{"document_type":"privacy","version":"1.0","content":"# Privacy Policy\n\n**Last Updated: April 30, 2026**\n\n## 1. Introduction\n\nNarrateAI (\"we\", \"us\", or \"our\") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered video narration service, including the web app at `narrateai.app`, the `narrateai-mcp` server, and the **DemoMaker** plugin (the `narrateai-demomaker` MCP server / `demomaker-plugin` for Cursor and Claude). Section 15 covers DemoMaker-specific data handling.\n\n## 2. Information We Collect\n\n### 2.1 Information You Provide\n- **Account Information**: Name, email address, password (hashed)\n- **Content**: Videos, audio files, voice samples, and text you upload\n- **Payment Information**: Processed securely through third-party payment processors (Stripe)\n- **Communication**: Messages you send to us through support channels\n\n### 2.2 Automatically Collected Information\n- **Usage Data**: How you interact with the Service, features used, time spent\n- **Device Information**: IP address, browser type, device type, operating system\n- **Log Data**: Access times, pages viewed, error logs\n- **Cookies and Tracking**: We use cookies and similar technologies to enhance your experience\n\n### 2.3 Third-Party Information\n- **OAuth Providers**: If you sign in with Google, we receive basic profile information\n- **Payment Processors**: Billing information is handled by Stripe (we do not store full payment details)\n\n## 3. How We Use Your Information\n\nWe use collected information to:\n- **Provide the Service**: Process videos, generate narrations, clone voices\n- **Improve the Service**: Analyze usage patterns to enhance features and performance\n- **Communicate**: Send service updates, security alerts, and support responses\n- **Security**: Detect and prevent fraud, abuse, and security threats\n- **Legal Compliance**: Comply with legal obligations and enforce our Terms of Use\n- **Business Operations**: Manage subscriptions, process payments, generate analytics\n\n## 4. AI Processing and Voice Cloning\n\n### 4.1 Voice Data Processing\n- Voice samples you upload are processed using AI technology to create voice clones\n- Voice data is stored securely and used solely to provide voice cloning services\n- We do not use your voice data to train general-purpose AI models without your explicit consent\n- Voice data may be retained for the duration of your account to enable voice reuse\n\n### 4.2 Video Processing\n- Videos you upload are processed using AI to generate narrations\n- Video content is stored temporarily during processing and may be retained per your subscription plan\n- We use industry-standard security measures to protect your content\n\n## 5. Information Sharing and Disclosure\n\nWe do not sell your personal information. We may share information only in these circumstances:\n\n### 5.1 Service Providers\n- **Cloud Storage**: Google Cloud Platform for secure file storage\n- **Payment Processing**: Stripe for payment processing\n- **Email Services**: SendGrid for transactional emails\n- **AI Services**: Third-party AI providers for voice cloning and narration (under strict data processing agreements)\n\n### 5.2 Legal Requirements\n- When required by law, court order, or government regulation\n- To protect our rights, property, or safety, or that of our users\n- In connection with legal proceedings or investigations\n\n### 5.3 Business Transfers\n- In the event of a merger, acquisition, or sale of assets, your information may be transferred\n- We will notify you of any such change in ownership\n\n### 5.4 With Your Consent\n- We may share information with your explicit consent for specific purposes\n\n## 6. Data Security\n\nWe implement industry-standard security measures:\n- **Encryption**: Data in transit (TLS/SSL) and at rest (AES-256)\n- **Access Controls**: Limited access to authorized personnel only\n- **Regular Audits**: Security assessments and vulnerability testing\n- **Secure Storage**: Content stored in secure cloud infrastructure\n\nHowever, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.\n\n## 7. Data Retention\n\n### 7.1 Account Data\n- Account information is retained while your account is active\n- You may request deletion of your account and associated data at any time\n\n### 7.2 Content Data\n- Videos and voice samples are retained per your subscription plan\n- Free tier: Content may be deleted after 30 days of inactivity\n- Paid tiers: Content retained according to your plan's terms\n- You can delete your content at any time through the Service\n\n### 7.3 Legal Requirements\n- Some data may be retained longer if required by law or for legitimate business purposes\n- Deletion requests are processed within 30 days, subject to legal requirements\n\n## 8. Your Rights and Choices\n\n### 8.1 Access and Correction\n- You can access and update your account information through the Service\n- You can request a copy of your personal data\n\n### 8.2 Deletion\n- You can delete your account and associated data at any time\n- Deletion is permanent and cannot be undone\n\n### 8.3 Data Portability\n- You can export your content and data in standard formats\n- Contact us to request data export\n\n### 8.4 Opt-Out\n- You can opt out of marketing communications (transactional emails cannot be opted out)\n- You can disable cookies through your browser settings\n\n### 8.5 Voice Cloning Control\n- You can delete voice profiles at any time\n- Deletion removes voice data from our systems\n\n## 9. Children's Privacy\n\nWe do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.\n\n## 10. International Data Transfers\n\nYour information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses.\n\n## 11. California Privacy Rights (CCPA)\n\nIf you are a California resident, you have additional rights:\n- Right to know what personal information is collected\n- Right to delete personal information\n- Right to opt-out of sale of personal information (we do not sell your data)\n- Right to non-discrimination for exercising your privacy rights\n\n## 12. European Privacy Rights (GDPR)\n\nIf you are in the European Economic Area, you have additional rights:\n- Right to access your personal data\n- Right to rectification of inaccurate data\n- Right to erasure (\"right to be forgotten\")\n- Right to restrict processing\n- Right to data portability\n- Right to object to processing\n- Right to withdraw consent\n\n## 13. Cookies and Tracking Technologies\n\n### 13.1 Types of Cookies\n- **Essential**: Required for the Service to function\n- **Analytics**: Help us understand how users interact with the Service\n- **Preferences**: Remember your settings and preferences\n\n### 13.2 Managing Cookies\n- You can control cookies through your browser settings\n- Disabling cookies may affect Service functionality\n\n## 14. Changes to This Privacy Policy\n\nWe may update this Privacy Policy from time to time. Material changes will be notified via:\n- Email to your registered address\n- Notice through the Service\n- Updated \"Last Updated\" date\n\nContinued use after changes constitutes acceptance of the updated policy.\n\n## 15. DemoMaker Plugin & MCP Server\n\nThis section applies specifically to users of the **NarrateAI DemoMaker plugin** (also distributed as the `narrateai-demomaker` MCP server, the `demomaker-plugin` for Cursor and Claude, and the one-line installer at `narrateai.app/install.sh`). It supplements—but does not replace—the rest of this Privacy Policy.\n\n### 15.1 What runs on your machine vs. our servers\n\nThe DemoMaker plugin is a local tool that drives a browser on your computer to record demo videos. The split is:\n\n**Stays on your machine (NarrateAI never sees it):**\n- Your source code, repository contents, environment files (`.env`, `.env.local`), and any files the agent reads to understand your app\n- Your local database, your localhost server, and any internal URLs you point the recorder at\n- Your IDE chat history with your AI assistant\n- The browser session and authentication cookies created during recording\n- Your API key (stored locally in your IDE's `mcp.json` configuration)\n\n**Sent to NarrateAI's narration pipeline:**\n- The recorded video file (MP4) produced by the plugin\n- The narration plan you accept (titles, step descriptions, the `description` and `facts` you author or that the agent assembles for narration context)\n- Any voice sample you explicitly upload for voice cloning\n- Standard request metadata (API key, IP address, timestamp) needed to authenticate and bill the request\n\nWe do **not** receive your source code, your `.env` contents, your database, or anything else from your machine that wasn't part of the recorded video, the plan, or an explicit upload.\n\n### 15.2 Authentication and API keys\n\n- API keys minted via the one-line installer (`uvx narrateai-demomaker init`) are issued through OAuth (Google or GitHub). We receive only the basic profile information described in section 2.3.\n- Each `init` run rotates any previous CLI-minted key for the same account, leaving exactly one active CLI key per user. The active key is stored locally in your IDE's MCP configuration file; it is never transmitted to NarrateAI except as the `Authorization` header on API calls you initiate.\n- You can revoke API keys at any time from your NarrateAI dashboard (\"Usage & API Keys\"). Revoked keys stop working immediately.\n\n### 15.3 Free tier, watermarks, and credit pool\n\n- Free-tier accounts share a single 5-minute monthly credit pool across the web app, MCP, and DemoMaker.\n- Videos generated against a free-tier API key include a NarrateAI watermark; paid tiers do not.\n- Usage is metered server-side and visible in your dashboard.\n\n### 15.4 Recorded video retention\n\n- Videos uploaded by the plugin follow the same retention rules as web-uploaded videos (section 7.2): tied to your subscription tier, and deletable at any time.\n- Plans you save locally with `list_saved_plans` / `get_saved_plan` live in `~/.narrateai-demomaker/plans/` on your machine and are **not** synced to NarrateAI.\n\n### 15.5 What we do not do\n\n- We do not read, store, or train on your source code.\n- We do not access your IDE, your terminal, or your filesystem outside of the video and explicit uploads you initiate.\n- We do not record your screen outside of the browser tab the plugin opens for the demo.\n- We do not collect telemetry from the plugin beyond standard pipeline request logs (timestamps, status codes, byte counts) needed for billing and abuse prevention.\n\n### 15.6 Open source and audit\n\nThe plugin's source code (manifest, MCP server, skill files) is published on GitHub at `github.com/narrateai-app/demomaker-plugin` under the MIT license. You can inspect exactly what it sends to NarrateAI before installing.\n\n### 15.7 Your rights for plugin data\n\nAll rights described in sections 8, 11, and 12 (access, deletion, portability, GDPR, CCPA) apply identically to data generated through the plugin. Use `narrateai@narrateai.app` for any requests.\n\n## 16. Contact Us\n\nFor privacy-related questions or requests, contact us at:\n- **Email**: narrateai@narrateai.app\n\n## 17. Data Protection Officer\n\nFor GDPR-related inquiries, contact our Data Protection Officer at:\n- **Email**: narrateai@narrateai.app\n\n---\n\n**By using NarrateAI, you acknowledge that you have read and understood this Privacy Policy.**","last_updated":"2026-04-30"}