Privacy
Your data, treated like a story —
with care, and only where it needs to go.
Last updated April 15, 2026
This Privacy Policy explains how Reela("we", "us") collects, uses, stores and shares personal data when you visit reela.studio, shorts.reela.studio, or any other Reela service. We are the data controller under the EU General Data Protection Regulation (GDPR).
For any privacy question, write to hello@reela.studio.
1. What we collect
We keep the data collection surface intentionally small. Here is everything we process:
- Account data — your email address, display name, locale, country (inferred at signup), and the time of your first sign-in. Stored in our Supabase instance (EU Ireland).
- Content you create — the prompts/briefs you write, the generated scripts, images, audio and videos, plus project titles and settings. Stored in Supabase (EU Ireland) and Cloudflare R2 (EU region).
- Billing data — handled by Stripe. We receive subscription status, plan id, current period end, and a Stripe customer id. We never see your card number; Stripe does.
- Product analytics — via PostHog (EU Cloud). We track anonymous page views, key actions (sign-up, generate, subscribe), and identify you only once you sign in. You can opt out at any time via the cookie banner.
- Technical logs — our serverless runtime (Vercel) keeps transient logs for error-tracking purposes, retained up to 30 days.
- Support correspondence — any email you send to hello@reela.studio.
2. Why we process it
- To run the service you signed up for (contractual basis, GDPR Art. 6.1.b): authenticating you, generating shorts, storing your projects, billing.
- To keep the service reliable and improve it(legitimate interest, GDPR Art. 6.1.f): analytics, error tracking, anti-abuse measures.
- To meet our legal obligations (GDPR Art. 6.1.c): VAT/tax records, fraud prevention, responding to lawful requests.
- With your consent (GDPR Art. 6.1.a): non-essential analytics cookies when you accept them via the banner.
3. Data processors we rely on
We use a small, vetted list of processors. Each handles a specific piece of the stack, under a Data Processing Agreement, with the data residency noted below.
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database + authentication | EU (Ireland) |
| Cloudflare R2 | Generated video, image, audio storage | EU region |
| Vercel | Application hosting + logs | Global edge, primary EU |
| Stripe | Subscription billing + payments | EU (Ireland) + US |
| OpenAI | Script generation (gpt-4o-mini) | US, SCCs in place |
| fal.ai | Image + video model inference | US, SCCs in place |
| ElevenLabs | Text-to-speech voice generation | US / EU, SCCs |
| PostHog | Product analytics (opt-in) | EU Cloud |
| Resend | Transactional email | EU region |
| I-Creativi SMTP | Authentication email delivery | EU (Italy) |
Transfers to processors outside the EU are protected by the EU Commission's Standard Contractual Clauses (2021/914) and the processor's own safeguards.
4. How long we keep it
- Account + content: as long as your account is active. You can delete your account at any time from
/dashboard/settings. Deletion removes profile, projects and their assets within 30 days. - Billing records: 10 years (Italian/EU tax law retention requirement).
- Logs: 30 days rolling.
- Waitlist entries: until launch or until you ask for removal.
5. Your rights
Under GDPR you can, at any time:
- Access — request a copy of every piece of personal data we hold about you.
- Rectify — correct anything that is inaccurate.
- Erase— have your account and linked data deleted (the "right to be forgotten").
- Restrict or object to certain processing (e.g. analytics).
- Port your data — receive a machine-readable export of your projects and account data.
- Lodge a complaint with the Italian Garante per la protezione dei dati personali or your local supervisory authority.
Most of these can be exercised directly from your account settings. For anything else email hello@reela.studio — we respond within 30 days.
6. Security
All traffic is served over HTTPS with automatic certificates. The database runs on Supabase with Row Level Security policies restricting each row to its owner workspace. Assets in Cloudflare R2 are private by default and served via short-lived signed URLs (1 hour). Webhooks are signature-verified; secrets live only in Vercel's encrypted environment.
7. Children
Reela is not directed at children under 16. We do not knowingly collect personal data from them. If you believe a child has created an account, email us and we will remove it.
8. Changes to this policy
We will update this page if our practices change. Material changes trigger an email notification to active users at least 30 days before taking effect.
9. Contact
Data controller: Reela — operated in Italy.
Email: hello@reela.studio