Privacy Policy

The data controller responsible for your personal data is Short Bytes (“we,” “us,” or “our”), operator of shortbytes.app.

For any question about this policy or your personal data, contact us at contact@shortbytes.app.

We have not appointed a Data Protection Officer (DPO). For privacy matters, please use the contact details above.

This policy applies to visitors and registered users of the Short Bytes website, editor, and related services (collectively, the “Service”).

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data in accordance with the General Data Protection Regulation (GDPR) and equivalent local laws.

This policy should be read together with our Terms of Service.

“Personal data” means any information relating to an identified or identifiable natural person. We may collect the following categories:

Providing account and billing data is necessary to create an account and use paid features under our contract with you. Social connection data is optional; without it, you can still edit and export videos, but not publish directly to those platforms through our Service.

We process personal data only where we have a valid legal basis:

• Performance of a contract (Art. 6(1)(b)) — to provide the Service, process your videos, manage your account, and handle subscriptions and credits.
• Consent (Art. 6(1)(a)) — when you connect social accounts, enable optional auto-posting, or accept non-essential cookies where required. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud and abuse, improve features, and defend legal claims, where our interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other applicable laws.

We use personal data to:

• Provide, operate, and maintain the Service.
• Authenticate you and protect your account.
• Process payments and manage subscriptions and credits.
• Publish to connected social accounts only when you initiate a publish or enable auto-post.
• Send transactional communications (for example processing status or security notices).
• Monitor performance, diagnose errors, and ensure security.
• Improve and develop the Service.
• Comply with law and enforce our Terms of Service.

We do not sell your personal data. We do not use social login data to build unrelated advertising profiles.

Social publishing is optional and based on your consent and explicit actions.

• OAuth tokens are stored on our servers and used only to connect your account, publish on your request, refresh tokens, or disconnect.
• We do not post without your deliberate action or a user-enabled auto-post setting.
• You may disconnect any linked account at any time in the editor.
• On disconnect, we delete associated tokens and cease accessing that platform on your behalf.
• Content published to third-party platforms is also governed by their privacy policies.

For TikTok: we use user.info.basic to show your connected account in our UI and video.publish to publish videos you request. Videos are transferred via HTTPS from our verified storage URLs.

We use trusted service providers (“processors”) who process personal data on our instructions and under data processing agreements where required by GDPR. Categories include:

• Cloud infrastructure and object storage.
• Payment processing (Stripe).
• Authentication providers (for example Google).
• AI and media processing providers where used for Service features.
• Email and customer support tools.

We may also share data:

• With social platforms you choose when you publish content.
• With authorities when required by law or to protect rights and safety.
• In connection with a merger or acquisition, subject to continued protection of your data.

We do not share OAuth tokens with other users or unrelated third parties.

Your data may be processed in the EEA and in other countries (for example the United States) where our processors operate. When personal data is transferred outside the EEA to countries without an adequacy decision, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and supplementary measures where necessary.

You may request more information about transfers and safeguards by contacting contact@shortbytes.app.

We retain personal data only as long as necessary for the purposes described in this policy:

• Account and project data — while your account is active; deleted or anonymized within a reasonable period after account deletion, except where retention is required by law.
• Media files — until you delete projects/processed outputs or your account, subject to backup cycles.
• Social OAuth tokens — until you disconnect or delete your account.
• Billing records — as required for tax and accounting (typically up to 10 years where mandated).
• Security logs — for a limited period (generally up to 90 days unless needed for incident investigation).

We implement appropriate technical and organizational measures, including HTTPS encryption, access controls, and secure credential storage. No system is completely secure; please use a strong password and protect your account credentials.

If GDPR applies to you, you have the following rights in relation to your personal data:

• Right of access (Art. 15) — obtain a copy of personal data we hold about you.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — request deletion where applicable (“right to be forgotten”).
• Right to restriction of processing (Art. 18) — limit how we use your data in certain cases.
• Right to data portability (Art. 20) — receive data you provided in a structured, commonly used, machine-readable format where processing is based on contract or consent.
• Right to object (Art. 21) — object to processing based on legitimate interests, including profiling related to direct marketing (we do not use your data for direct marketing profiling).
• Right to withdraw consent (Art. 7(3)) — at any time where processing is based on consent, without affecting prior lawful processing.

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Article 22.

The Service is not directed at children. We do not knowingly collect personal data from children under 16 in the EEA (or under 13 where permitted by applicable local law) without parental consent. If you believe we have collected a child's data, contact us and we will delete it promptly.

We may update this Privacy Policy to reflect legal, technical, or business changes. Material updates will be posted on this page with a revised effective date. Where required by GDPR, we will notify you of significant changes (for example by email or in-app notice).

Last updated: May 28, 2026.

• Data controller: Short Bytes
• Privacy requests: contact@shortbytes.app
• Account & support: support@shortbytes.app
• General inquiries: contact@shortbytes.app