Privacy Policy

MMVault ('MMVault', 'we', 'us') is the controller of your personal data. For any privacy question, request, or complaint you can reach our privacy team at contact@mmvault.ai.

We collect only what we need to operate MMVault. Categories of data we process:

• Account data — email address, authentication identifiers, workspace membership; if you sign in with Google or Apple, the email and (where provided) display name and avatar from that provider.
• Uploaded media — videos, audio, images and screenshots you choose to upload, plus their file metadata (size, format, capture timestamps where embedded).
• Derived data — transcripts, screen text (OCR), scene descriptions, key moments, clip suggestions, and vector embeddings produced by AI processing of your media.
• Usage data — product events such as uploads, searches and asks; basic device info (browser user-agent, OS family); crash and error logs; coarse approximate location inferred from IP.
• Communications — messages you send to support and our replies.

We use the data above only to:

• Provide, operate, secure and maintain the service.
• Process your media with AI to make it searchable and answerable inside your workspace.
• Authenticate you and enforce workspace access controls.
• Detect, investigate and prevent fraud, abuse, illegal content and security incidents.
• Respond to your requests and provide support.
• Comply with legal obligations and enforce our Terms.
• Send transactional emails about your account; we do not send marketing emails without your consent.

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Performance of a contract — to provide the service you signed up for.
• Legitimate interests — to keep the service secure, prevent abuse, and improve reliability, balanced against your rights.
• Legal obligation — to comply with applicable law and lawful requests.
• Consent — for any processing that specifically asks for it (e.g. optional features); you can withdraw consent at any time.

Your files and the data derived from them are scoped to the workspace where you uploaded them. Only members of that workspace can search, ask about or view them. We do not surface your media to other users or in any public index. We do not sell your personal data and we do not share it for advertising.

MMVault staff can access stored data only when strictly necessary for support, debugging, abuse investigation or to comply with law, under confidentiality obligations.

We rely on a small set of trusted providers who process data on our behalf under written agreements:

• Hosting, database and storage — Supabase / Lovable Cloud (managed Postgres, object storage and authentication).
• AI providers — Google (Gemini) and OpenAI (GPT) accessed through the Lovable AI Gateway, used to transcribe, OCR, describe, embed and answer questions about your media.
• Authentication — Google OAuth and Sign in with Apple, if you choose those sign-in methods.
• App distribution and in-app purchases — Apple (App Store) and Google (Play) for the mobile apps; payment data is handled by them, not us.
• Email and error monitoring — providers used to deliver transactional email and aggregate crash logs.

To make your media searchable, MMVault sends content to AI providers via secure APIs. We only use providers whose API terms commit them not to train their foundation models on data sent through their APIs, and we do not opt into any model-training or data-sharing programs.

Outputs (transcripts, descriptions, embeddings, answers) are stored in your workspace and used solely to power your search, Ask and clip features.

We retain your media and derived data for as long as your account is active. When you delete a file, we delete the original and any data derived from it. When you delete your account, we delete your media, derived data and account record within 30 days, except where we are required to retain limited records to comply with legal obligations, resolve disputes, or enforce our Terms.

Backups are rotated on a rolling basis and overwritten within 90 days.

Data is hosted on managed cloud infrastructure and may be processed in regions where our hosting and AI providers operate, including the European Union and the United States. Where personal data is transferred outside your country, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

Depending on where you live (e.g. EU/EEA, UK, California, Brazil), you have rights over your personal data, including:

• Access — get a copy of the personal data we hold about you.
• Correction — ask us to fix inaccurate data.
• Deletion — ask us to delete your data ('right to be forgotten').
• Portability — receive your data in a structured, machine-readable format.
• Objection and restriction — object to or restrict certain processing.
• Withdraw consent — where processing is based on consent.
• Lodge a complaint — with your local data-protection authority.

You can delete any file from your library at any time. Deleting a file removes the original and the derived transcripts, screen text, scene descriptions, key moments, clip suggestions and embeddings created from it.

You can delete your entire account in-app from Settings → Account → Delete account, or by emailing contact@mmvault.ai from your account address. Deletion is permanent and irreversible. We complete deletion within 30 days, subject to limited legal retention.

On the web we use strictly necessary cookies and browser local storage to keep you signed in, remember your workspace and language, and protect against abuse. We do not use advertising cookies or third-party tracking cookies. In the mobile apps we do not use Apple's IDFA or any cross-app tracking identifiers, and we do not run the App Tracking Transparency prompt because we do not track users across other companies' apps and websites.

MMVault is not directed to children under 13, or under the minimum age in your country (16 in much of the EU/EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact contact@mmvault.ai and we will delete it.

Files and derived data are stored on managed cloud infrastructure with encryption in transit (TLS) and at rest. Access to derived data is enforced at the database level via row-level security tied to your workspace. We follow least-privilege access for staff, log administrative access, and run periodic reviews. No system is perfectly secure — please use a strong, unique password and enable any available two-factor protection.

Categories of personal information we collect, the purposes, and the third parties we share with are described in sections 2, 3, 5 and 6. In the past 12 months we have not sold or shared personal information for cross-context behavioural advertising, and we do not knowingly do so for users under 16.

California residents have the right to know, delete, correct and limit the use of sensitive personal information, and to be free from discrimination for exercising these rights. To exercise any right, email contact@mmvault.ai from your account address.

We may update this Policy as the product and law evolve. We will update the 'Last updated' date and, for material changes, give reasonable advance notice (e.g. by email or in-app notice).

For privacy questions, data requests or to reach the data controller, email contact@mmvault.ai.