Privacy Policy

Last updated: 4 February 2025

1. Introduction & Data Controller

This Privacy Policy explains how BSD Marketing Solutions ("we", "us", "our"), a company registered at 86-90 Paul Street, London, EC2A 4NE, United Kingdom, collects, uses, and protects your personal information when you use Alters at createalters.com and app.createalters.com (the "Service").

BSD Marketing Solutions is the data controller responsible for your personal data. This policy applies under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are located in the European Economic Area, the EU General Data Protection Regulation (GDPR) also applies. If you are a California resident, the California Consumer Privacy Act (CCPA) provides additional rights described in Section 8.

2. Information We Collect

Information you provide

  • Name and email address when you create an account
  • Google profile information (name, email, profile picture) if you sign in with Google OAuth
  • Campaign briefs, offer descriptions, and other content you enter into the Service
  • Payment information processed via Stripe - we do not store your card number, expiry date, or CVC on our servers

Information generated through your use of the Service

  • AI-generated scripts created from your campaign inputs
  • Video configurations (presenter selections, voice choices, aspect ratios)
  • Credit balance, transaction history, and subscription records

Information collected automatically

  • IP address
  • Browser type and version, device type, and operating system
  • Pages visited, time spent, and referring URLs
  • Cookies and similar tracking technologies (see Section 4)

3. How We Use Your Information

Contract performance: Providing the Service to you, processing your account, generating scripts and videos, managing credits, and processing payments.

Legitimate interests: Improving and optimising the Service, analytics and usage patterns, fraud prevention, and providing customer support.

Consent: Sending marketing communications (if you opt in), and deploying non-essential cookies such as analytics and advertising pixels.

Legal obligation: Maintaining tax and financial records, and responding to lawful requests from authorities.

4. Cookies & Tracking

We use the following categories of cookies:

  • Essential cookies: Supabase authentication session cookies required for the Service to function. These cannot be disabled.
  • Analytics cookies: Google Analytics 4 (GA4) to understand how users interact with the Service.
  • Advertising cookies: Meta Pixel for advertising measurement and optimisation.

Non-essential cookies (analytics and advertising) require your consent before being placed on your device, in accordance with the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive. A cookie consent mechanism will be implemented before any non-essential tracking goes live.

5. Third-Party Providers

Provider Data Processed Purpose
Supabase Account data, authentication, application data Backend infrastructure and authentication
Stripe Payment details, billing information Payment processing
ElevenLabs Script text sent for processing Text-to-speech voice generation
Railway Application traffic and logs Application hosting
Google Analytics Usage data, IP address (anonymised) Service analytics
Meta (Facebook) Page interactions, IP address Advertising measurement

6. International Data Transfers

BSD Marketing Solutions is based in the United Kingdom. Our third-party service providers may process your data in the United States, the European Union, or other jurisdictions. Where data is transferred outside the UK or EEA, it is protected by appropriate safeguards including UK and EU adequacy decisions and Standard Contractual Clauses (SCCs) as approved by the relevant authorities. These protections apply to all users regardless of location.

7. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after deletion to allow for recovery requests.
  • Generated content: Scripts, video configurations, and generated videos are retained while your account is active.
  • Payment records: Retained for 7 years in accordance with UK tax law (HMRC requirements).
  • Analytics data: Retained per Google and Meta's respective data retention settings.

8. Your Rights

All users

Regardless of your location, you may:

  • Request access to the personal data we hold about you
  • Request correction of inaccurate personal data
  • Request deletion of your personal data

To exercise these rights, contact us at support@createalters.com.

Additional rights under UK and EU GDPR

If you are located in the UK or EEA, you also have the right to:

  • Request restriction of processing of your personal data
  • Data portability - receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interests
  • Not be subject to solely automated decision-making with legal effects (our AI script generation involves automation, but you review and control all output before use)
  • Lodge a complaint with the Information Commissioner's Office (ICO) in the UK, or your relevant EU supervisory authority

Additional rights under the CCPA (California residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information
  • Opt out of the sale of personal information - we do not sell your personal information
  • Non-discrimination for exercising your privacy rights

9. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit
  • Row Level Security (RLS) policies on our Supabase database
  • Stripe PCI DSS compliance for payment processing
  • Access controls limiting data access to authorised personnel

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

BSD Marketing Solutions
86-90 Paul Street
London, EC2A 4NE
United Kingdom

Email: support@createalters.com