Privacy Policy

GDPRLaw 09-08Updated: March 31, 2026

1. Data controller

Viffly.app is a service operated byLumatech MA LTD, a company registered in the United Kingdom, operating in Morocco under the nameBrightCore SARL.

DPO
privacy@lumatech.ma
Support
support@lumatech.ma
Headquarters
Casablanca, Morocco

2. Legal basis for processing

We process your data in accordance with Article 6 of the GDPR:

Contract performanceArt. 6.1.b
Provision of the video generation service
ConsentArt. 6.1.a
Analytics, non-essential cookies
Legitimate interestArt. 6.1.f
Security, abuse prevention
Legal obligationArt. 6.1.c
Billing, tax compliance

3. Data collected

Category
Data
Retention
Account
Email, hashed password (bcrypt 12 rounds)
Account lifetime
Payment
Handled by Stripe (PCI DSS Level 1). No card details stored by us.
Per Stripe
Uploads
Audio files, images, article links
24 hours
Videos
MP4 files on AWS S3 (eu-west-3, Paris)
7 days
Usage
Video history, settings, credits
Account lifetime
Technical
IP address, browser, timestamp
90 days

4. Processors and transfers

AWS
Video storage, Lambda rendering
EU Paris
Supabase
PostgreSQL database
EU Frankfurt
Stripe
Secure payment (PCI DSS)
EU / US
ElevenLabs
AI voice synthesis
US
Fal.ai
AI image generation
US
Pexels
Royalty-free images
EU

For transfers outside the EU, we rely on theStandard Contractual Clauses (SCC)of the European Commission.

5. Your rights (GDPR Art. 15-22)

Access
Obtain a copy of your data
Rectification
Correct inaccurate data
Erasure
Right to be forgotten
Portability
Export in JSON format
Objection
Refuse processing
Restriction
Restrict processing

Exercise your rights:send an email toprivacy@lumatech.mawith the subject "GDPR Request". Response within 30 days.

You can delete your account fromSettings > Account > Danger zone. Complaints can be filed with the CNDP (Morocco) or any European supervisory authority.

6. Cookies and trackers

Essential

Authentication (JWT), language preferences. No consent required.

Analytics

PostHog, anonymized audience measurement, subject to consent. Hosted in the EU.

No advertising or third-party tracking cookies.

7. Data security

HTTPS/TLS on all communications
Passwords hashed with bcrypt (12 rounds)
API keys hashed with SHA-256
Stripe PCI DSS Level 1
EU storage (AWS Paris) + auto-delete 7d
SSRF, CSP, rate limiting, CORS protection

8. Minors

Viffly.app is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors.

9. Changes

This policy may be updated. In the event of a substantial change, we will notify you by email. The date of the last update appears at the top of the page.

10. Contact

Lumatech MA LTD
BrightCore SARL