Privacy Policy

1. Controller identity and contact

The controller of your personal data is DALI GAMES P.S.A., registered at Wrocław (54-207), at Na Ostatnim Groszu 3, Poland. Company registry: National Court Register (KRS) under number 0001011601, NIP (Tax Identification Number): 8943202508. No Data Protection Officer has been formally appointed. For privacy matters, contact contact@fabbler.ai.

2. Categories of personal data we process

Depending on how you use the Service, we process the following categories of personal data:

• Account and authentication data: Firebase UID, anonymous UID, email address, sign-in provider, Google profile data made available during sign-in, magic-link state, phone verification data where enabled, auth events, and account merge identifiers.
• Order, checkout, and payment data: order ID, user ID, selected creator, user inputs, price, currency, order status, Stripe payment identifiers, batch checkout identifiers, invoices or accounting records, consent snapshot, delivery status, result URLs, and download links.
• User-provided creative data: prompts, text instructions, product or campaign details, uploaded or referenced images, video, audio, voice, likeness, logos, files, metadata, approval-gate answers, workbench canvas data, and generated outputs.
• Creator and marketplace data: creator names, avatars, descriptions, tags, portfolio videos, voice sample metadata, marketplace configuration, search metadata, and derived tags.
• Technical, security, and diagnostic data: IP address, user agent, device and browser identifiers, request metadata, cookies, consent state, error traces, logs, rate-limit signals, and fraud or bot-abuse indicators.
• Usage, analytics, and marketing data: page views, feature interactions, checkout and purchase events, Google Analytics/Firebase Analytics identifiers, Meta Pixel and Conversions API identifiers such as _fbp and _fbc, and campaign attribution data, only where the relevant consent is required and granted.
• Search and discovery data: search queries, filters, tags, viewed creator listings, ranking/click signals, and indexed creator or portfolio metadata.
• Communications: support messages, emails, admin notes, notices, feedback, and other communications you send to us.

3. Purposes and legal bases (Art. 6 GDPR)

We process personal data for the following purposes, each under the legal basis set out below:

• Account creation, authentication, order management, creator marketplace access, delivery of purchased outputs, and customer support — Art. 6(1)(b) performance of a contract.
• AI video-generation and backend orchestration, including sending prompts, user inputs, uploaded media, workbench state, and order metadata to Fabbler/Viges and AI/media subprocessors to generate, render, retry, quality-check, and deliver outputs — Art. 6(1)(b) performance of a contract.
• Payment processing and invoicing — Art. 6(1)(b) performance of a contract and Art. 6(1)(c) legal obligation (Polish tax and accounting law).
• Analytics (Google Analytics 4, Firebase Analytics) — Art. 6(1)(a) consent. You may grant or withdraw this consent at any time via Cookie settings.
• Marketing and remarketing (Meta Pixel and Meta Conversions API) — Art. 6(1)(a) consent.
• Search, marketplace ranking, and service improvement — Art. 6(1)(b) where needed to provide marketplace functionality and Art. 6(1)(f) legitimate interest where we improve discovery quality, prevent irrelevant results, and maintain a usable marketplace.
• Support, dispute handling, refunds, incident investigation, and user communications — Art. 6(1)(b) performance of a contract and Art. 6(1)(f) legitimate interest in resolving issues and protecting users.
• Security, fraud prevention, and production reliability (Sentry error monitoring, reCAPTCHA) — Art. 6(1)(f) legitimate interest. Rationale: service availability and production reliability — without these tools we cannot detect outages, regressions, or abuse that would otherwise harm paying users.
• Compliance with legal obligations to which the controller is subject — Art. 6(1)(c).

4. Data required to use the Service

Some data is required to provide the Service or to comply with law; other data is optional.

• Account and authentication data is required to create or access an account, protect orders, and deliver purchased outputs.
• Order inputs, prompts, files, creator selections, and delivery metadata are required when you ask us to generate or deliver AI video content.
• Payment and invoice data is required to process purchases, refunds, fraud prevention, and tax/accounting obligations.
• Analytics and marketing cookies are optional. Refusing them does not block core Service use.
• If you do not provide required account, order, payment, or generation inputs, we may be unable to create an account, accept payment, generate content, provide support, or deliver outputs.

5. Sources of personal data

We usually collect data directly from you, but some data comes from service providers or is generated by our systems.

• Directly from you: account details, prompts, files, instructions, checkout information, support messages, and cookie choices.
• From authentication providers: Firebase, Google sign-in, email magic-link, and phone verification providers where enabled.
• From payment providers: Stripe checkout/payment status, payment intent identifiers, fraud signals, refund status, and limited billing metadata.
• From cookies and SDKs: analytics identifiers, consent state, Meta browser/click identifiers, reCAPTCHA signals, IP address, user agent, and device/browser data.
• Generated by the Service and backend systems: order status, workbench state, execution logs, generated media, result URLs, model outputs, quality checks, and error reports.
• From optional integrations where enabled: publishing, upload, social, or external account metadata needed to complete the integration you requested.

6. User content, uploaded media, and third-party data

Prompts, files, reference media, product materials, audio, voice, images, videos, logos, names, likenesses, and other content you provide may contain personal data about you or third parties.

• You are responsible for ensuring that you have a lawful basis, permission, or other right to upload or provide third-party personal data and materials.
• Do not upload special-category data, children's data, biometric-identification material, confidential documents, or other highly sensitive information unless the Service expressly permits it and you have a lawful basis.
• Generated outputs may reflect, transform, or infer information from your inputs. Review outputs before publishing or sharing them.

7. AI generation and backend processing

To provide ordered AI content, Rent AI Creator uses backend generation systems, including Fabbler/Viges, workflow queues, media rendering, storage, vector/search infrastructure, and AI providers. These systems may process prompts, user inputs, uploaded media, workbench state, metadata, generated media, logs, and delivery links.

• Generation and AI subprocessors: Fabbler/Viges, OpenAI, Anthropic, Google, ElevenLabs, Replicate, Fal, and BytePlus. We may engage additional AI and media-generation providers from time to time to perform or improve generation; the current list of such providers is available on request using the contact details.
• Media processing may include speech-to-text, text-to-speech, image generation, image-to-video generation, video rendering, thumbnail creation, transcoding, object/scene detection, embeddings, and quality checks.
• Operational logs may include order IDs, user IDs, workbench IDs, request metadata, provider errors, retry data, and snippets or metadata needed to debug failed generation.

8. Third-party recipients and processors

We share personal data only with recipients and processors needed to provide, secure, improve, bill for, or legally operate the Service. The exact list may depend on the features and integrations you use.

Roles: Google (GA4, Firebase, reCAPTCHA) and Sentry act as processors for analytics and reliability data; Stripe acts as an independent controller for payment data under its own privacy policy; our cloud infrastructure providers act as processors under data-processing agreements.

• Infrastructure and storage providers, including Firebase/Google Cloud, databases, queues, object storage, vector/search storage, and hosting providers: Google Cloud Platform services, including Firebase Authentication, Firebase/Google Cloud hosting and storage, Cloud Run, Cloud Tasks, Firestore, Realtime Database, BigQuery, and related logging/monitoring; AWS/S3/CDN; Algolia; Upstash Redis; Qdrant Cloud (qdrant.tech); database providers; backup and disaster-recovery providers.
• Search and marketplace providers, including Algolia, process creator metadata, search queries, filters, and discovery signals.
• AI and media-generation providers may process prompts, media, and output metadata to perform generation requested by you: Fabbler/Viges, OpenAI, Anthropic, Google, ElevenLabs, Replicate, Fal, and BytePlus. We may engage additional AI and media-generation providers from time to time to perform or improve generation; the current list of such providers is available on request using the contact details.
• Publishing or account integrations, where enabled and requested by you, may receive content and metadata needed for that integration: No publishing, upload, social, or external-account integrations are enabled by default. Where you choose to enable and request such an integration, the relevant integration provider may receive the content and metadata needed to complete it; we will identify the relevant provider at the point you enable the integration.

Additional processors: Google Workspace for email and privacy/support communications; other processors required for support, email delivery, logging, backups, security, or compliance may be used where necessary..

9. International transfers

Some recipients and subprocessors may be located outside the European Economic Area, including in jurisdictions used by cloud, payment, analytics, marketing, monitoring, AI, and media-generation providers. Additional transfer notes: Provider-specific safeguards and regions are available on request using the contact details..

Where personal data is transferred outside the EEA, we rely on an adequacy decision where available, the EU-US Data Privacy Framework where the recipient is certified, Standard Contractual Clauses approved by the European Commission, and supplementary measures required for the transfer. You may contact us to request information about the relevant safeguards.

10. Retention periods

We retain personal data only as long as necessary for the purposes set out above:

• Account data — until you request deletion of your account or until the account is otherwise terminated, unless longer retention is required by law, dispute handling, fraud prevention, security, or backup restoration.
• Order, checkout, delivery, refund, and contract records — until you request deletion or removal, unless longer retention is required to complete an order, handle refunds or disputes, comply with tax/accounting/legal obligations, prevent fraud or abuse, maintain security, or restore backups.
• Generated media, result URLs, thumbnails, previews, and downloadable outputs — until you request deletion or removal, unless longer retention is required to complete delivery, resolve disputes, comply with legal obligations, prevent fraud or abuse, maintain security, or restore backups.
• Uploaded source media, reference files, and user-provided generation materials — until you request deletion or removal, unless longer retention is required to generate or deliver ordered content, resolve disputes, comply with legal obligations, prevent fraud or abuse, maintain security, or restore backups.
• Workbench snapshots, pipeline state, execution reports, prompt traces, and model-output metadata — until you request deletion or removal, unless longer retention is required to complete generation, debug failed delivery, resolve disputes, comply with legal obligations, maintain security, or restore backups.
• Queue, retry, rate-limit, and transient worker payload data — until you request deletion or removal, unless longer retention is required to complete generation, retry failed jobs, investigate incidents, maintain security, or restore backups.
• Payment and invoicing data — for the period required by Polish tax and accounting law, typically 5 years from the end of the relevant tax year, unless a longer period is required for claims, disputes, fraud prevention, or legal obligations.
• Analytics data — until you withdraw consent or request deletion, unless longer retention is required for aggregated reporting, legal obligations, security, or backup restoration.
• Security, diagnostic, and error logs — until you request deletion or removal, unless longer retention is required to investigate incidents, maintain security, prevent fraud or abuse, comply with legal obligations, or restore backups.
• Marketing data — until you withdraw consent, object to marketing, or request deletion, unless longer retention is required to evidence consent, comply with legal obligations, prevent fraud or abuse, or restore backups.
• Backups and disaster-recovery copies — data is deleted from active systems on request and from backups according to backup rotation, unless legal retention applies.

11. Your rights as a data subject

Under the GDPR, you have the following rights:

• Right of access (Art. 15).
• Right to rectification (Art. 16).
• Right to erasure (Art. 17).
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20).
• Right to object (Art. 21).
• Right to withdraw consent at any time (Art. 7(3)) — use Cookie settings to withdraw analytics or marketing consent.

To exercise any of these rights, email contact@fabbler.ai. We respond within one month as required by Art. 12(3).

12. Right to lodge a complaint

You have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stanisława Moniuszki 1A, 00-014 Warszawa, https://uodo.gov.pl.

13. Cookies and similar technologies

We use cookies and similar technologies only as set out in your cookie preferences. Strictly necessary cookies are required for the Service to function; all other categories are opt-in. You can change your choice at any time.

• Necessary technologies: authentication/session state, consent storage, Stripe Checkout support, reCAPTCHA/bot-abuse protection, fraud prevention, and service security.
• Analytics technologies: Google Analytics 4 and Firebase Analytics, used only where consent is required and granted.
• Marketing technologies: Meta Pixel and Meta Conversions API identifiers and events, used only where consent is required and granted.
• Security and diagnostics: Sentry, logs, rate-limit signals, and error traces used to keep the Service reliable and secure.
• You can withdraw analytics or marketing consent at any time using Cookie settings. Withdrawal does not affect processing that occurred before withdrawal.

14. Children

The Service is not directed at persons under 16. We do not knowingly process data from children under 16 without verifiable parental consent (Art. 8 GDPR and its Polish implementation).

15. Automated decision-making and profiling

The Service uses automated systems to route jobs, generate creative outputs, retry failed steps, perform quality checks, support fraud/security controls, and rank or filter marketplace/search results. Marketplace ranking and sorting may be automated, including by BigQuery-based functions. These systems affect ordering and discovery of content or creator listings and are not used to make solely automated decisions that produce legal or similarly significant effects concerning you Unless we expressly tell you otherwise for a specific feature, we do not use solely automated decision-making that produces legal or similarly significant effects concerning you within the meaning of Art. 22 GDPR.

16. Changes to this policy

We may update this Privacy Policy to reflect changes in the Service or legal requirements. Material changes are announced by re-prompting for cookie consent and by updating the effective date below.

17. Effective date

This Privacy Policy is effective as of 1 June 2026. Last updated: 1 June 2026.