This privacy policy explains how Curvable collects, uses, and protects your personal data when you use the Curvable website and product (collectively, the "Service"). Curvable is operated by Tiago Lemos (Trabalhador Independente), registered in Portugal under the trading name Nodewave, with operating address Praceta Casa De Sal, 3810-418 Aveiro, Portugal ("we", "us", "Curvable").
By using the Service you agree to the practices described here. If you do not agree, do not use the Service.
1. What we collect
We collect the following categories of data:
- Account data. Email address, display name, profile photo (if provided via Google sign-in), and authentication identifiers. Collected when you sign up.
- Billing data. Subscription tier, billing status, and a reference identifier for your Stripe customer record. We do not store credit card numbers or full payment instruments. Stripe holds those.
- Product data. Prompts you submit, brand URLs you provide for research, generated video assets, and project metadata. Stored so you can access your work across sessions.
- Usage data. Pages visited, features used, performance metrics, errors encountered. Used to operate the Service, debug issues, and improve product quality.
- Device + technical data. IP address, browser type, operating system, language preference, screen size. Standard web request metadata.
2. How we use it
We use your data for the following purposes:
- To operate and provide the Service.
- To bill you and manage your subscription.
- To send transactional emails (receipts, password resets, failed payment notifications).
- To debug errors and improve product quality.
- To detect, prevent, and respond to abuse, fraud, or security incidents.
- To comply with legal obligations (tax, accounting, lawful requests from authorities).
We do not sell your personal data. We do not share your prompts or generated videos with third parties for advertising or model training.
3. Third-party processors we share data with
To run the Service we use the following processors. Each is bound by a data processing agreement and processes data only on our instructions:
- Supabase — database, authentication, file storage. EU region.
- Vercel — application hosting and edge delivery.
- Stripe — payment processing and subscription management. Stripe is the controller of payment card data; we do not see or store it.
- Anthropic, Google, OpenAI — large language model providers used to generate video plans and scene code. Prompts are sent server-side; providers process them under their respective enterprise terms and do not use them to train their models.
- Upstash — rate limiting and ephemeral caching.
- PostHog — product analytics. EU region.
- Plausible — privacy-friendly marketing analytics. No cookies, no personal identifiers.
- Sentry — error monitoring.
- Cloudflare — CDN and security layer.
We may add additional processors in the future as the product evolves, including but not limited to email senders, customer support tools, advertising attribution platforms (such as Meta or Google), or A/B testing tools. We will update this list when we do. Continued use of the Service after such updates means you accept the change.
4. Cookies and similar technologies
We use a small number of cookies and local storage entries strictly necessary to operate the Service (session, authentication, CSRF tokens, preferences). We also use first-party analytics that may set identifier cookies; if PostHog is enabled in your session it stores a random distinct identifier locally.
We do not use third-party advertising cookies today. If we add advertising tools in the future we will update this policy and surface a consent banner where required by law.
5. Legal basis (GDPR)
For users in the European Economic Area, our legal bases are:
- Contract — to provide the Service you signed up for and process your subscription.
- Legitimate interest — to debug, secure, and improve the Service; to communicate with you about your account.
- Legal obligation — to keep tax and accounting records and to respond to lawful requests.
- Consent — where required (for example, for optional marketing emails).
6. Where your data lives
Primary data storage is in the European Union (Supabase EU region). Some processors operate globally; data may transfer to the United States or other jurisdictions under standard contractual clauses or equivalent safeguards.
7. How long we keep it
We retain account data for as long as your account is active. After you delete your account we delete personal data within 30 days, except where retention is required for legal, tax, or accounting purposes (typically up to 10 years for invoices under Portuguese law).
Generated videos and project files are deleted alongside your account. You can also delete individual projects at any time from the editor.
8. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (right to erasure).
- Restrict or object to certain processing.
- Receive a portable copy of your data.
- Withdraw consent at any time (where consent is the legal basis).
- Lodge a complaint with a supervisory authority. In Portugal that is the CNPD (cnpd.pt).
To exercise any of these rights, email support@curvable.ai. We will respond within 30 days.
9. Security
We use industry-standard practices to protect your data: TLS for all connections, encryption at rest for databases and storage, scoped access controls via row-level security, rate limiting, and audit logging. No system is perfectly secure; if a breach occurs we will notify affected users without undue delay and in line with applicable law.
10. Children
Curvable is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top of the page reflects the most recent revision. Material changes will be announced via email or in-product notice.
12. Contact
Questions about this policy, your data, or anything else: support@curvable.ai.