legal · 01
Privacy notice
Last updated: 2026-05-18. Version 1.0.
1. Who runs DemoScreen
DemoScreen is operated by Omelas, an independent software studio. Postal address available on written request to hello@demoscreen.co. No Data Protection Officer is appointed — DemoScreen's scale and the categories of data we process don't meet the GDPR Art. 37 threshold. All privacy correspondence routes to the address above.
2. What we collect and why
| Category | Purpose | Basis | Retention |
|---|---|---|---|
| Account (email, sign-in events) | Authenticate, scope your data | Contract (Art. 6(1)(b)) | Account lifetime + 30d grace |
| Projects (screenshots, outline, config) | Render and store your work | Contract | Until you delete the project / account |
| Render outputs (MP4 + SRT) | Deliver generated video | Contract | Account lifetime; deletable per render |
| Render history metadata | Show past jobs, enforce quota | Contract + legitimate interest | Account lifetime |
| Billing (name, address, card-tail) | Process Pro payments | Contract + legal obligation (tax) | 10 years (EU tax law) |
| LLM prompts (outline → scenes) | Generate scenes.jsx from your outline | Contract | Not stored by us after render; held by DeepSeek per their policy |
| Idempotency keys | Safe retry of POSTs | Legitimate interest | 24h then auto-purged |
We do not collect special-category data (race, religion, health, etc.) and we do not profile you for automated decision-making. We do not train models on your data.
3. Where your data lives
Application data (Postgres, render output, project assets) is hosted on a Contabo VPS in Düsseldorf, Germany. Cloudflare R2 buckets are pinned to the EU jurisdiction. We do not train models on your data and we do not sell, rent, or share it for advertising.
Sub-processors outside the EU:
- Firebase Authentication (Google LLC, US) — stores your email + sign-in credentials. Transfer under the EU Standard Contractual Clauses.
- Stripe (Stripe Payments Europe, IE + Stripe Inc., US) — processes Pro subscriptions. Transfer under EU SCCs.
- DeepSeek (China) — large-language model that rewrites your outline into a scenes plan for the renderer. Transfer under EU SCCs; no special-category data is sent and we never include your raw screenshots in the prompt.
Full list: /legal/subprocessors.
4. Cookies and browser storage
DemoScreen sets zero non-essential cookies and uses no analytics or advertising tracking. We do use strictly-necessary browser storage to make the app work:
- IndexedDB — Firebase auth session, project draft cache for fast reloads.
- localStorage — theme preference, dismissed notices.
- Stripe checkout cookies — set by Stripe on the checkout page only, required to process your payment.
No consent is required for strictly-necessary storage under the EU ePrivacy Directive. If we ever add analytics, we'll switch to opt-in consent with category toggles and update this notice in advance.
5. Your rights
Under GDPR you can, at any time:
- Access a copy of the data we hold about you — /account/data.
- Rectify incorrect data — edit it in the studio or your account page.
- Erase your account and everything tied to it — /account → "delete account". Hard purge runs 30 days later; you can cancel during that window.
- Restrict or object to processing based on legitimate interest — email us.
- Port your data to another service — download a JSON bundle from /account/data.
- Withdraw consent for marketing email — toggle off at /account#email; takes effect immediately.
- Complain to your local supervisory authority. If you're in the EU, that's typically your national Data Protection Authority — for Germany this is the regional DPA in Düsseldorf (LDI NRW); a directory of all EU authorities is on the EDPB website.
We respond to rights requests within 30 days at no charge, unless requests are clearly excessive.
6. Email
Transactional mail (render-ready notifications, billing receipts, sign-in links) is tied to using the service and can't be opted out of while your account is active.
Product updates are off by default. You only receive them if you tick the consent box at sign-up. Toggle off any time at /account#email; we sync the change to our email provider on the same request. Every marketing email also carries a one-click unsubscribe link.
7. Security
TLS everywhere with HSTS. Postgres + R2 encrypted at rest by the host. API keys stored as sha256 hashes. Stripe webhooks verified by signature. Soft-delete grace window of 30 days before hard purge so accidental deletes are recoverable. We keep audit logs of sensitive operations.
In the event of a personal-data breach likely to result in risk to your rights, we notify the relevant supervisory authority within 72 hours and you directly without undue delay.
8. Children
DemoScreen is a developer / marketing tool for adults. We do not knowingly process data of anyone under 16. If you believe we have, write to hello@demoscreen.co and we'll delete it.
9. Changes
We'll bump the version + date at the top whenever this notice changes. Material changes get an email to active accounts.
10. Contact
Privacy questions, rights requests, breach reports: hello@demoscreen.co.