Privacy Policy
Effective April 17, 2026
ViralTwin (“we,” “us,” “our”) is a tool for recreating short-form videos using AI. This page explains, in plain English, what data we collect, why we collect it, who we share it with, and the controls you have. If anything below is unclear, email us at support@viraltwin.app.
The short version
- We collect the minimum needed to run your account: your name, email, and avatar from Google sign-in; your subscription status from Stripe; and the canvases, prompts, reference images, and generated videos you create inside ViralTwin.
- Your OpenRouter API key is encrypted at rest with AES-256-GCM and only decrypted in memory when we proxy a request on your behalf. We never log your key.
- We do not sell your data, train models on your content, or share your videos with anyone outside the providers required to deliver the service.
- You can delete your account at any time and we’ll wipe it.
What we collect
Account information
When you sign up via Google through Clerk, we receive your name, email address, profile image, and a stable user ID. We use this to create your ViralTwin account and personalize the app.
Billing information
Subscriptions are processed by Stripe. Your card details are entered on Stripe’s servers and never touch ours. We store only the Stripe customer ID, subscription ID, plan, status, and renewal date so we can give you access and show your billing state.
Your OpenRouter API key
ViralTwin uses a Bring-Your-Own-Key model. When you paste your OpenRouter key into Settings, we encrypt it with AES-256-GCM using a server-side master key and store only the ciphertext, the initialization vector, the auth tag, and the last four characters (for display). The plaintext key is decrypted only in memory, only when proxying a request to OpenRouter on your behalf, and is never written to logs.
Content you create
Anything you put into a canvas — YouTube URLs, written prompts, reference images you upload, the per-scene analysis we generate, and the final stitched videos — is stored in your account so you can come back to it. We treat this as your private content.
Operational telemetry
Like any web app, our hosting provider (Vercel) and our edge layer record standard request metadata such as IP address, user agent, and path, for short retention windows used for security and abuse prevention. We do not attach analytics scripts that fingerprint you across the web.
How we use it
- To authenticate you and run your sessions.
- To call AI providers on your behalf (analysis, prompt generation, video generation) using your OpenRouter key.
- To store and serve your canvases, reference images, and generated videos so you can come back to them.
- To process your subscription and send transactional emails.
- To investigate abuse, debug issues, and improve the product.
We do not use your content to train any AI model and we do not pass it to providers for training purposes.
Who we share it with
We only share data with subprocessors strictly necessary to deliver ViralTwin:
- Vercel — application hosting and edge delivery.
- Clerk — authentication, session management, and user account storage.
- Turso — managed SQLite database for your account data and canvases.
- Cloudflare R2 — object storage for uploaded reference images, extracted frames, and rendered videos.
- Stripe — subscription billing and the customer portal.
- OpenRouter and the upstream model providers it routes to (Google for Gemini, OpenAI for GPT-5-mini, ByteDance for Seedance) — only the specific request payloads you trigger when generating content.
- Google — only if you sign in with Google, in which case Google’s own privacy policy applies to that handshake.
We do not sell your data to advertisers or data brokers. We do not share your content with any party not listed above.
How long we keep it
- Account data — for as long as your account is active. When you delete your account, we delete your record and associated canvases, uploads, and renders within 30 days.
- Billing records — Stripe retains transaction records for the period required by tax and accounting law. We retain a minimal record on our side (status + customer ID).
- Logs — short retention windows on our hosting providers, typically 7–30 days.
Your rights
You can sign in at any time and:
- View, export, or delete your canvases.
- Remove your stored OpenRouter key.
- Cancel your subscription from the billing page.
- Request a full account deletion by emailing support@viraltwin.app. We honor deletion requests within 30 days.
If you are in the EU, UK, or California, you also have the right to access, correct, port, restrict, or object to processing of your personal data, and to lodge a complaint with your local supervisory authority. Email us and we’ll handle it.
Security
We use TLS for all traffic, encrypt OpenRouter API keys at rest with AES-256-GCM, and rely on managed providers (Clerk, Turso, R2, Stripe) for the underlying account, database, storage, and payment systems. No system is perfectly secure, but we treat your data as if it were our own.
Children
ViralTwin is not intended for users under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you believe a child has signed up, email us and we’ll remove the account.
Changes to this policy
We may update this policy as the product evolves. When we make material changes we’ll update the effective date at the top and, for substantial changes, notify you by email or in-app banner.
Contact
For questions, deletion requests, or anything else, email support@viraltwin.app.