Privacy Policy

1. Introduction

MotionMax ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the MotionMax platform. Please read this policy carefully. By using the Service, you consent to the practices described herein.

2. Information We Collect

Account Information: When you register, we collect your email address and a hashed password. We do not store plaintext passwords.

Content You Provide: We store the text, documents, and scripts you submit to generate content, as well as the outputs produced (images, video, audio). This data is stored to power your project history and allow you to revisit past generations.

Voice Data: If you use the voice cloning feature, we collect voice recordings you upload. These recordings are processed by our third-party voice synthesis provider and stored as voice models associated with your account. You can delete cloned voices at any time from your settings.

Usage Data: We collect information about how you use the Service, including generation history, credit consumption, feature usage, and session activity. This data is used to improve the platform and prevent abuse.

Payment Information: Payment processing is handled by Stripe. We do not store your full credit card details. We receive and store a Stripe customer ID and subscription status to manage your billing.

Technical Data: We automatically collect IP addresses, browser type, operating system, and device identifiers for security and analytics purposes.

3. How We Use Your Information

• To provide, maintain, and improve the Service
• To process your content generation requests
• To manage your account, subscription, and credit balance
• To send transactional emails (email verification, password reset, billing receipts)
• To detect and prevent fraud, abuse, and violations of our Terms of Service
• To comply with legal obligations
• To analyze aggregate usage patterns to improve the platform (using anonymized data)

We do not sell your personal data to third parties. We do not use your generated content to train AI models without explicit opt-in consent.

4. Legal Basis for Processing (GDPR Art. 6)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Performance of a contract (Art. 6(1)(b)): Processing your account information, content, credits, and billing data to provide the Service you have subscribed to.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, error logging, and aggregate analytics that do not override your fundamental rights.
• Compliance with legal obligations (Art. 6(1)(c)): Retaining financial records, responding to lawful data requests, and complying with applicable law.
• Consent (Art. 6(1)(a)): Analytics cookies (Google Analytics 4), session replay (Sentry), and AI training opt-in (if you explicitly enable it). You may withdraw consent at any time via the cookie banner or by contacting us.

5. Third-Party Services & Subprocessors

We use the following third-party services to operate the platform. Your data is transmitted securely and only as necessary for service delivery:

• AI Generation: Hypereal (US), Google Gemini (US), Anthropic Claude via OpenRouter (US), Replicate (US). We send your text prompts, uploaded content, and scene descriptions to these providers.
• Video Generation: Kling by Kuaishou (CN/US). Image-to-video conversion is processed via Kling's API. Scene images and motion parameters are transmitted to their servers.
• Voice Synthesis: ElevenLabs (US — voice cloning, TTS), Fish Audio, LemonFox, Google Cloud TTS. Voice recordings and cloned models are stored on the respective provider and deleted when you remove the voice from your Voice Lab.
• Payment Processing: Stripe (US) handles all payment and subscription data. We do not store credit card numbers. See stripe.com/privacy.
• Analytics: Google Analytics 4 (US) — only if you consent via our cookie banner. Collects anonymized usage data. You may withdraw consent at any time.
• Error Monitoring: Sentry (US) collects error reports, stack traces, and browser information. Session replay is only activated with your analytics consent. No generated content or passwords are captured in error reports.
• Cloud Infrastructure: Supabase (US — database, authentication, file storage), Vercel (US — frontend hosting and edge network), Render (US — background video processing). Data is encrypted at rest and in transit.

Enterprise customers may request a complete, up-to-date subprocessor list by contacting privacy@motionmax.io. We will notify enterprise customers at least 10 business days before adding or replacing a subprocessor that processes personal data.

6. International Data Transfers

MotionMax is operated from the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

Where required, we rely on the EU–US Data Privacy Framework, Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms. Our key subprocessors (Supabase, Vercel, Stripe, ElevenLabs) maintain SCCs or equivalent safeguards. You may request copies of applicable safeguards by contacting us at privacy@motionmax.io.

7. Data Retention

We retain your account data for as long as your account is active. Generated projects and content are retained for the duration of your account. If you delete a project, its content is removed from active storage; backups may persist for up to 30 days before permanent deletion.

Voice clones are retained until you explicitly delete them from the Voice Lab. Deleted voice data is removed from our systems within 30 days.

If you close your account, we will delete your personal data within 90 days, except where we are required to retain it for legal or financial compliance purposes.

The following specific data categories are automatically purged on a nightly schedule:

• Activity & security logs: automatically deleted after 90 days.
• Video generation job records (completed and failed jobs): automatically deleted after 30 days.
• Generation archives: automatically deleted after 1 year.
• Payment webhook records (idempotency keys): automatically deleted after 7 days.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and associated personal data
• Portability: Request an export of your generated content in a machine-readable format
• Objection: Object to certain processing activities

To exercise any of these rights, contact us at support@motionmax.io. We will respond to verified requests within 30 days.

If you are in the EEA and believe your data has been processed unlawfully, you have the right to lodge a complaint with your national supervisory authority.

9. Security

We implement industry-standard security measures including encryption at rest and in transit (TLS/HTTPS), access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or a prominent notice within the Service. The "Last updated" date at the top of this page indicates when this policy was last revised.

12. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information:

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of personal information we have collected about you, subject to certain exceptions.
• Right to Opt Out of Sale or Sharing: MotionMax does not sell or share your personal information with third parties for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your California privacy rights, please contact us at privacy@motionmax.io. We will respond to verified requests within 45 days as required by the CCPA.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at support@motionmax.io.