Privacy Policy
Last updated: April 2026
1. Data Controller
Vosmotion ("we", "us", "our") is the data controller responsible for your personal data. For privacy inquiries, contact us at privacy@vosmotion.com.
2. Personal Data We Collect
- Account data: email address, name, and profile picture from your Google account when you sign in.
- Uploaded content: pictures and videos you upload to the service.
- Biometric data: facial images contained in uploaded pictures, which are processed by AI to generate animated videos. This is special category data under GDPR Article 9.
- Generated content: video outputs produced by our AI animation service.
- Technical data: IP addresses, browser type, and access timestamps collected automatically via server logs.
3. How We Use Your Data
| Purpose | Data | Legal Basis |
|---|---|---|
| Provide the service (account, uploads, creations) | Account data, uploaded content, generated content | Contract performance (Art. 6(1)(b)) |
| AI animation of facial images | Biometric data (face pictures) | Explicit consent (Art. 9(2)(a)) |
| Security and abuse prevention | Technical data | Legitimate interest (Art. 6(1)(f)) |
4. Biometric Data and Consent
When you upload pictures containing faces, these images are processed by AI models to generate animated videos. This constitutes processing of biometric data under GDPR.
Before uploading facial images, you will be asked to provide explicit consent for this specific processing. You can withdraw this consent at any time from your account settings, which will prevent future processing of facial images. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. Third-Party Processors
We share your data with the following processors, all of whom have signed Data Processing Agreements:
- Supabase — database hosting and authentication
- Cloudflare — file storage (R2) and content delivery
- Google — application hosting, authentication (OAuth)
- GPU compute providers — AI video generation processing
6. International Data Transfers
Your data may be transferred to and processed in the United States and other countries outside the EU/EEA. These transfers are protected by Standard Contractual Clauses (SCCs) included in our Data Processing Agreements with each provider.
7. AI Provenance Manifests (C2PA)
In compliance with the EU AI Act Article 50 and as disclosed in our Terms of Service, every video or audio output generated by the Service is accompanied by a signed C2PA provenance manifest stored alongside the output. The manifest is machine-readable metadata and contains:
- The workflow type (e.g. lipsync, speak, puppet, clone, studio export).
- The model name and version used.
- UTC timestamps for when the output was generated.
- A fingerprint of the Vosmotion signing certificate.
- For multi-stage jobs (voice clone + lipsync, studio exports), the manifest chain of upstream outputs via C2PA “ingredients”.
The manifest does not contain your name, email address, IP address, prompts, original uploaded images, or any other user-identifying data. It is not a searchable index of user content. Manifests are retained alongside their associated output for as long as the output itself is retained (see Section 8 below); when you delete a creation, its manifest sidecar is deleted with it.
Vosmotion signs manifests with a self-signed certificate. Article 50(2) requires the marking to be machine-readable and the AI origin to be detectable by anyone; it does not require a commercial trust-list CA. Consumers can still parse the manifest and verify AI origin with any C2PA-aware tool.
8. Data Retention
- Account data: retained while your account is active. Deleted when you delete your account.
- Uploaded assets: retained while your account is active. Rejected assets are deleted after 30 days.
- Generated videos: retained while your account is active.
- Failed generation records: metadata retained for 90 days for debugging, then deleted.
- Server logs: retained for up to 30 days.
9. Your Rights
Under GDPR, you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate personal data.
- Erasure — delete your account and all associated data.
- Data portability — export your data in a machine-readable format.
- Withdraw consent — withdraw biometric data processing consent at any time.
- Restriction — request we restrict processing of your data.
- Object — object to processing based on legitimate interest.
- Complaint — lodge a complaint with your local data protection supervisory authority.
You can exercise your rights to access, export, and delete your data from your account settings. For other requests, contact us at privacy@vosmotion.com.
10. Cookies
We use strictly necessary cookies for authentication. These are exempt from consent requirements as the service cannot function without them. We do not use tracking or advertising cookies.
11. Children
Our service is not intended for users under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised date.
See also our Terms of Service for the full terms governing your use of Vosmotion.