Privacy

1. Who We Are

SuperMoo Ltd ("we", "us", "our", or "the Provider") is a company registered in England and Wales. We provide a customizable video hosting and embedding platform (the "Services") that enables businesses to host, manage, and embed branded video players on their websites.

Registered Address: 37 Chynowen Parc, Cubert, TR8 5HD, United Kingdom

‍Data Protection Contact: team@supermoo.co

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, SuperMoo Ltd is the data controller for personal data we collect from website visitors and account holders. Where we process personal data contained within Customer Content (videos uploaded by our customers), we act as a data processor on behalf of the customer (the data controller). The relationship between SuperMoo and its customers as data processor is governed by the data protection provisions in our Terms of Service and, where applicable, our Data Processing Agreement.

2. What Data We Collect

2.1 Account Information

When you create a SuperMoo account, we collect your full name and/or business name, email address, password (stored in hashed form only), and optionally your company name and website URL.

2.2 Billing Information

When you subscribe to a paid plan, our payment processor Stripe collects payment card details (processed and stored by Stripe — we do not store full card numbers), billing name and address, and transaction history and invoice records.

2.3 Customer Content

You may upload video files and associated metadata (titles, descriptions, thumbnails) to the Services. Any personal data contained within your Customer Content is processed by us as a data processor on your behalf. You are responsible for ensuring you have the appropriate legal basis and consents for any personal data included in your video content.

2.4 Usage and Analytics Data

We automatically collect certain information when you use the Services or visit our website, including your IP address (anonymized for analytics purposes), browser type and version, operating system, device type, pages visited, time spent on pages, referral source, video playback data (play, pause, completion rates, buffering events), and feature usage within the platform.

2.5 Communications Data

When you contact us via email or through the Services, we collect the content of your communications, your email address, and any attachments you send.

3. How We Use Your Data & Lawful Basis

We process your personal data for specific purposes, each supported by a lawful basis under the UK GDPR.

Account creation and management — We process your account data as necessary to provide you with the Services you have signed up for. Lawful basis: Performance of a contract (Art. 6(1)(b)).

Payment processing — We process your billing data as necessary to handle your subscription payments via Stripe. Lawful basis: Performance of a contract (Art. 6(1)(b)).

Video hosting and delivery — We process your Customer Content as part of our core service functionality, including hosting, transcoding, and delivering your video content. Lawful basis: Performance of a contract (Art. 6(1)(b)).

Essential cookies (session, auth) — We use strictly necessary cookies for the secure operation of the Services. Lawful basis: Legitimate interest (Art. 6(1)(f)).

Analytics — We use analytics tools to understand how visitors interact with our website and Services. We only set analytics cookies after you provide consent via our cookie banner. Lawful basis: Consent (Art. 6(1)(a)).

Marketing cookies and communications — We only use marketing cookies and send promotional emails with your explicit consent. Lawful basis: Consent (Art. 6(1)(a)).

Service notifications and transactional emails — We send communications necessary to keep you informed about your account, billing, and service changes. Lawful basis: Legitimate interest (Art. 6(1)(f)).

Security monitoring and fraud prevention — We monitor activity to protect the Services and our users from unauthorized access and fraud. Lawful basis: Legitimate interest (Art. 6(1)(f)).

Compliance with legal obligations — We retain data or disclose information where required by law. Lawful basis: Legal obligation (Art. 6(1)(c)).

Anonymized usage data for service improvement — We use aggregated and anonymized data to improve platform performance and features. Lawful basis: Legitimate interest (Art. 6(1)(f)).

4. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Services, analyze usage, and support marketing activities. A cookie is a small text file stored on your device when you visit our website.

4.1 Types of Cookies We Use

Essential (Strictly Necessary) cookies include session and authentication cookies that keep you logged in and maintain session state and CSRF protection, Stripe cookies used for secure payment processing and fraud prevention, and a cookie consent preferences cookie that remembers your cookie choices. Essential cookies last for the duration of your session or up to 30 days for persistent login, and up to 1 year for Stripe and consent cookies.

Analytics (Performance) cookies include Google Analytics cookies (_ga, _gid, _gat) that help us understand how visitors interact with our website, including page views and traffic sources. The _ga cookie lasts for 2 years, _gid for 24 hours, and _gat for 1 minute.

Marketing (Targeting) cookies are used to measure advertising effectiveness, retargeting, and attribution. Duration varies by provider, typically ranging from 30 days to 2 years.

4.2 Your Cookie Choices

When you first visit our website, we present a cookie consent banner (powered by iubenda) that allows you to accept or decline non-essential cookies. You can change your cookie preferences at any time by clicking "Cookie Settings" in the footer of our website.

Essential cookies cannot be disabled as they are necessary for the basic functionality of the Services. Analytics and marketing cookies are only activated after you provide your consent.

You can also control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, if you block essential cookies, some features of the Services may not function properly.

5. Who We Share Your Data With

We do not sell your personal data. We share your data only with the third-party service providers ("sub-processors") necessary to operate the Services.

Mux, Inc. provides video hosting, transcoding, streaming, and playback analytics. Mux is based in the United States and processes Customer video files, playback metadata, and viewer IP addresses.

Stripe, Inc. provides payment processing and billing. Stripe is based in the United States and processes Customer name, email, billing address, and payment card details (tokenized).

Google LLC (Google Analytics) provides website analytics and usage tracking. Google is based in the United States and processes anonymized IP addresses, device information, browsing behavior, and page views.

Vercel, Inc. provides application hosting, CDN, and edge delivery. Vercel is based in the United States with a global edge network and processes request data, IP addresses, and application data in transit.

We may also share personal data in the following limited circumstances: where required by law, regulation, legal process, or governmental request; to enforce our Terms of Service or protect the rights, property, or safety of SuperMoo, our users, or others; in connection with a merger, acquisition, or sale of all or a portion of our assets; or where you have given us explicit permission to share your data with a specific third party.

6. International Data Transfers

SuperMoo Ltd is based in the United Kingdom. However, our sub-processors (Mux, Stripe, Google, and Vercel) are based in the United States, which means your personal data may be transferred to and processed in a country outside the United Kingdom and the European Economic Area.

Where we transfer personal data outside the UK/EEA, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (UK IDTA) or the EU-approved Standard Contractual Clauses (SCCs) with the UK Addendum as applicable, the EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the EU-U.S. DPF where the sub-processor is a certified participant, and supplementary technical and organizational measures such as encryption in transit and at rest to ensure an adequate level of protection.

You may request a copy of the relevant safeguards by contacting us at team@supermoo.co.

7. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Account data is retained for the duration of your active account. Upon account termination, we delete your account data within 60 days, subject to any legal retention obligations.

Customer Content (videos) is retained for the duration of your active account. Upon termination, you have a 30-day Data Export Period to download your content (as described in our Terms of Service, Section 12.3). After the export period, all Customer Content is permanently deleted within 30 days.

Billing and transaction records are retained for 7 years after the end of the financial year in which the transaction occurred, as required by UK tax law (HMRC).

Analytics data that has been aggregated and anonymized may be retained indefinitely. Individual-level analytics data is retained for a maximum of 26 months, in line with our Google Analytics data retention settings.

Communications such as support emails and correspondence are retained for 3 years after the last interaction, unless a longer period is required for legal purposes.

Cookie data is retained for the durations specified in Section 4.1 above.

8. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions.

Right of access — You have the right to request a copy of the personal data we hold about you.

Right to rectification — You have the right to request that we correct any inaccurate or incomplete personal data.

Right to erasure ("right to be forgotten") — You have the right to request that we delete your personal data, subject to certain legal exceptions (such as compliance with tax law).

Right to restrict processing — You have the right to request that we restrict the processing of your personal data in certain circumstances.

Right to data portability — You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

Right to object — You have the right to object to the processing of your personal data where we rely on legitimate interest as the lawful basis. You also have the right to object to processing for direct marketing purposes at any time.

Right to withdraw consent — Where we process your data based on your consent (e.g., analytics cookies, marketing), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right not to be subject to automated decision-making — We do not currently make any decisions based solely on automated processing that produce legal or similarly significant effects on you.

To exercise any of these rights, please contact us at team@supermoo.co. We will respond to your request within one month. In complex cases, we may extend this period by an additional two months, in which case we will inform you of the extension and the reasons for it within the first month.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, by telephone at 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2 or higher) and at rest, secure password hashing, access controls limiting data access to authorized personnel on a need-to-know basis, regular security monitoring and vulnerability assessments, and incident response procedures including notification of affected users within 72 hours of a confirmed breach affecting personal data.

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

10. Children's Privacy

The Services are intended for use by businesses and individuals aged 18 and over, as set out in our Terms of Service. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at team@supermoo.co.

11. Marketing Communications

We may send you marketing communications about our products, features, and updates if you have opted in to receive them. You can unsubscribe from marketing emails at any time by clicking the "Unsubscribe" link in any marketing email or by contacting us at team@supermoo.co.

We will continue to send you transactional and service-related communications (such as billing notifications, security alerts, and Terms of Service updates) regardless of your marketing preferences, as these are necessary for the operation of your account.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email and/or by posting a prominent notice on our website at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: team@supermoo.co

‍Postal Address: SuperMoo Ltd, 37 Chynowen Parc, Cubert, TR8 5HD, United Kingdom