1. Overview
This Privacy Policy explains how Sume (“we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use the Sume website, paid ads tools, studio media tools, AI avatar and video generation services, Google Sign-In, and related features (collectively, the “Services”). By using the Services, you consent to the practices described in this policy.
2. Information We Collect
A. Information you provide directly
- Account information — email address, name, and authentication credentials when you sign up
- Google Sign-In information — if you choose to sign in with Google, we receive the basic Google account information needed to authenticate you, such as your email address, name, profile image, Google account identifier, authentication identifiers, and email verification status
- Generation inputs — reference images, product URLs, brand context, motion clips, prompts, and other content you upload or provide for creative or video generation
- Payment information — when you subscribe, Stripe collects your payment details. We receive your Stripe customer ID and subscription status but do not store your full card number
B. Information collected automatically
- Website analytics — page views, page leave events, product interaction events, session-scoped context, user-profile properties, and session replay data used to understand onboarding, creator-entry funnels, pricing, and product reliability
- Job metadata — timestamps, generation parameters, and processing status for your video generation jobs
- IP address — used transiently for analytics and abuse prevention; not stored with your identity
C. Information generated by the Services
- AI-generated videos — motion-controlled video content created from your inputs
- Usage metrics — generation counts, rate-limit state, and subscription status
3. How We Use Your Information
- To generate and deliver AI-powered video content based on your inputs
- To authenticate your account, maintain secure sessions, personalize your workspace, prevent abuse, and support account recovery
- To process payments and manage your subscription
- To enforce rate limits, usage policies, and our Terms of Service
- To detect, prevent, and respond to abuse, fraud, and security incidents
- To improve generation quality and the overall Services
- To analyze aggregate usage patterns (not individually identifiable)
4. Google Sign-In & Google User Data
Sume offers Google Sign-In so you can create or access your account without maintaining a separate Sume password. We use Google OAuth through Clerk for authentication. For the current sign-in flow, Sume requests only basic profile and email information needed to identify you, secure your account, and operate your workspace.
- We do not request access to your Google Drive, Gmail, Calendar, Contacts, Docs, Sheets, Slides, or other Google Workspace content
- We do not use Google user data for advertising retargeting, selling user profiles, creditworthiness, or unrelated marketing purposes
- We do not use Google user data to train generalized AI or machine learning models
- We do not sell Google user data or transfer it except as needed to provide authentication, security, infrastructure, legal compliance, or user-requested support
Sume's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. AI Processing of Your Data
Your reference images, motion clips, and prompts are processed by third-party AI model providers to generate video content. These providers process your data under data processing agreements with us. We select providers that commit to not using your data to train their models without consent.
6. Third-Party Services & Data Sharing
We integrate with the following third-party services:
- Stripe — payment processing. Subject to Stripe's Privacy Policy
- Clerk — authentication, account sessions, and Google OAuth sign-in
- Vercel — website hosting and privacy-friendly analytics
- PostHog — product analytics for page views, product interaction events, richer funnel analysis, and session replay routed through our first-party ingest path
- Cloudflare — infrastructure and content delivery
- AI model providers — video generation and motion control
We do not sell your personal information to third parties.
7. Data Storage & Retention
- Generated content — retained for as long as necessary to provide the Services
- Payment records — retained as required by applicable regulations
- Analytics data — retained in aggregate form
- Account data — retained until you request deletion
- Google Sign-In data — retained while your Sume account remains active or as needed for security, legal compliance, and account recovery; deleted or de-identified when your account is deleted unless retention is legally required
8. Data Security
We implement industry-standard security measures including encryption in transit (TLS), access controls, and secure infrastructure. Payment information is handled entirely by Stripe and never touches our servers.
9. Your Rights
Depending on your jurisdiction (including under CCPA, GDPR, and other applicable laws), you may have the right to:
- Access — request a copy of the personal information we hold about you
- Deletion — request deletion of your personal data, including Google Sign-In data associated with your Sume account
- Correction — request correction of inaccurate personal information
- Portability — receive your data in a structured, machine-readable format
- Opt out — opt out of certain data processing activities
To exercise any of these rights, email dev@sumelabs.com. We will respond within 30 days.
10. Children's Privacy
The Services are strictly for users aged 18 and older. We do not knowingly collect personal information from anyone under 18.
11. Cookies & Tracking
The Sume website uses product analytics and session replay to understand page flow, creator conversion, onboarding drop-off, reliability issues, and product usage behavior. This may include automatic pageview, pageleave, and interaction capture, along with replay of product sessions. We configure masking and blocking controls to avoid recording sensitive inputs and protected UI regions.
To measure the performance of our advertising on Meta platforms (Facebook, Instagram), we also operate the Meta Pixel together with the Meta Conversions API. This sends a limited set of standard events — page views, content views, lead form submissions, account registrations, and purchases — to Meta. For logged-in users we include SHA-256 hashed identifiers (email address and an opaque account ID) so Meta can match the event to an existing user and attribute it to the ad that drove the visit. Raw email addresses are never transmitted. We also use the standard Meta cookies _fbp and _fbc to deduplicate browser and server events; when our server receives a request without an _fbp cookie we generate one in the standard Meta format and set it on your browser so subsequent events are consistent.
You can opt out of Meta-driven advertising at any time through your Meta account settings, and you can block these cookies through your browser settings or a tracker-blocking extension.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be reflected in the “Last updated” date at the top of this page. Your continued use of the Services after changes constitutes acceptance of the updated policy.
13. Contact
For questions about this Privacy Policy, contact us at:
Sume
Email: dev@sumelabs.com