Privacy Policy

Last updated: May 30, 2026

This Privacy Policy describes how ViralHighlight ("we", "our") collects, uses, stores, and shares your personal information when you use our platform. We comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Data Controller

The data controller responsible for your personal data within the meaning of the GDPR is ViralHighlight. For any privacy-related queries or to exercise your rights, contact us at:

ViralHighlight
legal@viralhighlight.com

2. Data We Collect

Account data:

Email address
Username
Password (stored as bcrypt hash — never in plain text)
Avatar URL (only for Google OAuth accounts)

Billing data:

Stripe Customer ID
Subscription plan (free/pro)
Remaining and consumed credits
Note: credit card data is managed exclusively by Stripe. ViralHighlight never stores payment card data.

Usage data:

AI generation history (tool used, inputs, outputs)
Result ratings (👍/👎)
Login count and last access date
Satisfaction survey responses (if you complete them)

Technical data:

IP address and browser type (access logs)
Session data (httpOnly JWT token, expires in 30 days)
Technical error logs (via Sentry)

Analytics data:

Pages visited and interactions (Vercel Analytics — no third-party cookies, aggregated and anonymous data)

3. How We Use Your Data

Provide, operate, and maintain the Service
Manage your account and authentication
Process payments and manage subscriptions through Stripe
Personalize AI generations with examples you have rated positively (few-shot learning)
Send transactional emails (welcome, payment confirmation, low credit alerts, terms changes)
Detect, prevent, and investigate fraud and abusive use
Monitor technical errors and improve platform stability
Aggregated and anonymous usage analytics to improve the Service
Comply with legal and tax obligations

4. Legal Basis for Processing (GDPR)

Performance of a contract (Art. 6.1.b GDPR): account management, credits, billing, and AI generations.
Legitimate interests (Art. 6.1.f GDPR): platform security, fraud prevention, service improvement, and anonymous analytics.
Legal obligation (Art. 6.1.c GDPR): accounting records and tax compliance (7-year retention obligation under Spanish tax law).

5. Data Sharing with Third Parties

We do not sell, rent, or transfer your personal data to third parties for advertising purposes. We share data only with the following service providers, to the extent necessary for them to provide their services:

Stripe — payment processing. Receives email and billing data necessary for the transaction. stripe.com/privacy

Google — OAuth authentication (optional). If you choose "Sign in with Google", receives your name and email to create the session. policies.google.com/privacy

OpenAI / Groq — AI content generation. The inputs and prompts you submit are processed by these APIs. Per their business policies (API), they are not used to train models. openai.com/policies

Vercel — hosting, CDN, and cookie-free analytics. Analytics are privacy-first, without personal fingerprinting, using aggregated data. vercel.com/legal/privacy-policy

Sentry — error monitoring. Receives stack traces and technical data (without deliberately including sensitive personal data). sentry.io/privacy

Neon — serverless PostgreSQL database where all user data is stored. neon.tech/privacy-policy

We may also disclose data if required by law, court order, or competent regulatory authority.

6. Data Retention

Account data: for the duration of the account + 90 days after deletion.
Generation history: 24 months.
Error logs (Sentry): 30 days.
Accounting records: 7 years (Spanish tax obligation).
Session data (JWT): 30-day expiration.

After the retention periods, data is securely deleted or anonymized.

7. Your Rights (GDPR)

If you reside in the European Economic Area (EEA) or Spain, you have the following rights regarding your personal data:

Access (Art. 15): request a copy of the data we hold about you.
Rectification (Art. 16): correct inaccurate or incomplete data.
Erasure / "Right to be forgotten" (Art. 17): delete your account and data from profile settings or by requesting it by email.
Portability (Art. 20): receive your data in a structured, machine-readable format (JSON/CSV).
Restriction of processing (Art. 18): request restriction of processing while a dispute is being resolved.
Objection (Art. 21): object to processing based on our legitimate interests.
Withdraw consent: at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at legal@viralhighlight.com. We will respond within a maximum of 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): aepd.es.

8. CCPA Rights (California Residents)

If you reside in California (USA), the California Consumer Privacy Act (CCPA) grants you the following additional rights:

Right to know what personal data is collected, used, disclosed, or sold.
Right to request deletion of your personal data.
Right to non-discrimination for exercising your CCPA rights.

ViralHighlight does not sell personal data; therefore, the right to opt-out of sale does not apply. To exercise your rights, contact: legal@viralhighlight.com.

9. Cookies and Tracking Technologies

Essential cookies (session): We use an httpOnly cookie to manage the user session (NextAuth.js JWT). This cookie is strictly necessary for login functionality and does not require consent.
Analytics (Vercel Web Analytics): We use Vercel Analytics, a privacy-first analytics solution that does not use third-party cookies or perform personal fingerprinting. Data is aggregated and anonymous.
Google AdSense (potential): The site may load the Google AdSense script, which could place advertising cookies. See Google's privacy policy for more information.

We do not use tracking pixels, retargeting technologies, or our own third-party advertising cookies.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Passwords stored with bcrypt hash (cost factor ≥ 12)
Sessions managed with JWTs signed with server-side secret key
All communications encrypted with TLS/HTTPS
Neon database with access restricted by encrypted connection string
Periodic security reviews and dependency updates

No system is 100% secure. In the event of a security breach affecting your data, we will notify you in accordance with the timeframes established by the GDPR (maximum 72 hours to the competent authority, without undue delay to those affected).

11. International Data Transfers

Some of our providers (Stripe, Google, OpenAI, Groq, Vercel, Sentry) process data on servers located in the United States or other jurisdictions outside the European Economic Area. These transfers are covered by:

Standard Contractual Clauses (SCCs) approved by the European Commission (for EU→US transfers)
The EU-U.S. Data Privacy Framework, where the provider is certified

12. Children's Privacy

The Service is not directed at persons under 16 years of age. We do not intentionally collect personal data from persons under 16. If you become aware that a minor has created an account or provided personal data, contact us at legal@viralhighlight.com and we will delete that information immediately.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email before they take effect. The "Last updated" date at the top reflects the current version. Continued use of the Service after notification of changes constitutes acceptance of the new policy.

14. Contact and Data Protection

For any questions about this Privacy Policy, to exercise your rights, or to report a privacy incident, contact us:

ViralHighlight
Data Controller
legal@viralhighlight.com

We commit to responding to all inquiries and rights requests within a maximum of 30 calendar days.