This policy explains what personal data SuperMoo collects, why we collect it, and the rights you have over it. Plain English where we can manage it — precise where the law needs us to be.
01 Who we are
SuperMoo Ltd ("we", "us", "our", or "the Provider") is a company registered in England and Wales. We provide a customizable video hosting and embedding platform (the "Services") that enables businesses to host, manage, and embed branded video players on their websites.
Registered address: 37 Chynowen Parc, Cubert, TR8 5HD, United Kingdom
Data protection contact: team@supermoo.co
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, SuperMoo Ltd is the data controller for personal data we collect from website visitors and account holders. Where we process personal data contained within Customer Content (videos uploaded by our customers), we act as a data processor on behalf of the customer (the data controller). The relationship between SuperMoo and its customers as data processor is governed by the data protection provisions in our Terms of Service and, where applicable, our Data Processing Agreement.
02 What data we collect
2.1 Account information
When you create a SuperMoo account, we collect your full name and/or business name, email address, password (stored in hashed form only), and optionally your company name and website URL.
2.2 Billing information
When you subscribe to a paid plan, our payment processor Stripe collects payment card details (processed and stored by Stripe — we do not store full card numbers), billing name and address, and transaction history and invoice records.
2.3 Customer Content
You may upload video files and associated metadata (titles, descriptions, thumbnails) to the Services. Any personal data contained within your Customer Content is processed by us as a data processor on your behalf. You are responsible for ensuring you have the appropriate legal basis and consents for any personal data included in your video content.
2.4 Usage and analytics data
We automatically collect certain information when you use the Services or visit our website, including your IP address (anonymized for analytics purposes), browser type and version, operating system, device type, pages visited, time spent on pages, referral source, video playback data (play, pause, completion rates, buffering events), and feature usage within the platform.
2.5 Communications data
When you contact us via email or through the Services, we collect the content of your communications, your email address, and any attachments you send.
03 How we use your data & lawful basis
We process your personal data for specific purposes, each supported by a lawful basis under the UK GDPR.
- Account creation and management: Necessary to provide the Services you signed up for. Lawful basis: Performance of a contract (Art. 6(1)(b)).
- Payment processing: Necessary to handle your subscription payments via Stripe. Lawful basis: Performance of a contract (Art. 6(1)(b)).
- Video hosting and delivery: Core service functionality — hosting, transcoding, and delivering your content. Lawful basis: Performance of a contract (Art. 6(1)(b)).
- Essential cookies (session, auth): Strictly necessary cookies for the secure operation of the Services. Lawful basis: Legitimate interest (Art. 6(1)(f)).
- Analytics: To understand how visitors interact with our website and Services. Only set after consent. Lawful basis: Consent (Art. 6(1)(a)).
- Marketing cookies and communications: Only with your explicit consent. Lawful basis: Consent (Art. 6(1)(a)).
- Service notifications and transactional emails: To keep you informed about your account, billing, and service changes. Lawful basis: Legitimate interest (Art. 6(1)(f)).
- Security monitoring and fraud prevention: To protect the Services and our users from unauthorized access and fraud. Lawful basis: Legitimate interest (Art. 6(1)(f)).
- Compliance with legal obligations: Where retention or disclosure is required by law. Lawful basis: Legal obligation (Art. 6(1)(c)).
- Anonymized usage data for service improvement: Aggregated, anonymized data to improve performance and features. Lawful basis: Legitimate interest (Art. 6(1)(f)).
04 Cookies & tracking technologies
We use cookies and similar technologies to operate the Services, analyze usage, and support marketing activities. A cookie is a small text file stored on your device when you visit our website.
4.1 Types of cookies we use
Essential
Session, authentication, CSRF protection, Stripe payment security, and your cookie consent preference. Last from session up to 1 year. Cannot be disabled.
Analytics
Google Analytics (_ga, _gid, _gat) to understand page views and traffic sources. _ga lasts 2 years, _gid 24 hours, _gat 1 minute. Set only after consent.
Marketing
Used to measure advertising effectiveness, retargeting, and attribution. Duration varies by provider, typically 30 days to 2 years.
4.2 Your cookie choices
When you first visit our website, we present a cookie consent banner (powered by iubenda) that allows you to accept or decline non-essential cookies. You can change your cookie preferences at any time by clicking "Cookie Settings" in the footer of our website. Essential cookies cannot be disabled as they are necessary for the basic functionality of the Services. Analytics and marketing cookies are only activated after you provide your consent. You can also control cookies through your browser settings, though blocking essential cookies may break some features.
05 Who we share your data with
We do not sell your personal data. We share your data only with the third-party service providers ("sub-processors") necessary to operate the Services.
Mux, Inc.
Video hosting, transcoding, streaming, and playback analytics. Processes Customer video files, playback metadata, and viewer IP addresses.
Stripe, Inc.
Payment processing and billing. Processes Customer name, email, billing address, and tokenized payment card details.
Google LLC
Website analytics and usage tracking. Processes anonymized IP addresses, device information, browsing behavior, and page views.
Vercel, Inc.
Application hosting, CDN, and edge delivery. Processes request data, IP addresses, and application data in transit.
We may also share personal data in limited circumstances: where required by law, regulation, legal process, or governmental request; to enforce our Terms of Service or protect the rights, property, or safety of SuperMoo, our users, or others; in connection with a merger, acquisition, or sale of assets; or where you have given us explicit permission to share your data with a specific third party.
06 International data transfers
SuperMoo Ltd is based in the United Kingdom. However, our sub-processors (Mux, Stripe, Google, and Vercel) are based in the United States, which means your personal data may be transferred to and processed in a country outside the United Kingdom and the European Economic Area.
Where we transfer personal data outside the UK/EEA, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (UK IDTA) or the EU-approved Standard Contractual Clauses (SCCs) with the UK Addendum as applicable, the EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the EU-U.S. DPF where the sub-processor is a certified participant, and supplementary technical and organizational measures such as encryption in transit and at rest. You may request a copy of the relevant safeguards by contacting us at team@supermoo.co.
07 How long we keep your data
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
- Account data — retained for the duration of your active account. Upon termination, deleted within 60 days, subject to legal retention obligations.
- Customer Content (videos) — retained while your account is active. After termination, a 30-day Data Export Period applies; all content is then permanently deleted within 30 days.
- Billing and transaction records — retained for 7 years after the end of the financial year, as required by UK tax law (HMRC).
- Analytics data — aggregated, anonymized data may be retained indefinitely; individual-level data for a maximum of 26 months.
- Communications — support emails retained for 3 years after the last interaction, unless a longer period is legally required.
- Cookie data — retained for the durations specified in Section 4.1 above.
08 Your rights
Under the UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions.
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request that we correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion, subject to certain legal exceptions (such as tax law).
- Right to restrict processing — request that we restrict processing in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to object — object to processing based on legitimate interest, and to direct marketing at any time.
- Right to withdraw consent — withdraw consent at any time, without affecting prior lawful processing.
- Right not to be subject to automated decision-making — we do not make decisions based solely on automated processing with legal or similarly significant effects.
To exercise any of these rights, contact us at team@supermoo.co. We will respond within one month. In complex cases, we may extend this by two months and will inform you within the first month. If you are not satisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, by telephone at 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
09 Data security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2 or higher) and at rest, secure password hashing, access controls limiting data access to authorized personnel on a need-to-know basis, regular security monitoring and vulnerability assessments, and incident response procedures including notification of affected users within 72 hours of a confirmed breach affecting personal data.
While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
10 Children's privacy
The Services are intended for use by businesses and individuals aged 18 and over, as set out in our Terms of Service. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at team@supermoo.co.
11 Marketing communications
We may send you marketing communications about our products, features, and updates if you have opted in to receive them. You can unsubscribe from marketing emails at any time by clicking the "Unsubscribe" link in any marketing email or by contacting us at team@supermoo.co. We will continue to send transactional and service-related communications (such as billing notifications, security alerts, and Terms of Service updates) regardless of your marketing preferences, as these are necessary for the operation of your account.
12 Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email and/or by posting a prominent notice on our website at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised policy.
13 Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please get in touch.
Email: team@supermoo.co
Postal address: SuperMoo Ltd, 37 Chynowen Parc, Cubert, TR8 5HD, United Kingdom