Privacy Notice
How VidPal collects, uses, shares, and protects personal data when you visit our sites, create an account, or watch videos shared by our users.
1. Who This Notice Covers
This Privacy Notice explains how PepoCloud LLC (“PepoCloud LLC,” “we,” “us,” or “our”) handles personal data for our VidPal websites (vidpal.ai), applications, Chrome extension, and video services (collectively, the “Services”). It applies to:
- Users: account owners and team members who record, upload, edit, and share videos through the Services.
- Viewers: people who watch shared videos, visit video landing pages, or interact with video content created through the Services.
- Visitors: anyone who browses our marketing sites, support pages, or interacts with our promotional materials.
By using the Services, you consent to the practices described here. If you do not agree, please discontinue use of the Services.
2. Personal Data We Collect
Data you provide to us
We collect the personal data you choose to share, including:
- Account and profile details such as name, email address, password, and profile photo.
- Video content you upload, record, or create through the Services, including screen recordings, camera recordings, and edited video projects.
- Campaign recipient data, including names, email addresses, and custom personalization tokens you provide for video campaigns.
- Payment and billing information (e.g., billing contact details, billing address). Payment card data is processed by Dodo Payments and not stored by VidPal.
- Support requests, feedback, and any other information you provide when you contact us.
Data we collect automatically
When you use the Services, we automatically collect certain information, including:
- Usage and log data such as the pages you view, features you use, actions you take, timestamps, referring/exit pages, and session IDs.
- Device and browser information including IP address, browser type, operating system, device identifiers, language settings, and approximate geolocation derived from your IP address.
- Cookies and similar technologies used to operate and improve the Services.
- Video engagement data such as views, watch time, percentage watched, click-through actions, and viewer interaction metrics.
Chrome Extension
Our Chrome extension enables screen recording, tab recording, and camera recording directly from your browser. When you use the extension:
- Screen and tab recordings are captured locally in your browser using browser APIs (getDisplayMedia, tabCapture, desktopCapture). Recordings are uploaded to our servers (Cloudflare R2) for storage and playback only after you complete a recording.
- Camera and microphone access is requested only when you choose to record with camera or microphone enabled. This data is not accessed unless you initiate a recording.
- Authentication tokens are stored locally in your browser (chrome.storage) to keep you signed in. These tokens are sent to our servers to authenticate API requests.
- Google Drive integration (optional): If you choose to save recordings to Google Drive, the extension requests access to the Google Drive API with the drive.file scope, which only allows access to files created by the extension. No other files in your Google Drive are accessed or read.
- Tab and display information (such as active tab URL and display dimensions) is accessed locally to facilitate recording and is not transmitted to our servers.
The extension does not collect browsing history, read page content, or track your activity outside of the recording features you initiate.
3. How We Use Personal Data
We use personal data for the following purposes:
- Provide, operate, and maintain the Services, including video recording, editing, hosting, sharing, and analytics.
- Process video recordings and deliver AI-powered features such as automatic captions, dubbing, voice change, summarization, and chat-with-video.
- Create and manage accounts, authenticate users, and process payments or subscription charges.
- Send notifications, service announcements, video-ready alerts, and support responses.
- Personalize experiences, recommend configurations, and remember your preferences.
- Monitor and analyze usage, trends, and activities to improve the Services and develop new features.
- Detect, investigate, and prevent fraud, abuse, security incidents, and other harmful activity.
- Comply with legal obligations, enforce our agreements, and protect our rights, users, and the public.
Where required by law, we will obtain your consent before using personal data for certain purposes, and you may withdraw consent at any time.
4. Legal Bases for EEA/UK/Swiss Personal Data
When the GDPR, UK GDPR, or Swiss data protection laws apply, we process personal data under these legal bases:
- Contract: To provide the Services and fulfill our agreements with you.
- Legitimate interests: To secure and improve the Services, respond to inquiries, deliver video analytics, and prevent misuse, provided these interests are not overridden by your rights.
- Consent: For certain marketing, analytics, or optional integrations; you may withdraw consent at any time.
- Legal obligations: To comply with applicable laws, regulations, and lawful requests.
5. How We Share Personal Data
We do not sell personal data. We may share personal data in these circumstances:
Service providers
Vendors and subprocessors that help us deliver the Services access personal data only to perform work on our behalf. Key service providers include:
| Provider | Purpose |
|---|---|
| Cloudflare R2 | Long-term storage of generated videos, images, audio, and uploaded assets. |
| AWS (Lambda, S3) | Video composition (Remotion Lambda) and temporary render output. Files are migrated to R2 immediately after rendering and removed from S3. |
| OpenAI | Script generation (GPT-4o), text-to-speech narration (tts-1-hd / gpt-4o-mini-tts), and content classification. |
| Replicate | Hosted AI models — image generation (Flux Schnell) and alternative TTS providers (Kokoro-82m, Qwen3-TTS). |
| AssemblyAI | Word-level transcription used to time on-screen captions for generated videos. |
| Pexels | Royalty-free stock video clips used in AI-generated content. Photographer attribution is shown in the editor where each clip surfaces. |
| Pixabay | Royalty-free stock video clips (secondary fallback when Pexels has no match). Photographer attribution is shown in the editor where each clip surfaces. |
| Tavily | Public web search used as a fallback source by the automated content curation pipeline. |
| Meta Platforms (Facebook & Instagram Graph API) | Publishing user-reviewed content and reading post performance data on behalf of users who connect their Instagram Business or Creator accounts. |
| Dodo Payments | Subscription and one-time payment processing. Card data is handled directly by Dodo and never stored by VidPal. |
| Inngest | Durable background job orchestration for the content pipelines (curation, render, publish). |
| Resend | Transactional email delivery (auth verification, password reset, render-ready notifications). |
| Neon | Managed PostgreSQL database hosting for application data. |
User-directed sharing
When you share videos publicly, publish video landing pages, or distribute campaign links, your video content and associated metadata become accessible to viewers. You control who can access your videos through sharing settings and password protection.
Legal compliance and protection
We may disclose information if required by law, subpoena, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.
Business transfers
If we engage in a merger, acquisition, financing, or sale of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate confidentiality protections.
6. Cookies and Similar Technologies
We use cookies, pixel tags, local storage, and similar technologies to operate and improve the Services. These technologies help us remember preferences, keep you signed in, understand usage, and deliver relevant content.
Types of cookies we use
- Essential: Required for core functionality, authentication, and security.
- Performance and analytics: Help us understand how the Services are used to improve performance and user experience.
- Functional: Enable enhanced features, such as remembering your recording preferences or editor settings.
- Marketing: Used to deliver relevant marketing and measure campaign effectiveness, where permitted.
Managing preferences
You can manage cookies through your browser settings or our cookie banner (where available). Blocking some cookies may affect how the Services function.
7. Data Retention
We keep personal data only as long as needed for the purposes described in this Notice. Specific retention practices include:
- Video content: Retained while your account is active and you choose to keep the content. Deleted videos are removed from our storage systems.
- Engagement analytics: Video view data, watch time metrics, and CTA click data are retained for reporting and analytics purposes while your account is active.
- Account data: Deleted upon account closure, subject to any legal or regulatory retention requirements.
When data is no longer needed, we will delete or de-identify it in accordance with our retention policies, unless we need to keep it to comply with legal or regulatory requirements.
8. Data Security
We implement technical, administrative, and organizational measures designed to protect personal data, including:
- Encryption in transit (TLS) and at rest for stored data.
- AES-256-GCM encryption for integration credentials and OAuth tokens.
- Regular security audits and vulnerability assessments.
- Access controls and least-privilege principles for internal systems.
Despite these efforts, no security controls are infallible, and we cannot guarantee absolute security. If you have reason to believe your account or interaction with us is no longer secure, please contact us immediately using the details in Section 34.
9. International Data Transfers
VidPal is operated by PepoCloud LLC. Your personal data may be transferred to and processed in countries other than where you live, including the United States. These countries may have data protection laws that differ from those in your jurisdiction.
When transferring personal data internationally, we use appropriate safeguards such as Standard Contractual Clauses, reliance on adequacy decisions, or other lawful transfer mechanisms, and we take additional measures as needed to protect personal data.
10. Your Privacy Rights and Choices
Depending on where you live, you may have rights regarding your personal data, including:
- Access and portability: Request a copy of your personal data in a structured, machine-readable format.
- Correction and deletion: Request correction of inaccurate data or deletion of your personal data, subject to legal exceptions.
- Opt-out: Object to certain processing activities or withdraw consent where processing is based on consent.
You can exercise these rights by contacting us at privacy@vidpal.ai or using in-product settings where available. We may request information to verify your identity before fulfilling your request.
11. Marketing and Communication Preferences
You can opt out of promotional emails at any time by clicking the unsubscribe link in the email or contacting us. Even if you opt out, we may still send you non-promotional messages about your account, transactions, or service updates.
Transactional emails — such as video-ready notifications, account confirmations, and security alerts — will continue regardless of your marketing preferences.
12. Third-Party Services and Integrations
The Services may contain links to or integrations with third-party sites, tools, or services. Your use of those services is subject to their terms and privacy policies, which we do not control. We encourage you to review those policies to understand how they handle your data.
VidPal's content pipeline relies on a handful of AI and content providers (OpenAI, Replicate, AssemblyAI, Pexels, Pixabay, Tavily) plus payment, infrastructure, and social-publishing partners (Dodo Payments, Meta Graph API). Detailed per-integration disclosures are provided in Sections 13 through 15 below. The sub-processor summary table is in Section 21. If you connect a third-party social account (e.g. Instagram via Meta Login), data may flow between VidPal and that provider as directed by you. Disconnecting an integration will stop new data sharing but may not delete data already shared with that provider.
13. Use of AssemblyAI Data
Data we share
- We send video audio to AssemblyAI for transcription and automatic caption generation.
How AssemblyAI processes data
- Audio is processed for transcription and is not stored by AssemblyAI after processing is complete.
- The resulting transcripts are stored in our database and associated with your video.
14. Use of Stock Footage Providers (Pexels & Pixabay)
What we send
- Topic keywords derived from your script's visual cues (e.g. “airline cockpit”, “sunset beach”) — never personal data, never the full narration text.
How we use the results
- Selected clips are composited server-side into your final rendered video. The contributing photographer's name is displayed in the editor where each clip surfaces, in compliance with each platform's attribution requirements.
- Raw stock clips are not redistributed to end users as standalone files; only the rendered video derivative is delivered to the user's account.
- Pexels content is provided under the Pexels License and Pixabay content under the Pixabay Content License.
15. Use of Dodo Payments Data
Data we share
- We share billing information (name, email, billing address) with Dodo Payments for payment processing.
How Dodo Payments processes data
- Payment card data is processed directly by Dodo Payments and is never stored by VidPal.
- Dodo Payments handles payment data in accordance with their privacy policy and applicable payment card industry standards.
16. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, provides specific rights regarding your personal information.
Your California rights
- Request to know the categories or specific pieces of personal information we collect, use, disclose, or share.
- Request deletion of personal information, subject to legal exceptions.
- Opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell personal information.
- Be free from discrimination for exercising your rights.
To exercise your rights, contact us at privacy@vidpal.ai. We will verify your request and respond as required by law. You may use an authorized agent to submit a request; we may require proof of authorization and confirmation of your identity.
17. U.S. State Privacy Rights (Virginia, Colorado, Connecticut, and Similar Laws)
Residents of certain U.S. states have rights such as confirming whether we process personal data, accessing and obtaining a copy of personal data, requesting deletion, correcting inaccuracies, and opting out of targeted advertising, the sale of personal data, or certain profiling.
You can exercise these rights by contacting privacy@vidpal.ai and specifying your state of residence. If we decline to act on a request, you may appeal by replying to our decision with “Appeal” in the subject line. We will respond to appeals within the timeframe required by applicable law.
To opt out of targeted advertising via cookies, adjust your browser settings or use our cookie banner (where available).
18. EEA, UK, and Swiss Residents
If you are located in the EEA, UK, or Switzerland, PepoCloud LLC is the controller of your personal data unless we process it on behalf of a customer as their processor. You may contact our Data Protection Officer at dpo@vidpal.ai.
Under the GDPR, you have the right to access, rectification, erasure, restriction of processing, data portability, and objection. You also have the right to lodge a complaint with your local data protection authority and may request information about cross-border transfer safeguards (see Section 9).
If we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
19. Children's Privacy
The Services are not directed to children under 13 (or under 16 in the EEA), and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate steps to delete it.
If we learn that we have collected personal data from a child without appropriate consent, we will delete that information promptly.
20. Changes to This Privacy Notice
We may update this Notice to reflect changes in our practices, technologies, legal requirements, or other factors. When we do, we will update the “Last updated” date at the top of the Notice. In some cases, we may provide additional notice (such as a banner or email).
Your continued use of the Services after an update means you acknowledge the revised Notice.
21. Sub-Processors
We use the following third-party service providers (sub-processors) to process data on our behalf. We ensure all sub-processors maintain appropriate security and privacy standards.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloudflare R2 | Long-term video and asset storage | Global |
| AWS (Lambda, S3) | Video composition (Remotion Lambda) & temporary render output | US |
| OpenAI | Script generation, text-to-speech narration, classification | US |
| Replicate | AI image generation (Flux) and alternative TTS models (Kokoro, Qwen3-TTS) | US |
| AssemblyAI | Word-level transcription for caption timings | US |
| Pexels | Royalty-free stock video clips (with photographer attribution shown in the editor) | US/Global |
| Pixabay | Royalty-free stock video clips, secondary fallback (with photographer attribution shown in the editor) | EU/Global |
| Tavily | Public web search for content curation fallback | US |
| Meta Platforms | Facebook & Instagram Graph API for user-authorized content publishing and insights | US/Global |
| Dodo Payments | Subscription & one-time payment processing | US |
| Inngest | Durable background job orchestration | US |
| Resend | Transactional email delivery | US |
| Neon | Managed PostgreSQL hosting for application data | US |
This list may be updated from time to time. We recommend checking this section periodically for any changes.
22. Automated Content Generation and AI Features
Some portions of the Services include automated content generation features that use artificial intelligence to draft short-form videos, carousel posts, voiceovers, captions, and accompanying imagery based on topics you select or configure. This section explains how these features process data.
How the automated content pipeline works
When you enable automated content generation, the Services periodically aggregate publicly available information (such as news articles, RSS feeds, and publicly accessible social media posts), summarize and rank topics relevant to the preferences you configure, and use large language models and generative image models to produce a draft video or carousel post. Every draft lands in a review queue where you preview and explicitly approve it before anything is published. We do not autonomously publish content to any social platform without your explicit review and approval.
Data processed by AI subprocessors
To produce a draft, the Services send the following data to AI subprocessors listed in Section 5:
- OpenAI receives topic keywords, brand-voice instructions you configure, and publicly available source text (such as the title and summary of a news article) in order to generate scripts, captions, and text-to-speech narration. OpenAI does not use this data to train its foundation models for accounts on zero-data-retention plans.
- Replicate receives short descriptive prompts generated by the pipeline in order to produce accompanying images (Flux Schnell) and, for users who pick a non-OpenAI voice, narration audio (Kokoro, Qwen3-TTS). Prompts do not contain personal information about you or third parties.
- Pexels and Pixabay receive search queries generated from the draft script in order to return royalty-free stock video clips. The contributing photographer's name is shown in the editor wherever a clip surfaces, in line with each platform's attribution requirements.
- AssemblyAI receives the audio generated by the text-to-speech step in order to produce word-level caption timings for on-screen subtitles.
- Tavily executes public web search queries to enrich the content-curation pipeline when scraped RSS / Hacker News sources don't cover a user's topic. We submit only the user's topic keywords; no personal data is sent.
Labeling of AI-generated content
Every caption produced by the automated pipeline is automatically labeled as AI-assisted and, where applicable, includes an attribution link to the public source material that informed the draft. These labels are visible in the review queue and are carried through to the caption published on external platforms. You agree not to remove or materially alter these labels before publishing. See our Terms of Service for the corresponding user obligations.
Retention of generated content
Drafts, final videos, and accompanying assets produced by the automated pipeline are stored in Cloudflare R2 and linked to your account. Drafts you delete from the review queue are purged within thirty (30) days. You can request deletion of all content generated on your behalf at any time using the contact details in Section 37.
23. Connecting Third-Party Social Accounts (Instagram and Others)
To enable publishing to external platforms such as Instagram, Facebook, TikTok, YouTube, or LinkedIn, you may choose to connect one or more third-party accounts to the Services. This section explains what data we collect, how we store it, and what we do with it.
OAuth authorization
Connecting a third-party account uses the standard OAuth 2.0 authorization flow provided by that platform. You log in directly with the platform (for example, at instagram.com for Instagram Business and Creator accounts) and explicitly grant the Services a scoped set of permissions. We never see, store, or request your platform password. You can revoke the connection at any time, either from your account dashboard on our Services or from the connected platform's own security settings.
What we store, and how
For each connected account we persist the following:
- The long-lived access token issued by the platform, encrypted at rest with AES-256-GCM using a master key held separately from the database. Tokens are never logged, never returned in API responses, and never exposed to client-side code.
- The platform-scoped user or account ID and your public display name (for example, your Instagram username), used to label the connection in the dashboard.
- The token expiration timestamp, so we can refresh the token before it expires.
What we do with the access
We use a connected token only to perform actions you have explicitly authorized, namely:
- Publish content items that you have personally reviewed and approved in the Services review queue.
- Read post performance data (such as reach, plays, likes, and comments) for content published through the Services, which feeds back into the content quality analytics we show you.
- Refresh the token periodically so the connection remains active until you revoke it.
We do not read private messages, we do not follow or unfollow other users, we do not interact with other users' content, and we do not perform any action that was not initiated by a logged-in session on the Services.
Disconnecting an account
You can disconnect a connected account at any time from your dashboard. When you do, we immediately delete the stored encrypted access token and stop making any API calls on your behalf. Content that was already published remains on the third-party platform; disconnecting does not retroactively delete it.
24. Automated Data Ingestion from Public Sources
To generate timely drafts in the automated content pipeline, the Services periodically aggregate publicly available information from sources such as public news websites, RSS feeds, Reddit, Hacker News, and public posts on supported social networks. We collect only information that is publicly accessible without authentication or circumvention of technical controls.
We store a deduplicated record of each source item (URL, title, short summary, and publication timestamp) in a shared catalog that the per-user curation step reads from. This catalog contains no personal data about you. Your personal data is never combined with source items during ingestion.
We honor takedown requests from publishers who believe content has been collected in error. Please see Section 37 for contact details.
25. Contact Us
If you have questions about this Privacy Notice or our privacy practices, please contact us:
Email: privacy@vidpal.ai
Data Protection Officer: dpo@vidpal.ai
Support: support@vidpal.ai
Address: PepoCloud LLC, 16192 Coastal Highway, Lewes, DE 19958, United States
Your Privacy Matters
We value your trust and are committed to transparency. If you have questions about your data or need to exercise your privacy rights, reach out and our team will respond promptly.