Privacy Policy

UGC King is the controller of your personal information for the purposes of this Policy. For privacy questions, data-rights requests, or to report a concern, email hello@ugcking.com. For general support, use the help channel in your dashboard or email hello@ugcking.com.

We collect the following categories of information:

2.1 Information you give us

• Account details: email address, password (hashed, never stored in plaintext), and — if you delete your account — a short-lived record of the deletion event.
• Brand inputs: project names, business descriptions, target audience notes, industry classifications, content pillars, competitor names, and brainstorm instructions.
• Product data: product names, descriptions, and product images you upload.
• Knowledge-base content: FAQs, product-detail entries, proven hooks, and any text you paste into the knowledge tab.
• Characters: AI-generated or manually configured on-screen personas (name, tone, visual style, prompt template). Characters do not represent real people and are not biometric data.
• Schedule and preferences: posting days, times, timezone, approval-mode settings, caption CTAs, character lock preferences, and weight-learning preferences.
• Billing data: full payment details (card numbers, expiration, CVC) go directly to our payment processor Stripe — we never see or store your full card number. We receive and store only a Stripe customer ID, billing email, the last 4 digits of your card, card brand, and billing ZIP. Any invoices Stripe generates are retained for accounting and tax compliance.
• Support correspondence: emails you send us, tickets you file, and any attachments.

2.2 Social platform connections and their data

• OAuth tokens and account identifiers for platforms you connect (e.g., TikTok, Instagram). Tokens are stored encrypted at rest in our database and are used solely to post on your behalf and pull back analytics for posts we published.
• Per-post analytics pulled from those platforms — views, likes, comments, shares, saves, reach, impressions, and engagement rate — attributed only to posts we published through your account.
• We do not read your direct messages, harvest follower lists, scrape content you did not publish through us, access your inbox, or use your social accounts for anything outside the scope of running your automated content pipeline.

2.3 Usage and device information

• IP address, approximate geographic region (derived from IP), browser type, device type, operating system.
• Pages viewed in the dashboard, features used, click-stream interactions, and timestamps.
• Error logs, request IDs, and diagnostic data needed to troubleshoot.
• Usage counters — number of videos generated, ideas brainstormed, posts published, API calls made.
• Contact-form rate-limit logs: when you submit the contact form, we record the IP address only (no message content) for 7 days to enforce per-IP submission limits and stop spam.

2.4 AI generation inputs and outputs

When you generate content, the Service sends your brand inputs to third-party AI providers, receives generated text and video, and stores the result in your account. We retain AI inputs and outputs on your behalf so you can review, approve, retry, or reject videos. These are stored in your account, not shared with other users, and not used to train our models (see Section 4).

2.5 Cookies and similar technologies

We use strictly necessary cookies to keep you logged in and to remember your preferences. We may use limited analytics cookies to measure feature usage — never for cross-site advertising. We do not sell or share cookie data with ad networks. A "Do Not Track" browser signal is respected by treating the browser as though no analytics cookies are set.

We use information for the following purposes, each tied to a legal basis under GDPR where applicable:

• To provide the Service — brainstorm ideas, generate videos, post to connected accounts, pull analytics, rebalance AI character weights, and keep the pipeline running. (Legal basis: performance of a contract.)
• To authenticate you and keep your account secure. (Contract / legitimate interest.)
• To charge you and prevent fraud via Stripe. (Contract / legitimate interest / legal obligation.)
• To communicate with you — transactional emails (billing, quota alerts, generation failures, content pending approval, password resets), support replies, and service announcements. (Contract / legitimate interest.)
• To improve the Service — aggregated, anonymized analytics of how features are used. (Legitimate interest.)
• To prevent abuse and enforce our Terms — detecting misuse of AI generation, protecting against fraud, chargebacks, and abuse. (Legitimate interest / legal obligation.)
• To comply with legal obligations — tax records, government requests, subpoenas. (Legal obligation.)

We do not use your information for advertising, do not sell it, do not share it for cross-context behavioral advertising, and do not profile you to sell your attention to third parties.

Your brand inputs, product photos, knowledge-base content, generated videos, captions, characters, analytics, and any other content in your account are not used to train our own AI models or to fine-tune third-party models on your behalf.

When we send data to third-party AI providers (OpenAI, Evolink) to generate content, we do so under their business / API terms, which — for our current providers — prohibit training on your inputs by default. We will update this section if our subprocessors or contract terms change. If any provider ever changes its default to allow training, we will move to one that does not, or give you advance notice and a meaningful opt-out before continuing.

We may use aggregated, de-identified usage patterns (for example, "average generation latency on Starter plan = 45s") to measure and improve the Service. Aggregated data cannot be re-identified and is not personal information under applicable law.

We share information only with the service providers needed to run the Service. Each is bound by contract to process data only on our instructions, maintain reasonable security, and delete data when no longer needed. Our current subprocessors are:

We may add or change subprocessors over time as we scale or re-architect the Service. Material changes will be reflected in this Policy. If you want email notice of subprocessor changes, email hello@ugcking.com to subscribe.

We may also disclose information: (a) in response to a valid subpoena, court order, or government request, when we are legally required to do so; (b) to enforce our Terms, prevent fraud, or protect our rights, safety, or property or those of our users; (c) in connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, subject to standard confidentiality protections and subject to this Policy continuing to apply to transferred data.

We do not sell personal information, do not share it for cross-context behavioral advertising, and do not disclose it to advertising networks.

UGC King is based in the United States. Our subprocessors are located in the U.S., the European Union, and other regions as listed above. If you access the Service from outside the country where data is processed, your information will be transferred internationally. For transfers out of the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (or equivalent adequate safeguards) to protect your data.

We keep information only as long as needed for the purposes described in this Policy:

• Active account data (projects, characters, ideas, content, analytics, subscription records) — for the life of your account.
• Account after deletion — most data is deleted within 30 days of account deletion. Some records are retained longer where required by law (billing/tax records up to 7 years) or for legitimate security/fraud-prevention purposes (abuse patterns, chargeback records up to 3 years).
• Generated video files — kept in storage until you delete them or for 90 days after account deletion, then removed.
• Server logs and diagnostic data — rotated out after 90 days unless relevant to an ongoing incident.
• Contact-form rate-limit logs (IP only, no content) — purged automatically after 7 days.
• Support correspondence — retained for 2 years after last contact for continuity and quality purposes.
• Aggregated, anonymized usage data — retained indefinitely; not personal information.

We apply reasonable administrative, technical, and physical safeguards to protect personal information:

• TLS encryption in transit; database and storage encryption at rest.
• OAuth access and refresh tokens for connected social platforms (TikTok, Instagram) are encrypted with a separate symmetric key before being written to the database — readable only via service-role functions that hold the decryption key in memory.
• Row-level access controls — per-user RLS ensures users can only read their own data.
• Scoped service-role keys used only from trusted server environments.
• Access to production systems limited to authorized personnel and audit-logged.
• Automated dependency scanning and regular security review.

No system is perfectly secure. If we discover a data breach that materially affects you, we will notify you without undue delay and, where required by law, within 72 hours. Notification will describe the nature of the incident, the data involved, mitigation steps, and the steps you can take to protect yourself.

Depending on where you live, you may have the following rights regarding your personal information:

• Access and portability — request a copy of the personal information we hold about you, in a structured, machine-readable format.
• Correction — correct inaccurate or incomplete information. Most fields can be edited directly in your dashboard; contact us for anything you can't edit yourself.
• Deletion — delete your account and associated data, subject to the retention exceptions in Section 7. You can initiate deletion from Settings → Account → Delete account.
• Restriction and objection — ask us to stop or limit certain processing of your information.
• Withdraw consent — where we rely on consent, withdraw it at any time; this does not affect the lawfulness of processing before withdrawal.
• Lodge a complaint — with your local data-protection authority (e.g., an EU supervisory authority, the UK ICO, your U.S. state attorney general).

To exercise any of these rights, email hello@ugcking.com. We will respond within the timelines required by applicable law (typically 30 days, extendable by 60 days for complex requests). We may ask you to verify your identity before fulfilling the request.

We will not discriminate against you for exercising any privacy right.

If you're a California resident, you have the rights described in Section 9 plus the following additional rights:

• Right to know the categories of personal information we collect, the sources, the purposes, and the categories of third parties we share it with — all described in Sections 2, 3, and 5.
• Right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, so there is nothing to opt out of — but if that ever changed, a "Do Not Sell or Share My Personal Information" link would appear in the footer.
• Right to limit use of sensitive personal information — we do not use sensitive personal information (as defined by CPRA) for any purpose beyond providing the Service and associated security/fraud prevention.
• Right to non-discrimination — we will not charge different prices or provide different service levels because you exercised a privacy right.

Authorized agents may submit requests on your behalf with verifiable proof of authority.

If you're in the European Economic Area, the United Kingdom, or Switzerland, you have the rights in Section 9 under the GDPR / UK GDPR. Our legal bases for processing are listed in Section 3.

We do not have a designated EU representative or UK representative at this time. For GDPR-related questions, email hello@ugcking.com.

The Service is not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you believe we have collected data from a minor, email hello@ugcking.com and we will delete it. If you're in a jurisdiction where the age of digital consent is higher than 18, the higher age applies.

The Service creates fictional on-screen characters for video generation. These characters are designed to look like plausible creators but are not intended to depict specific real people. You agree not to upload images or instructions that would cause the Service to generate content resembling any identifiable real person (including public figures or celebrities) without that person's documented consent. If you do so and we receive a complaint, we may disable that character, take down the content, and/or suspend your account.

The Service uses AI to: select characters based on performance (weighted rotation and auto-adjusted weights); prioritize ideas based on predicted engagement; decide which pending videos to schedule at which slots; and generate scripts, captions, and video prompts. These decisions affect your account but do not produce legal or similarly significant effects under GDPR Article 22. You can pause weight-learning and lock characters in project settings to override most automated decisions.

We may update this Policy. Material changes will be announced via email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.

Privacy questions, data-rights requests, breach reports, or concerns: email hello@ugcking.com.

For general support: hello@ugcking.com.