Privacy Policy

Dramatize takes your privacy seriously. This policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. We’ve tried to write it plainly — ask us at hello@dramatize.app if anything is unclear.

1. Who we are

Dramatize is the data controller for your personal information when you use our service. We’re reachable at hello@dramatize.app.

2. What we collect

• Account information: name, email, optional phone and company. You provide these at sign-up.
• Brand profile: business name, audience description, voice notes, goals, industry. You provide these during onboarding so Emmy and Oscar can give better creative feedback.
• Chat content: every message you exchange with Emmy or Oscar, plus any briefs, quotes, and project artifacts that result. Stored so you can pick up conversations where you left off.
• Project deliverables: storyboards and final video masters we produce for you.
• Payment information: card details are handled entirely by Stripe — Dramatize never sees or stores raw card numbers. We do store the Stripe customer ID associated with your account.
• Reference uploads: any photos, voice notes, or videos you upload to inform a brief.
• Usage data: standard web telemetry — page views, feature usage, performance — collected via PostHog. Used to improve the product.

3. How we use it

• To run the service: chat, render, deliver, bill.
• To remember your brand context across conversations so the agents give better, less repetitive feedback.
• To detect and prevent abuse, fraud, or violations of our terms.
• To send you transactional emails about your account, projects, and producer callbacks (via Resend). We don’t send marketing emails today; if that changes we’ll get explicit consent first.
• To improve the product — usage analytics, error logs, feature discovery.

4. Third-party processors

Running Dramatize means data passes through a small number of trusted third-party services. Here’s exactly who, and why:

• Supabase — database, authentication, file storage. Hosted in the US (us-west-1). Your account, chats, projects, and uploaded files live here.
• Stripe — payment processing and card storage. PCI-DSS compliant. We pass only the information Stripe needs to take payment.
• Moonshot AI (Kimi K2.6)— the primary LLM provider powering Emmy and Oscar. Your chat content is sent to Moonshot to generate responses. Moonshot’s own privacy policy applies to data they receive.
• Anthropic Claude— fallback LLM provider. Same treatment as Moonshot if it’s the active path.
• Higgsfield AI — AI visual generation. Brief details (text descriptions, reference images) are sent to Higgsfield to render footage.
• HeyGen — AI avatar generation when your brief calls for a synthetic presenter.
• ElevenLabs — AI voiceover generation. Voice direction text is sent; the resulting audio is stored with your project.
• Resend — transactional email delivery (producer callbacks, account notifications). Your email address is shared with Resend at send-time.
• PostHog — product analytics. Anonymized or pseudonymized event data only — never message contents.
• Vercel — application hosting. Standard web server logs (IP address, user agent, request URLs) are retained for security and debugging.

We don’t sell your personal information. We don’t share it with advertisers. We share only with the processors above, only for the purposes described.

5. Data retention

• Active accounts: data is kept as long as your account is active.
• After account closure: a 90-day grace period to download your assets, then automated deletion.
• Legal / audit holds: limited records (e.g., payment receipts) are retained for the period required by tax, accounting, or regulatory law.
• AI provider logs: chat content sent to Moonshot, Anthropic, ElevenLabs, etc. is subject to those providers’ retention policies, which we link to from this document.

6. Your rights

Depending on where you live, you have some or all of the following:

• Access: request a copy of the personal data we have about you.
• Correction: request that we fix inaccurate data (you can also edit most of it yourself in Account Settings).
• Deletion: request that we delete your account and associated data. We’ll honor this within 30 days unless we have a legal obligation to retain something specific.
• Portability: request your data in a machine-readable format.
• Objection / restriction: ask us to stop processing for certain purposes (e.g., analytics) without closing your account.
• Opt-out of analytics: PostHog respects browser Do-Not-Track signals.

To exercise any of these, email hello@dramatize.app from the address associated with your account.

7. Cookies and similar technologies

We use a small number of cookies to keep you signed in (Supabase session), remember your preferences, and collect aggregate analytics. You can disable cookies in your browser, but the app won’t work properly without session cookies.

8. Children

Dramatize is not directed at people under 18. We don’t knowingly collect data from children. If we discover we have, we delete it.

9. International data transfers

Dramatize is operated from the United States and our processors are primarily US-based. If you’re in the EEA, UK, or Switzerland, your personal data may be transferred to and processed in the US, which has different data protection laws. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

10. Security

We use industry-standard measures to protect your data — TLS in transit, encryption at rest where supported by the underlying provider, role-based access controls, RLS policies on our database. No system is perfectly secure; if we ever experience a breach affecting your data we’ll notify you per applicable law.

11. Changes to this policy

We may update this policy. Material changes will be announced in-app and the effective date above will move forward. If you keep using Dramatize after the change, you accept the updated policy.

12. Contact

hello@dramatize.app for anything privacy-related.

Note on legal review: this document is a first-pass operational reflection of our actual data practices. It is not legal advice and may need adjustment based on jurisdictions you serve (GDPR for EU users, CCPA/CPRA for California, etc.). Before you rely on it for compliance, have it reviewed by qualified counsel.