Privacy Policy

1. Introduction

sftir ("we," "us," or "our") operates the website at sftir.com and the web application at app.sftir.com, along with associated browser extensions, mobile shortcuts, and API services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

sftir is an AI-powered video intelligence platform that analyzes short-form video content from social media platforms and transforms it into structured, searchable, actionable knowledge. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: When you create an account, we collect your email address, name, and authentication credentials. If you sign up via Google OAuth, we receive your name, email address, and profile picture from Google.
• Profile and Onboarding Data: During onboarding, you may voluntarily provide your profession/role, projects you are working on, your technology stack, and topic interests. This information is used to personalize your AI-generated insights.
• Payment Information: If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We do not store your credit card number, bank account details, or other sensitive financial information on our servers. We retain your Stripe customer ID and subscription status.
• User-Generated Content: Collections you create, notes you add to collection items, and any other content you voluntarily submit to the Service.
• Communications: If you contact us for support or feedback, we collect the content of those communications.

2.2 Information Collected Automatically

• Video URLs: When you submit a video URL through our Service (via browser extension, iOS/Mac shortcut, bookmarklet, or API), we collect and store that URL.
• AI-Generated Data: Our Service uses Google Gemini AI to analyze videos you submit. The AI-generated outputs — including transcripts, on-screen text extraction, summaries, categories, action items, tags, and relevance scores — are stored in your account.
• Usage Data: We track the number of videos you process per month for billing and plan limit enforcement.
• API Key Usage: We record when your personal API keys are used (last used timestamp) but do not log the content of individual API requests beyond the video URL submitted.
• Log Data: Our servers automatically collect standard log data including IP address, browser type, referring/exit pages, and timestamps when you access our Service.
• Cookies and Local Storage: We use cookies for authentication session management. Our Chrome extension uses chrome.storage.local to store your API key on your device. We do not use third-party tracking cookies or advertising cookies.

2.3 Information We Do NOT Collect

• Video Content: We do not permanently store any video files. Videos are temporarily downloaded to our processing servers, analyzed by AI, and immediately deleted after processing. Only the text-based AI analysis results are retained.
• Social Media Credentials: We never ask for or store your login credentials for TikTok, Instagram, YouTube, X/Twitter, LinkedIn, or any other social media platform.
• Browsing History: Our Chrome extension only activates on supported video platform pages. It does not track your general browsing activity.

3. How We Use Your Information

• Provide the Service: To process video URLs, generate AI-powered analysis, display insights on your dashboard, and enable search and collection features.
• Personalization: To customize AI analysis based on your profile data (projects, tech stack, interests) so that action items and relevance scores are tailored to your specific context.
• Account Management: To create and manage your account, authenticate your identity, and maintain your subscription.
• Billing: To process payments, enforce plan limits, track usage, and manage subscriptions through our payment processor Stripe.
• Service Improvement: To understand usage patterns, diagnose technical issues, and improve the quality of our AI analysis and platform features.
• Communications: To respond to your inquiries, provide customer support, and send service-related notices.
• Public Collections: If you choose to make a collection public, its title, description, and the summaries of included insights are visible to other users and visitors. Full transcripts and action items are not displayed in public collections.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

4.1 Service Providers

• Google (Gemini AI): Video files are temporarily sent to Google's Gemini API for AI analysis. Google's use of this data is governed by their API terms of service. Videos are sent for processing only and are not used by Google to train their models when accessed via the API.
• Stripe: Payment and subscription data is processed by Stripe. Stripe's handling of your data is governed by the Stripe Privacy Policy.
• Supabase: Our database and authentication infrastructure is hosted on Supabase.
• Vercel: Our web application and API are hosted on Vercel's platform.
• Railway: Our video processing worker runs on Railway's cloud infrastructure.

4.2 Public Content

When you publish a collection as public, its title, description, cover icon, category, tags, and the summaries of included video insights become visible to all users and visitors. You control whether a collection is public or private, and you can change this setting at any time.

4.3 Legal Requirements

We may disclose your information if required to do so by law, in response to a valid legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy.

5. Data Storage and Security

5.1 Data Storage

• Account data, AI-generated insights, collections, and subscription information are stored in our Supabase PostgreSQL database hosted in the United States.
• Video files are temporarily stored on our processing servers during analysis (typically under 5 minutes) and are permanently deleted immediately after processing.
• We do not maintain copies or backups of video content.

5.2 Security Measures

• All data in transit is encrypted using TLS/SSL (HTTPS).
• Database access is protected by Row-Level Security (RLS) policies ensuring users can only access their own data.
• Personal API keys are generated using cryptographically secure random bytes.
• Stripe webhook signatures are verified to prevent unauthorized access.
• Service role credentials are stored server-side only and are never exposed to clients.
• Authentication sessions are managed through secure, httpOnly cookies.

5.3 Data Retention

• Account data and AI-generated insights are retained for as long as your account is active.
• If you delete your account, all associated data will be permanently deleted within 30 days.
• Video files are deleted immediately after AI processing is complete.
• Payment records may be retained as required by applicable tax and financial regulations.
• Server logs are retained for up to 90 days for security and debugging purposes.

6. Your Rights and Choices

6.1 Access and Export

You can access all your data through the sftir dashboard at any time.

6.2 Correction

You can update your profile information through the Settings page at any time.

6.3 Deletion

• You can delete individual video insights from your dashboard.
• You can delete collections and their associated items.
• You can revoke API keys at any time through the Connect page.
• You can request complete account deletion by contacting us at privacy@sftir.com.

6.4 Public Collection Controls

You have full control over whether your collections are public or private. You can make a public collection private at any time, which immediately removes it from public view.

6.5 Marketing Communications

We do not send marketing emails. All email communications are transactional (account verification, password reset, subscription confirmations).

7. Third-Party Platforms

sftir processes publicly available video content from TikTok, Instagram, YouTube, X (formerly Twitter), and LinkedIn. We access these videos only through publicly available URLs that you provide to us. We do not access private, restricted, or unlisted content.

We are not affiliated with, endorsed by, or officially connected to TikTok, Instagram, YouTube, X/Twitter, LinkedIn, or any of their parent companies.

8. Chrome Extension

• Permissions: The extension requests access only to supported video platform domains and our own API endpoint. It does not request access to all websites.
• Data Collection: The extension collects only the URL of the current page when you click the save button.
• Local Storage: Your API key is stored locally in chrome.storage.local on your device.
• Content Script: A floating save button is injected on supported video platform pages. The content script does not read, modify, or collect any page content beyond detecting whether you are on a video page.

9. Children's Privacy

Our Service is not intended for use by anyone under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@sftir.com.

10. International Data Transfers

Our Service is operated from the United States. If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using our Service, you consent to the transfer of your information to the United States.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what data we collect, request deletion, and the right to non-discrimination. We do not sell personal information to third parties. To exercise your CCPA rights, contact us at privacy@sftir.com.

12. European Privacy Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights including access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise your GDPR rights, contact us at privacy@sftir.com. We will respond within 30 days.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

This Privacy Policy was last updated on March 30, 2026.