Privacy Policy

This Privacy Policy explains how Exendor Oy(“Exendor Oy”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use UGCWiz (the “Service”), available through our website and related applications.

We are committed to protecting your privacy and handling your personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and other applicable data protection laws. The Service is available globally, and this policy applies to all users wherever they are located.

Please read this policy carefully. By creating an account or using the Service, you acknowledge that you have read and understood it.

The data controller responsible for your personal data is:

We collect the following categories of personal data, depending on how you use the Service:

a) Account data

When you create an account, we collect your email address and a securely hashed password. If you sign in with Google, we receive your email address and basic profile information (such as your name) from Google. You may optionally provide a display name.

b) Prompt and content data

When you use the preflight and prompt-refinement features, we process the prompt text and related settings you submit (such as target model, video duration, aspect ratio, product or app name, and any “what failed last time” notes). This content is sent to a third-party AI provider to generate your score and refined prompt. Your prompts, results, and history are stored locally in your browser; we do not retain the contents of your prompts on our servers after processing.

c) Reference images

If you add reference images in the interface, the image files themselves are processed locally in your browser and are not uploaded to or stored on our servers, and the image content is not sent to the AI provider. Only limited information about a reference — such as the file name and whether a reference was added — is transmitted as part of your request. Image data is stripped before anything is saved to your browser history.

d) Payment and transaction data

When you purchase credits, payments are processed by Stripe. We do not collect or store your full card number or payment card details — these are handled directly by Stripe. We store a record of your purchases, including the checkout session identifier, the plan purchased, the number of credits granted, and your account’s credit balance.

e) Usage and abuse-prevention data

To operate the Service fairly and prevent abuse, we keep a log of API usage associated with your account, including the feature used (e.g. preflight or dialogue fix), the tier (free or paid), and timestamps. We also record whether you have used your free preflight.

f) Technical data

Like most online services, our infrastructure providers automatically process limited technical data necessary to deliver and secure the Service, such as IP address and basic device/browser information contained in server logs. This is used for security, fraud prevention, and reliability.

We process your personal data for the purposes below, relying on the following GDPR legal bases:

• Providing the Service — creating and managing your account, processing your prompts, and delivering results. Legal basis: performance of a contract (Art. 6(1)(b)).
• Processing payments — handling credit purchases and maintaining your balance. Legal basis: performance of a contract (Art. 6(1)(b)).
• Security and abuse prevention — applying rate limits, detecting misuse, and protecting the Service and our users. Legal basis: legitimate interests (Art. 6(1)(f)).
• Legal compliance — meeting accounting, tax, and other legal obligations. Legal basis: legal obligation (Art. 6(1)(c)).
• Communications — sending you service-related messages, such as account verification and password resets. Legal basis: performance of a contract and legitimate interests.

The Service uses a third-party AI provider to analyze and refine the prompts you submit. The text you submit is sent to this provider for processing in order to return your score and refined prompt.

Please do not include personal data or sensitive information (such as real names, contact details, health, or financial information about yourself or others) in your prompts. Prompts are intended to describe video creative concepts, not to carry personal data.

We use only strictly necessary cookies and similar technologies. Specifically:

• Authentication cookies set by our authentication provider to keep you signed in and secure your session.
• Browser local storage used to save your drafts, preflight history, and results on your own device so you don’t lose your work. This data stays in your browser and you can clear it at any time from within the app or your browser settings.

We do not use advertising or third-party tracking cookies, so no cookie consent banner is required for non-essential tracking.

We do not sell your personal data. We share data only with trusted service providers (processors) who help us operate the Service, and only as necessary. Our key processors are:

• Supabase — authentication, database, and backend hosting.
• Stripe — payment processing.
• Third-party AI provider — AI processing of the prompts you submit.
• Google — Google sign-in, only if you choose to sign in with Google.

These providers process data on our behalf under data processing agreements. We may also disclose data where required by law, to enforce our terms, or to protect the rights, safety, and security of our users or the Service.

Because the Service is offered globally and some of our providers operate outside the European Economic Area (“EEA”), your personal data may be transferred to and processed in countries outside the EEA, including the United States.

Where we transfer personal data outside the EEA, we rely on appropriate safeguards as required by the GDPR, such as the European Commission’s Standard Contractual Clauses or adequacy decisions, to ensure your data receives an equivalent level of protection.

We keep your personal data only for as long as necessary for the purposes described in this policy:

• Account data is kept while your account is active and for a reasonable period afterwards.
• Payment and transaction records are kept as required by applicable accounting and tax laws.
• Usage and abuse-prevention logs are kept for a limited period necessary for security purposes.
• Prompt content sent for AI processing is not retained on our servers after processing; locally stored drafts and history remain on your device until you delete them.

When data is no longer needed, we delete or anonymize it.

If you are in the EEA (and, where applicable, elsewhere), you have the following rights regarding your personal data:

• The right to access your personal data.
• The right to rectify inaccurate or incomplete data.
• The right to erasure (“right to be forgotten”).
• The right to restrict processing.
• The right to data portability.
• The right to object to processing based on legitimate interests.
• The right to withdraw consent at any time, where processing is based on consent.

You can exercise many of these rights directly in your account settings, or by contacting us at contact@exendor.com. We will respond to your request within the timeframes required by law.

You also have the right to lodge a complaint with your local data protection supervisory authority, in particular in the EEA country where you live or work or where an alleged infringement occurred.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. This includes encrypted connections, hashed passwords, access controls, and restricting backend data access to authorized systems. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

The Service is not directed to children. You must be at least 16 years old (or the minimum age of digital consent in your country) to use the Service. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

The Service may contain links to third-party websites or services that we do not operate. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: