Last updated 2026-05-19
Privacy Policy
1. Who is responsible for your data
The data controller for Kashi.mov is:
Jan Rothmann
Sebastian-Bach-Str. 18
31141 Hildesheim
Germany
Email: privacy@kashi.mov
2. What data we collect and why
We collect only what is necessary to provide the service. Here is the complete list:
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address | Account creation, login via magic link, service communications | Art. 6(1)(b) — contract performance |
| Uploaded audio files | Lyric sync editor and video export | Art. 6(1)(b) — contract performance |
| Uploaded video/image files | Background assets in lyric video exports | Art. 6(1)(b) — contract performance |
| Rendered MP4 exports | Temporary storage for download and social posting | Art. 6(1)(b) — contract performance |
| TikTok OAuth token | Publishing videos to TikTok on user request | Art. 6(1)(b) — contract performance |
| Instagram OAuth token | Publishing videos to Instagram on user request | Art. 6(1)(b) — contract performance |
| Basic server logs (page loads, errors) | Service stability and debugging | Art. 6(1)(f) — legitimate interest |
What we do not collect:
- Social media follower data, analytics, or feed content from your TikTok or Instagram accounts.
- Device fingerprints or advertising identifiers.
- Behavioural tracking data across third-party websites.
- Any data from your audience or followers on social platforms.
- Passwords — we use magic-link authentication only.
3. Rendering happens in your browser
Video rendering in Kashi.mov is performed entirely within your own browser using the WebCodecs API — a native browser technology. When you export a video, your audio and media files are processed locally on your device. No audio or video data is sent to our servers during the rendering process.
Files are uploaded to our cloud storage only when you explicitly choose to save them to your library or when an export is stored for later download. Rendering itself generates no outbound network traffic.
4. Sub-processors we share data with
We use the following third-party service providers to operate Kashi.mov. We share data with each only to the extent necessary for its specific role.
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database and file storage | EU (AWS eu-central-1) | Data Processing Agreement in place |
| Vercel | Web hosting and edge delivery | USA / EU | Standard Contractual Clauses (SCCs) |
| TikTok | Video publishing (user-initiated only) | USA | User-initiated; minimal data transfer |
| Meta (Instagram) | Video publishing (user-initiated only) | USA | User-initiated; minimal data transfer |
We do not sell your data. We do not share your data with advertisers, data brokers, or any party not listed above.
5. How long we keep your data
- Account data (email): Retained until you delete your account.
- Uploaded audio and media files: Retained until deleted by you or upon account deletion.
- Rendered video exports: Automatically deleted 30 days after creation unless saved to your library.
- OAuth tokens (TikTok / Instagram): Deleted immediately when you disconnect the integration from Settings.
- Payment records: Retained for 10 years to meet German commercial and tax law requirements (§ 147 AO).
- Server logs: Retained on a 30-day rolling basis, then automatically deleted.
6. Your rights under GDPR
As a data subject under the GDPR you have the following rights:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your account and all associated personal data.
- Data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Restriction (Art. 18): Ask us to pause processing of your data in certain circumstances.
- Object (Art. 21): Object to processing based on our legitimate interest.
- Withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting prior processing.
To exercise any right, email privacy@kashi.mov. We will respond within 30 days. No fee is charged for reasonable requests.
You also have the right to lodge a complaint with a supervisory authority. In Germany: the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).
7. Cookies
Kashi.mov uses only technically necessary cookies. We do not use advertising cookies, analytics cookies, or any third-party tracking. See our Cookie Policy for the full list.
Because we use only strictly necessary cookies, no consent banner is required under the ePrivacy Directive.
8. Security
We take reasonable technical and organisational measures to protect your data:
- All data is transmitted over HTTPS/TLS.
- OAuth tokens are stored encrypted in the database.
- Production database access is restricted to the application service account only.
- We use magic-link authentication — no passwords are ever stored.
- File storage uses access-controlled signed URLs with short expiry times.
No system is perfectly secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR.
9. Children
Kashi.mov is not directed at children under 16. We do not knowingly collect personal data from users under 16. If you believe a child has provided us with personal data, please contact privacy@kashi.mov and we will delete it promptly.
10. Changes to this policy
We will notify you by email at least 14 days before any material changes to this policy take effect. The "last updated" date at the top of this page reflects the version currently in force. Archived versions are available on request.