Privacy Policy

We collect the minimum data needed to run the Service: your email, your subscription state, your project metadata, and the videos / files you upload. We don’t sell your data. We don’t use it for advertising. We don’t share it with third parties beyond the small set of providers listed below, and only for the operational purposes described.

Operated by Nicholas Kalisz d/b/a Mountain Creative Directory, Colorado, USA. Questions: nicholaskalisz@gmail.com.

Account data

• Email address (used to sign you in via one-time codes)
• Display name, profile slug, role (creator / producer)
• Optional profile content you choose to share publicly (bio, headshot, reel URL, gallery images)

Billing data

• Stripe customer ID + subscription state. We do NOT see or store your full credit card number; Stripe handles the payment-card data on their PCI-compliant platform.

Your Content

• Videos uploaded for review (stored on Mux), and the files you upload for delivery (stored on Cloudflare R2)
• Comments, approvals, project + folder + delivery metadata you create through the app

Operational telemetry

• Server logs (IP address, request paths, error traces) — kept ~30 days for debugging and abuse detection
• Email delivery state (sent, opened, bounced) via Resend
• Video playback analytics from Mux (anonymized — counts and durations, not personal data)

• To run the Service — sign you in, show you your projects, deliver files to people you share with
• To bill you — process subscriptions and issue receipts through Stripe
• To send transactional email — sign-in codes, review-comment notifications, approval status, billing receipts
• To debug and prevent abuse — server logs let us track down errors and respond to suspicious activity

We do not use your data for advertising, third-party tracking, lookalike audiences, or any kind of behavioral profiling. There are no ad pixels or analytics trackers on the Service beyond the operational telemetry above.

We rely on the following providers to run the Service. Each is bound by their own privacy commitments; we’ve picked them because they take privacy seriously.

• Supabase — authentication, database (Postgres), realtime, file storage for profile media. Data hosted in their US region.
• Stripe — payment processing. Stores your card details on their PCI-compliant infrastructure.
• Cloudflare R2 — object storage for delivery files (master uploads, color references, etc.).
• Mux — video encoding, hosting, and streaming for review videos.
• Resend — transactional email delivery.
• Vercel — web application hosting. Server logs live here ~30 days.

We do not share your data with anyone outside this list, except as required to comply with valid legal process (subpoena, court order) — in which case we’ll notify you if we’re not legally prohibited from doing so.

• Account data — for as long as your account is open; deleted within 30 days of account closure
• Your Content — until you delete it; backup copies cycle out within 30 days
• Billing records — retained as required by U.S. tax / accounting rules (typically 7 years), then deleted
• Server logs — ~30 days, then rotated out
• Email delivery state — ~90 days via Resend

You can:

• Access your account data at any time through the app
• Correct profile or project data through the app
• Export your content — videos via download, delivery files via the same download flow your recipients use
• Delete your account by emailing nicholaskalisz@gmail.com — we’ll confirm and process within 7 days

California residents have additional rights under the CCPA (the right to know what we collect, the right to delete, the right to opt out of sale of personal information — we don’t sell). EU / UK residents have additional rights under the GDPR (access, rectification, erasure, restriction, portability, objection). Email us to exercise any of these.

We use a small number of strictly-necessary cookies:

• Session cookies (Supabase auth) — let you stay signed in
• Theme cookies — remember light / dark mode preference
• Per-review-link cookies (e.g. rl-<token>) — remember the password you entered for a password- gated review or delivery so you don’t have to re-enter it on every page load

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that fingerprint visitors.

We protect your data using standard security practices: HTTPS everywhere, encryption at rest on our storage providers, password-hashed share-link credentials, signed time-limited download URLs, row-level security in the database. No system is impossible to breach — but we treat client footage like the production asset it is.

If we become aware of a breach affecting your data, we’ll notify you by email within a reasonable timeframe and describe what happened, what data was affected, and what steps to take.

The Service is intended for adults working in a professional production capacity. We do not knowingly collect data from anyone under 16. If you believe we have, email us and we’ll delete it.

The Service is operated from the United States. By using it, you understand that your data will be processed in the U.S. We rely on standard contractual clauses with our sub-processors where required by EU/UK data-transfer law.

We may update this Privacy Policy from time to time. When we do, we’ll update the “Last updated” date at the top. Material changes will be emailed to you.

For privacy questions or to exercise any of the rights described above, email nicholaskalisz@gmail.com.

See also our Terms of Service.