Vertical Studio
Home
$VERTAI
Blog
Legal

Privacy Policy

Privacy Policy PDF

Privacy Policy

Version: September 2025
Updated: 22 January 2026

Vertical Studio B.V.
Julianaplein 36, Willemstad, Curaçao

1. Introduction

This Privacy Policy explains how Vertical Studio B.V. (trade register number 169067), located at Julianaplein 36, Willemstad, Curaçao ("Company", "we", "us", or "our") collects, uses, shares, and protects your personal data when you access or use our websites at https://www.verticalstudio.ai and https://app.verticalstudio.ai and the Vertical Studio platform (collectively, the "Service").

This Privacy Policy should be read together with our Terms of Service and, where applicable, the Data Processing Agreement ("DPA") annexed to the Terms of Service. In the event of a conflict, the order of precedence set out in the Terms of Service applies.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, you should not use the Service.

2. Definitions

Capitalised terms used in this Privacy Policy have the same meaning as in the Terms of Service, unless defined differently below.

  • Account means a unique account created for you to access the Service or parts of the Service.
  • Contributions means any content you contribute, upload, generate, or share via the Platform, including input materials, prompts, reference materials, Vertical Models, AI-generated outputs (including video content generated through Vertical Motion), Datasets, feedback, images, text, code, and suggestions.
  • Cookies are small files placed on your device by a website, containing details of your browsing history among other uses.
  • Device means any device that can access the Service, such as a computer, mobile phone, or tablet.
  • Personal Data means any information that relates to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • Service Provider means any natural or legal person who processes data on behalf of the Company, including third-party companies or individuals employed by the Company to facilitate, provide, or analyse the Service.
  • Usage Data means data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.

3. Personal Data We Collect

3.1 Data you provide to us

  • Account registration data: email address, name, and authentication credentials (including via third-party social login providers such as Google, Facebook, Instagram, Twitter, and LinkedIn).
  • Payment and billing data: payment method details, billing address, and transaction history. We do not store your payment card details; these are processed directly by our payment processor Stripe (see Section 8).
  • Contributions: any content you upload, submit, or generate via the Platform, including prompts, Datasets, reference materials, Vertical Models, and AI-generated video content through Vertical Motion.
  • Wallet information: if you use $VERTAI tokens or other cryptocurrencies via the Platform, your public wallet address and transaction details.
  • Communications: any messages, support requests, or feedback you send to us.
  • Content moderation data: if you flag content or appeal a moderation decision (in accordance with the European Digital Services Act), the content of your flag or appeal.

3.2 Data collected automatically (Usage Data)

  • Device and browser information: IP address, browser type and version, operating system, device type, unique device identifiers.
  • Usage information: pages visited, time and date of visits, time spent on pages, referral URLs, click patterns, and feature usage.
  • Mobile device data: mobile device type, unique mobile ID, mobile IP address, mobile operating system, and mobile browser type.
  • Log data: server logs, error reports, and diagnostic data.

3.3 Data from third-party social media services

If you register or log in through a third-party social media service (Google, Facebook, Instagram, Twitter, LinkedIn), we may collect data already associated with that account, such as your name, email address, profile picture, and contact list. The scope of data collected depends on your privacy settings with the relevant provider.

3.4 Sensitive personal data

You should not upload special categories of sensitive personal data (e.g., health, biometric, political opinions) unless explicitly permitted. Where such data is processed, we will only do so if an exception to the prohibition of Article 9 GDPR applies.

4. How We Use Your Personal Data

We process your personal data for the following purposes and on the following legal bases:

Purpose Description Legal Basis
Providing the Service To operate, maintain, and improve the Platform, manage your Account, process your Contributions, and provide AI model customisation, Vertical Motion video generation, marketplace, and compute services. Performance of contract (Art. 6(1)(b) GDPR)
Payment processing To process payments for Credits, Subscription Plans, and Pay-as-You-Go purchases via Stripe; to manage $VERTAI token transactions. Performance of contract (Art. 6(1)(b) GDPR)
Communication To contact you regarding account matters, security updates, service notifications, and responses to your support requests. Legitimate interest (Art. 6(1)(f) GDPR)
Marketing To send you information about products, services, and events similar to those you have purchased or enquired about. You can opt out at any time. Legitimate interest (Art. 6(1)(f) GDPR) with opt-out
Analytics and improvement To analyse usage trends, determine effectiveness of campaigns, and improve the Service, including AI model performance. Legitimate interest (Art. 6(1)(f) GDPR)
AI model training Data you upload (Datasets, prompts, RAG inputs) is processed to provide fine-tuning and hosting services on your behalf. We will not use your uploaded data to train or improve models for other users unless you give explicit consent. Performance of contract / Consent (Art. 6(1)(a)/(b) GDPR)
Content moderation and DSA compliance To process flags of illegal or harmful content, to handle appeals, and to publish transparency reports as required by the EU Digital Services Act. Legal obligation / Legitimate interest (Art. 6(1)(c)/(f) GDPR)
Security and fraud prevention To monitor for and prevent fraudulent activity, money laundering, or other financial crime in connection with blockchain transactions and $VERTAI token use. Legitimate interest / Legal obligation (Art. 6(1)(c)/(f) GDPR)
Business transfers To evaluate or conduct mergers, acquisitions, restructurings, or asset sales where Personal Data may be among transferred assets. Legitimate interest (Art. 6(1)(f) GDPR)

5. Who We Share Your Data With

We may share your personal data in the following circumstances:

  • Service Providers (Sub-Processors): We share data with third-party service providers who process data on our behalf to deliver the Service. These providers are listed in Section 8 below and are bound by data processing agreements.
  • Payment processor: Stripe processes your payment data. We do not store your payment card details. Stripe's processing is governed by their own privacy policy and PCI-DSS compliance.
  • Other users: When you share your Contributions or interact in public areas of the Platform, such content may be viewed by other users. If you register through a third-party social media service, your contacts on that service may see your name, profile, and activity.
  • Affiliates: We may share data with our parent company and affiliates, who will honour this Privacy Policy.
  • Business partners: We may share data with business partners to offer you certain products, services, or promotions.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
  • Law enforcement and legal requirements: We may disclose data if required by law, to respond to valid requests by public authorities, to protect our rights or property, to prevent wrongdoing, to protect user safety, or to protect against legal liability.
  • Content flagged under DSA: Content flagged as illegal or harmful may be stored and shared with authorities or other parties as necessary to comply with the EU Digital Services Act.
  • With your consent: We may disclose your data for any other purpose with your consent.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (beacons, tags, scripts) to track activity on the Service and store certain information. This section constitutes our Cookie Policy.

6.1 What are cookies?

Cookies are small files placed on your device by a website. They can be "Session" cookies (deleted when you close your browser) or "Persistent" cookies (remain on your device until they expire or you delete them).

6.2 Cookies we use

Cookie Type Duration Legal Basis Purpose
Essential / Necessary Session Legitimate interest Required to provide services available through the Platform, to authenticate users, and to prevent fraudulent use of accounts. The Service cannot function without these cookies.
Cookie Consent Persistent Legitimate interest Records whether you have accepted the use of cookies on the Platform.
Functionality Persistent Legitimate interest Remembers choices you make (login details, language preference) to provide a personalised experience.
Analytics Persistent Consent Helps us understand how visitors interact with the Platform by collecting anonymised usage statistics.

6.3 Managing cookies

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of the Service. Most browsers allow you to manage cookie preferences through their settings.

6.4 Web beacons

Certain sections of the Service and our emails may contain web beacons (clear gifs, pixel tags, single-pixel gifs) that permit us to count users who have visited certain pages or opened an email, and for other related website statistics.

7. International Data Transfers

Your information, including Personal Data, is processed at the Company's operating offices and by our Service Providers, which may be located outside the European Economic Area (EEA). Several of our Service Providers are based in the United States.

Where Personal Data is transferred outside the EU/EEA to a country that does not provide an adequate level of data protection, such transfers are protected by EU Standard Contractual Clauses (SCCs) or other approved safeguards under Chapter V GDPR, together with supplementary measures where required.

You can request information about the specific safeguards in place by contacting us at [email protected].

8. Service Providers and Sub-Processors

The following third-party Service Providers may have access to your Personal Data in order to provide services on our behalf. Each provider processes data in accordance with their own privacy policies and in compliance with applicable data protection laws.

8.1 Infrastructure and hosting

Provider Processing Activities Location Transfer Mechanism
Amazon Web Services (AWS) Cloud infrastructure, computing, storage and hosting EU / US AWS DPA; SCCs
Google Cloud Platform Cloud computing, AI/ML services, analytics EU / US Google Cloud DPA; SCCs
Railway Application hosting, backend services, logging US Railway DPA; SCCs
Vercel Frontend hosting, serverless functions, CDN Global / US Vercel DPA; SCCs; DPF
Supabase Database hosting (PostgreSQL), authentication, real-time sync US Supabase DPA; SCCs

8.2 AI and model inference

Provider Processing Activities Location Transfer Mechanism
fal.ai AI model inference, serverless GPU computing, model hosting US SCCs; fal.ai DPA
OpenRouter AI model routing and API gateway; forwarding prompts to downstream AI providers US OpenRouter DPA; SCCs

Note: OpenRouter routes user inputs to downstream AI model providers (such as OpenAI, Anthropic, and Meta). The specific downstream provider may vary depending on the model selected. We require OpenRouter to contractually ensure equivalent data protection obligations from each downstream provider.

8.3 Payments

Provider Processing Activities Location Transfer Mechanism
Stripe Payment processing for Credits, Subscription Plans, and Pay-as-You-Go purchases. We do not store your payment card details. US / EU Stripe DPA; SCCs; DPF

Stripe adheres to PCI-DSS standards. Their privacy policy is available at https://stripe.com/privacy.

9. Data Retention

We retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy:

  • Account data: retained for the duration of your active account and deleted two (2) years after your account has been inactive or deactivated.
  • Legal compliance data: retained for one (1) year after the purpose of collection has been fulfilled, to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
  • Usage Data: retained for internal analysis purposes for a shorter period, except where used to strengthen security or improve functionality, or where we are legally obligated to retain it longer.
  • Content moderation records: retained in accordance with the EU Digital Services Act requirements.
  • Blockchain transaction data: note that on-chain transactions are immutable and cannot be deleted from the blockchain.

10. Your Rights

Under the GDPR and other applicable data protection laws, you have the following rights regarding your Personal Data:

  • Access: You have the right to request a copy of the Personal Data we hold about you.
  • Rectification: You have the right to request correction of inaccurate or incomplete Personal Data.
  • Erasure: You have the right to request deletion of your Personal Data, subject to legal retention obligations.
  • Restriction: You have the right to request that we restrict the processing of your Personal Data in certain circumstances.
  • Data portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format.
  • Objection: You have the right to object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

You can exercise most of these rights through your Account settings or by contacting us at [email protected]. We will respond to your request within one (1) month, unless the complexity or volume of requests requires an extension of up to two additional months.

You also have the right to lodge a complaint with your national data protection authority if you believe we have not handled your Personal Data correctly.

11. Data Processing Agreement

If you are a User based in the EU and upload Personal Data on our Platform outside of purely personal use, we operate as a Data Processor and you operate as a Data Controller under the GDPR. In this context, you and we agree on the Data Processing Agreement annexed to the Terms of Service.

The DPA sets out the subject matter, duration, nature and purpose of the processing, the types of Personal Data processed, the categories of Data Subjects, and the obligations of both Controller and Processor. The DPA also lists the approved Sub-Processors engaged by us.

12. Children's Privacy

The Service is not directed at anyone under the age of 18. We do not knowingly collect Personal Data from anyone under 18. If you are a parent or guardian and become aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under 18 without verification of parental consent, we will take steps to remove that information from our servers.

13. Links to Other Websites

The Service may contain links to other websites not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

14. Security of Your Personal Data

The security of your Personal Data is important to us. We implement and maintain appropriate technical and organisational security measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. However, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and, where appropriate, by email or a prominent notice on the Service prior to the change becoming effective. The "Version" date at the top of this Privacy Policy indicates when it was last revised.

You are advised to review this Privacy Policy periodically. Changes are effective when posted on this page.

16. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, you can contact us at:

Vertical Studio B.V.
Julianaplein 36, Willemstad, Curaçao
Trade register number: 169067
Email: [email protected]