
Privacy Policy

Introduction

Short Shorts AI ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our service at shortshorts.ai.

Data Controller

The data controller responsible for your personal information is:

Signal Group Limited

5 Essex Street, Vogeltown

New Plymouth 4310, New Zealand

Companies Office No: 1396666

NZBN: 9429035771678

Incorporated: 17 September 2003 · NZ Limited Company

For privacy enquiries contact privacy@shortshorts.ai.

Information We Collect

When you use Short Shorts AI, we collect:

  • Account Information: When you sign in with Google, we collect your name, email address, and Google profile information.
  • YouTube Channel Data: When you connect your YouTube account, we access and store your YouTube channel name, channel ID, channel thumbnail, subscriber count, view count, video count, channel description, custom URL, creation date, and banner URL. We use these solely to display your channel information in the dashboard and to upload short-form videos on your behalf.
  • YouTube Analytics Data: We access view counts, watch time, likes, comments, and shares via the YouTube Analytics API. This data is used only to display your channel performance within the Short Shorts AI dashboard.
  • OAuth Access Tokens: We store encrypted OAuth tokens (access token and refresh token) to authenticate API calls to YouTube on your behalf. These tokens are encrypted using AES-256-CBC before storage and are never transmitted to third parties.
  • X (Twitter) Account Information: If you connect your X account, we collect your X username and display name, and store encrypted OAuth tokens to post videos on your behalf.
  • Usage Data: We collect information about how you use our service, including videos processed and uploads scheduled, to improve our service.
  • API Call Logs: We log every YouTube upload API call (outcome, timestamp, and the YouTube video ID on successful uploads) in an internal audit log. This is used solely for quota reconciliation with Google and operational monitoring. These logs are retained for the life of your account.

How We Use Google User Data

Short Shorts AI's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we use Google user data only for the following purposes:

  • YouTube Uploads: We use your YouTube OAuth credentials exclusively to upload short-form video clips to your YouTube channel on your behalf, using the youtube.upload scope.
  • Channel Information: We use the youtube.readonly scope to read your channel name, ID, and thumbnail to display your account information in the dashboard.
  • Analytics Display: We use the yt-analytics.readonly scope to read your channel analytics (views, watch time, likes, comments, shares) and display them in your dashboard. This data is never stored long-term or shared.
  • Authentication: We use your Google account email address to identify your account. We do not use your Google data for advertising, market research, or any purpose unrelated to providing this service.

We do not use Google user data to serve advertisements, train AI models, sell to third parties, or for any purpose other than providing and improving the Short Shorts AI service.

For a full step-by-step explanation of how we access and process your YouTube videos, see our How We Use Your YouTube Data page.

Legal Basis for Processing (GDPR)

For users in the EEA, UK, or Switzerland, we process your personal data under the following legal bases:

Data / Purpose | Legal Basis | Details
Account creation, authentication, session management | Contract performance (Art. 6(1)(b)) | Necessary to provide the Service you signed up for
YouTube and X OAuth tokens, upload automation | Contract performance (Art. 6(1)(b)) | Necessary to upload content on your behalf
Transactional emails (receipts, alerts) | Contract performance (Art. 6(1)(b)) | Necessary to fulfil billing and account obligations
Lifecycle and summary emails | Legitimate interests (Art. 6(1)(f)) | Keeping you informed about your account; opt-out available at any time
API call audit logs, usage data | Legitimate interests (Art. 6(1)(f)) | Quota reconciliation, fraud prevention, service integrity
Security logging, fraud prevention | Legitimate interests (Art. 6(1)(f)) | Protecting the Service and other users

How We Use Your Information

  • To provide our video processing and automated distribution service
  • To upload short-form video clips to your connected YouTube channel and X account on your behalf
  • To authenticate your identity and manage your account session
  • To send you transactional emails about your account (credit purchases, balance alerts, auto-recharge notifications)
  • To send you optional lifecycle and summary emails (welcome, first Short ready, weekly summary, monthly report) — these can be disabled at any time from Settings or via the unsubscribe link in each email
  • To ensure the security and integrity of our service

Email Communications

We send two categories of email:

  • Transactional — purchase receipts, credit balance alerts, auto-recharge confirmations. These are sent in direct response to account activity and cannot be opted out of while your account is active.
  • Lifecycle & summary — welcome, first Short ready, weekly performance summary, monthly channel report. All default to enabled and can be disabled individually from Settings or via the one-click unsubscribe link in each email.

We log every email sent (recipient, subject, type, timestamp, success/fail) for operational purposes. These logs are retained for 90 days. We never share email addresses or send-history with third parties.

Cookies

We use only strictly necessary cookies: a session cookie (30-day httpOnly JWT) to keep you signed in, and two short-lived OAuth cookies used during login to prevent CSRF and secure the authorisation flow. We do not use advertising or analytics cookies. For full details see our Cookie Policy.

Data Storage and Security

We store your data using industry-standard security measures:

  • OAuth token encryption: All OAuth access tokens and refresh tokens are encrypted with AES-256-CBC before being stored in our database. The encryption keys are never stored alongside the encrypted data.
  • Database security: Your data is stored in Supabase (hosted on AWS in US West 2 - Oregon) with access restricted to authorized service accounts only.
  • Session security: User sessions are managed via short-lived JWT tokens stored in httpOnly cookies, preventing client-side access.
  • No video data in cloud storage: Video files are processed on secure worker machines and are not stored in cloud databases or object storage. During upload to YouTube, video files are transiently routed through a US-based upload proxy (Fly.io) for geographic performance — they pass through in transit only and are not stored by Fly.io.

Data Sharing and Third Parties

We integrate with the following third-party services to provide our service:

  • Google/YouTube API: We transmit video files and metadata to YouTube on your behalf when you use our upload feature. Google's privacy policy applies to data handled by YouTube.
  • X (Twitter) API: We transmit video files and post text to X on your behalf. X's privacy policy applies to data handled by X.
  • Supabase: We use Supabase for encrypted data storage and management. Supabase's privacy policy applies.
  • Stripe: We use Stripe to process credit purchases. When you buy credits, your payment details are handled directly by Stripe — we never store card numbers. Stripe's privacy policy applies.
  • Google Gmail API: We use Gmail OAuth to send transactional and lifecycle emails from dave@shortshorts.ai. Email content is transmitted through Google's SMTP infrastructure. Google's privacy policy applies.
  • Fly.io (Upload Proxy): Video files are transiently routed through a Fly.io-hosted proxy in the United States during upload to YouTube. Video content is not stored by Fly.io. Fly.io's privacy policy applies to data in transit through their infrastructure.

We do not sell, rent, or share your personal data or Google user data with any third parties for marketing, advertising, or any other commercial purpose.

International transfers (GDPR): Your data is stored in the United States (Supabase on AWS us-west-2). Signal Group Limited is based in New Zealand, which is recognised by the European Commission as providing adequate protection for personal data under GDPR Article 45. Transfers to US-based sub-processors (Supabase, Stripe, Fly.io) are covered by Standard Contractual Clauses (SCCs) in those providers' data processing agreements, which you can request via privacy@shortshorts.ai.

Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your account and all associated personal data
  • Restriction — request that we restrict processing of your data in certain circumstances (e.g. while a dispute is resolved)
  • Portability — receive your personal data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds
  • Withdraw consent — where processing is based on consent (e.g. lifecycle emails), withdraw it at any time without affecting prior processing. Use the unsubscribe link in any email or go to Settings
  • Revoke platform access — disconnect YouTube at any time via Google Account Permissions or X via X account settings
  • Lodge a complaint — if you are in the EEA or UK, you have the right to lodge a complaint with your national data protection authority. In New Zealand, complaints may be directed to the Office of the Privacy Commissioner

To exercise any of these rights, contact us at privacy@shortshorts.ai. We will respond within 30 days. We may need to verify your identity before processing your request.

Data Retention

  • Account data: Retained for as long as your account is active.
  • OAuth tokens: Retained until you disconnect the platform or delete your account. When you disconnect, your OAuth credentials are permanently deleted from our systems. You can also independently revoke access at any time via Google Account Permissions.
  • Analytics data: YouTube analytics data is fetched live from the YouTube API on demand and is not stored long-term in our database.
  • Email send logs: Records of emails sent (recipient address, subject, type, timestamp) are retained for 90 days for operational and compliance purposes, then deleted.
  • Video processing data: Metadata about processed clips (titles, timestamps) is retained for your account history. Video files themselves are deleted from our worker machines after upload is complete.
  • Upon account deletion: All personal data, OAuth credentials, and account history are permanently deleted within 30 days of your request.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, describing the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address it.

To report a suspected security vulnerability or data breach, contact privacy@shortshorts.ai immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last Updated" date below. Your continued use of the service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: privacy@shortshorts.ai

Last Updated: April 3, 2026