LEGAL · PRIVACY

Privacy Policy

Last updated: May 15, 2026

This Privacy Policy explains how YouGenOne ("we", "us", "our"), operated by Stanislav Sorokoletov, an Individual Entrepreneur registered in Georgia, collects, uses, and protects your personal data. We are committed to compliance with applicable privacy laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA, and the Personal Data Protection Law of Georgia.

Quick summary: We collect only what we need to deliver the Service: your email, license key, and how you use the Service. We do not sell your data. We do not allow our AI providers to use your prompts or outputs to train their models. You can request deletion of your data at any time by emailing support@yougenone.io.

1. Who We Are (Data Controller)

The data controller is Stanislav Sorokoletov, operating as YouGenOne, an Individual Entrepreneur registered in Georgia. For all data protection inquiries, contact support@yougenone.io.

2. What Data We Collect

2.1 Account Data

Email address (required for license delivery)
License key (issued by us)
Hardware identifier (HWID) — a non-reversible hash used to bind desktop licenses to a device
Plan, credit balance, and credit usage history

2.2 Payment Data

For card payments, we use a Merchant of Record (currently Lemon Squeezy and/or Paddle) who acts as the seller of record. The Merchant of Record may collect from you, directly:

Billing name and address (required for tax invoicing)
Tax identification information where applicable
Card details and authentication data (we do not have access to this)

What we receive from the Merchant of Record is limited to:

Transaction ID, amount, currency, and timestamp
Country of purchase (for tax and fraud-prevention purposes)
Promo code used (if any)

For cryptocurrency payments processed through Heleket, we receive the transaction ID, amount, and timestamp. We do not store full credit card numbers, CVVs, or crypto wallet private keys.

2.3 Usage Data

Topics and prompts you submit for video generation
Selected style, voice, and configuration parameters
Generated video metadata (duration, language, scene count)
Timestamps of API calls

You are responsible for the content of your prompts. You must not include personal data of third parties in your prompts unless you have a lawful basis to do so. We treat prompts as user content; we do not actively monitor them except for safety and abuse prevention.

2.4 Biometric Inputs (special category data)

Some features of the Service allow you to upload images of real persons (face uploads), and our API accepts voice samples. Where these inputs depict identifiable individuals, the resulting processing involves biometric data within the meaning of Article 9 of the GDPR. See Section 6 for the legal basis, retention, and your obligations.

2.5 Technical Data

IP address (used for rate limiting, security, and fraud prevention)
Browser user agent
Session cookies (necessary for the Service to function)

3. How We Use Your Data

To deliver the Service — generate videos, manage credits, send license keys
To process payments — coordinate with the payment provider, handle refunds
To prevent fraud and abuse — detect chargebacks, prevent multi-account abuse, enforce rate limits
To support you — respond to your requests at support@yougenone.io
To comply with legal obligations — tax records, accounting, court orders
To improve the Service — aggregate analytics, never tied to individual users

3.1 Transactional emails — an essential part of the Service

License keys are delivered to you exclusively by email — without sending the message we cannot complete delivery of the Service. Accordingly, by creating an account or making a purchase, you instruct us to send you the following transactional messages, which are necessary for the performance of our contract with you (Art. 6(1)(b) GDPR; and Para. 5 of Art. 6 of Federal Law No. 152-FZ of the Russian Federation, where applicable):

delivery of your license key and receipt after a successful purchase;
important service notices (e.g. plan expiration, failed renewal, account security alerts);
responses to support requests you initiate.

Transactional emails are not marketing communications and do not require separate consent — they are part of contract performance. You cannot opt out of strictly transactional emails while you have an active license or unused credits: without them we cannot deliver your key or essential service notices. If we introduce marketing communications in the future (product news, updates, promotions), such emails will be sent only on the basis of separate, voluntary consent and can be unsubscribed from at any time with a single click.

You are responsible for providing a valid email address that you control. We have no obligation to redeliver license keys to incorrect, inaccessible, or third-party email addresses. If a message does not arrive within a reasonable time, please check your spam folder and contact support@yougenone.io — we will retry delivery or provide the key by an alternative channel.

We do not engage in solely automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR). Our anti-fraud systems may flag accounts for review, but enforcement decisions are made or confirmed by a human reviewer.

4. Legal Basis for Processing (GDPR Articles 6 and 9)

Contract performance (Art. 6(1)(b)) — to provide the Service you signed up for, including account management and credit accounting
Legitimate interest (Art. 6(1)(f)) — to prevent fraud, secure the Service, and improve quality. You may object to this processing under Section 9
Legal obligation (Art. 6(1)(c)) — to comply with tax and accounting laws of Georgia
Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — for processing of biometric inputs (Section 6) and for any optional features that require it. You may withdraw consent at any time

5. Data Sharing & Third-Party Processors

We share your data with the following categories of processors and partners:

AI providers — text, image, voice, and video generation services. The prompt, configuration, or biometric input you submit is transmitted to these providers to generate the requested output. Providers we currently use include OpenAI, Anthropic, and Google. We use these providers under their commercial API terms, which prohibit the use of customer prompts or outputs for model training; we have not opted in to any training-on-data programs. Where technically possible, we minimize and pseudonymize data sent to providers (we do not transmit your email address, license key, or payment data to AI providers).
Merchant of Record (card payments) — Lemon Squeezy and/or Paddle act as the seller of record for card transactions. They collect billing and tax-identification data directly from you and process it under their own privacy policies. We receive only transactional metadata (see Section 2.2). Each Merchant of Record is independently responsible for tax collection, invoicing, and PCI-DSS compliance.
Cryptocurrency payment provider — Heleket processes cryptocurrency transactions under their own privacy policy.
Hosting and infrastructure — our servers are operated by commercial hosting providers located in the European Union and the United States.
Transactional email delivery — to deliver license keys, receipts, and important account notifications (such as plan expiration, recovery, or security alerts) we use Resend Inc. (United States, resend.com) as our sub-processor (data processor). When we send a transactional email, we transmit to Resend only the following data: your email address, the message subject and body, and delivery metadata (delivery status, bounce information). Resend acts strictly on our instructions under a Data Processing Agreement (DPA) and does not use the data for its own purposes, share it with third parties, or use it for marketing or model training. Transfers to the United States are performed under the mechanisms described in Section 7 of this Policy (EU–US Data Privacy Framework / Standard Contractual Clauses).

We maintain a current list of sub-processors and material data processors. You may request the latest version by emailing support@yougenone.io.

We do not sell, rent, or trade your personal data to advertisers or marketers.

6. Biometric Data

6.1 Scope

When you upload an image depicting a real person, or submit a voice sample of a real person via our API, we process biometric data — that is, special category data under Article 9 GDPR. We process such data only to deliver the generation feature you have requested, and only for the duration of that generation.

6.2 Legal basis

Our legal basis for processing biometric inputs is your explicit consent (Art. 9(2)(a) GDPR), provided through an affirmative action at the point of upload. By uploading an image of, or voice sample depicting, an identifiable person, you represent and warrant that:

You are the depicted person; or
You have obtained the explicit, verifiable consent of the depicted person to use their image or voice for AI generation through the Service

You must not upload images or voice samples of public figures, celebrities, minors, or any third party for whom you do not hold such consent. Use of biometric inputs to create non-consensual intimate imagery, deceptive depictions of real persons, or other content prohibited by our Acceptable Use Policy is strictly forbidden.

6.3 Retention

Uploaded images and voice samples are processed transiently and deleted from our systems immediately after the requested generation completes. We do not retain biometric inputs in persistent storage, and we do not extract or store separate biometric templates.

6.4 Withdrawal

You may withdraw your consent at any time by ceasing to upload such inputs and by emailing support@yougenone.io. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

7. International Data Transfers

Some of our service providers are located outside the European Union, notably in the United States. When we transfer your data internationally, we rely on the following mechanisms:

EU–US Data Privacy Framework — for transfers to recipients certified under the DPF
Standard Contractual Clauses (SCCs) approved by the European Commission — for other transfers, supplemented by additional safeguards where required

Georgia (the country where we are established) is not currently the subject of a European Commission adequacy decision but maintains its own Personal Data Protection Law that broadly aligns with GDPR principles.

8. Data Retention

Account data — retained while your account is active and for 12 months after the last activity, unless you request deletion
Credit usage history — retained for the lifetime of the account for billing transparency
Payment records — retained for 6 years to comply with tax laws
IP and access logs — retained for 90 days for security purposes
Generated videos and prompts — temporarily cached during processing and deleted within 30 days unless you save them
Biometric inputs — deleted immediately after generation completes (see Section 6)

Data sent to our AI providers is subject to their own retention policies. The providers we use under commercial API terms typically retain inputs for up to 30 days for abuse-monitoring purposes and then delete them. Data held by our Merchant of Record (billing and tax data) is retained under their own retention policies, which are typically driven by tax law (6–10 years).

9. Your Rights Under GDPR

If you are in the European Economic Area, you have the following rights:

Right of access — request a copy of the data we hold about you
Right of rectification — correct inaccurate data
Right of erasure ("right to be forgotten")
Right to data portability — receive your data in a machine-readable format
Right to restriction of processing
Right to object — particularly for legitimate-interest processing
Right to withdraw consent — at any time, where processing is based on consent, including biometric processing
Right not to be subject to automated decision-making with legal or similarly significant effects (Art. 22)
Right to lodge a complaint — with your local data protection authority

To exercise any of these rights with respect to data we hold, email support@yougenone.io. We respond within 30 days, extendable by up to 60 days for complex requests, in which case we will inform you of the extension.

For requests concerning billing data held by our Merchant of Record, we will assist you in directing the request to the appropriate provider, where their own privacy policy and process applies.

10. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

Right to know — what personal information we collect, the sources, the purposes, and the categories of recipients
Right to access — request a copy of your personal information
Right to correct — request correction of inaccurate personal information
Right to delete — request deletion of your personal information
Right to opt-out of sale or sharing — we do not sell your information and we do not share it for cross-context behavioral advertising
Right to limit use of sensitive personal information — to that which is necessary to provide the Service
Right to non-discrimination — we will not discriminate against you for exercising your rights
Authorized agents — you may designate an authorized agent to submit requests on your behalf, subject to verification

To exercise these rights, email support@yougenone.io with the subject line "CCPA Request". We will verify your identity (typically by confirming the email address associated with your account) and respond within 45 days, extendable by an additional 45 days where reasonably necessary.

11. Cookies

We use only essential cookies necessary for the Service to function (session, authentication, language preference). We do not use advertising cookies or tracking pixels. Where we use minimal infrastructure tooling for security, error monitoring, or service reliability, it is configured to avoid profiling individual users. Note that our Merchant of Record's checkout pages may set their own cookies under their privacy policy.

12. Children's Privacy

The Service is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18, and we do not direct the Service to children. If we discover that we have collected data from a person under 18 (or under 13, for purposes of the U.S. Children's Online Privacy Protection Act), we will delete it promptly. If you believe a minor has provided us with personal data, please contact support@yougenone.io.

13. Security

We implement industry-standard security measures including TLS encryption in transit, server-side hashing for sensitive identifiers, and access controls for our systems. However, no method of transmission or storage is 100% secure. In case of a personal data breach, we will notify the relevant supervisory authority within 72 hours, as required by Article 33 GDPR, and will notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR.

14. Changes to This Policy

We may update this Privacy Policy. The "Last updated" date at the top reflects the most recent changes. Material changes will be communicated by email or via a notice on the Service at least 30 days before they take effect, consistent with our Terms of Service.

15. Contact

For privacy-related questions, requests, or complaints, contact us at support@yougenone.io.