Privacy Policy

1. Data fiduciary

Charky Labs Pvt. Ltd., Coimbatore, Tamil Nadu, India – 641035, is the data fiduciary / controller for personal data processed through storyboard.show.

Privacy contact: use the contact form at /legal/contact and choose category "Privacy or data request".

Grievance Officer: Grievance Officer, Charky Labs Pvt. Ltd., same address. To reach the Grievance Officer, use the contact form at /legal/contact and choose category "Legal / Grievance Officer".

2. Personal data we collect

Account data: email address, display name, password hash, authentication identifiers from supported providers, country code, and language preference.

Project data: prompts, flow-graph state, uploaded reference images and audio, generated frames and videos, timeline edits, and exports.

Billing data: plan, subscription status, payment provider transaction identifier, amount, currency, country, and invoice metadata. We do not store full card numbers or banking credentials — these are handled directly by Razorpay.

Communications: messages you send to support, including any attachments.

Product analytics and technical logs: device type, browser, IP address, page views, feature events, error traces, and performance metrics, used to operate, secure, and improve the service.

3. Cookies and similar technologies

We use first-party cookies and local storage to keep you signed in, remember preferences, and run essential product features.

We use Vercel’s privacy-friendly analytics, which does not use third-party tracking cookies. We do not run advertising trackers.

You can control cookies through your browser. Disabling essential cookies will prevent sign-in and other core functionality.

4. How we use personal data

To provide and operate the service — authentication, generation, storage, timeline editing, export, billing, and account management.

To send transactional and service messages, including payment receipts, security notices, and important product updates.

To prevent fraud, abuse, and harm; to enforce our Terms; and to keep the platform secure.

To debug, monitor, and improve the product, including analyzing usage patterns and error rates in aggregate.

To comply with legal obligations and respond to lawful requests.

We do not sell personal data, and we do not use your prompts, references, or generated output to train any of our own models.

5. Lawful bases (where applicable)

For users in jurisdictions that require a lawful basis (such as the EU/UK), we rely on: contract performance for account, generation, and billing operations; legitimate interests for analytics, security, and product improvement; consent where required (such as optional marketing emails); and legal obligation for tax, accounting, and regulatory matters.

6. Sharing with third parties

We share personal data only with the processors listed below, and only to the extent needed to provide the service:

• Supabase — authentication, database, and file storage.

• Vercel — application hosting, edge delivery, and privacy-friendly analytics.

• Razorpay — payment processing, invoicing, and tax collection.

• AI model providers — currently Seedance and Kling, with additional providers added over time. When you submit a generation job, your prompt and any references attached to that job are sent to the chosen provider to produce output. Each provider applies its own usage and retention policy.

• Email and communication infrastructure used to send transactional messages.

We may disclose data when required by law, by a valid legal process, to protect rights, property, or safety, or in connection with a corporate transaction (with notice where legally required).

7. International transfers

We currently host the service through Supabase (database, authentication, storage) and Vercel (application hosting and edge delivery). Some processors — in particular AI model providers and transactional email infrastructure — operate from regions outside your country of residence, including the United States.

As the product grows we may add other infrastructure providers (for example AWS) and will update this policy when we do.

Where required, we rely on appropriate safeguards — including standard contractual clauses with our processors — for transfers outside your country of residence.

8. Data retention

Account, project, and billing data are retained while your account is active.

After account deletion, we delete or anonymize personal data within 90 days, except where retention is required for tax, accounting, fraud prevention, dispute defence, or other legal obligations (typically 7 years for invoicing records under Indian law).

Encrypted backups roll off on a defined cycle and are deleted in due course.

9. Security

We use TLS in transit, encryption at rest for primary stores, role-based access controls, audit logging, and least-privilege production access.

No system is perfectly secure. If a breach affects your personal data, we will notify you and the relevant authorities as required by applicable law.

10. Your rights

Depending on where you live, you may request access, correction, deletion, portability, restriction, or objection in respect of your personal data, and you may withdraw consent where processing is based on consent.

Indian users have the rights granted under the Digital Personal Data Protection Act, 2023, including the right to information, correction, erasure, grievance redressal, and nomination.

EU/UK users have rights under the GDPR/UK GDPR, including the right to lodge a complaint with a supervisory authority.

California users have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of “sale” or “sharing” — we do not sell personal information.

To exercise any of these rights, submit a request through the contact form at /legal/contact (category "Privacy or data request"). We may need to verify your identity before completing your request and will respond within the timelines required by the applicable law.

11. Children

storyboard.show is not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have collected data about a child, contact us through /legal/contact and we will delete it.

12. Grievance redressal (India)

If you have a privacy concern, submit it through the contact form at /legal/contact and choose category "Legal / Grievance Officer".

We aim to acknowledge complaints within 24 hours and resolve them within 15 days, in line with the Information Technology Rules, 2021 and the Digital Personal Data Protection Act, 2023.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by updating the “Last updated” date and, where appropriate, by in-app or email notice.