Privacy Policy.
Last updated May 21, 2026
1. What we collect
- Account info: email, display name, handle, optionally your Apple/Google sub when you use OAuth.
- Generated content: the projects, scenes, scripts, prompts, and films you make.
- Payments: Stripe customer + subscription IDs. Card details never touch Aflik — Stripe holds them.
- Verification: if you verify with World ID, we store the nullifier hash (not your iris, not your biometrics). The hash lets us recognize you as a unique verified human without identifying you.
- Activity: films you watch, watchtime per film, follows, likes, my-list, channel page, generation jobs. Used to power dashboards, discovery, and (in future) watchtime-based royalty distributions.
- Provider keys (BYOK): if you bring your own AI provider keys, they're encrypted at rest with AES-256-GCM using a key Aflik holds. Aflik staff don't have routine access to the decrypted plaintext.
- Logs: request URLs, timing, IP address (transient), country derived from IP. Standard server logs, kept ~30 days.
2. Why we collect it
To run the platform: sign you in, generate the content you ask for, charge correctly, distribute tips and (in future) watchtime royalties, deliver the right films to the right viewers, surface discovery (trending, continue-watching), notify you about events you opted into, prevent abuse.
3. Third parties
We share data with these processors as needed to run the platform:
- Stripe — payments, subscriptions, Connect Express payouts.
- Vercel — hosting, edge cache, AI Gateway (LLM + video models).
- Neon — Postgres database.
- Resend — transactional email delivery.
- fal.ai — secondary video generation provider.
- Worldcoin — World ID verification (we only see the nullifier).
- Apple, Google — OAuth sign-in (only if you use them).
We don't sell your data. We don't share it with advertisers or data brokers.
4. Your rights
- Access: we surface your data in the app (projects, billing, FLIK, etc.). Email help@aflik.app if you want an export.
- Delete: Settings → Account → Delete account. Your profile, drafts, uploaded media, and channel data are removed. Financial records (tip transactions, payouts, credit history) are retained for accounting and tax compliance — they're decoupled from your personal info (email, handle, display name) which is purged. Your handle becomes free for re-use. You can also request deletion by email.
- Correct: change anything in Settings, or email us.
- Opt out of marketing email: Settings → Notifications. Security and identity emails (sign-in links, welcome) can't be opted out of.
- GDPR / CCPA: if you're in the EEA or California, the rights above apply. We're our own data controller. For data-protection complaints, email us first; if unresolved, you can contact your local data protection authority.
5. Children
Aflik is not for users under 13 (or 16 in EEA). We don't knowingly collect data from minors. If you believe a child has signed up, email help@aflik.app and we'll delete the account.
6. Security
Sessions are HttpOnly cookies signed with HMAC. BYOK provider keys are encrypted at rest. Database connections use TLS. We don't store passwords for OAuth users; magic-link sign-in tokens expire in 15 minutes and are single-use. Despite this, no system is perfectly secure — if you suspect a compromise, contact us immediately.
7. Cookies
We use one essential cookie (aflik_session) to keep you signed in. No analytics or advertising trackers.
8. Changes
Material changes get a 30-day email heads-up to registered users. The date at the top of this page reflects the most recent revision.
9. Contact
For any privacy question: help@aflik.app.