- Support: To respond to your inquiries and provide customer assistance.
- Communications: To send service updates and, with your consent, marketing communications. You can opt out of marketing emails at any time.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
3. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, our legal bases for processing your data include:
- Contract performance: Processing necessary to provide the Services you requested (account management, content generation, billing).
- Legitimate interests: Analytics, security, service improvement, and fraud prevention, where these interests are not overridden by your rights.
- Consent: Marketing communications and optional analytics cookies.
- Legal obligation: Where required by applicable law.
4. How We Share Your Information
We do not sell your personal information. We share data only in the following circumstances:
- Service providers: We use trusted third-party services to operate the platform:
  - Supabase - Authentication and database hosting
  - Payment processor - Payment processing (Merchant of Record)
  - fal.ai - AI image/thumbnail generation
  - Amazon Web Services - Video rendering (Lambda + S3 temporary asset storage)
  - Vercel - Application hosting
  - Google (YouTube Data API) - Video upload on your behalf when you connect your YouTube channel. See Section 5 for details.
  - TikTok (Content Posting API) - Direct video publishing to your TikTok account when you connect it. See Section 5 for details.
  - Meta (Instagram Graph API) - Direct video publishing to your Instagram account when you connect it. See Section 5 for details.
  These providers process data on our behalf and are contractually obligated to protect it.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
- With your consent: We may share information for other purposes when you give us explicit consent.
AI model training commitment: Neither Phantoma nor any of our AI processing partners (fal.ai, our language-model providers) use your personal data, Content, prompts, or Output to train, fine-tune, or improve machine learning models. Your data is processed solely to deliver the Services you request.
5. Connected Social Accounts
Phantoma lets you connect third-party social accounts (currently YouTube, TikTok, and Instagram) so you can publish videos directly from the platform. This section explains how that works for each provider.
YouTube Data via Google OAuth
When you connect your YouTube channel to Phantoma, we request access through Google OAuth using the following scopes:
- https://www.googleapis.com/auth/youtube.upload - to upload videos to your channel at your explicit request.
- https://www.googleapis.com/auth/youtube.readonly - to read your channel name and ID so we can display which channel you have connected.
From Google we store only:
- The OAuth access token (short-lived, used to perform the uploads you initiate)
- The OAuth refresh token (so you do not have to reconnect your channel every hour)
- Your YouTube channel ID and channel name (to display the connected channel in your Phantoma account)
We use this information solely to upload a video to your channel when you click the “Upload” button in Phantoma. We do not read, analyse, or share the contents of your channel. We never use Google user data to serve advertisements, and we never use it to train machine-learning models.
You can revoke Phantoma's access at any time by either:
When you disconnect, we delete the stored OAuth tokens immediately. Videos you have already uploaded remain on YouTube under your control.
Limited Use of Google User Data
Phantoma's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide and improve user-facing features that are prominent in the Phantoma user interface (uploading videos to your YouTube channel at your request).
- We do not transfer Google user data to third parties except as necessary to provide the Services (for example, our cloud hosting and database providers listed in Section 4), for security purposes, or to comply with applicable law.
- We do not use Google user data to serve advertisements.
- We do not allow humans to read Google user data unless we have your explicit consent for specific data, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and anonymised for internal operations.
TikTok Data via TikTok OAuth
When you connect your TikTok account to Phantoma, we request access through TikTok's Login Kit (OAuth 2.0 with PKCE) using the following scopes:
- user.info.basic - to read your TikTok account identifier (open_id), display name, and avatar so we can show which account you have connected and render the publish form with your current TikTok profile information.
- video.publish - to publish a video directly to your TikTok account at your explicit request, with the caption, privacy setting, and other publishing options you choose inside Phantoma.
From TikTok we store only:
- The OAuth access token (24-hour lifetime, used to perform the uploads you initiate)
- The OAuth refresh token (rotates on every refresh, 365-day lifetime - used to renew access without you reconnecting daily)
- Your TikTok open_id and display name (to identify and show the connected account in your Phantoma account)
- A publish identifier for each video we publish (so we can record success or failure status returned by TikTok's webhook)
Each time you open the publish form, Phantoma fetches your current TikTok creator information (display name, avatar, the privacy levels TikTok currently allows for your account, the maximum video duration permitted, and whether comments, duet, or stitch are disabled on your account) so the form reflects your account's up-to-date state. This information is not stored beyond the publish session. Phantoma also shows a preview of the video inside the publish form and a notice that posts may take a few minutes to appear on your TikTok profile after publishing. When you click publish, Phantoma sends the video file together with the caption, privacy setting, interaction toggles (comments, duet, stitch), and any commercial-content disclosure (“Your brand” for promotional content and/or “Branded content” for paid partnerships) that you selected, and marks the upload as AI-generated content per TikTok's AIGC disclosure rules.
We use this connection solely to publish your videos to TikTok when you click the publish button in Phantoma. We do not read, analyse, or share any other data from your TikTok account, we never use TikTok user data to serve advertisements, and we never use it to train machine-learning models.
You can revoke Phantoma's access at any time by either:
- Disconnecting TikTok from your Phantoma Account → Integrations page, or
- Removing Phantoma in the TikTok mobile app → Profile → Settings and privacy → Security & permissions → Apps with access (label may also appear as “Connected apps” or “Manage app permissions” depending on your app version), then tap Phantoma → Remove. TikTok currently manages connected-app permissions through its mobile app rather than the web settings.
When you disconnect, we delete the stored OAuth tokens immediately. Videos you have already published to TikTok remain on TikTok under your control.
Instagram Data via Meta OAuth
When you connect your Instagram account to Phantoma, we use the Instagram API with Instagram Login path (you sign in directly with Instagram - no Facebook Page link is required). Instagram Professional accounts (Business or Creator) are required to publish via the API; personal Instagram accounts cannot be used for publishing. We request the following permissions:
- instagram_business_basic - to read your Instagram account identifier, username, and account type so we can show which account you have connected and confirm it is a Professional account eligible for API publishing.
- instagram_business_content_publish - to publish a Reel directly to your Instagram account at your explicit request, with the caption and other publishing options you choose inside Phantoma, and to read the resulting post link.
From Instagram (via Meta) we store only:
- The OAuth long-lived access token (valid for approximately 60 days, used to perform the uploads you initiate and refreshable while still valid)
- Your Instagram user ID, username, and account type (to identify and show the connected account in your Phantoma account)
- A container identifier and media identifier for each video we publish (so we can poll Instagram for upload status and record success or failure)
When you click publish, Phantoma sends Instagram the URL of the rendered video file together with the caption you selected. Instagram fetches the video from our storage server-side and creates a Reel on your account. Instagram's API does not expose a per-post privacy or comment-control parameter for Reels; published Reels follow your account-level privacy and interaction settings, which you can manage inside the Instagram app. Phantoma marks all generated videos as AI-generated content in the publish UI; Meta's platforms apply AI labels to media via their own detection pipeline.
We use this connection solely to publish your videos to Instagram when you click the publish button in Phantoma. We do not read, analyse, or share any other data from your Instagram account, we never use Instagram user data to serve advertisements, and we never use it to train machine-learning models.
Because Instagram access tokens are valid for approximately 60 days, you may be prompted to reconnect your Instagram account periodically. You can revoke Phantoma's access at any time by either:
- Disconnecting Instagram from your Phantoma Account → Integrations page, or
- Removing Phantoma in the Instagram app → Profile → Settings and privacy → Apps and websites → Active → Phantoma → Remove (label may vary by app version).
When you disconnect, we delete the stored OAuth tokens immediately. Videos you have already published to Instagram remain on Instagram under your control.
Future Integrations
When we add additional publishing integrations, we will update this Policy to describe the specific scopes, stored data, and revocation options for each provider. The same principles above apply: data is used only for the publishing feature you requested, is never sold or used for advertising, and can be revoked at any time.
6. AI-Specific Data Processing
Our Services involve processing your data through multiple AI systems. Here is how your data flows through each stage:
- Script generation: Your topic, tone preferences, and settings are sent to our AI language model provider to generate scripts. Inputs and outputs are not retained by the provider after generation is complete.
- Image and thumbnail generation: Text prompts derived from your script are sent to fal.ai to generate images. fal.ai processes these prompts solely for image generation and does not retain them for model training.
- Video generation: Your script, voice selection, and generated images are rendered into video content on our own AWS Lambda pipeline using Remotion. The audio is synthesised via ElevenLabs text-to-speech, and stock footage is sourced from Pexels and Pixabay. No video-generation partner receives or retains your data for model training.
- Voice synthesis: All voices are selected from a library of pre-built, generic synthetic voices. We do not collect voice samples, support voice cloning, or create synthetic replicas of any real person's voice.
- Content moderation data: We may log metadata about flagged or rejected content (such as the category of violation and timestamp) for safety and compliance purposes. This metadata is retained for up to 12 months.
7. Data Retention
- Account data: Retained while your account is active and for a reasonable period after deletion to fulfil legal obligations.
- Project and content data: Retained while your account is active. Deleted upon account deletion.
- Payment records: Retained as required by tax and financial regulations (typically up to 7 years).
- Usage and analytics data: Retained in anonymized or aggregated form for product improvement. Identifiable usage data is deleted or anonymized within 24 months.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Request your data in a structured, commonly used, machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
- AI output deletion: You may request that we delete all AI-generated Output associated with your account. Note that once Output is downloaded and published by you, we cannot control copies that exist outside our Services.
To exercise any of these rights, contact us at support@phantoma.ai. We will respond within 30 days.
California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion of your data, and opt out of the sale of personal information. We do not sell personal information.
9. International Data Transfers
Your data may be processed in countries outside your own, including the United States, where our service providers operate. When we transfer data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms to ensure your data is protected.
10. Cookies
We use the following types of cookies:
- Essential cookies: Required for authentication and core functionality. These cannot be disabled.
- Analytics cookies: Help us understand how visitors use the Services. You can opt out through your browser settings.
We do not use advertising or tracking cookies. Third-party services we integrate with may set their own cookies subject to their own policies.
11. Security
We implement industry-standard security measures to protect your data, including:
- TLS/SSL encryption for all data in transit
- Encrypted database storage via Supabase
- Row-level security policies to isolate user data
- Secure authentication with hashed passwords
- Regular security reviews
- API-level authentication and encryption for all communications with AI processing partners
- Data minimization: only the data necessary for content generation is shared with AI providers
- No persistent storage of your Content on AI provider infrastructure after generation is complete
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
12. Children's Privacy
The Services are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page and updating the "Last updated" date. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at support@phantoma.ai.