Privacy Policy
Last updated: April 2026
This policy explains what personal data Mevro ("the Service", "we", "us") collects when you use it, how we handle that data, what rights you have under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and equivalent laws, and how to contact us about any of it.
Mevro is operated from Poland. The data controller is the operator of mevro.app. Contact: hello@mevro.app.
1. What we collect and why
Account data
Email address, display name, avatar URL, sign-in provider (email magic link or Google OAuth), and a Supabase-issued user ID. Collected when you sign up; used to authenticate you and attribute your work to you. Legal basis: performance of contract (art. 6(1)(b) GDPR).
Content you create
Projects, scripts, messages, character and background selections, caption style selections, music choices, and the rendered MP4s produced from them. Stored so you can return to and re-render your work. Legal basis: performance of contract.
Content you upload
Character cutout images (PNG/JPG/WebP, max 5 MB) and music tracks (MP3/WAV/M4A, max 20 MB). Stored in Supabase Storage under paths scoped to your user ID. These files are private to your account by default and are not listed to other users. Only the videos you explicitly choose to share via a share link (or the opt-in public gallery) become externally accessible, and even then only through short-lived signed URLs. Legal basis: performance of contract.
AI generation inputs and outputs
When you use AI Script generation, the prompt you submit is sent to Anthropic (Claude) and the returned script is saved to your project. When you generate audio, the script text and voice selection are sent to Fish Audio, and the returned MP3 is cached in Supabase Storage and tied to your project. We do not train AI models on your scripts, voices, or videos, and our AI sub-processors are configured to not retain inputs for training where a no-retention option is available. Legal basis: performance of contract.
Billing data
When you buy credits or subscribe, Stripe collects and processes your payment method; we receive your Stripe customer ID and subscription status but never your card number, CVC, or bank details. Currency: PLN (test mode during beta). Legal basis: performance of contract and compliance with tax obligations (art. 6(1)(c) GDPR).
Error and performance logs
Crash reports, stack traces, and performance traces via Sentry. May include request paths and user IDs to correlate errors to accounts. Retained 30 days. Legal basis: legitimate interests — keeping the Service reliable.
2. How long we keep it
Account data and project metadata are kept while your account is active. When you delete your account from Settings, we delete your users row, cancel any active subscription, wipe your uploaded characters and music, delete your rendered videos, and remove cached audio files. Stripe retains billing records as required by Polish tax law (Ordynacja podatkowa, at least 5 years). Sentry logs auto-expire after 30 days. Rendered MP4s are capped at 10 per project; older renders are automatically pruned from storage on each new render. The renders kept under the 10-render cap are also removed when you delete the project or the account.
3. Who we share with (sub-processors)
We use a small set of sub-processors to run the Service. Each holds only the data needed for its function:
- Supabase (Europe, Ireland) — authentication, database, file storage, realtime updates.
- Vercel (multi-region) — web application hosting and edge/Fluid Compute.
- Amazon Web Services (us-east-1) — Remotion Lambda rendering and S3 storage for rendered video. Data is transferred to the United States under the EU–US Data Privacy Framework.
- Anthropic (United States) — Claude language model for AI Script generation.
- Fish Audio (United States) — text-to-speech generation of voice audio.
- Stripe (Ireland/United States) — payment processing and subscription management.
- Trigger.dev (United States) — background job execution (audio generation, render orchestration).
- Resend (United States) — transactional email (render-complete notifications).
- Sentry (United States / Germany) — error tracking.
We do not sell your personal data. We do not share it with advertisers. We only disclose data to authorities when legally compelled by a valid, jurisdictionally proper request.
4. International transfers
Some sub-processors (AWS, Anthropic, Fish Audio, Stripe, Trigger.dev, Resend, Sentry) process data outside the European Economic Area, primarily in the United States. Transfers are covered by Standard Contractual Clauses (2021/914/EU) and, for US recipients certified under it, by the EU–US Data Privacy Framework.
5. Your rights under GDPR
You can exercise the following rights at any time, free of charge:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data. Most fields are editable directly in Settings.
- Erasure — delete your account and associated data from the Danger Zone in Settings or by emailing us. Some billing records are retained for tax compliance as noted above.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — request your data in a machine-readable format.
- Objection — object to processing based on legitimate interests (analytics, error logging).
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Lodge a complaint — with a supervisory authority. In Poland: Urząd Ochrony Danych Osobowych (uodo.gov.pl).
Email hello@mevro.app to exercise any right that cannot be completed in-app. We respond within one month.
6. Cookies
We use only strictly necessary cookies: the Supabase auth session cookie and a CSRF protection token. We do not use advertising cookies, third-party tracking pixels, or fingerprinting. Because these cookies are essential to running the Service, no consent banner is shown; if we ever introduce non-essential cookies we will ask for consent first.
7. Children
Mevro is not intended for children under 13 (or under 16 in jurisdictions that set a higher age of digital consent under GDPR art. 8). If you learn that a child under this age has an account, email us and we will delete it.
8. Uploads and rendered videos — how we secure them
Character images and music tracks you upload are stored in Supabase Storage with row-level-security policies that restrict access to your user ID. Rendered videos live in a private Amazon S3 bucket; we serve them only through short-lived signed URLs generated on demand (typically valid for one to twenty-four hours). If you delete your project or revoke a share link, new signed URLs cannot be minted, existing ones expire within the hours that follow, and the underlying files are removed on our deletion sweep.
9. Responsibility for uploaded content
You are responsible for ensuring you have the right to upload the images, audio, and other content you provide. If you upload material that infringes someone else's copyright, trademark, or personality rights, we will remove it on receipt of a valid notice. See the DMCA & Takedown Policy for the notice procedure.
10. Changes
We may update this policy as the Service evolves. We will note the new "Last updated" date above. Material changes — those that expand what we collect or who we share with — will be communicated by email or in-app at least 14 days before they take effect.
11. Contact
Questions or data requests: hello@mevro.app. Copyright/takedown notices: abuse@mevro.app.