Privacy Policy

This Privacy Policy explains how Highstyle (“Highstyle,” “we,” “us,” or “our”) collects, uses, shares, and protects your information when you use our website at highstyle.ai, join our waitlist, or use our AI video clipping service (the “Service”).

This Policy applies to information about you, including information about content you submit to the Service. It does not apply to third-party websites or services we don’t control, even when they integrate with the Service.

By using the Service, you acknowledge this Privacy Policy. If you disagree with any part of it, please don’t use the Service. Your use is also governed by our Terms of Service.

Information you provide directly

• Waitlist signup: your email address, plus metadata captured automatically when you submit the form (IP address, user agent string, timestamp).
• Account information: the email address you register or sign in with, an optional display name, and your workspace name. If you create a password, we store it only as a salted bcrypt hash — we never store, and cannot see, your plaintext password. If you sign in with Google or an email magic-link instead, we store the authentication state and tokens that method requires.
• Content you submit: source videos (uploaded directly or referenced by URL), prompts, brand assets, metadata, and any other information you enter into the Service. We refer to this collectively as “User Content” in our Terms.
• Content we generate from yours: transcripts (including word-level timing and speaker labels), clip selections, virality scores, and suggested titles, descriptions, captions, and tags derived from your User Content.
• Communications: messages you send to support, sales, legal, security, privacy, or DMCA addresses, including attachments.
• Billing information: payments are processed by Stripe. We do not receive or store full payment-card numbers. We store a Stripe customer identifier, your plan and subscription status, your credit balance, and limited details Stripe returns such as the card’s last four digits and billing postal code.

Information collected automatically

• Device and connection data: IP address, approximate location (derived from IP), browser type, operating system, language preference, referring URL, and the pages you view.
• Usage data: features you use, configuration choices, error events, performance telemetry, and aggregated metrics about your interaction with the Service.
• Cookies and similar technologies: see the Cookies and tracking section for details.

Information from third parties

• Sign-in providers. If you sign in with Google, we receive your email address, name, and profile image from Google and store the OAuth tokens needed to keep you signed in. If you use an email magic-link, our email provider confirms the link you clicked.
• Connected destinations. If you connect a third-party publishing destination (for example, YouTube, TikTok, or Instagram), we store the access tokens that platform issues so we can upload on your instruction.
• Source platforms. If you provide a YouTube URL or other third-party source, we access publicly available metadata about that source.

We do not ask for special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, trade-union membership, health, genetic, or biometric data). Your User Content may incidentally contain such information — for example, a video in which someone discusses their health. We process that content only to provide the Service and do not single it out for any other use. For how we handle faces that appear in video, see Face detection and biometric data.

We use the information we collect to:

• Provide, operate, and maintain the Service — including transcribing, reframing, generating clips and captions, and producing other Output from your User Content.
• Authenticate you, secure your account, and prevent fraud or abuse.
• Send you transactional emails (sign-in links, security notices, billing receipts, important policy updates).
• Communicate with you about your waitlist status, early access invitations, and (with your consent where required) marketing.
• Monitor and improve the Service, including troubleshooting, performance optimization, and aggregated analytics. We do not use your User Content to train our or any third party’s generative AI models without your explicit opt-in consent.
• Comply with legal obligations, respond to lawful requests, enforce our Terms, and protect our rights and the rights of others.

Because the Service is built around video, this section spells out exactly what happens to the media you submit.

• Private by default. Your source videos, the clips we generate, transcripts, and related metadata are private to your workspace. We do not publish, post, sell, license, or make your User Content public. It only leaves your workspace when you direct it to — for example, by downloading it or connecting a third-party publishing destination.
• Stored with our infrastructure providers.Uploaded videos and generated clips are stored using Vercel Blob; account and operational data lives in our Neon database. See How we share information for the full list of providers.
• Processed by automated systems. Your media is analyzed by automated software and AI models to transcribe speech, detect spoken moments, score and rank segments, reframe the video, and burn in captions. See Automated processing and AI.
• Limited, need-based human review. We do not routinely watch your videos. A member of our team may access your User Content only in narrow circumstances: to investigate suspected abuse or a violation of our Terms, to provide support you request, to debug a processing failure, or to comply with law or a valid legal request. Such access is restricted, logged, and limited to what the task requires.
• Not used to train models. We do not use your User Content, or the Output derived from it, to train, fine-tune, or improve our own or any third party’s generative AI models, except with your explicit, separate opt-in consent. Our processing providers are contractually barred from using your content to train their general-purpose models.
• Content from URLs. When you submit a YouTube or other source URL, we download and process that media on your instruction and on your representation that you hold the necessary rights. We do not independently verify ownership of submitted URLs.

To turn a wide video into a vertical clip, the Service has to decide which part of each frame to keep. To do that, our reframing software detects where faces appear in the frame and measures lip movement to follow whoever is speaking. Because this involves analyzing images of people, we want to be precise about what we do and do not do.

What we do

• We run on-the-fly face detection — locating the position and size of faces within sampled video frames — and measure motion in the mouth region to estimate who is talking.
• The output of this analysis is a set of crop coordinates (where to position the vertical frame over time). These coordinates describe a region of the picture, not an identifiable person.

What we do not do

• We do not perform facial recognition. We do not match faces against any database, and we have no means of determining the identity of any person in your video.
• We do not create, extract, or store faceprints, face embeddings, face templates, or any other biometric identifier capable of uniquely identifying an individual.
• We do not use video to infer emotions, mood, age, gender, ethnicity, or health, and we do not perform emotion recognition.
• The face-position and lip-motion data is ephemeral — computed in memory while a clip is rendered and not retained as a separate biometric record afterward.

Because of these design choices, we do not consider this feature to collect “biometric information” or “biometric identifiers” as those terms are defined under laws such as the EU GDPR (Article 9), the Illinois Biometric Information Privacy Act (BIPA), or the Texas and Washington biometric statutes. If we ever introduce a feature that creates biometric identifiers or performs facial recognition, we will update this Policy and obtain any consent the law requires before enabling it. You must not use the Service to identify, profile, or surveil individuals.

If you’re in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Contract — to provide the Service you have requested, including processing User Content you submit.
• Legitimate interests — to operate, secure, and improve the Service; to communicate with you about your account; to detect and prevent abuse. We balance these interests against your rights and freedoms.
• Consent — for non-essential cookies, marketing communications, and any future opt-in use of your User Content for model improvement. You can withdraw consent at any time.
• Legal obligation — to comply with applicable law, including tax, accounting, and law-enforcement obligations.

The Service is built on automated processing: AI models transcribe your audio, select and rank moments by a predicted “virality” score, reframe video, and generate captions, titles, and descriptions. This processing acts on the content you submit to produce Output for you.

We do not use automated decision-making that produces legal or similarly significant effects about you as an individual (for example, decisions about credit, employment, or eligibility). The scores and rankings the Service produces describe your content, are advisory, and are always subject to your review and editing before you publish anything.

If you are in the EEA or UK, and a decision were ever based solely on automated processing with a legal or similarly significant effect, you would have the right under Article 22 of the GDPR to obtain human intervention, express your view, and contest the decision. You can reach us using the details in the Contact section.

We do not sell your personal information. We share it only in the ways described below.

Service providers (sub-processors)

We use third-party providers to operate the Service. They process information on our behalf and are bound by contractual obligations to use it only for our purposes. Our current providers include:

• Vercel — hosting, edge network, and CDN, plus Vercel Blob storage for your uploaded videos and generated clips.
• Neon — managed Postgres database for account data, waitlist signups, and operational records.
• Modal — compute infrastructure for the AI clipping pipeline (transcription, moment selection, reframing, encoding).
• OpenAI — speech-to-text (Whisper API) and potentially other language-model inference. OpenAI is contractually required not to use our customer data to train its general-purpose models.
• Resend — transactional email delivery for magic links, notifications, and account communications.
• Google / YouTube — when you supply a YouTube URL, we interact with public YouTube infrastructure to access the video.
• Stripe (once paid plans launch) — payment processing.

This list may change as we add or replace providers. The current list is maintained on this page; material changes will be reflected in an updated version of this Policy.

Legal disclosures

We may disclose information if we believe in good faith that disclosure is necessary to: comply with a legal obligation, subpoena, court order, or other lawful request; protect the safety, rights, property, or security of Highstyle, our users, or the public; enforce our Terms; investigate fraud or abuse; or respond to claims that User Content infringes third-party rights.

Business transfers

If Highstyle is involved in a merger, acquisition, financing due diligence, or sale of assets, your information may be transferred as part of that transaction. We will notify you (for example, via email or a notice on the Service) before your information becomes subject to a different privacy policy.

With your direction

We share information when you direct us to — for example, when you connect a third-party publishing destination such as TikTok or Reels for direct upload from Highstyle.

With respect to your account and how you use Highstyle, we act as a controller — we decide why and how that data is processed. With respect to the User Content you upload and the third parties who may appear in it, we act as a processor (a “service provider” under U.S. state law): we process that content only to provide the Service on your instructions, as described in this Policy and our Terms.

If you use the Service for business purposes and your processing is subject to the GDPR, UK GDPR, or a comparable law, you may require a Data Processing Addendum (DPA) with us. Our DPA incorporates the European Commission’s Standard Contractual Clauses for restricted transfers and identifies the sub-processors we use. To request it, email contact@highstyle.ai with the subject line “DPA — Highstyle.”

As the controller of any User Content you upload, you are responsible for having a lawful basis to include other people’s personal data and for giving those individuals any notice the law requires.

Highstyle is operated from Canada (Ontario). Our sub-processors operate in several jurisdictions, including the United States, Canada, the European Economic Area, and the United Kingdom. When you use the Service, your personal information will be transferred to and processed in those jurisdictions, where privacy laws may differ from those of your country of residence.

When we transfer personal data from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or equivalent mechanisms. Canada is the subject of a European Commission adequacy decision for commercial organizations subject to PIPEDA.

You can request more information about these safeguards by emailing contact@highstyle.ai.

We use a small number of cookies and similar technologies to operate the Service. These include:

• Strictly necessary cookies: required for authentication, security (CSRF protection), and session management. The Service will not function without them.
• Preference cookies: remember settings such as your dashboard preferences. Optional; the Service works without them.
• Analytics cookies (if and when we enable them): aggregate usage data to help us improve the Service. In jurisdictions where consent is required (EEA, UK, California for “Sale”/“Share” purposes), we will obtain consent before placing non-essential cookies.

Most browsers let you delete or block cookies through the browser settings. Blocking necessary cookies may break parts of the Service.

We honor the Global Privacy Control (GPC) signal as a valid opt-out of “Sale” and “Sharing” of personal information under applicable U.S. state laws, where available.

We keep personal data only for as long as we need it for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention windows include:

• Waitlist email: retained until you ask us to delete it or until the waitlist program concludes.
• Account data: retained for the life of your account plus a short tail period (up to 90 days) to handle cancellations, refunds, and disputes.
• User Content (source videos, outputs):retained per your plan’s storage limits and your explicit retention settings. You can delete your User Content from the Service at any time.
• Operational logs: retained for security and troubleshooting purposes — typically 30 to 90 days, longer for security-relevant events.
• Billing records: retained as long as required by applicable tax and accounting law (typically 7 years in the United States).

We implement reasonable technical and organizational measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include encryption in transit (TLS), encryption at rest where applicable, restricted access controls, audit logging, regular security review, and contractual obligations on sub-processors.

No method of transmission or storage is completely secure. We cannot guarantee absolute security. If you suspect a security issue, please email contact@highstyle.ai.

In the event of a data breach affecting your personal information, we will notify you and applicable regulators as required by law.

Depending on where you live, you may have the following rights over your personal information:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate or incomplete data.
• Deletion — ask us to delete your data, subject to limited exceptions (for example, where we must retain information to comply with law).
• Portability — receive your personal data in a machine-readable format.
• Restriction or objection — ask us to limit or stop certain processing, including processing based on legitimate interests.
• Withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Complain to a regulator — you have the right to lodge a complaint with a data-protection authority in your jurisdiction.

To exercise these rights, email contact@highstyle.ai. We may need to verify your identity before fulfilling certain requests. We will respond within the timelines required by applicable law.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), gives you specific rights and requires the disclosures below. This section also serves as our Notice at Collection.

Categories of personal information we collect

In the preceding twelve months we have collected the following statutory categories of personal information:

• Identifiers — name, email address, IP address, and account or device identifiers.
• Customer records and commercial information — subscription plan, credit balance, purchase history, and tokenized billing details (we do not store full card numbers).
• Internet or other network activity — usage data, feature interactions, and error and performance telemetry.
• Coarse geolocation — approximate location derived from your IP address (not precise geolocation).
• Audio, visual, and electronic information — the videos, audio, images, and transcripts you submit, and the clips and metadata generated from them.
• Sensitive personal information — your account log-in and password. We use this solely to authenticate you and secure your account; we do not use or disclose it to infer characteristics about you, so the right to limit its use does not functionally apply, though we honor requests.

We do not collect Social Security or government ID numbers, precise geolocation, financial account numbers, or genetic or biometric identifiers (see Face detection and biometric data).

Sources, purposes, and disclosures

• Sources: directly from you, automatically from your device as you use the Service, and from sign-in providers when you choose them.
• Business purposes: to provide and secure the Service, process your content, communicate with you, bill you, prevent abuse, and comply with law — as detailed under How we use information.
• Disclosures: we disclose personal information to the service providers listed under How we share information for those business purposes only. We retain each category for the periods described under Data retention.

We do not sell or share your personal information

Highstyle does not sell personal information and does not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA, and we have not done so in the preceding twelve months. We do not knowingly sell or share the personal information of consumers under 16. Because we do not sell or share, no separate opt-out is required; we nonetheless honor the Global Privacy Control (GPC) signal, and if this ever changes we will provide a “Do Not Sell or Share My Personal Information” mechanism and update this Policy first.

Your California rights

Subject to the CCPA, you have the right to:

• Know what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it.
• Request deletion of personal information.
• Correct inaccurate personal information.
• Opt out of the “Sale” or “Sharing” of personal information for cross-context behavioral advertising. Highstyle does not sell personal information. We do not engage in “Sharing” for cross-context behavioral advertising at this time. If this changes, we will update this Policy and provide a “Do Not Sell or Share My Personal Information” mechanism.
• Limit the use and disclosure of “sensitive personal information.”
• Non-discrimination — we will not deny service, charge a different price, or provide a different level of service for exercising any of these rights.

To exercise these rights, contact contact@highstyle.ai or use the contact methods listed below. You may designate an authorized agent to submit a request on your behalf, subject to our verification process.

California residents may also request information about our disclosure of personal information to third parties for direct marketing purposes under California’s “Shine the Light” law (Cal. Civ. Code § 1798.83).

Highstyle is a Canadian organization and complies with the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy laws (including Alberta’s PIPA, British Columbia’s PIPA, and Quebec’s Act respecting the protection of personal information in the private sector, as amended by Law 25).

Under PIPEDA and these provincial laws, you have the right to:

• Know whether we hold personal information about you and obtain access to it.
• Challenge the accuracy of that information and request corrections.
• Withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
• Request information about how we use, share, retain, and safeguard your personal information.
• Be informed about the existence, nature, and purpose of any automated decision-making that significantly affects you (Quebec residents).
• Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d’accès à l’information du Québec, or another applicable provincial regulator.

To exercise these rights, contact contact@highstyle.ai with subject line “Privacy — Highstyle.” We may ask you to verify your identity before fulfilling certain requests.

Where your data is processed. As described in the “International data transfers” section, some of our sub-processors are located outside Canada (notably in the United States and the European Union). By using the Service you understand that your personal information may be processed in those jurisdictions and may become subject to legal process under their laws — including U.S. law applicable to data held by U.S. service providers.

The Service is intended for adults and is not directed to children. You must be at least 18 to hold an account (see our Terms of Service), and we do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us personal information, contact contact@highstyle.ai and we will take steps to delete it.

Minors in uploaded content. You must not upload User Content featuring a minor unless you are their parent or guardian, or have the verifiable consent of the parent or guardian and any other rights the law requires. In the EEA and UK, the age of digital consent ranges from 13 to 16 depending on the member state. We do not knowingly process a child’s personal data contained in User Content without appropriate authorization, and we will remove such content on a validated request.

We may update this Privacy Policy from time to time. When we make material changes, we’ll provide notice by posting the updated Policy on this page with a new effective date, and where appropriate, by sending you an email or other notification. We encourage you to review this page periodically.

For privacy questions, requests, or complaints:

• Email: contact@highstyle.ai
• Mail: Highstyle, 149 Roselawn Avenue, Toronto, Ontario, Canada

Please use one of these subject-line prefixes so we can route your message promptly:

• “Privacy — Highstyle” for data-subject requests, GDPR/CCPA/PIPEDA inquiries, and policy questions.
• “Security — Highstyle” for vulnerability disclosures or suspected breaches.
• “Copyright Notice — Highstyle” for DMCA or Canadian Notice-and-Notice complaints.

EU/UK representative. If we are required to designate a representative in the EU or UK under Article 27 of the GDPR, their contact details will be published here. Until then, EU and UK residents can reach us directly at the address above using the subject line “Privacy — Highstyle.”