Privacy Policy

Last updated: June 13, 2026

1. Data Controller

GrepCut is operated by Adam Ziółko, Warsaw, Poland. We act as the data controller for the purposes of GDPR.

Contact: privacy@grepcut.com | Supervisory authority: UODO, Warsaw, Poland.

2. Information We Collect

  • Account data: Name, email, and profile picture from Google OAuth.
  • User preferences: Theme, language, notification settings, keyboard shortcuts, and your selected AI agent.
  • Project data: Project names, descriptions, thumbnails, and media file metadata (format, resolution, duration).
  • AI-generated data: Transcription results and AI-powered editing metadata.
  • Agent chat data: Prompts, instructions, and project context you send to the AI agent, including when you choose a specific provider such as DeepSeek or Google Cloud Vertex AI.
  • Payment data: Transaction amounts, currency, AI usage balance, and payment status. We do not store card numbers or banking details — Paddle (our Merchant of Record) handles all payment processing and is responsible for storing payment information securely.
  • User content: Your media files are stored on your Google Drive or Cloudflare R2 cloud storage.
  • Usage & Technical data: IP addresses, error reports, performance metrics, and support or abuse-prevention logs. We also use masked session replay and error telemetry where configured for service diagnostics.
  • Cookies: Authentication cookies for login sessions and Google Drive connection.
  • Optional analytics data: On the landing page, Google Analytics 4 may collect limited, cookieless aggregate measurement before consent and fuller page-level usage after consent. If you consent, Contentsquare may also collect clicks, scroll depth, and session analytics related to the marketing site.
  • Local browser storage: Preferences such as theme, recent projects, and your cookie consent choice, stored in your browser.

3. Why We Process Your Data

  • To provide the service (contract): editing, project storage, payments, AI features you request.
  • With your consent: optional analytics cookies and Contentsquare session analytics on the landing page.
  • For aggregate landing-page measurement (legitimate interest): limited cookieless Google Analytics 4 signals before consent, without analytics cookies.
  • For service stability and security (legitimate interest): error monitoring, abuse prevention, fraud detection, infrastructure protection, and support diagnostics.
  • Legal obligations: Payment record retention for tax compliance.

4. Who We Share Your Data With (Processors)

We share the minimum data necessary with these providers. We have entered into Data Processing Agreements (DPAs) or equivalent terms with all our subprocessors as required by GDPR Art. 28:

  • Google — authentication and file storage (Drive)
  • Paddle — payment processing and billing (Merchant of Record). Paddle's privacy policy: paddle.com/legal/privacy
  • Groq — audio transcription
  • DeepSeek — AI agent (when you select DeepSeek in Agentic Chat). We send your prompts and the project context needed to fulfill your request.
  • Google Cloud Vertex AI — AI agent (when you select Vertex AI in Agentic Chat). We send your prompts and the project context needed to fulfill your request. Google's privacy policy: policies.google.com/privacy
  • ElevenLabs — voice generation
  • Cloudflare R2 — file storage
  • Sentry — error tracking and diagnostics
  • Google Analytics 4 — optional landing-page analytics after consent
  • Contentsquare — optional landing-page session analytics after consent
  • Pexels, Klipy — stock media search (only search queries are shared)
  • Gmail SMTP — transactional emails

We do not sell your data. GrepCut does not use your content to train AI models.

DeepSeek and model training: If you choose DeepSeek as your AI agent, your prompts and related context are processed by DeepSeek via their API. Under DeepSeek's privacy policy, they may use submitted data to improve and train their machine learning models by default. GrepCut does not control DeepSeek's retention or training practices. Do not send sensitive, confidential, or personal data through the DeepSeek agent unless you accept that risk. See DeepSeek's Privacy Policy.

Vertex AI: If you choose Vertex AI as your AI agent, your prompts and related context are processed by Google Cloud. Under Google's terms for Vertex AI, your API data is not used to train Google's foundation models. See Google Cloud data governance for Vertex AI.

5. Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects for you (under GDPR Art. 22).

6. Cookies

We use two categories of cookies or similar browser technologies on this website:

  • Strictly necessary cookies — used for authentication and Google Drive connection in the studio application. These are always active and do not require your consent.
  • Analytics tools — we use Google Analytics 4 with Google Consent Mode on the grepcut.com landing page. Before you accept optional analytics, GA4 may send limited, cookieless measurement signals so aggregated traffic can be estimated without storing analytics cookies. After you accept, GA4 uses analytics cookies for full measurement. We also use Contentsquare for session analytics only after you give consent through the cookie banner. Legal basis: your consent for optional analytics cookies and Contentsquare (GDPR Art. 6(1)(a)); limited cookieless GA4 measurement before consent is based on our legitimate interest in understanding aggregate site traffic (GDPR Art. 6(1)(f)).

We do not use the landing page for ad personalization, advertising cookies, or cross-site ad targeting.

Your browser's local storage also stores preferences such as theme and your cookie choice. You can withdraw consent at any time by opening Cookie Settings in the footer and rejecting optional analytics. Rejecting consent stops analytics cookies and disables Contentsquare; GA4 may continue limited cookieless measurement for aggregate statistics.

Google Analytics data is processed by Google LLC — see Google's Privacy Policy. Contentsquare's privacy information is available at contentsquare.com/privacy-center.

7. Data Security

We protect your data with encryption in transit and at rest, secure authentication tokens, HTTP security headers, input validation, and access controls. Google Drive access is limited to files and folders created by our app.

8. Data Retention

  • Account & project data: Kept while your account is active; deleted within 30 days of account closure.
  • AI-generated data (e.g., transcripts): Kept while your account is active, deleted within 30 days of account closure, or when you explicitly delete the project/data.
  • Payment records: 7 years (legal requirement).
  • Error reports & diagnostics: Typically up to 90 days, unless a longer period is needed to investigate a security or abuse issue.
  • Optional landing-page analytics: Retained according to the settings of Google Analytics 4 and Contentsquare, or until earlier deletion where available.
  • Google Drive content: Remains on your Drive under your control.

9. International Data Transfers

Some providers operate in the United States and other countries outside the EEA. If you select the DeepSeek agent, your data may be processed in the People's Republic of China. Where required, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent transfer mechanisms offered by the provider. Contact us if you need more detail about a specific transfer.

10. Your Rights

Under GDPR you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (“right to be forgotten”)
  • Restrict processing
  • Port your data to another service
  • Object to processing based on legitimate interest
  • Withdraw consent at any time for optional analytics and other consent-based processing

Contact privacy@grepcut.com to exercise these rights. We respond within 30 days. You may also lodge a complaint with your local data protection authority or UODO.

11. Children's Privacy

GrepCut is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Data Breach Notification

In the event of a data breach posing risk to your rights, we will notify the supervisory authority within 72 hours and inform affected users without undue delay.

13. Changes to This Policy

We may update this Policy from time to time. For material changes, we will provide reasonable notice before they take effect. Continued use after the effective date means the updated Policy applies.

14. Contact Us

Email: privacy@grepcut.com | Contact page