Privacy Policy
Effective date: April 11, 2026
Cue ("we," "our," or "us") operates the AI-powered video editing platform available at https://playcue.ai (the "Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. By using the Service, you agree to the practices described in this policy.
1. Information We Collect
1.1 Account & Profile Data
When you create an account, we collect your email address and, optionally, a display name and profile avatar. Authentication is handled by our secure identity service, which may also store OAuth tokens if you sign in via a third-party provider (e.g., Google).
1.2 Content You Upload
Videos, audio files, images, and other media you upload are stored in Cloudflare R2 object storage. We also store project metadata (timeline structure, clip properties, text, captions, etc.) in our PostgreSQL database. This content remains yours — we process it solely to provide the Service.
1.3 AI Processing Data
To deliver AI editing features, portions of your media (audio, video frames, or transcripts) may be sent to third-party AI providers including Anthropic (Claude), Google (Gemini), OpenAI (including Whisper transcription), Groq (high-speed inference), and DeepInfra (text-to-speech). These providers process your data under their own privacy policies and, where applicable, data processing agreements with us. Transcripts and visual analysis metadata derived from your media are stored in our database to enable semantic search and smart editing suggestions.
1.4 Usage & Technical Data
- Vercel Analytics & Speed Insights — aggregate page-view metrics and performance data. No cross-site tracking or user-level identifiers are stored by us.
- Audit logs — we log significant account actions (e.g., project creation, export, login) for security purposes. Log entries store a SHA-256 hash of your IP address and user agent; raw PII is not retained in logs. Audit logs are automatically purged after 90 days.
- Browser storage — we use localStorage (for preferences and session data), IndexedDB (for locally cached media derivatives), and OPFS (for temporary large file handling). This data stays in your browser and is not transmitted to our servers except as part of normal project sync.
1.5 Support Communications
When you submit a support request through our contact form or by email, we collect your name (optional), email address, and the content of your message. If you are logged in, your account ID is associated with the ticket.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Service, including AI-powered editing features.
- Authenticate users and maintain account security.
- Enable real-time collaboration features (powered by Y-Sweet / Yjs CRDT).
- Process your media through AI services to generate captions, smart cuts, and other edits.
- Respond to support requests and communicate with you about your account.
- Monitor for abuse, enforce our Terms of Service, and prevent fraud.
- Analyze aggregate usage patterns to improve performance and user experience.
- Comply with legal obligations.
We do not sell your personal data to third parties. We do not use your media content to train our own AI models without your explicit consent.
3. Third-Party Service Providers
We share data with the following sub-processors only to the extent necessary to provide the Service. Each provider is bound by its own privacy policy and, where required, a Data Processing Agreement.
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Authentication (email/password, OAuth). Stores session tokens and user account metadata. | Policy |
| Cloudflare R2 | Object storage for uploaded videos, audio, images, and rendered outputs. | Policy |
| Vercel | Application hosting, serverless functions, edge middleware, Analytics, and Speed Insights. | Policy |
| Anthropic (Claude) | AI natural-language understanding and editing commands. Media content may be processed. | Policy |
| Google (Gemini / AI Studio) | AI video understanding, visual analysis, and multimodal editing features. | Policy |
| OpenAI | AI transcription (Whisper), language model features, and embeddings. | Policy |
| Groq | High-speed AI inference for real-time editing and transcription features. | Policy |
| DeepInfra | Text-to-speech generation (Kokoro-82M model). Audio data is processed to produce voiceover. | Policy |
| Modal | Serverless cloud compute for video transcoding and proxy generation. | Policy |
| Resend | Transactional email delivery (account confirmations, support replies, system notifications). | Policy |
| Jamsocket (Y-Sweet) | Real-time collaborative editing using CRDTs. Sync data is encrypted in transit. | Policy |
| AWS (Remotion Lambda) | Cloud video rendering. Rendered projects are processed in AWS Lambda functions. | Policy |
| Pexels | Stock photo and video search results displayed within the editor. Search queries may be transmitted. | Policy |
| Pixabay | Stock photo and video search results displayed within the editor. Search queries may be transmitted. | Policy |
| Unsplash | Stock photo search results displayed within the editor. Search queries may be transmitted. | Policy |
| Freesound | Royalty-free sound effect search. API queries may include search terms. | Policy |
| Giphy | GIF search and insertion. API queries may include search terms. | Policy |
| VirusTotal | Malware scanning of uploaded marketplace assets. | Policy |
4. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Strictly necessary cookies — session tokens set by our authentication service (httpOnly, Secure) to keep you logged in. These cannot be disabled without breaking core functionality.
- Preference cookies — a
NEXT_LOCALEcookie stores your language choice. Stored in localStorage as well. - Analytics — Vercel Analytics uses a privacy-preserving approach that does not set persistent tracking cookies and does not build cross-site behavioral profiles.
We do not use advertising cookies, retargeting pixels, or third-party trackers.
5. Data Retention
- Account data — retained for as long as your account is active. Upon account deletion, your personal data and project content are permanently deleted within 30 days, except where retention is required by law.
- Uploaded media — stored in Cloudflare R2. Deleted within 30 days of account deletion or sooner if you delete individual projects.
- Audit logs — automatically purged after 90 days.
- Support tickets — retained for 2 years to allow follow-up, then purged.
- Backups — encrypted backups may retain data for up to 30 additional days after deletion before being overwritten.
6. International Data Transfers
Cue is operated from the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your jurisdiction.
6.1 Transfer Safeguards
For transfers of personal data from the EEA, UK, or Switzerland to the United States or other countries, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) — We use the European Commission's Standard Contractual Clauses (2021/914) as the primary legal mechanism for transferring personal data to third-party service providers outside the EEA.
- EU-US Data Privacy Framework — Where applicable, we transfer data to recipients who have certified under the EU-U.S. Data Privacy Framework (DPF), which has been recognized as providing adequate protection by the European Commission.
- UK International Data Transfer Agreement (IDTA) — For transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs as appropriate.
6.2 Data Processing Locations
The following table summarizes where our key service providers process your data:
| Provider | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Authentication & Database | US (us-east-1) |
| Cloudflare R2 | File Storage | US / Global Edge |
| Vercel | Hosting & Serverless | US (iad1) |
| Upstash | Rate Limiting & Cache | US |
| Anthropic | AI Analysis | US |
| Google (Gemini) | AI Vision & Embeddings | US |
| Groq | AI Inference & Transcription | US |
| DeepInfra | Text-to-Speech | US |
| Resend | Transactional Email | US |
| Jamsocket (Y-Sweet) | Real-time Collaboration | US |
By using the Service, you acknowledge that your data may be processed in the locations listed above. You may contact us at privacy@playcue.ai for more information about our transfer safeguards, including copies of relevant SCCs.
7. Your Rights
7.1 All Users
Regardless of where you live, you may at any time:
- Access, correct, or update your account data via Settings.
- Delete your account and all associated data via Settings → Account → Delete Account.
- Download your project data (export as file).
- Opt out of non-essential communications by emailing us.
7.2 EEA / UK Residents (GDPR)
Under the General Data Protection Regulation (GDPR) and UK GDPR, you have the right to:
- Access the personal data we hold about you (Article 15).
- Rectify inaccurate personal data (Article 16).
- Erasure ("right to be forgotten") (Article 17).
- Restrict processing in certain circumstances (Article 18).
- Data portability (Article 20).
- Object to processing based on legitimate interests (Article 21).
- Lodge a complaint with your local supervisory authority.
Our legal bases for processing are: (a) performance of a contract (providing the Service); (b) legitimate interests (security, fraud prevention, service improvement); and (c) compliance with legal obligations. Where we rely on consent, you may withdraw it at any time.
7.3 California Residents (CCPA / CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:
- Know what personal information we collect, use, disclose, and sell.
- Delete personal information we have collected (with exceptions).
- Correct inaccurate personal information.
- Opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising.
- Limit use of sensitive personal information.
- Non-discrimination for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@playcue.ai. We will respond within 45 days (CCPA) or 30 days (GDPR).
8. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us at privacy@playcue.ai. Users between the ages of 13 and 18 should use the Service only with parental consent.
9. Data Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for stored media, httpOnly and Secure session cookies, rate limiting on all API endpoints, and regular security reviews. However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security and encourage you to use a strong, unique password.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (at the address associated with your account) or by posting a prominent notice in the app at least 14 days before the changes take effect. The "Effective date" at the top of this page will always reflect the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Cue
Email: privacy@playcue.ai
Website: https://playcue.ai