Security, privacy, and compliance — how we protect your data and your creators' accounts.
GDPR
Compliant
AES-256-CBC
A grade
99.9% UPTIME
updown.io
PCI DSS
Payments via Stripe
NZ REGISTERED
Co. No. 1396666
GOOGLE LIMITED USE
Policy compliant
All OAuth tokens are encrypted at rest using AES-256-CBC before being written to the database. Keys are never logged or transmitted to third parties.
Hosted on Vercel (edge) and Supabase (Postgres, AWS US West 2 — Oregon). Temporary file processing via Cloudflare R2. Automatic daily database backups.
We collect only what's needed to operate the service. We do not sell or share your data. YouTube and X credentials are used solely to upload content on your behalf.
Source video files are never stored long-term. Shorts source videos exist only in worker memory during clipping. Hub Upload episode files are deleted from Cloudflare R2 the moment the YouTube upload completes.
Every category of data we touch, where it lives, and exactly when it's deleted.
OAuth tokens
Supabase (US West 2)Until you disconnectAES-256-CBC encrypted at rest. Never logged or transmitted.
Source videos (Shorts)
Worker memory only2–5 minutes during clippingHeld in RAM, never written to disk or cloud storage. Deleted immediately after clips are generated.
Episode files (Hub Upload)
Cloudflare R2 (temporary)Until YouTube upload completesUploaded directly from your browser to R2. Permanently deleted once the YouTube upload finishes.
Generated Shorts clips
Worker filesystem (temporary)Until uploaded to YouTube/XDeleted from our servers immediately after upload to your channel. Not retained.
Analytics data
Not storedNever persistedFetched live from YouTube Analytics API on demand. Displayed in your dashboard only — never stored in our database.
Account data
Supabase (US West 2)While account is activeEmail address, YouTube channel ID, and channel name. Full deletion available on request.
Every component of Short Shorts AI runs on infrastructure trusted by the world's largest companies.
Vercel
Edge hosting & CDN
The dashboard and all API routes run on Vercel's global edge network. Automatic TLS, DDoS protection, and zero-downtime deployments.
Supabase
Database & storage
Postgres database hosted on AWS US West 2 (Oregon). Row-level security enforced on all tables. Automatic daily backups.
Cloudflare R2
Temporary file processing
Episode files uploaded for Hub processing land in R2 temporarily. Files are deleted as soon as the YouTube upload completes — R2 is never used as long-term storage.
Stripe
Payments
All billing is handled by Stripe. We never store card details. Stripe is PCI DSS Level 1 certified — the highest available standard.
Google Cloud
OAuth & YouTube API
Authentication and channel publishing use Google's official OAuth 2.0 and YouTube Data API v3. We comply with Google API Services User Data Policy Limited Use requirements.
Fly.io
Geo-IP upload proxy
Upload requests are optionally routed through Fly.io's global edge network to ensure correct geo-attribution on YouTube uploads. Fly.io is SOC 2 Type II certified.
Google for Startups
Cloud Program member
Accepted into the Google for Startups Cloud Program — Google's vetted startup support program providing infrastructure credits, mentorship access, and technical resources.
