Privacy Policy
Last updated: March 6, 2026
This Privacy Policy describes how CJ Studio LLC ("Viral.ad", "we", "us") collects, uses, and shares your information when you use our AI video ad generation platform at viral.ad (the "Service").
1. Information We Collect
Account Data
When you create an account, we collect your email address. If you sign up via Google OAuth, we receive your name and email from Google. Passwords are hashed by our authentication provider (Supabase) and are never stored in plaintext.
Payment Data
Payments are processed by Stripe. We never receive or store your full credit card number. We store your Stripe customer ID and subscription ID to manage your account.
Product URLs & Generated Content
When you submit a product URL, we scrape the page to extract product information. We store the URL, the AI-generated script, voiceover audio, and the final video in your account. Uploaded images (e.g., product overlays) are also stored.
Usage & Device Data
We automatically collect information about how you use the Service, including pages visited, features used, video generation pipeline events, and credit transactions. We also collect device information such as browser type, operating system, IP address, and screen resolution through our analytics providers.
Session Recordings
We use Microsoft Clarity to record anonymized user sessions, including mouse movements, clicks, and scroll behavior. These recordings help us understand how users interact with the Service and identify usability issues. Clarity does not capture text you type into form fields.
2. How We Use Your Data
- Provide, maintain, and improve the Service.
- Process payments and manage your subscription.
- Generate AI video ads from the product URLs you submit.
- Analyze usage patterns to improve user experience (via PostHog, Microsoft Clarity, DataFast, and Vercel Analytics).
- Communicate with you about your account (email verification, password resets).
- Detect and prevent fraud, abuse, and automated bot activity.
- Comply with legal obligations.
3. Third-Party Data Processors
We share data with the following third-party services to operate the platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Email, hashed password, all project data, uploaded files |
| Stripe | Payment processing | Email, Stripe customer ID; card data stays with Stripe |
| Anthropic (Claude) | AI script generation | Product metadata (name, description, price, images) |
| OpenAI (GPT-4o) | AI script generation (fallback) | Product metadata (when Anthropic is unavailable) |
| fal.ai | AI video/image generation, lip-sync, subtitles | Product images, script text, avatar selections |
| ElevenLabs | AI voice synthesis (TTS) | Ad script text |
| Cloudinary | Image/video compositing | Product image URLs, video URLs (via URL-based API) |
| Shotstack | Video rendering/assembly | Timeline JSON, asset URLs |
| Jina AI | Web page scraping | Product URL |
| Microsoft Clarity | Session analytics, heatmaps | Anonymized session recordings, device info, IP-based geolocation |
| PostHog | Product analytics | Page views, identified user profiles, custom events |
| DataFast | Web analytics | Page views, referrer, browser/OS info |
| Vercel | Hosting, analytics, edge functions | Page views, server-side pipeline events |
| Cloudflare | CDN, DDoS protection, bot verification | IP address, request metadata, Turnstile verification tokens |
4. Cookies & Tracking Technologies
Essential Cookies
Supabase authentication cookies are required for login and session management. These are set automatically when you sign in.
Analytics Cookies
- Microsoft Clarity:
_clck,_clsk,CLID— session recording and heatmap tracking. - PostHog:
ph_*cookies — product analytics and user identification. - DataFast & Vercel Analytics: Privacy-focused analytics with minimal cookie usage.
No Advertising Cookies
We do not use advertising cookies, cross-site tracking pixels, or sell your data to advertisers.
Local Storage
We use browser localStorage to store your theme preference (light/dark), temporarily hold your product URL during the signup flow, and preserve your studio settings during payment. No personally identifiable information is stored in localStorage.
5. Data Retention
- Account data: Retained until you delete your account.
- Projects & generated content: Retained until you delete the project or your account. Account deletion cascade-deletes all projects, assets, and credit history.
- Analytics data: Subject to each analytics provider's retention policy (typically 12–26 months).
- Payment records: Retained as required by applicable tax and financial regulations (typically 7 years).
6. Your Rights
- Access: View your data through your dashboard and account settings.
- Deletion: Delete your account at any time from Settings. This permanently deletes all your projects, generated videos, assets, and credit history.
- Download: Download any of your generated videos at any time from the Studio or Dashboard.
- Correction: Update your email and password in your account settings.
- Data portability: Contact us at support@viral.ad to request an export of your data.
If you are located in the European Economic Area (EEA), United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us at support@viral.ad to exercise these rights.
7. Data Security
We implement the following security measures to protect your data:
- Row-Level Security (RLS) on all database tables — users can only access their own data.
- HTTPS/TLS encryption for all data in transit.
- All API keys and secrets are stored server-side only and never exposed to the client.
- Passwords are hashed using industry-standard algorithms (handled by Supabase Auth).
- Cloudflare DDoS protection and bot detection on all endpoints.
- Cloudflare Turnstile for human verification during account creation.
8. Children's Privacy
The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us at support@viral.ad and we will promptly delete it.
9. International Data Transfers
Your data may be processed in the United States, where our infrastructure is primarily hosted (Vercel US regions, Supabase, PostHog US datacenter). By using the Service, you consent to the transfer of your data to the United States. We rely on standard contractual clauses and our service providers' data processing agreements to ensure adequate protection.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or email. The "Last updated" date at the top will reflect the most recent revision. Your continued use of the Service after changes are posted constitutes acceptance.
11. Contact
For privacy-related questions or to exercise your data rights, contact us at:
CJ Studio LLC
Email: support@viral.ad
See also: Terms of Service