Legal Document

Privacy Policy

We believe in transparency. This document explains exactly what data we collect, why we collect it, and how we protect it — in plain English alongside the legal language.

Effective Date: January 1, 2025 Last Updated: February 27, 2026 Applies Worldwide

1. Overview & Philosophy

Welcome to Reel Engine ("Company," "we," "our," or "us"). This Privacy Policy describes how Reel Engine collects, uses, discloses, and safeguards information when you visit our website at reelengine.online, purchase a license, or use any of our services (collectively, the "Services").

Reel Engine is fundamentally different from conventional SaaS platforms. Our product is a self-hosted software system that is deployed and operated on your own Virtual Private Server (VPS). This architectural choice means that the vast majority of your operational data — the videos you generate, the AI prompts you use, the social media accounts you connect — never touches our servers. It lives entirely on infrastructure you own and control.

Our data philosophy is simple: we collect only what we absolutely need to operate the licensing and support systems, and nothing more. We do not sell your data. We do not broker your data. We do not use it for advertising. This is not merely a legal obligation — it is a core product principle.

The short version: Your content, your videos, your AI prompts, your API keys, and your social media credentials stay on your server. We only hold what's necessary to manage your license, process your payment, and provide support.

By accessing or using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with its terms, please discontinue use of our Services immediately.

2. Who We Are

Reel Engine is a digital software product operating under the domain reelengine.online. We develop, sell, and support a self-hosted automated video generation system powered by artificial intelligence. Our product allows users to deploy a complete AI video production and social media publishing pipeline on their own private server infrastructure.

For all privacy-related inquiries, the data controller responsible for your personal information is Reel Engine, reachable at:

  • Email: support@reelengine.online
  • Website: https://reelengine.online
  • Customer Portal: https://portal.reelengine.online

We are committed to complying with applicable data protection laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other international privacy frameworks.

3. Data We Collect

We operate a minimal data collection model. Below is a comprehensive and exhaustive list of the personal and operational data we may collect. If it is not listed here, we do not collect it.

3.1 Account & Identity Information

  • Full Name: Provided at checkout, used to identify your account and personalize support communications.
  • Email Address: Your primary identifier for your account, used for license delivery, product updates, and support communications.
  • Account Password: Stored in cryptographically hashed form (never plain text) in our customer portal database. We cannot read your password.

3.2 Purchase & Billing Information

  • Transaction ID: A unique reference number generated by our payment processor (Flutterwave) for each purchase. We store this to reconcile your license.
  • Purchase Amount & Currency: The amount paid, the currency used, and the exchange rate applied at time of purchase, retained for tax, refund, and compliance purposes.
  • Purchase Date & Time: Timestamp of your transaction, used for license validity and refund eligibility calculations.
  • Product Purchased: Which license tier (Starter, Duo, Triple, or Team) you purchased.
  • Payment Method Type: General category only (e.g., "card" or "bank transfer"). We never store card numbers, CVV codes, or bank account numbers — all payment processing is handled exclusively by our payment processor.

3.3 License & Technical Data

  • License Key: A unique cryptographic token assigned to your purchase that activates and validates your software installation.
  • Installation ID: A unique identifier generated at the time of software deployment, used to enforce VPS slot limits per your license tier.
  • VPS IP Address: The public IP address of your Virtual Private Server, collected at the time of deployment solely for installation verification and license validation. This is never used for any other purpose.
  • Domain Name: The domain you register for your Reel Engine installation, used to verify deployment, configure SSL, and validate OAuth callbacks.
  • Activation Date & Time: When your software was successfully installed, used to calculate update and support eligibility windows.
  • Number of Active Installations: A count of how many of your licensed VPS slots are currently in use, to enforce license limits.
  • Software Version: Which version of Reel Engine is installed on your server, used to determine applicable updates and maintain compatibility.

3.4 Support & Communication Data

  • Support Ticket Contents: Messages you send to our support team, including any diagnostic information, error logs, or screenshots you voluntarily share.
  • Email Communication History: Correspondence between you and our team, retained for context and continuity of support.
  • Support Ticket Timestamps: When tickets were opened, responded to, and resolved.

3.5 Website & Analytics Data

  • IP Address (Website Visits): Your IP address when visiting reelengine.online, retained briefly for security and analytics purposes.
  • Browser & Device Information: Browser type, operating system, screen resolution, and device type, collected in aggregated form for website optimization.
  • Pages Visited & Time Spent: Which pages on our marketing website you visit and how long, used to improve user experience and content.
  • Referral Source: How you found our website (search engine, social media, referral link), used to understand our marketing effectiveness.
  • Cookie Data: See Section 8 for detailed information on cookies.

3.6 Social Media OAuth Data (Optional Add-On Only)

If you choose to use our optional Social Posting Service (see Section 18), we additionally collect and store the following data exclusively for the purpose of posting content on your behalf:

  • OAuth Access Tokens: Short-lived credentials issued by YouTube (Google), Meta (Facebook/Instagram), or TikTok that authorize our system to post content on your behalf. Stored AES-256-GCM encrypted.
  • OAuth Refresh Tokens: Long-lived tokens used to obtain new access tokens without requiring you to re-authorize frequently. Stored AES-256-GCM encrypted.
  • Platform Account Identifiers: Your YouTube Channel ID, Facebook User ID, Facebook Page ID, Instagram User ID, or TikTok User ID — used solely to direct posts to the correct destination.
  • Account Display Names: Your channel name, page name, or username on the connected platform — displayed in the application UI to confirm the correct account is connected.
  • Token Expiry Timestamps: The expiry time of access tokens, used to determine when a refresh is needed.
  • Posting Activity Logs: Records of token issuances, token refreshes, and post outcomes (success/failure) including timestamps. No video content or post content is logged.

This data is collected only if you explicitly connect a social media account. It is never used for advertising, profiling, analytics, or any purpose other than executing the specific posting actions you initiate. See Section 18 for full details.

4. Data We Do NOT Collect

This section is equally as important as what we do collect. Because Reel Engine runs on your server, the following categories of data remain exclusively on your infrastructure and are never transmitted to, stored on, or accessible by Reel Engine systems:

We have zero access to the following. This is not a policy choice that could be reversed — it is an architectural reality of how self-hosted software works.

  • AI-Generated Videos: All videos created by your Reel Engine installation exist solely on your VPS. We never see, store, or transmit them.
  • AI Prompts & Scripts: The topics, prompts, scripts, or keywords you input to generate video content. These are processed between your server and your chosen AI provider (e.g., OpenAI) and are never shared with us.
  • AI-Generated Images: Any images generated during video production remain on your server.
  • API Keys: Your OpenAI, ElevenLabs, Leonardo AI, Pexels, or any other API keys entered into your dashboard. These are stored encrypted on your VPS and never transmitted to our systems.
  • Social Media OAuth Tokens (Self-Hosted Mode): If you are NOT using our optional Social Posting Service (Section 18), any OAuth tokens you manage locally within your installation live exclusively on your VPS and never reach our servers. If you do use the Social Posting Service, see Section 3.6 and Section 18 for how tokens are securely stored on our portal — that is the only circumstance in which we hold them.
  • Social Media Account Credentials: Your social media usernames, passwords, or session data. We have no access to these whatsoever — OAuth connections use revocable tokens, never your password.
  • VPS Root Passwords or SSH Keys: While you provide these during the setup process so our installer can configure your server, they are used transiently for a single installation session and are never stored in our systems afterward.
  • Generated Captions or Subtitles: All subtitle files, caption text, and timing data created by your installation.
  • Voiceover Audio Files: Audio files generated by ElevenLabs or other TTS providers through your API credentials.
  • Stock Footage Downloads: Videos sourced from Pexels or other providers via your API key.
  • Uploaded Logos or Branding Assets: Any images or files you upload to customize your installation.
  • Scheduling Data: Your autopilot topics, schedules, and publishing queues configured within your installation's dashboard.
  • Performance Analytics: View counts, engagement metrics, or any social media performance data pulled into your dashboard.
  • Client Account Information: If you use Reel Engine to serve multiple clients or manage multiple social accounts, all of that client data remains on your server.

5. Decentralized Infrastructure Model

Reel Engine is architected as decentralized deployment software. Understanding this architecture is fundamental to understanding our privacy posture.

5.1 What "Self-Hosted" Means for Privacy

When you purchase and install Reel Engine, you are installing a complete, standalone application onto your own rented server (VPS). Once installed, the system operates as follows:

  • Your VPS communicates directly with AI providers (OpenAI, ElevenLabs, etc.) using your own API keys and billing accounts.
  • Your VPS communicates directly with social media platforms (YouTube, Facebook, Instagram) using your own authorized OAuth connections.
  • Your VPS stores all generated media files in its own local file system.
  • Your VPS runs its own database containing all your configuration, scheduling, and operational data.
  • Reel Engine servers are contacted only for license validation (a brief cryptographic check) and to deliver software updates.

5.2 Data Flow Architecture

The primary data flow is: Your Browser → Your VPS → AI Providers & Social Platforms. Reel Engine sits outside this operational loop for all content generation. The only communication our servers receive from your installation during normal operation is the periodic license validation ping (license key + installation ID — no content data).

If you use the optional Social Posting Service, there is one additional step: Your VPS → Reel Engine Portal (for a fresh access token) → Social Platform (for the actual video upload). In this flow, our portal supplies a decrypted OAuth token to your installation on request. The video file itself travels directly from your VPS to the social platform — it never passes through our servers.

5.3 Implications for Data Control

This architecture means you are the data controller for all operational content. You decide how your VPS is secured, what backups are taken, who has access to the server, and how long data is retained. Reel Engine is a data processor only in the narrow sense of managing your account and license information.

6. How We Use Your Data

The limited data we collect is used exclusively for the following purposes. We do not use your data for any purpose not described in this section without obtaining your explicit prior consent.

6.1 License Management

Your name, email, license key, VPS IP, domain, and installation data are used to issue, validate, track, and manage your software license. This is the core operational purpose of our data collection and cannot be separated from the provision of our service.

6.2 Payment Processing & Financial Records

Purchase and billing data is used to process your payment, confirm your transaction, calculate refund eligibility, and maintain the financial records required by applicable tax laws. Some billing records must be retained even after account deletion to comply with legal obligations.

6.3 Software Installation & Deployment

Your VPS IP address and SSH credentials (used transiently) enable our automated installer to configure your server. Your domain name is used to configure Nginx virtual hosts, provision SSL certificates, and set up OAuth redirect URIs. This data is used once at installation and then retained only in the limited form described in Section 3.3.

6.4 Software Updates

Your license status, installation ID, and software version are used to determine which updates you are eligible for and to deliver them. Updates are pushed over SSH when you request them through the portal.

6.5 Customer Support

Support ticket data and email communication history are used to provide you with technical assistance, troubleshoot issues, and maintain a complete record of your support interactions for continuity of service.

6.6 Security & Fraud Prevention

License and IP data is used to detect and prevent license abuse, unauthorized installations, key sharing, and other fraudulent use of our service.

6.7 Product Improvement

Aggregate, anonymized analytics data from our marketing website is used to understand how users discover and interact with our product, enabling us to improve our content, user experience, and onboarding flow. This data cannot be used to identify individual users.

6.8 Legal Compliance

We may use and retain your data to comply with applicable laws, regulations, legal processes, or governmental requests, including responding to lawful court orders or law enforcement inquiries.

6.9 What We Will Never Do With Your Data

  • Sell your personal information to any third party, ever.
  • Share your information with advertisers or data brokers.
  • Use your data to build advertising profiles about you.
  • Contact you for marketing purposes without your explicit opt-in.
  • Transfer your data to a third party for their own commercial purposes.

7. Third-Party Integrations & Disclosures

Reel Engine interacts with several third-party services in two distinct contexts: services we use to operate our business, and services your installation uses to generate and publish content. Each category has different privacy implications.

7.1 Services We Use to Operate Our Business

The following third parties receive some of your personal data as part of operating our service. We have selected these providers based on their privacy standards and, where applicable, entered into data processing agreements with them.

  • Flutterwave (Payment Processing): When you complete a purchase, your payment details are processed by Flutterwave. We receive a transaction confirmation and ID but never your full card details. Flutterwave's privacy policy governs how they handle your payment data.
  • Email Service Provider: We use a transactional email provider to send you license keys, receipts, and support responses. Your name and email address are shared with this provider for this purpose only.
  • Analytics (Marketing Website): Our marketing website uses analytics tools to understand visitor behavior. This data is collected in aggregate and may include IP address in anonymized form. You can opt out via your browser's cookie controls.

7.2 Services Your Installation Uses (Your Responsibility)

Your Reel Engine installation, operating on your VPS, may connect to the following third-party services using your own API credentials. Reel Engine is not a party to these connections and has no visibility into the data exchanged. You are solely responsible for reviewing and complying with the privacy policies and terms of service of these providers:

  • OpenAI: Used for AI script generation and potentially voice synthesis. Subject to OpenAI's Privacy Policy at openai.com/privacy.
  • ElevenLabs: Used for AI voice generation and text-to-speech. Subject to ElevenLabs' Privacy Policy at elevenlabs.io/privacy.
  • Pexels: Used to source royalty-free stock footage. Subject to Pexels' Privacy Policy at pexels.com/privacy-policy.
  • Leonardo AI / Other Image AI Providers: May be used for AI image generation. Subject to each provider's respective privacy policy.
  • YouTube (Google LLC): Your installation may post videos to YouTube using your authorized credentials. Subject to Google's Privacy Policy at policies.google.com/privacy.
  • Meta (Facebook & Instagram): Your installation may publish to Facebook Pages and Instagram accounts. Subject to Meta's Privacy Policy at facebook.com/privacy/policy.
  • VPS Providers (Contabo, Hetzner, DigitalOcean, etc.): Your server and all its data are subject to your VPS provider's privacy and data processing policies.
  • Domain Registrars: Your domain registration data is subject to your registrar's policies.

Reel Engine does not control and is not responsible for the privacy practices of any of the above third-party providers. We strongly encourage you to review their respective policies before use.

8. Cookies & Website Tracking

This section applies specifically to our marketing website at reelengine.online. The installed software running on your VPS has its own separate cookie and session management system that is entirely within your control.

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They serve various functions, from keeping you logged in to helping us understand how visitors use our site. We use cookies only as described below.

8.2 Types of Cookies We Use

  • Strictly Necessary Cookies: These are required for the website to function and cannot be disabled. They include session cookies that maintain your checkout state and security tokens. No personal data is stored in these cookies beyond what is necessary for the session.
  • Performance & Analytics Cookies: We may use analytics tools that set cookies to understand how visitors navigate our website, which pages are most visited, and how long visitors stay. This data is collected in aggregate and is used solely to improve our website. Where possible, IP addresses are anonymized.
  • Marketing & Retargeting Cookies: Our marketing website may use pixels from platforms such as Meta or Google to measure the effectiveness of advertising campaigns and, where you have consented, to serve you relevant advertising. These cookies are set by third parties and are subject to their privacy policies.
  • Preference Cookies: We may use cookies to remember your preferences, such as your selected display currency.

8.3 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or receive a warning before a cookie is stored. Please note that disabling certain cookies may affect the functionality of our website. Browser-specific instructions for managing cookies can be found at your browser's help center.

8.4 Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. Our website does not currently respond to DNT signals at a technical level, but we commit to the minimum data collection principles described throughout this policy regardless of DNT status.

9. Data Storage & Retention

9.1 Where Data is Stored

Your account and license data is stored on secured servers operated by our hosting provider. We implement industry-standard security measures on these servers, including encryption at rest and in transit, access controls, and regular security reviews. All data is stored in encrypted databases with access restricted to authorized personnel only.

9.2 Retention Periods

  • Active Account Data: Retained for as long as your license is active and your account exists. This includes your name, email, license information, and installation records.
  • Billing & Payment Records: Retained for a minimum of seven (7) years from the date of transaction to comply with applicable tax laws, accounting standards, and financial regulations. This data may be retained even after account deletion.
  • Support Communications: Retained for three (3) years from the date of last support interaction to provide continuity of service and reference for recurring issues.
  • Website Analytics: Aggregate, anonymized analytics data is retained for up to twenty-four (24) months. Raw event data is typically retained for a shorter period of ninety (90) days.
  • Security Logs: Access logs and security event records are retained for up to twelve (12) months for security monitoring and fraud investigation purposes.
  • Transient SSH Data: Any SSH credentials you provide during installation are used only during the installation session and are not stored in our systems afterward. They are held transiently in memory only for the duration of the automated installation process.

9.3 Data Deletion

When an account is deleted at your request, all personal data associated with that account (excluding legally required billing records) is permanently deleted from our primary systems within thirty (30) days. Backups containing your data may persist for up to sixty (60) additional days before being overwritten through our standard backup rotation cycle.

10. Security Measures

We implement multiple layers of security to protect the limited personal data we hold. However, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.

10.1 Measures We Implement

  • Encryption in Transit: All communications between your browser and our website, and between your VPS and our license server, are encrypted using TLS (Transport Layer Security) 1.2 or higher.
  • Encryption at Rest: Sensitive data in our databases, including password hashes and license keys, is encrypted at rest.
  • Password Hashing: Account passwords are processed using strong cryptographic hashing algorithms. We do not store plain-text passwords and cannot retrieve them.
  • Access Controls: Access to our internal systems and customer data is restricted to authorized personnel on a need-to-know basis. All access is logged and audited.
  • License Validation Security: License validation checks use cryptographic tokens rather than transmitting sensitive account data. The validation process is designed to confirm license validity without exposing your personal information.
  • OAuth Security Model: Where OAuth is used, we implement standard OAuth 2.0 flows with appropriate token scoping, ensuring that access is limited to what is functionally necessary.

10.2 Your Security Responsibilities

Because Reel Engine is self-hosted, the security of your VPS environment, including all the operational data described in Section 4, is your responsibility. We strongly recommend:

  • Keeping your VPS operating system and software packages up to date.
  • Using strong, unique passwords for your VPS root account and SSH keys.
  • Enabling a firewall and limiting SSH access to trusted IP addresses where possible.
  • Regularly backing up your VPS data to a secure, separate location.
  • Monitoring your server logs for unauthorized access attempts.
  • Rotating your API keys periodically and immediately if you suspect compromise.

10.3 Breach Notification

In the event of a data breach affecting your personal information that we hold, we will notify you by email within seventy-two (72) hours of becoming aware of the breach, to the extent required by applicable law. Our notification will describe the nature of the breach, the data affected, the likely consequences, and the measures we are taking to address it.

11. Your Rights

Regardless of your location, we are committed to honoring the following rights with respect to your personal data. To exercise any of these rights, contact us at support@reelengine.online with the subject line "Data Rights Request."

  • Right to Access: You have the right to request a copy of all personal data we hold about you. We will provide this in a machine-readable format (JSON or CSV) within thirty (30) days of your verified request.
  • Right to Rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it. You can also update your name and email directly through the customer portal.
  • Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal data. We will comply within thirty (30) days, except where retention is required by law (such as certain billing records) or where the data is necessary to enforce our legal rights.
  • Right to Restrict Processing: You may request that we limit how we use your data while a dispute about that data is being resolved.
  • Right to Data Portability: You may request a copy of the data you have provided to us in a structured, commonly used, machine-readable format for transfer to another service.
  • Right to Object: You have the right to object to our processing of your data for certain purposes, including direct marketing.
  • Right to Withdraw Consent: Where our processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

We will respond to all verified requests within thirty (30) days. In complex cases, we may extend this period by a further sixty (60) days but will notify you of the extension within the initial thirty-day period.

We will not discriminate against you for exercising any of these rights.

12. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is protected under the General Data Protection Regulation (GDPR) and equivalent national laws. This section supplements the general rights described in Section 11 with GDPR-specific obligations.

12.1 Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing your name, email, license data, and VPS information is necessary to perform our contract with you — specifically, to deliver and maintain your software license.
  • Legal Obligation (Article 6(1)(c)): Retaining billing records is necessary to comply with applicable tax and financial regulations.
  • Legitimate Interests (Article 6(1)(f)): We process security and fraud-prevention data based on our legitimate interest in protecting our business and other customers from abuse.
  • Consent (Article 6(1)(a)): Where we use analytics or marketing cookies, we will seek your explicit consent before setting these cookies, and you may withdraw consent at any time.

12.2 Data Protection Officer

Given the limited and minimal nature of personal data we process, we are not currently required to appoint a formal Data Protection Officer. However, all privacy inquiries are handled directly by our leadership team at support@reelengine.online and receive priority attention.

12.3 Your GDPR Rights

In addition to the rights described in Section 11, EEA/UK residents have the right to data portability under Article 20 GDPR and the right to not be subject to solely automated decision-making with legal effects under Article 22. We do not make any solely automated decisions about you that produce legal or similarly significant effects.

13. CCPA Compliance (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.

13.1 Categories of Personal Information Collected

In the twelve months preceding the effective date of this policy, we have collected the following CCPA categories of personal information: Identifiers (name, email, IP address), Commercial Information (purchase history), and Internet/Electronic Network Activity (website analytics). We have not collected any Sensitive Personal Information as defined by the CPRA.

13.2 Your CCPA Rights

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information. Therefore, there is no opt-out mechanism needed. If our practices change, we will update this policy and provide a "Do Not Sell My Personal Information" link.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: Not applicable as we do not collect Sensitive Personal Information.

To submit a CCPA request, contact us at support@reelengine.online with the subject "CCPA Request." We will verify your identity before processing your request and respond within forty-five (45) days, with a possible extension of an additional forty-five (45) days with notice.

14. International Data Transfers

Reel Engine serves customers globally, including from the European Economic Area, United Kingdom, Australia, Canada, Nigeria, Ghana, Kenya, South Africa, and many other jurisdictions. Our servers may be located in a country different from your country of residence.

When we transfer personal data from the EEA or UK to countries not deemed adequate by the European Commission, we implement appropriate safeguards as required by GDPR Chapter V, which may include Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

For customers outside the EEA, by providing your personal information to us, you consent to the transfer of that information to our servers and to the processing of that information as described in this Privacy Policy.

We commit to maintaining the same level of data protection regardless of where your data is physically stored or processed, consistent with the protections described in this policy.

15. Children's Privacy

Reel Engine is a professional software product intended exclusively for adults aged eighteen (18) and older. Our Services are not directed to, designed for, or intended to be used by individuals under the age of 18.

We do not knowingly collect personal information from anyone under 18 years of age. If we become aware that we have inadvertently collected personal information from someone under 18, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe that your minor child has provided personal information to Reel Engine without your consent, please contact us immediately at support@reelengine.online. We will investigate and take prompt corrective action.

16. Limitation of Liability

Reel Engine's liability for any privacy-related matters is limited to the maximum extent permitted by applicable law. Specifically, Reel Engine is not responsible for, and disclaims all liability related to:

  • VPS Security Breaches: Data breaches, unauthorized access, or security incidents occurring on your VPS environment, which is under your sole control and management.
  • Third-Party Provider Breaches: Security incidents, data breaches, or privacy violations occurring at OpenAI, ElevenLabs, Pexels, YouTube, Meta, or any other third-party service your installation connects to.
  • Social Media Account Compromise: Unauthorized access to or compromise of your YouTube, Facebook, Instagram, or other social media accounts, whether or not connected to Reel Engine.
  • Improper API Key Storage: Mishandling, exposure, or theft of API keys by any party, including through compromised VPS environments.
  • User Error: Data loss, exposure, or privacy violations resulting from user error, misconfiguration of the VPS, or failure to follow security best practices.
  • Force Majeure Events: Data incidents arising from circumstances beyond our reasonable control, including natural disasters, cyberattacks on critical internet infrastructure, or governmental actions.

This limitation of liability does not apply in cases of our gross negligence, willful misconduct, or fraud, nor does it limit any rights you may have under applicable consumer protection laws that cannot be excluded by contract.

17. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will provide notice through one or more of the following methods:

  • Sending an email notification to the address associated with your account.
  • Displaying a prominent notice on our website or customer portal.
  • Updating the "Last Updated" date at the top of this page.

For changes that materially reduce your privacy rights or significantly change how we use your data, we will provide at least thirty (30) days' advance notice before the changes take effect, giving you the opportunity to review and, if necessary, request deletion of your account before the new policy applies.

Your continued use of our Services after the effective date of any modification constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically to stay informed about how we protect your data.

18. Central Social Media Posting Service

Reel Engine offers an optional add-on service ("Social Posting Service") that enables customers to connect their social media accounts — including YouTube, Facebook, Instagram, and TikTok — through a central OAuth system operated by Reel Engine. This section describes how we handle data related to that service.

18.1 How We Act as Your Intermediary

When you connect a social media account through our platform, you authorize Reel Engine to act as an intermediary between your self-hosted Reel Engine installation and the social media platform. We do not post content on your behalf without your explicit instruction, triggered through the Reel Engine software you operate.

18.2 What We Collect

To provide the Social Posting Service, we collect and store:

  • OAuth Access Tokens — Short-lived credentials that authorize posting on your behalf for the connected platform.
  • OAuth Refresh Tokens — Long-lived credentials used to obtain new access tokens without requiring you to re-authenticate.
  • Platform Account Identifiers — Your channel ID, page ID, or account username on the connected platform, used to direct posts to the correct destination.
  • Activity Logs — Records of when tokens were issued or refreshed, and the outcome of any posting actions, for troubleshooting and audit purposes.

We do not collect your social media passwords, your followers' data, your private messages, or any content from your connected accounts beyond what is strictly necessary to authenticate and post.

18.3 How We Store and Protect Your Tokens

All OAuth tokens are encrypted at rest using AES-256-GCM encryption before being written to our database. The encryption key is stored separately from the database and is never logged or transmitted. Tokens are stored on our portal server at portal.reelengine.online in an isolated MySQL database. We do not share tokens with any third party. Tokens are only decrypted at the moment they are needed to serve a posting request from your licensed installation.

18.4 How Tokens Are Used

Tokens are used solely to:

  • Authenticate API requests on your behalf to the social platform you have connected.
  • Refresh expired access tokens using a refresh token so you do not need to re-authorize frequently.
  • Deliver posting authorization to your self-hosted Reel Engine installation when you initiate a post.

We do not use your tokens to read your social media content, access your private messages, scrape your followers, or perform any action beyond posting content that you direct through our software.

18.5 Your Consent

By clicking "Connect" on a social media platform within the Reel Engine application, you explicitly consent to Reel Engine storing and using the resulting OAuth tokens as described in this section. You may withdraw this consent at any time by clicking "Disconnect" within the application. Upon disconnection, all tokens associated with that platform are permanently and irreversibly deleted from our servers.

18.6 Platform Terms Compliance

By connecting a social media account, you agree to comply with the terms of service of the respective platform (e.g., YouTube Terms of Service, Meta Terms of Service, TikTok Terms of Service). You are responsible for ensuring that content posted through our service complies with each platform's community guidelines and content policies.

18.7 Data Retention

Tokens are retained for as long as your account is active and the connection is maintained. Upon disconnection, all OAuth access tokens and refresh tokens associated with that platform are deleted immediately and permanently — not within a grace period. Upon account termination or license expiry, all remaining token data is deleted within 7 days. Activity log entries (which contain no token data — only timestamps, platform names, and success/failure outcomes) are retained for up to 12 months for audit and support purposes, then permanently deleted.

18.8 Core Software Remains Self-Hosted

The Social Posting Service is an optional add-on. The core Reel Engine video generation software remains entirely self-hosted on your own server. We do not have access to your generated videos, your configuration data, your AI API keys, or any other data stored on your self-hosted installation.

18.9 YouTube / Google API Services

Reel Engine's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use the YouTube Data API solely to upload videos to your connected YouTube channel on your explicit instruction. We do not read, download, or store any YouTube content, comments, subscriptions, watch history, or other data from your channel.
  • Google user data received via OAuth (including your YouTube channel ID and channel name) is used only to identify the correct upload destination and is never shared with third parties, sold, used for advertising, or processed for purposes other than fulfilling the upload you initiate.
  • You may review and revoke Reel Engine's access to your Google account at any time by visiting Google's Security Settings. Revoking access there will also immediately invalidate any tokens we hold, and we will delete them from our system within 30 days of us being notified, or immediately upon your request via our app's Disconnect function.
  • We do not store your Google account password. Access is maintained solely through revocable OAuth tokens as described in Section 18.3.

OAuth Scopes Requested (YouTube): Reel Engine requests only the minimum scopes necessary to fulfil its stated purpose:

  • https://www.googleapis.com/auth/youtube.upload — Required to upload video files to your YouTube channel. This is the only write permission requested.
  • https://www.googleapis.com/auth/youtube.readonly — Used only to retrieve your channel name and channel ID for display in the application UI, confirming the correct account is connected. No content, playlists, comments, or subscriber data is accessed.

We request only these two scopes and will never request additional permissions without displaying a new authorization dialog and explaining the purpose. Your Google data is not used to target you with advertisements and is not transferred to any third party. Our use is limited to the uploading service you explicitly requested when connecting your account.

YouTube API Terms of Service: Your use of Reel Engine's YouTube integration is also subject to the YouTube API Services Terms of Service. By connecting your YouTube account, you agree to those terms in addition to these.

18.10 Meta (Facebook & Instagram) Data Handling & Deletion

What Meta data we collect: When you connect Facebook or Instagram, we receive and store your Facebook User ID, Facebook Page ID, Facebook Page access token, Instagram User ID, and Instagram username. We request only the minimum permissions (scopes) required for page posting and account identification: pages_manage_posts (to create posts on your Facebook Page), pages_show_list (to retrieve the list of Pages you manage so you can select the correct one), instagram_basic (to read your Instagram account ID and username for display), instagram_content_publish (to publish video content to your Instagram account), and public_profile (to display your Facebook display name in the connected account UI). We do not request permissions to read your friends list, private messages, timeline, likes, comments, follower lists, or any data not directly required for posting.

Strict limited use: Meta user data received through our app is used exclusively to post content that you initiate. It is never used for advertising targeting, user profiling, cross-platform tracking, data brokering, or any secondary purpose.

No third-party transfer: Meta user data (tokens, IDs, account names) is never shared with, sold to, or transferred to any third party. It is stored only on our portal server at portal.reelengine.online in an encrypted database, accessible only by our authorized systems.

Deletion — Via App: When you disconnect your Facebook or Instagram account via the in-app "Disconnect" button, all Meta OAuth tokens, Page access tokens, Page IDs, and Instagram account identifiers stored on our servers are permanently and irreversibly deleted immediately upon disconnection.

Deletion — Via Facebook Settings: If you remove Reel Engine from your Facebook App Settings, Meta will send a deauthorize callback to our servers. We will automatically delete all your stored Meta tokens upon receiving this callback.

Deletion — GDPR/Platform Request: We implement Meta's required Data Deletion Request callback. If you submit a data deletion request through Meta's platform, we will delete all associated data and provide you with a confirmation URL at portal.reelengine.online/data-deletion-status containing a confirmation code.

Manual Request: To request explicit deletion of any Meta-related data at any time, visit portal.reelengine.online/data-deletion or email support@reelengine.online with the subject "Meta Data Deletion Request". We will process and confirm deletion within 48 hours.

Meta Platform Policy compliance: Our use of Meta's APIs complies with the Meta Platform Policy and Meta Platform Terms. By connecting your Facebook or Instagram account, you agree to Meta's Terms of Service as they govern the data you post to those platforms.

18.11 TikTok Data Handling

Standalone implementation: TikTok is integrated as a fully independent, first-class platform — separate from Meta/Facebook. It uses its own registered TikTok developer application with a dedicated PKCE (Proof Key for Code Exchange) OAuth 2.0 authorization flow. TikTok credentials, tokens, and account identifiers are stored and managed entirely independently of any other platform's data.

What TikTok data we collect: When you connect a TikTok account, we receive and store only the OAuth access token, refresh token, TikTok User ID (open_id), and display name required to post content on your behalf. We request only the minimum scopes necessary for content publishing: user.info.basic, video.publish, and video.upload. We do not access your TikTok followers, following list, private videos, direct messages, analytics, or any data beyond what is strictly necessary to authenticate and publish content you initiate.

How posting works: When you post to TikTok, your self-hosted Reel Engine installation uploads the video file directly to TikTok's servers using the FILE_UPLOAD method. The video is never routed through Reel Engine's portal servers. The portal's sole role is to supply a valid access token for the upload request.

Strict limited use: TikTok user data received via their API is used solely to fulfil the specific posting action you trigger. It is never shared with third parties, used for profiling, used for advertising, transferred to data brokers, or processed for any purpose other than executing the post you initiate. We comply with the TikTok Developer Terms of Service.

Deletion: Disconnect your TikTok account via the in-app "Disconnect" button to immediately and permanently delete all stored TikTok tokens. You may also revoke Reel Engine's access from your TikTok Account Settings under "Manage account access." To submit a manual data deletion request, visit portal.reelengine.online/data-deletion.

Retention: TikTok tokens are retained only for as long as you maintain an active connection. Upon disconnection or account deletion, all TikTok data is immediately deleted. Activity log entries are deleted within 30 days of account deletion.

18.12 Instagram-Specific Data Handling

Platform ownership note: Instagram is a product owned and operated by Meta Platforms, Inc. However, Reel Engine integrates Instagram as a standalone connection — you can connect your Instagram account independently of your Facebook account. Instagram has its own OAuth authorization flow, separate credentials, and separate stored tokens. Connecting or disconnecting Instagram does not affect your Facebook connection, and vice versa.

Data collected: When you connect Instagram, we store your Instagram User ID, Instagram username, and the access token granted through the OAuth flow. For the Meta-linked path (Facebook + Instagram), we use the instagram_basic and instagram_content_publish scopes (alongside the Facebook Page scopes described in §18.10). For the Instagram Business Login path (standalone), we use instagram_business_basic and instagram_business_content_publish. In both cases, we store only the Instagram User ID and username for account display, and the access token for publishing. We do not access your Instagram DMs, follower lists, tagged photos, Stories insights, or any content you have posted or received.

Deletion: Deletion of Instagram data follows the same procedures as Section 18.10 above. You may also revoke Reel Engine's access directly through your Instagram app settings. Because Instagram is a Meta product, Meta's deauthorization and data deletion callbacks also apply.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, we want to hear from you. Privacy is something we take seriously, and we commit to responding to all inquiries promptly and substantively.

  • Email: support@reelengine.online (Subject: "Privacy Inquiry")
  • Customer Portal: https://portal.reelengine.online (Submit a support ticket)
  • Website: https://reelengine.online

We aim to respond to all privacy-related inquiries within five (5) business days. Complex requests, such as full data exports, may take up to thirty (30) days to fulfill, but we will acknowledge receipt within five days.

If you are not satisfied with our response to your privacy inquiry, you have the right to lodge a complaint with your applicable data protection authority.