Privacy Policy

What we collect

• — Email address (for account and communications)
• — Music files you upload (processed to generate your video, not stored permanently after processing)
• — Usage data (pages visited, features used)
• — Payment information (processed by Stripe — we never store card details)

Data Protection for Third-Party Integrations

When you connect a third-party service (such as YouTube via Google OAuth), we apply the following protections:

OAuth scopes we request

• — youtube.upload — to publish your finished video to your channel on your behalf
• — youtube.readonly — to verify the upload completed successfully
• — We do not request access to your contacts, email, Drive, or any other Google data

In transit

• — All data exchanged with Google APIs is transmitted over HTTPS/TLS
• — OAuth tokens are never passed in URL parameters; they are exchanged server-side via secure POST requests

At rest

• — Access tokens and refresh tokens are stored in Supabase (our hosted database) in the profiles table
• — Row-level security (RLS) is enforced: each row is readable only by the authenticated user who owns it
• — Tokens are never returned to the browser or exposed to the frontend — all YouTube API calls are made server-side

Access controls

• — Only authenticated server-side API routes can read or use your OAuth tokens
• — No third party, employee, or service has direct access to individual user tokens

Revoking access

• — You can disconnect YouTube at any time from your Dashboard → Settings page
• — You can also revoke Sonscape's access directly from your Google account at myaccount.google.com/permissions
• — Revoking access immediately prevents Sonscape from uploading on your behalf

Data retention

• — OAuth tokens are deleted within 30 days of account deletion or access revocation
• — To request immediate deletion, email privacy@sonscape.io

How we use it

• — To generate your music video
• — To send you your video and related notifications
• — To improve the product

Who we share it with

• — Stripe (payment processing)
• — Supabase (database and authentication)
• — Resend (transactional email)
• — AI video generation providers (your track and brief are sent to generate clips — not stored by them)

Your rights

• — Request deletion of your data: privacy@sonscape.io
• — Export your data: privacy@sonscape.io
• — Opt out of marketing emails: unsubscribe link in emails

Contact

privacy@sonscape.io · sonscape.io