GDPR Commitment
Last updated: April 2026
VideoToReels is committed to complying with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR. This page summarises how we meet those obligations as a data controller for our own users and as a data processor on behalf of business customers. It is intended as a plain-English companion to our Privacy Policy.
1. Our role under GDPR
Depending on the relationship, VideoToReels is either:
- Data controller for the account and billing data of the natural persons who sign up for VideoToReels (name, email, password hash, payment metadata, support correspondence).
- Data processor for the content our customers upload or schedule through the service (videos, thumbnails, captions, post drafts, analytics) and for any personal data contained inside that content.
2. Lawful basis for processing
| Activity | Lawful basis (Art. 6) |
|---|---|
| Operating the service for paying and free users | Contract (Art. 6(1)(b)) |
| Sending transactional email (verification, billing) | Contract / Legitimate interest (Art. 6(1)(b)/(f)) |
| Marketing emails & product updates | Consent (Art. 6(1)(a)) — opt-in only |
| Fraud prevention, billing reconciliation, audit logs | Legitimate interest (Art. 6(1)(f)) |
| Tax records, regulatory retention | Legal obligation (Art. 6(1)(c)) |
| AI features (captions, chat, B-roll prompts) | Contract (Art. 6(1)(b)) — feature requested by user |
3. Your rights
If you are an EU, EEA, UK, or Swiss data subject, you have the following rights with respect to personal data we hold about you:
- Access — request a copy of the personal data we hold about you (Art. 15).
- Rectification — ask us to correct inaccurate or incomplete data (Art. 16).
- Erasure (“right to be forgotten”) — request deletion of your personal data, subject to legal retention duties (Art. 17). See our data-deletion page.
- Restriction — limit how we process your data while a dispute is resolved (Art. 18).
- Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible (Art. 20). Available via Settings → Privacy & Data → View / Download My Data.
- Objection — object to processing based on legitimate interests, including profiling (Art. 21).
- Withdraw consent — at any time, where processing is based on consent (Art. 7(3)).
- Lodge a complaint with your local supervisory authority (Art. 77).
To exercise any of these rights, email security@videotoreels.com from the address on file. We respond within one month, extendable by two further months for complex requests, and we will tell you within the first month if we need the extension. We do not charge a fee for the first request in any twelve-month period.
4. International data transfers
Customer Data is stored in the AWS Ireland region (eu-west-1) by default. Some sub-processors (for example Anthropic, OpenAI, Stripe, Resend) operate in the United States or other third countries. For each such transfer, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum where applicable, and supplementary measures including encryption in transit and at rest. The complete list of sub-processors and their locations is published at /sub-processors.
5. Security measures (Art. 32)
- Encryption in transit (TLS 1.2+) and at rest (AES-256, AWS-managed keys).
- OAuth tokens for connected social accounts wrapped with AWS KMS customer-managed keys.
- Production access restricted to a small set of engineers via IAM with MFA, audited via AWS CloudTrail.
- Role-based access control (RBAC) on all application-level resources, plus row-level ownership checks.
- Secrets stored in AWS Secrets Manager / Parameter Store; not in source control.
- Off-site, encrypted backups with a 30-day rotation.
- Continuous dependency vulnerability scanning and a documented patch cadence.
- Optional error monitoring and product analytics (Sentry, PostHog) scrub PII before transmission.
6. Retention
We retain personal data only as long as needed to provide the service or comply with a legal obligation. When you delete your account, live records are removed immediately and encrypted backups age out within 30 days, after which the data is unrecoverable. Aggregated, non-identifying metrics may be retained for billing reconciliation. Detailed retention windows are listed on the data-deletion page.
7. Data processing agreement (DPA)
Business customers acting as data controllers can enter into our Data Processing Agreement, which incorporates the European Commission Standard Contractual Clauses. Email security@videotoreels.com from your billing address to request a copy. Once countersigned, the DPA forms part of your subscription contract.
8. Personal data breach (Art. 33–34)
If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we notify the relevant supervisory authority within 72 hours of becoming aware. Where the breach is likely to result in a high risk, we also notify affected users without undue delay, with a description of the breach, its likely consequences, the measures we have taken, and the contact point for further information.
9. Children
VideoToReels is not directed at children under 16 (or such other age as set by your EU member state under Art. 8(1)). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact security@videotoreels.com and we will delete it.
10. Contact
Data protection enquiries: security@videotoreels.com
General support: support@videotoreels.com
Postal address available on request to security@videotoreels.com.
Users in the EU/EEA, UK, or Switzerland may also contact their local supervisory authority. A list of EU authorities is maintained at edpb.europa.eu.
© 2026 VideoToReels. All rights reserved.