Privacy Policy
Last updated: 2026-04-13
This Privacy Policy explains how Reelforges (operated by the data controller identified at the bottom of this page) collects, uses, and protects your personal information when you use our service at reelforges.com and related applications (the "Service").
1. Who we are
Reelforges is operated by IT42 d.o.o., a limited liability company registered in the Republic of Croatia. Contact details are listed under "Contact" below. We are the data controller for the personal data you provide to us.
2. What we collect
- Account data: email, name, and authentication provider ID when you sign up.
- API credentials (BYOK): third-party API keys you choose to store, encrypted with AES-256-GCM. We cannot decrypt them without the user-derived master key.
- Connected Instagram data: when you connect an Instagram Business or Creator account, we store your Instagram User ID, a long-lived access token (encrypted), and publish metadata (container IDs, post IDs). We access this data only to publish content you explicitly instruct us to publish.
- Generated content: reels, scripts, images, and audio produced via the Service. Stored on your account until you delete them.
- Usage logs: job status, timestamps, provider routing decisions. Retained 90 days for debugging and abuse prevention.
- Payment data: handled entirely by Stripe. We only store a Stripe customer ID and subscription status.
3. How we use your data
- To run the reel generation pipeline you requested.
- To call the AI providers you selected, using the API keys you provided, on your behalf.
- To publish content to your connected social accounts, only when you explicitly trigger a publish action or enable auto-publishing for a scheduled job.
- To provide customer support.
- To enforce our Terms of Service and prevent abuse.
4. What we do NOT do
- We do not sell your data.
- We do not train models on your content.
- We do not read or analyse your generated content beyond delivering it to the destination you specify.
- We do not share your stored API keys with any third party.
5. Third-party providers you choose
When you use the Service, we forward the prompts and content you submit to the AI providers you select (e.g. Anthropic, OpenAI, Google, fal.ai, ElevenLabs, Microsoft Azure). Each provider processes that data under its own privacy policy. We do not control their practices. Using Reelforges means you accept the terms of any provider whose key you have connected.
When you publish to Instagram, your generated video is uploaded through Meta Platforms' Instagram API. Meta's data practices apply to all content passing through that API.
6. Legal basis (GDPR)
- Contract: to provide the Service you signed up for.
- Legitimate interests: abuse prevention, security, and service improvement.
- Consent: for optional features such as connecting a social account for publishing.
7. Your rights
You have the right to access, correct, export, restrict, and delete your personal data. You also have the right to withdraw consent and to lodge a complaint with your data protection authority. To exercise any right, email us or use the self-service tools in your account dashboard.
8. Data retention
- Account data: until you delete your account.
- API keys: until you delete them or delete your account.
- Generated reels and drafts: until you delete them.
- Job logs: 90 days rolling.
- Billing records: as required by applicable tax law (typically 10 years).
9. Security
We use AES-256-GCM envelope encryption for stored credentials, HTTPS/TLS 1.3 for all transport, and logical isolation between customer workloads. We do not log API keys, tokens, or generated content.
10. Data deletion
You can delete your data at any time:
- Individual API keys: from dashboard → keys.
- Full account and all associated data: follow the instructions at reelforges.com/data-deletion.
11. International transfers
The Service is hosted in the European Union (Fly.io Frankfurt region). When you use third-party AI providers, your requests may be transferred to wherever that provider operates, typically the United States. Such transfers are covered by the provider's own safeguards (Standard Contractual Clauses, adequacy decisions, etc.).
12. Cookies
We use only strictly necessary cookies for authentication and session management. We do not use advertising cookies or third-party tracking.
13. Children
The Service is not directed at children under 16. We do not knowingly collect data from children.
14. Changes
We may update this policy. We will notify you of material changes by email at least 14 days before they take effect.
15. Contact
Data controller: IT42 d.o.o., [registered address, Croatia]. Email: [email protected].