Privacy Policy
Last updated: March 5, 2026
At MotionFlow AI, we place the highest importance on protecting your personal data. This policy details how we collect, process, and protect your information in compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Data controller
The data controller for personal data collected on the motionflow.ai website is:
- Entity
- MAKDEV (MotionFlow AI)
- Contact email
- hello@motionflow-ai.co
- Data Protection Officer (DPO)
- hello@motionflow-ai.co
2. Data collected
We collect different categories of data as part of providing our service:
Identification data
Name, surname, email address — collected through our authentication partner Clerk during your registration.
Payment data
Transactions are processed by Stripe. We never store your credit card numbers. Only transaction identifiers and your subscription status are retained.
Usage data
Projects created, animations generated, brand guides, style and voice preferences — necessary for service operation.
Technical data
IP address, browser type, operating system, pages visited, error logs — collected automatically to ensure security and improve the service.
Cookies
Clerk session cookie (authentication), user preferences (onboarding, theme). See the Cookies section below for details.
3. Purposes
Your data is processed for the following purposes:
- Service provision: account creation, project management, animation generation, content export.
- Billing: subscription management, payment processing, invoice delivery.
- Service improvement: usage analysis, anonymized statistics, performance optimization.
- Transactional communication: registration confirmations, payment notifications, security alerts.
- Security: fraud detection, abuse prevention, access logging.
4. Legal bases (Art. 6 GDPR)
Each data processing activity relies on a specific legal basis:
| Legal basis | Related processing |
|---|---|
| Contract performance | Service provision, account management, animation generation, export |
| Consent | Analytical cookies (if applicable), optional marketing communications |
| Legitimate interest | Service improvement, usage statistics, fraud detection, security |
| Legal obligation | Invoice retention, response to legal requests, tax obligations |
5. Retention period
We retain your data only for the duration necessary for the purposes for which it was collected:
| Data category | Retention period |
|---|---|
| Account data | Duration of contractual relationship + 3 years |
| Billing data | 10 years (legal accounting obligation) |
| Usage data | 2 years after last activity |
| Technical logs | 12 months |
| Generated animations | Duration of account (deleted upon closure) |
| Account deletion | All personal data, generated images and videos are deleted within 30 days |
Upon expiration of these periods, your data is deleted or irreversibly anonymized.
6. User rights
GDPR rights (European Economic Area)
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of your personal data.
- Right of rectification: correct inaccurate or incomplete data.
- Right to erasure: request the deletion of your data (within legal limits).
- Right to portability (Art. 20 GDPR): receive your data in a structured, commonly used, and machine-readable format (JSON). This includes your projects, scripts, brand guides, generation history, and account settings. You may request a full data export from your account settings or by contacting our DPO.
- Right to object: object to the processing of your data on legitimate grounds.
- Right to restriction: request temporary suspension of processing.
CCPA rights (California residents)
Under the California Consumer Privacy Act, you have the right to know what data we collect and the right to opt out of the sale of your data. We wish to clarify that we do not sell any personal data to third parties, whether for advertising or commercial purposes.
To exercise your rights, contact us at hello@motionflow-ai.co. We will respond within 30 days (GDPR) or 45 days (CCPA).
7. Transfers outside the EU
Some of your data may be transferred to countries outside the European Economic Area (EEA), particularly the United States, where our technical sub-processors are located.
These transfers are governed by one or more of the following legal mechanisms, depending on the sub-processor:
- EU-US Data Privacy Framework (DPF): Our US-based partners certified under the DPF (Clerk, Stripe, Google, Vercel, Sentry) benefit from the European Commission's adequacy decision of July 10, 2023.
- Standard Contractual Clauses (SCCs): All sub-processors located outside the EEA have executed or incorporated the European Commission's Standard Contractual Clauses (June 2021 version) into their service agreements.
- Adequacy decisions: Transfers to Israel (LTX / Lightricks) benefit from the European Commission's adequacy decision. Transfers within the EU (Pollinations — Germany) do not require additional safeguards.
These mechanisms collectively ensure an adequate level of protection for your personal data in accordance with Chapter V of the GDPR (Articles 44-49). For detailed information about the safeguards applicable to a specific sub-processor, please refer to the Sub-processors table above.
8. Sub-processors
We use the following sub-processors to provide our service. Each is bound by a data processing agreement (DPA) or equivalent contractual safeguards:
| Sub-processor | Function | Personal data processed | Location | Transfer mechanism | DPA status | Privacy policy |
|---|---|---|---|---|---|---|
| Supabase (PostgreSQL, Storage) | Database, file storage | User profiles, projects, generated content metadata, uploaded files | USA (West US — North California) | SCCs | DPA signed | Privacy policy |
| Clerk | Authentication, user management | Authentication data, sessions, email address, profile information | USA | DPF + SCCs | DPA signed | Privacy policy |
| Stripe | Payment processing | Payment details (processed by Stripe, not stored by us), email, billing address | USA / EU (Stripe Payments Europe, Limited — Ireland) | DPF + SCCs (auto-applicable via Stripe Services Agreement) | DPA auto-applicable via SSA | Privacy policy |
| Google (Gemini AI) | Image generation, text analysis, script processing | Prompts, uploaded images, script content | USA | DPF + SCCs (via Google Cloud Terms of Service) | DPA via Google Cloud TOS | Privacy policy |
| fal.ai (FLUX) | Image generation | Prompts, reference images | USA | SCCs | DPA to be verified | Privacy policy |
| Runway | Video generation | Prompts, reference images | USA | SCCs | DPA signed | Privacy policy |
| Kling (Kuaishou) | Video generation (fallback) | Prompts, reference images | USA / China | SCCs | DPA signed | Privacy policy |
| LTX (Lightricks) | Video generation (fallback) | Prompts, reference images | Israel | SCCs (EU adequacy decision for Israel) | DPA signed | Privacy policy |
| Vercel | Hosting, CDN, edge computing | Server logs, IP addresses, request metadata | Global (Edge network) | DPF + SCCs (via DPA addendum) | DPA via DPA addendum | Privacy policy |
| Sentry | Error monitoring, performance tracking | Error traces, breadcrumbs, performance data (no PII collected by design) | USA | DPF + SCCs | DPA via Terms of Service | Privacy policy |
| UptimeRobot | Uptime monitoring | Endpoint availability data (no personal data processed) | USA | N/A — no personal data processed | No DPA required (no PII) | Privacy policy |
| Pollinations | Image generation (fallback) | Prompts | Germany / EU | GDPR native (EU-based) | GDPR native | Privacy policy |
This list is kept up to date. Any addition or change of sub-processor will be reflected on this page. You may subscribe to updates by contacting our DPO at hello@motionflow-ai.co.
9. Cookies
Our website uses a limited number of cookies, strictly necessary for service operation:
| Type | Cookie | Purpose |
|---|---|---|
| Essential | Clerk session | Authentication and user session maintenance |
| Functional | Onboarding preferences | Remember if the user has completed onboarding |
| Analytics | Analytics (if applicable) | Anonymized usage statistics (subject to consent) |
Essential and functional cookies do not require consent as they are strictly necessary for service operation. Analytical cookies, if deployed, will be subject to your prior consent.
10. Security
We implement appropriate technical and organizational measures to protect your data:
- TLS encryption: all communications are encrypted in transit (HTTPS).
- Restricted access: data access limited to authorized personnel following the principle of least privilege.
- Strong authentication: secure authentication via Clerk with multi-factor support.
- Logging: audit logs of access and modifications for traceability.
11. DPO Contact
For any question regarding the protection of your data or to exercise your rights, you may contact our Data Protection Officer:
Supervisory authority — CNIL
If you believe that the processing of your data constitutes a violation of your rights, you may file a complaint with the French Data Protection Authority (CNIL): www.cnil.fr