Privacy Policy

Last updated: June 2026

This policy explains what personal data Mevro ("the Service", "we", "us") collects when you use it, how we handle that data, what rights you have under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and equivalent laws, and how to contact us about any of it.

Mevro is operated from Poland. The data controller is the operator of mevro.app. Contact: hello@mevro.app.

1. What we collect and why

Account data

Email address, display name, avatar URL, sign-in provider (email magic link or Google OAuth), and a Supabase-issued user ID. Collected when you sign up; used to authenticate you and attribute your work to you. Legal basis: performance of contract (art. 6(1)(b) GDPR).

Date of birth and onboarding survey

Your date of birth, and the onboarding answers you provide — what you intend to use Mevro for and how you heard about us. Date of birth is used to confirm you meet our minimum age (see section 7). The onboarding answers are used to understand who uses the Service and improve the product. Legal basis: compliance with a legal obligation and our legitimate interest in age-appropriate access for the date of birth; legitimate interests — understanding and improving the Service — for the survey answers.

Content you create

Projects, scripts, messages, character and background selections, caption style selections, music choices, and the rendered MP4s produced from them. Stored so you can return to and re-render your work. Legal basis: performance of contract.

Content you upload

Character cutout images (PNG/JPG/WebP, max 5 MB) and music tracks (MP3/WAV/M4A, max 20 MB). Stored in Supabase Storage under paths scoped to your user ID. These files are private to your account by default and are not listed to other users. Only the videos you explicitly choose to share via a share link (or the opt-in public gallery) become externally accessible, and even then only through short-lived signed URLs. Legal basis: performance of contract.

AI generation inputs and outputs

When you use AI Script generation, the prompt you submit is sent to Anthropic (Claude) and the returned script is saved to your project. When you generate audio, the script text and voice selection are sent to Fish Audio, and the returned MP3 is cached in Supabase Storage and tied to your project. We do not train AI models on your scripts, voices, or videos, and our AI sub-processors are configured to not retain inputs for training where a no-retention option is available. Legal basis: performance of contract.

Connected YouTube accounts (Automations)

If you use Automations and connect a YouTube channel, you authorise Mevro through Google OAuth to: read your channel's basic details — id, name and thumbnail — via the youtube.readonly scope, so we can show you which channel is connected; and publish the videos you generate to that channel via the youtube.upload scope. We store the resulting OAuth refresh token encrypted at rest (AES-256-GCM) solely to perform the uploads you scheduled. You can disconnect a channel at any time in Settings — this revokes Mevro's access on Google's side and deletes the stored token — and you can also review or revoke access at myaccount.google.com/permissions. Legal basis: performance of contract.

Mevro's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements: we use this data only to provide the Automations upload feature you enabled, and we never sell it, use it for advertising, or transfer it to others except as needed to deliver that feature, for security, or where required by law. Mevro uses YouTube API Services; by connecting a channel you also agree to the YouTube Terms of Service and acknowledge the Google Privacy Policy.

Billing data

When you buy credits or subscribe, Stripe collects and processes your payment method; we receive your Stripe customer ID and subscription status but never your card number, CVC, or bank details. Currency: PLN (test mode during beta). Legal basis: performance of contract + compliance with tax obligations (art. 6(1)(c) GDPR).

Error and performance logs

Crash reports, stack traces, and performance traces via Sentry. May include request paths and user IDs to correlate errors to accounts. Retained 30 days. Legal basis: legitimate interests — keeping the Service reliable.

2. How long we keep it

Account data and project metadata are kept while your account is active. When you delete your account from Settings, we delete your users row, cancel any active subscription, wipe your uploaded characters and music, delete your rendered videos, and remove cached audio files. Stripe retains billing records as required by Polish tax law (Ordynacja podatkowa, at least 5 years). Sentry logs auto-expire after 30 days. Rendered MP4s are capped at 10 per project — older renders are automatically pruned from storage on each new render. The 10-render cap is also removed when you delete the project or the account.

3. Who we share with (sub-processors)

We use a small set of sub-processors to run the Service. Each holds only the data needed for its function:

  • Supabase (Europe, Ireland) — authentication, database, file storage, realtime updates.
  • Vercel (multi-region) — web application hosting and edge/Fluid Compute.
  • Amazon Web Services (us-east-1) — Remotion Lambda rendering and S3 storage for rendered video. Data is transferred to the United States under the EU–US Data Privacy Framework.
  • Anthropic (United States) — Claude language model for AI Script generation.
  • Fish Audio (United States) — text-to-speech generation of voice audio.
  • Modal (United States) — speech-to-text alignment (WhisperX) that syncs captions to the voice audio; receives the generated TTS audio and the script text.
  • fal.ai (United States) — image background removal; receives images you upload to the background-removal tool.
  • Stripe (Ireland/United States) — payment processing and subscription management.
  • Trigger.dev (United States) — background job execution (audio generation, render orchestration).
  • Resend (United States) — transactional email (render-complete notifications).
  • Sentry (United States / Germany) — error tracking.
  • Google / YouTube (United States) — YouTube channel connection and video upload, only if you connect a channel for the Automations feature.

We do not sell your personal data. We do not share it with advertisers. We only disclose data to authorities when legally compelled by a valid, jurisdictionally proper request.

4. International transfers

Some sub-processors (AWS, Anthropic, Fish Audio, Modal, fal.ai, Stripe, Trigger.dev, Resend, Sentry, Google) process data outside the European Economic Area, primarily in the United States. Transfers are covered by Standard Contractual Clauses (2021/914/EU) and, for US recipients certified under it, by the EU–US Data Privacy Framework.

5. Your rights under GDPR

You can exercise the following rights at any time, free of charge:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data. Most fields are editable directly in Settings.
  • Erasure — delete your account and associated data from the Danger Zone in Settings or by emailing us. Some billing records are retained for tax compliance as noted above.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — request your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests (analytics, error logging).
  • Withdraw consent — where we rely on consent, you can withdraw it at any time.
  • Lodge a complaint — with a supervisory authority. In Poland: Urząd Ochrony Danych Osobowych (uodo.gov.pl).

Email hello@mevro.app to exercise any right that cannot be completed in-app. We respond within one month.

6. Cookies

We use only strictly-necessary cookies: the Supabase auth session cookie and a CSRF protection token. We do not use advertising cookies, third-party tracking pixels, or fingerprinting. Because these cookies are essential to running the Service, no consent banner is shown; if we ever introduce non-essential cookies we will ask for consent first.

7. Children

Mevro is not intended for children under 13 (or under 16 in jurisdictions that set a higher age of digital consent under GDPR art. 8). If you learn that a child under this age has an account, email us and we will delete it.

8. Uploads and rendered videos — how we secure them

Character images and music tracks you upload are stored in Supabase Storage with row-level-security policies that restrict access to your user ID. Rendered videos live in a private Amazon S3 bucket; we serve them only through short-lived signed URLs generated on demand (typically valid for one to twenty-four hours). If you delete your project or revoke a share link, new signed URLs cannot be minted, existing ones expire within the hours that follow, and the underlying files are removed on our deletion sweep.

9. Responsibility for uploaded content

You are responsible for ensuring you have the right to upload the images, audio, and other content you provide. If you upload material that infringes someone else's copyright, trademark, or personality rights, we will remove it on receipt of a valid notice. See the DMCA & Takedown Policy for the notice procedure.

10. Changes

We may update this policy as the Service evolves. We will note the new "Last updated" date above. Material changes — those that expand what we collect or who we share with — will be communicated by email or in-app at least 14 days before they take effect.

11. Contact

Questions or data requests: hello@mevro.app. Copyright/takedown notices: abuse@mevro.app.