Privacy notice.
This Notice explains what personal data CopyThumb collects when you use copythumb.com, why we collect it, how we share it, how long we keep it, and the rights you have over it. CopyThumb is operated as a sole trader registered in Morocco. The data controller (under GDPR) is CopyThumb; full controller-identity details are available on request to support@copythumb.com.
1. What data we collect
1.1 You give us directly
- Account data — email address, password (stored hashed), display name, optional YouTube channel URL.
- Payment data — name, billing address, and payment-method details required by our payment processor. Card numbers themselves are never stored on our servers; they are tokenised by the payment provider (PayPal, and eventually Paddle).
- Content you submit — channel URLs you reference, video titles you type, optional uploaded reference images, sketches, and prompts you provide for generation.
- Support correspondence — any message you send via the in-app support form or to support@copythumb.com.
1.2 We collect automatically
- Usage data — pages visited, features used, number of generations, error events. Helps us improve the product and bill correctly against your plan.
- Device/connection data — IP address, browser type, operating system, referrer URL. Used for security (fraud detection, abuse mitigation) and aggregate analytics.
- Cookies and similar — strictly-necessary session cookies that keep you logged in, plus a small set of first-party functional cookies. We do not run third-party advertising cookies.
1.3 We generate about you
- Generated outputs — the thumbnails our system produces from your inputs, stored in your account so you can re-download them and so we can show history.
- Account state — current plan, token balance, payment history, audit log of significant account events.
2. Why we use it (legal basis under GDPR)
| Purpose | Legal basis |
|---|---|
| Operating the Service (login, generating thumbnails, storing your work) | Performance of contract (Art. 6(1)(b) GDPR) |
| Processing payments and preventing fraud | Performance of contract + legitimate interest (Art. 6(1)(b) + (f)) |
| Sending transactional emails (signup, billing, support) | Performance of contract |
| Security, abuse monitoring, rate-limiting | Legitimate interest (Art. 6(1)(f)) |
| Aggregate analytics to improve the Service | Legitimate interest |
| Sending product updates or marketing emails | Consent (which you can withdraw at any time) |
| Complying with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) |
3. Who we share data with
We share data only with the third-party processors strictly needed to run the Service. We never sell your data to anyone.
| Processor | What for | Data shared |
|---|---|---|
| Payment provider (PayPal, transitioning to Paddle) | Processing your subscription and one-off charges | Name, email, billing address, transaction amount |
| Hosting provider (Fly.io) | Running the application and storing your account data | All account and content data |
| Email delivery (Resend) | Sending transactional emails (signup, receipts, support replies) | Email address, message content |
| AI providers (image and language model APIs) | Generating thumbnails from your inputs | Channel URL, video title, prompt content, reference images |
| YouTube Data API | Reading publicly available channel metadata | Channel URLs you submit (not your personal data) |
Our AI providers' API terms forbid training on customer data by default, and we never opt in. Prompts and renders are never used to train AI models — ours, theirs, or anyone else's.
4. How long we keep it
- Account data: as long as your account is open, plus up to 30 days after closure to allow account recovery, then deleted.
- Generated thumbnails: while the account is open; you can delete individual generations from the account page at any time.
- Payment records: retained for the period required by tax and accounting law (typically 5–10 years depending on jurisdiction), in anonymised form where possible.
- Support emails: retained for 24 months for quality and dispute resolution.
- Server logs: rotated after 30 days.
5. Your rights (GDPR, CCPA, others)
Depending on where you live, you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account and the associated data ("right to be forgotten")
- Export your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent for any consent-based processing (e.g. marketing emails) at any time
- Lodge a complaint with your local data protection authority. EU residents may contact their national DPA.
To exercise any of these rights, email support@copythumb.com from the account email address. We will respond within 30 days. Most requests are resolved within a few business days.
6. International transfers
Our hosting is in the EU (Fly.io Paris region). Some of our processors (notably AI providers and the payment provider) are based outside the EU. Where data is transferred outside the EU/EEA, we rely on the Standard Contractual Clauses published by the European Commission, or equivalent safeguards.
7. Children
The Service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you become aware that a child has provided data to us, please email us and we will delete it.
8. Cookies
We use only the cookies strictly necessary for the Service to work (login session, CSRF protection, preferences). We do not use third-party advertising trackers or cross-site profiling cookies. Because none of our cookies are non-essential, no consent banner is required under the ePrivacy Directive; we still publish this list for transparency.
9. Security
We protect your data with HTTPS in transit, encryption at rest for sensitive fields, hashed passwords, principle-of-least-privilege access controls, rate-limiting, and routine security review. No system is perfectly secure; if we ever discover a breach affecting your data, we will notify you and the relevant authorities per applicable law (within 72 hours where GDPR applies).
10. Changes to this Notice
We may update this Notice from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced by email at least 14 days before they take effect.
11. Contact
Data controller: CopyThumb, operating as a sole trader registered in Morocco.
Email: support@copythumb.com.
Full controller-identity details (legal name and registered address) are provided on request to the email above.