Draft — pending legal review. This is a working version adapted from a generic SaaS template. The final version will be lawyer-reviewed before public launch. Email support@reelly.app with concerns.
Privacy Policy
Effective: Pre-launch draft — pending review Last updated: 2026-05-18
This Privacy Policy explains what personal information reelly collects, how we use it, who we share it with, and your rights. reelly is operated by David Yang ("reelly", "we", "us"), an individual sole proprietor based in Ontario, Canada.
This policy is intentionally short and concrete. If anything is unclear,
email privacy@reelly.app.
Person responsible for personal information (Quebec Law 25)
Under Quebec's Act respecting the protection of personal information in the private sector ("Law 25"), the person responsible for the protection of personal information at reelly is:
David Yang — privacy@reelly.app
1. What we collect
1.1 Information you give us
| Category | Examples |
|---|---|
| Account information | Email address, password hash (managed by Supabase Auth); Google account profile (name, email, profile picture URL) if you sign in with Google |
| Payment information | Stripe customer ID, last 4 digits of payment card, billing country. We do not see or store full card numbers — Stripe handles all card data directly |
| Submitted URLs | Every video URL you submit to the service |
| Support correspondence | The contents of any email you send to support@, privacy@, dmca@, security@, hello@, or abuse@reelly.app |
1.2 Information collected automatically
| Category | Examples |
|---|---|
| Usage events | Pageviews, button clicks, signup completion, job submission, payment events — see the analytics events spec for the full list |
| Technical data | IP address (for rate limiting and abuse prevention), browser user-agent, request timestamps |
| Cookies / local storage | A JWT access token (in localStorage) and a PostHog distinct-id cookie. See Section 7 |
1.3 Information we generate
When you submit a video URL, reelly generates the five Markdown documents described in the Terms of Service, plus job metadata (status, duration, stage timings, error messages) and, for some videos, a thumbnail image. This generated content is stored in your account.
1.4 What we don't collect
- We do not retain a copy of the source video after processing is complete. Source media is deleted from our temporary working directories typically within hours of job completion.
- We do not collect or store your Instagram credentials. Instagram videos are downloaded via Apify on our infrastructure, not your browser session.
- We do not sell personal information to anyone.
- We do not run advertising trackers or send your data to advertising networks.
- We do not collect sensitive personal information (health, race, political beliefs, sexual orientation, biometrics, government identifiers) unless you voluntarily put it in a support email, in which case it's processed only to answer your question.
2. How we use it
We use the information above to:
- Provide the service (process submitted videos, deliver results, bill for credits, prevent abuse)
- Operate your account (authenticate logins, enforce credit limits, send transactional emails such as receipts and password resets)
- Improve the product (aggregated usage analytics via PostHog — funnel conversion, feature usage, error rates)
- Respond to support requests
- Comply with legal obligations (tax records, lawful information requests, DMCA takedown handling)
- Detect and prevent fraud, abuse, and security incidents
We do not use the contents of your generated Markdown documents to train AI models. We don't train AI models at all — we use Google Gemini's API as a third-party provider (see Section 4).
3. Legal basis (for users in jurisdictions that require one)
Although we're not directly subject to the GDPR, here is the basis for each category of processing:
| Processing | Basis |
|---|---|
| Operating your account | Performance of a contract |
| Charging for credits | Performance of a contract |
| Sending transactional email | Performance of a contract |
| Product analytics (PostHog) | Legitimate interest (improving the product) and/or consent (where required) |
| Fraud prevention | Legitimate interest |
| Responding to legal requests | Legal obligation |
For users in jurisdictions where consent is the required basis for analytics, you may opt out — see Section 8.
4. Who we share it with
We share personal information only with the third-party providers required to run the service, listed below. Each one is a separate controller or processor under its own privacy policy.
| Provider | What it receives | Why | Region | Their privacy policy |
|---|---|---|---|---|
| Supabase | Email, password hash, profile metadata, all generated documents, job metadata, credit ledger | Authentication and database | US (default project region; may move) | https://supabase.com/privacy |
| Stripe | Email, billing address, payment card (direct from your browser to Stripe — we never see it), purchase history | Payment processing | US / EU | https://stripe.com/privacy |
| Apify | Submitted Instagram URLs | Downloading public Instagram media | US / EU | https://apify.com/privacy-policy |
| Google Gemini (Google AI Studio / Vertex AI) | Submitted video frames (during processing only), transcript text, OCR text | AI vision and synthesis | US / EU | https://policies.google.com/privacy |
| PostHog | Event data per the analytics events spec, distinct-id, IP-derived city/country | Product analytics | EU (eu.posthog.com) | https://posthog.com/privacy |
| Cloudflare | IP address, request metadata, email forwarding metadata for *@reelly.app | DNS, CDN, email forwarding | Global edge | https://www.cloudflare.com/privacypolicy/ |
We may also disclose personal information when required by a valid legal order, subpoena, or court process; to enforce these Terms; to protect the rights, property, or safety of reelly, our users, or the public; or as part of an acquisition, merger, or sale of the service (in which case we'll notify you first).
4.1 Cross-border data transfers
Some of our processors are located outside Canada (primarily the United States and the European Union). When personal information is transferred to those jurisdictions, it becomes subject to the laws of that jurisdiction, including lawful access by foreign government authorities.
We rely on the contractual safeguards offered by each processor (e.g., standard contractual clauses or equivalent) and the processor's publicly stated security commitments.
5. How long we keep it
| Data | Retention |
|---|---|
| Account email + password hash | Until you delete your account, then 30 days for backup retention |
| Submitted URLs and generated documents | Until you delete them individually or delete your account, then 30 days |
| Source video files | Hours (deleted automatically after processing) |
| Job metadata and credit ledger | Until you delete your account, then 30 days for backup retention; longer if required for tax records (~7 years for purchase-related rows) |
| Payment records | As required by tax law (~7 years) — but tied to your Stripe customer ID, not to a live account |
| Analytics events (PostHog) | 7 years on PostHog's default retention (configurable on their side) |
| Support emails | 2 years from the date of last response, then deleted |
| Server access logs | 30 days |
When you close your account, the deletion is logical first (you lose access immediately) and physical within 30 days from backups.
6. Your rights
Under PIPEDA and Quebec's Law 25 you have the right to:
- Access the personal information we hold about you
- Correct information that is inaccurate or incomplete
- Delete your account and the personal information associated with it (subject to legal retention obligations, e.g. tax records)
- Withdraw consent for analytics processing (see Section 8)
- Receive a copy of your personal information in a structured, machine-readable format ("portability")
- Complain to the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/) or, for Quebec residents, the Commission d'accès à l'information du Québec (https://www.cai.gouv.qc.ca/)
To exercise any of these rights, email privacy@reelly.app. We will
respond within 30 days. We may ask you to verify your identity before
acting on a request, to protect against impersonation.
For self-service: most account-level actions (downloading your generated documents, deleting individual jobs, closing your account) are available in your account settings without needing to email us.
7. Cookies and local storage
reelly uses the minimum cookies and localStorage entries needed to
run the service:
| Item | Type | Purpose | Lifetime |
|---|---|---|---|
Supabase access token (sb-*-auth-token) | localStorage | Keeping you logged in | Until you log out or the token expires |
PostHog distinct-id (ph_*_posthog) | Cookie + localStorage | Stitching your pageviews together (without identifying you to us until you sign up) | 1 year, refreshed on each visit |
| Stripe-related cookies | Cookies, set by Stripe during checkout | Fraud prevention during payment | Per Stripe's policy |
We do not use advertising cookies, third-party tracking pixels, or session replay.
8. Analytics opt-out
If you do not want PostHog to collect product-usage events for your account, you can:
- Toggle "Disable analytics for this account" in your account settings (available once Phase 1 ships), or
- Enable your browser's "Do Not Track" or "Global Privacy Control"
signal —
posthog-jsis configured to respect both
Opting out does not affect your access to the service; we just lose the ability to see your usage in our funnels.
9. Children
reelly is not directed to children. We do not knowingly collect
personal information from individuals under 13 (or 16 in jurisdictions
where that is the relevant age of digital consent). If you believe a
child has signed up, email privacy@reelly.app and we will close the
account and delete the data.
10. Security
We take reasonable measures to protect personal information against unauthorized access, alteration, disclosure, or destruction:
- HTTPS / TLS for all client-server traffic
- Per-user data isolation via Supabase Row-Level Security policies
- API keys hashed at rest; password hashes managed by Supabase Auth
- Limited admin access to production data — only David Yang has it
- Third-party providers (Section 4) attest to their own security practices (SOC 2 etc.) on their websites
No internet service is 100% secure. If we become aware of a data breach affecting your account, we will notify you and the relevant privacy commissioner within the timelines required by law.
To report a security issue, email security@reelly.app.
11. Changes to this Policy
We may update this Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top
- For material changes (new processor, new data category, region change), notify you by email and in-app banner at least 14 days before the change takes effect
- Keep a brief change log at the bottom of this document
12. Contact
| Topic | Address |
|---|---|
| Privacy questions, access / correction / deletion requests | privacy@reelly.app |
| Security disclosures | security@reelly.app |
| General support | support@reelly.app |
| DMCA notices | dmca@reelly.app (see Terms of Service §7) |
Postal mail (Ontario, Canada — exact address provided on request to
privacy@reelly.app).
Change log
| Date | Change |
|---|---|
| 2026-05-18 | Initial publication |