Privacy Policy
Effective: June 16, 2026
1. Who We Are
Tsuyu ("Tsuyu", "we", "us", "our") is the operator of the Tsuyu application, an AI-powered service that turns Reddit posts, uploaded text, and source media into short-form video content. Tsuyu is the data controller for personal information processed through the Service.
You can reach us at:
- General support: [email protected]
- Privacy and data requests: [email protected]
2. Scope
This policy applies to personal information we collect when you visit tsuyu.io, create a Tsuyu account, use the Tsuyu web application, or otherwise interact with our services (collectively, the "Service"). It does not apply to third-party websites or platforms you may connect to your Tsuyu account (e.g., YouTube, TikTok, Twitter), which are governed by their own privacy policies.
3. Information We Collect
3.1 Account information
When you create an account we collect your email address, a salted password hash (we never store your raw password — see Security below), and optionally a display name. We also store your current plan tier (free, basic, pro, etc.).
3.2 Billing information
Payments are processed by Stripe. Your full card number, CVC, and billing address are collected directly by Stripe through Stripe Elements and are never seen or stored by Tsuyu's servers. Stripe provides us with limited, non-sensitive metadata — typically the brand of card (e.g., Visa) and the last four digits — so we can display it on your billing page, plus subscription status and invoice records. Stripe is the PCI-compliant processor of record.
3.3 Content you submit
To generate videos, you may submit: Reddit post URLs, custom source text, script prompts, uploaded video/audio/image files, and voice samples (if you use voice cloning). We store these inputs so we can process them and so you can access them later from your dashboard.
3.4 Generated content
We store the outputs we create for you — rendered videos, thumbnails, subtitle/caption files, generated scripts, and custom voice clones — associated with your account.
3.5 OAuth tokens for connected platforms
If you connect YouTube, TikTok, or Twitter to publish directly from Tsuyu, we receive OAuth access and refresh tokens from those platforms. We store the refresh tokens encrypted at rest and use them only to publish on your behalf and read back the status of uploads you initiate. We never see or receive your platform passwords. You can revoke access at any time from your account settings or directly in the connected platform's security settings.
3.6 Usage data
We automatically collect technical information such as IP address, browser and device user agent, pages viewed, video generation events, subscription events, and error traces. This helps us operate the Service, debug issues, and enforce plan limits.
3.7 Communications
When you contact support or reply to our emails, we retain the message and any attachments so we can respond and keep a record of the conversation.
4. How We Use Information
- Provide the Service — generate videos, store your outputs, bill you, send transactional confirmations (video ready, receipt, password reset).
- Improve reliability — error tracking, performance monitoring, and debugging production issues.
- Detect abuse and enforce our Terms — identify fraud, rate-limit violations, and content that breaks our usage rules.
- Comply with legal obligations — respond to lawful requests, meet tax and accounting requirements, and enforce our rights.
- Marketing — we only send product or marketing emails (announcements, tips, offers) if you opt in. You can unsubscribe at any time from a link in any such email.
5. Third-Party Processors (Subprocessors)
Tsuyu relies on the vendors listed below to operate. We share only the minimum data necessary for each vendor's stated role, and each processor is bound by its own terms and privacy policy.
| Processor | Role | Data shared | Policy |
|---|---|---|---|
| Stripe | Billing & subscription management | Email, card details (direct to Stripe), subscription events | stripe.com/privacy |
| Anthropic (Claude) | AI script generation & content analysis | Source text, prompts | anthropic.com/legal/privacy |
| OpenAI | Text-to-speech | Script text to synthesize | openai.com/policies/privacy-policy |
| ElevenLabs | Text-to-speech & voice cloning | Script text, voice samples you upload | elevenlabs.io/privacy |
| Replicate | Thumbnail image generation | Prompt text | replicate.com/privacy |
| Cloudflare R2 / AWS S3 | Object storage for media files | Videos, thumbnails, audio, uploads | cloudflare.com/privacypolicy |
| Resend | Transactional email delivery | Email address, message content | resend.com/legal/privacy-policy |
| Sentry | Error tracking & performance | Stack traces, pseudonymous user ID, request metadata | sentry.io/privacy |
| PostHog (optional) | Product analytics (only if enabled) | Pseudonymous usage events | posthog.com/privacy |
| Google (YouTube Data API) | Publish to your YouTube channel | OAuth token, video file + title/description/tags | policies.google.com/privacy |
| TikTok for Developers | Publish to your TikTok account | OAuth token, video file + metadata | tiktok.com/legal/privacy-policy |
Twitter/X publishing uses OAuth tokens in the same manner described for YouTube and TikTok; see twitter.com/en/privacy.
5.1 YouTube API Services
Tsuyu's YouTube publishing feature uses YouTube API Services. By connecting your YouTube channel and using this feature, you agree to be bound by the YouTube Terms of Service. Tsuyu's use of information received from YouTube API Services adheres to the Google API Services User Data Policy, including its Limited Use requirements. For information on how Google handles your data, please review the Google Privacy Policy.
We request only the minimum scopes needed to (a) upload videos you explicitly choose to publish and (b) read back your connected channel's name and the status of uploads you initiate. We do not use YouTube API data for advertising, do not sell it, and do not transfer it to third parties except as required to provide the publishing feature you requested. You can revoke Tsuyu's access to your YouTube account at any time from your Tsuyu account settings or via the Google security settings page.
6. Data Retention
- Generated videos, thumbnails, and audio: retained while your account is active. If you delete your account, these are deleted within 30 days.
- Account and profile data: retained while your account is active; deleted within 30 days of account deletion.
- Billing and tax records: retained for up to 7 years to comply with tax, accounting, and anti-fraud obligations, even after account deletion.
- Error and application logs: retained for 90 days.
- Backups: encrypted database backups may persist for up to 30 days after the data is deleted from the primary database, then expire automatically.
7. Security
We take reasonable technical and organizational measures to protect your data:
- In transit: all traffic to tsuyu.io and our APIs is encrypted with TLS.
- At rest: OAuth refresh tokens and other high-sensitivity secrets are encrypted with AES-256 before being written to the database.
- Passwords: stored only as bcrypt hashes — never reversible to plaintext.
- Infrastructure: we host on SOC 2-compliant providers (Hetzner for compute, Cloudflare for CDN and R2 storage). Tsuyu itself does not currently hold an independent SOC 2 attestation.
- Access controls: production access is limited to a small number of engineers and reviewed on a quarterly basis. Credentials are rotated when team membership changes.
No system is perfectly secure. If you discover a potential vulnerability, please report it to [email protected].
8. Data Breach Notification
If we confirm a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours of confirmation, consistent with GDPR expectations, and we will notify the relevant supervisory authorities where legally required. Notifications will describe the nature of the incident, the categories of data involved, the likely consequences, and the steps we are taking.
9. Your Rights
9.1 All users
Regardless of where you live, you can:
- Access your personal data from your account settings.
- Correct inaccurate profile information at any time.
- Delete your account and associated data from settings, or by emailing [email protected].
- Export your data. On request we will provide a JSON export of your account information, generated scripts, and a manifest of your stored media within 30 days.
9.2 EU / EEA / UK residents (GDPR & UK GDPR)
In addition to the above, you have the right to:
- Object to processing based on our legitimate interests.
- Restrict processing in certain circumstances.
- Port your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent (e.g., marketing emails).
- Lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority, or the UK ICO).
Our legal bases for processing:
- Contract — to deliver the Service you signed up for (account management, video generation, billing, support).
- Legitimate interest — to secure the Service, prevent abuse, debug errors, and improve reliability.
- Legal obligation — to meet tax, accounting, and law-enforcement cooperation requirements.
- Consent — for optional marketing communications and any optional analytics.
9.3 California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose about you.
- Delete personal information we have collected, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of your personal information. Tsuyu does not sell or share your personal information as those terms are defined under the CCPA/CPRA.
- Limit use of sensitive personal information.
- Non-discrimination for exercising any of these rights.
To exercise any right, email [email protected]. We may need to verify your identity before acting on your request.
10. Cookies and Tracking
We use only essential cookies and storage needed to run the Service — for example, a session token or CSRF token that keeps you logged in.
We do not use cross-site tracking cookies, advertising cookies, Google Analytics, or Facebook Pixel.
If product analytics are enabled for your environment, PostHog sets a first-party cookie used to deduplicate pseudonymous usage events. PostHog is configured not to capture cross-site activity, and you can disable product analytics in your account settings where the option is available.
11. Children's Privacy
The Service is not directed to, and we do not knowingly collect personal information from, children under 13 years of age. If we learn that we have collected personal information from a child under 13, we will delete the associated account and data promptly. If you believe a child has provided us with personal information, please contact [email protected].
12. International Data Transfers
Tsuyu is operated from the United States, and our primary application infrastructure is hosted with Hetzner in the EU (Germany). Depending on the feature, your data may also be processed in the US, the EU, or other jurisdictions where our subprocessors operate.
Where personal data of individuals in the EU, EEA, or UK is transferred outside those regions, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, together with supplementary safeguards.
13. Changes to This Policy
We may update this policy from time to time. For material changes, we will email registered users at least 30 days before the change takes effect and post the updated policy with a new "Last updated" date. Non-material changes (clarifications, formatting, adding a subprocessor of the same category) may take effect as soon as they are posted.
14. Contact Us
Questions, concerns, or requests about this policy or your data:
- General: [email protected]
- Privacy & data rights: [email protected]