Privacy
Last updated: 2026-05-04
This Privacy Policy explains how Vidney ("we", "us") collects, uses, discloses, and protects information when you use the website at vidney.ai and related services (the "Service"). It applies to all users worldwide. For privacy questions or to exercise the rights described below, contact support@vidney.ai.
Vidney is the trade name of Michael Sin, an independent developer (sole proprietor) based in Ohio, United States. For users in the European Economic Area ("EEA"), the United Kingdom, and Switzerland, Michael Sin (trading as Vidney) is the data controller for personal data described in this Policy. For users in California, terms used in the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") carry the meanings given in those statutes.
1. Information We Collect
1.1 Information you provide
- Account information. When you sign in with Google, we receive your email address, display name, profile picture URL, and Google account ID. We do not receive your Google password.
- Prompts and inputs. Text prompts, reference images, and any other content you submit to generate Output.
- Communications. Messages you send to support@vidney.ai, including any attachments.
1.2 Information generated through your use of the Service
- Generations. Images, videos, and other Output produced from your inputs.
- Credit ledger. Records of Credits granted, consumed, refunded, and purchased, with timestamps.
- Service logs. API requests, errors, model selections, generation duration, and feature usage events.
1.3 Information collected automatically
- Technical data. IP address, user-agent string, device type, approximate location derived from IP (city/country level), and timestamps.
- Anti-abuse signals. Rate-limit counters, request fingerprints, and bot-detection signals — used solely to protect the Service from fraud and abuse.
- Cookies and similar technologies. Strictly-necessary cookies for authentication and session management. We do not use advertising or cross-site tracking cookies, and we do not run a third-party analytics provider at this time. If we add cookieless analytics in the future, we will update this Policy and list the provider in §4.
1.4 Information we do not collect
- Payment-card data. Card numbers, CVVs, and bank-account details are collected and stored by Creem.com (our Merchant of Record) and its PCI-DSS-compliant processors. We receive only a transaction reference, the amount, and the last four digits of the card for invoicing.
- Sensitive personal information. We do not knowingly collect government IDs, biometric identifiers, precise geolocation, health data, or information revealing racial or ethnic origin, religious beliefs, political opinions, sexual orientation, or trade-union membership. Do not submit such information through prompts.
- Children's data. The Service is not directed to children under sixteen (16). If we discover that we have collected personal data from a child under sixteen, we delete it.
2. How We Use Information & Legal Bases (GDPR)
| Purpose | Categories of data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide the Service — authenticate you, route prompts to Model Providers, store and serve your Output, debit Credits | Account info, prompts, generations, ledger | Performance of a contract (Art. 6(1)(b)) |
| Process payments and prevent payment fraud | Transaction reference, amount | Performance of a contract; legitimate interest (Art. 6(1)(b), (f)) |
| Detect, prevent, and respond to abuse, fraud, security incidents, and policy violations | Technical data, prompts, generations | Legitimate interest in operating a secure Service (Art. 6(1)(f)) |
| Comply with legal obligations including tax, accounting, and law-enforcement requests | Account info, ledger, transaction data | Legal obligation (Art. 6(1)(c)) |
| Send service announcements (e.g., outages, ToS changes) | Email | Performance of a contract / legitimate interest |
| Improve the Service through aggregated, de-identified analytics | Aggregated usage data | Legitimate interest (Art. 6(1)(f)) |
We rely on legitimate interests only where we have determined those interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time (see §6).
3. AI Training & Model Provider Routing
Your prompts and Output are transmitted to third-party AI Model Providers (Kuaishou, OpenAI, Google, Black Forest Labs, Midjourney, Runway, and others) via our routing partner piapi.ai to produce Generations. We do not use your prompts, reference images, or Generations to train AI models. Whether a Model Provider uses traffic for training is governed by that provider's policies; we have configured routing through piapi.ai under enterprise terms that enable training opt-out where the Model Provider supports it. Because of this, you should treat any Generation as if it may resemble outputs produced for other users, and you should not submit confidential information through prompts.
4. How We Share Information
We share personal data only with the following categories of recipients, each acting on our behalf or under their own legal obligations:
| Recipient | Purpose | Location |
|---|---|---|
| Supabase (Supabase, Inc.) | Authentication, application database, realtime sync | United States |
| Cloudflare R2 (Cloudflare, Inc.) | Storage of Generations | Global, with EU regions available |
| piapi.ai | Routing prompts to upstream Model Providers | United States |
| Model Providers — Kuaishou, OpenAI, Google, Black Forest Labs, Midjourney, Runway, etc. | Generating Output from your prompts | Varies per provider |
| Vercel (Vercel, Inc.) | Hosting of the Service | Global edge network |
| Creem.com | Payment processing as Merchant of Record (when paid plans launch); tax collection and remittance | European Union |
| Google (sign-in) | OAuth authentication | United States |
| Law-enforcement, regulators, courts | Compliance with valid legal process | As required by law |
We do not sell your personal data and do not "share" your personal data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
In the unlikely event Vidney is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred to the successor entity, subject to a privacy notice that is at least as protective as this Policy.
5. International Data Transfers
The Service is operated from the United States, and personal data is processed in the United States and other countries where our subprocessors operate. When we transfer personal data from the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses or an equivalent transfer mechanism, supplemented by additional safeguards where required. You may request a copy of the relevant transfer mechanism by contacting support@vidney.ai.
6. Your Rights
Subject to applicable law, you have the rights listed below. To exercise any right, email support@vidney.ai from the address associated with your Account, or use the in-product controls where provided. We respond within thirty (30) calendar days, extendable by up to sixty (60) additional days for complex requests, with notice to you.
6.1 Rights available globally
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to correct inaccurate or incomplete data.
- Deletion. Ask us to delete your personal data. We will honor the request unless retention is required by law (e.g., tax records).
- Portability. Receive your data in a structured, machine-readable format.
- Withdraw consent. Where processing is based on consent, withdraw it at any time.
6.2 Additional rights for EEA / UK / Swiss residents (GDPR / UK GDPR)
- Object to processing based on legitimate interests.
- Restrict processing in certain circumstances.
- Lodge a complaint with your local supervisory authority. A list of EEA authorities is available at edpb.europa.eu.
6.3 Additional rights for California residents (CCPA/CPRA)
- The right to know what personal information we collect, the categories of sources, the business or commercial purpose, and the categories of third parties to whom we disclose it.
- The right to delete personal information collected from you, subject to statutory exceptions.
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information — although, as stated in §1.4, we do not knowingly collect such information.
- The right to non-discrimination for exercising any of these rights.
We do not sell or "share" personal information for cross-context behavioral advertising. Therefore we are not required to and do not provide a "Do Not Sell or Share" mechanism.
You may designate an authorized agent to exercise these rights on your behalf. We may require verification before honoring an agent's request.
7. Retention
| Category | Retention period |
|---|---|
| Account profile | While Account is active; deleted within 90 days of Account closure |
| Generations stored on Cloudflare R2 | While the Account is active; deleted within 90 days of Account closure or upon request |
| Prompts and credit-ledger entries | 12 months for prompts (used for fraud investigation); 7 years for ledger entries (tax-record requirements) |
| Service logs | 30 days, then aggregated or deleted |
| Anti-abuse signals | Up to 90 days |
| Payment receipts (transaction reference, amount, last4) | 7 years (tax records) |
| Support correspondence | 24 months from last message |
After the periods above, data is deleted or de-identified except where retention is required by law, or where the data is needed for the establishment, exercise, or defense of legal claims.
8. Security
We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS 1.2+), encryption at rest for stored Generations and database backups, principle-of-least-privilege access controls, audit logging for administrator access, and routine subprocessor review. No system is perfectly secure; we cannot guarantee absolute security and we do not assume liability beyond what these Terms allow.
9. Children
The Service is not directed to children under sixteen (16) and we do not knowingly collect personal data from them. If you are a parent or guardian and believe your child has provided personal data, contact support@vidney.ai and we will delete it promptly.
10. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email or by a prominent in-product notice at least thirty (30) days before the effective date, except where a shorter period is required by law. The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date of an update constitutes acceptance of the revised Policy.
11. Contact
For privacy questions, requests to exercise your rights, or complaints, contact:
support@vidney.ai
We aim to respond within one (1) business day.