Legal
Privacy Policy
Last updated: May 12, 2026
This policy describes how ALFRED PRODUCTION collects, uses, and protects your personal data when you use The Arch, in compliance with the General Data Protection Regulation (GDPR).
1. Data Controller
The data controller is ALFRED PRODUCTION, a non-profit association registered under French law (loi du 1er juillet 1901), registration number SIREN 810 539 866, with registered office at 66 Rue Des Chalets, 31000 Toulouse, France, represented by its President Mrs. Cécile Buono.
For any question regarding your personal data or to exercise your rights, contact us at management@rart-digital.com.
2. Data We Collect
Account data
- Email address
- Full name (optional)
- Password (hashed, never stored in clear)
- Avatar (optional)
Content you provide
- Uploaded audio files
- Uploaded reference images
- Videos generated by the service
Technical data
- IP address
- Browser type and operating system (user agent)
- Activity logs (renders, credit transactions)
- Connection date and time
Payment data
Payments are processed by Stripe. No credit card data is stored on our servers. Stripe collects and processes this data according to its own privacy policy.
Gemini API keys (BYOK mode)
If you choose Bring Your Own Key (BYOK) mode, your Google Gemini API key is encrypted using AES-256-GCM before storage. It is decrypted only at the moment of executing a video render.
3. Purposes and Legal Basis
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Performance of contract (art. 6.1.b GDPR) |
| Generating videos and providing the service | Performance of contract |
| Invoicing and payment tracking | Legal obligation (art. 6.1.c) |
| Fraud prevention and security | Legitimate interest (art. 6.1.f) |
| Customer support | Performance of contract / legitimate interest |
| Invoice retention (10 years) | Legal accounting obligation |
4. Data Recipients
Your data may be processed by the following subprocessors, strictly necessary to provide the service:
- Vercel Inc. (United States) — web application hosting.
- Supabase Inc. (United States) — database and authentication.
- Cloudflare R2 (United States) — storage of audio, image and video files.
- Stripe (United States, French subsidiary) — payment processing.
- RunPod Inc. (United States) — GPU compute for video generation.
- Google LLC (United States) — Gemini API for AI models.
- Sentry (United States) — technical error detection and logging.
No data is sold or transferred to third parties for commercial purposes.
5. International Transfers
Most of our subprocessors are based in the United States, so your data may be transferred there. These transfers are governed by the Standard Contractual Clauses adopted by the European Commission, ensuring a level of protection equivalent to GDPR.
6. Data Retention
- Active account: as long as you keep your account.
- Deleted account: 30 days after deletion, then permanent erasure, except for legal obligations.
- Invoices and accounting data: 10 years (French legal obligation).
- Technical logs: 12 months maximum.
- Generated videos: as long as you keep them on your account.
7. Your Rights
Under GDPR, you have the following rights:
- Right of access — obtain a copy of data concerning you.
- Right of rectification — correct inaccurate data.
- Right to erasure — request deletion of your data.
- Right to portability — retrieve your data in a structured format.
- Right to object — object to processing on legitimate grounds.
- Right to restriction — request temporary suspension of processing.
- Right to withdraw consent — when processing relies on your consent.
To exercise your rights, contact us at management@rart-digital.com. We respond within 30 days.
You may also file a complaint with the French data protection authority (CNIL) at cnil.fr.
8. Cookies and Tracking
The service uses only strictly necessary cookies (authentication, session). These cookies do not require your consent. No advertising or non-essential analytics cookies are used.
9. Security
All communications with our servers are encrypted via HTTPS/TLS. Passwords are hashed using bcrypt. Gemini API keys in BYOK mode are encrypted with AES-256-GCM before storage.
Despite these measures, no system is fully secure. In case of a data breach affecting your rights, you will be notified within 72 hours in accordance with Article 33 of GDPR.
10. Minors
The service is prohibited for minors under 16 years of age. If we learn that an account belongs to a minor under 16, we will delete it immediately.
11. Changes
This policy may evolve. Any substantial change will be notified to active users by email at least 30 days before taking effect. The last update date is shown at the top of this page.