WHAT'S THAT FILM?

Privacy Policy

Last updated: 17 March 2026 · Version 1.0

What We Collect

When you use WTF.ai we may collect:

  • Images you upload for identification
  • Feedback you provide (thumbs up or thumbs down) and any corrections you submit
  • Email address and name if you create an account (managed by Clerk)
  • Hashed IP addresses — we store a one-way cryptographic hash, not your raw IP address
  • Browser type, device type, and session identifiers
  • Dates and times of your interactions with the Service

How We Use Your Data

We use your data to:

  • Provide the film identification service
  • Operate, maintain, improve, and develop the Service and its features
  • Ensure the security and integrity of the Service
  • Prevent abuse, fraud, and policy violations
  • Send transactional emails if you have an account
  • Monitor platform health and diagnose errors
  • Comply with our legal obligations

Our legal bases for processing your data are: performance of a contract (providing the Service), legitimate interests (improving and securing the Service), and, where required, your consent (which you give when you upload content and agree to our Terms).

Your Uploaded Content

Images you upload are stored securely in Amazon S3. They are not publicly accessible — they are only available via time-limited private links. By uploading content and accepting our Terms of Service, you grant us a licence to use that content to operate and improve the Service as described in those Terms. We retain uploaded content for as long as necessary to fulfil those purposes.

Third-Party Services

We use trusted third-party providers to operate the Service. Each has its own privacy practices:

  • Clerk — user authentication and account management
  • Amazon Web Services — secure file storage and automated content safety screening
  • Google — AI-powered image analysis
  • Sentry — error monitoring (logs retained for 90 days)
  • Resend — transactional email delivery
  • Railway — application hosting
  • Supabase / PostgreSQL — database storage

We do not sell your personal data to any third party and we do not use your data for advertising purposes.

Data Retention

  • Uploaded content and associated records: retained indefinitely for service operation
  • User account data: retained until you request deletion
  • Hashed IP addresses: retained indefinitely (anonymised — cannot be reversed to identify you)
  • Error logs: 90 days (Sentry free tier limit)
  • Session data: up to 24 hours for anonymous sessions

Your Privacy Rights

Depending on where you live, you may have specific rights regarding your personal data. To exercise any of these rights, email legal@whatsthatfilm.ai. We will respond within 45 days (or sooner where required by law).

California Residents (CCPA / CPRA). Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

  • Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes for collection, and the categories of third parties with whom we share it
  • Delete — request deletion of your personal information, subject to certain exceptions. We will anonymise your account data within 45 days. Uploaded content that forms part of our service infrastructure will be retained but permanently disassociated from your identity.
  • Correct — request correction of inaccurate personal information we hold about you
  • Opt Out of Sale or Sharing — we do not sell or share your personal information with third parties for their advertising or marketing purposes
  • Non-Discrimination — we will not discriminate against you for exercising your CCPA rights

California residents may also submit a rights request through an authorised agent. We may require verification of your identity before processing your request.

EU / UK Residents (GDPR / UK GDPR). If you are located in the European Union or United Kingdom you additionally have the rights of rectification, restriction of processing, data portability, and the right to object to processing. You also have the right to lodge a complaint with your local supervisory authority (for the UK: the ICO at ico.org.uk).

All Users. Regardless of location, you may contact us at any time to request access to, correction of, or deletion of information associated with your account.

Cookies

We use only essential cookies necessary for the Service to function. We do not use advertising or tracking cookies. See our Cookie Policy for details.

Children (COPPA)

The Service is not directed at children under 13 years of age and we do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (“COPPA”). If you are under 13, do not use the Service or provide any information to us. If we learn that a user is under 13, we will promptly delete their account and any personal information associated with it, including name, email address, and account identifiers. If you believe a child under 13 has created an account on the Service, please contact us at legal@whatsthatfilm.ai.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users. The “Last updated” date at the top reflects the most recent revision.

Contact

All privacy enquiries, data subject requests, and legal notices should be sent to legal@whatsthatfilm.ai.