Privacy Policy
Last updated: 30 March 2026
1. Introduction
Progressive Robot Ltd ("we", "us", "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our AI creative platform at video.progressiverobot.com ("the Service").
We are registered in England and Wales and process personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Please read this Privacy Policy carefully. By using the Service, you acknowledge that you have read and understood this policy. If you do not agree, please do not use the Service.
2. Data Controller
Progressive Robot Ltd is the data controller for all personal data collected through the Service.
- Data Protection Contact: [email protected]
- General Contact: [email protected]
3. Data We Collect
3.1 Data You Provide Directly
| Data Type | Purpose | Lawful Basis |
|---|---|---|
| Username | Account identification and display | Contract |
| Email address | Account recovery, notifications, transactional emails | Contract / Consent |
| Password (hashed) | Account authentication | Contract |
| Display name and bio | Public profile (optional) | Consent |
| Avatar image | Public profile (optional) | Consent |
| Organisation/team name | Team collaboration features | Contract |
| Payment information (via Stripe) | Processing subscriptions, top-ups, and purchases | Contract |
3.2 Data Generated Through Use
| Data Type | Purpose | Lawful Basis |
|---|---|---|
| Generation prompts, settings, and parameters | Providing video/image/audio generation, history, and regeneration | Contract |
| Uploaded images and audio files | Image-to-video, face swap, brand kits, editing inputs | Contract |
| Generated output files (videos, images, audio) | Delivering and storing results for your access | Contract |
| Projects, storyboards, and studio data | Studio workspace functionality | Contract |
| Community prompts and votes | Community prompt marketplace | Consent / Legitimate interest |
| Hosted page content (titles, descriptions, CTAs) | Video hosting feature | Contract |
| Brand kit data (logos, colours, fonts, intros) | Brand kit feature | Contract |
| Comments on projects | Collaboration features | Contract |
| Prompt templates | Saved prompt functionality | Contract |
| API key metadata | Programmatic API access authentication | Contract |
3.3 Data Collected Automatically
| Data Type | Purpose | Lawful Basis |
|---|---|---|
| IP address | Security, rate limiting, fraud prevention, abuse detection | Legitimate interest |
| Session tokens | Authentication persistence | Contract |
| Request logs (URL, timestamp, user agent) | Security monitoring, debugging, abuse prevention | Legitimate interest |
| Credit usage and transaction history | Billing, account management, dispute resolution | Contract |
| Hosted page view analytics | Showing you page view statistics | Legitimate interest |
| Generation queue and job status data | Providing real-time generation progress | Contract |
3.4 Data We Do NOT Collect
- We do not use tracking pixels, fingerprinting, or cross-site tracking.
- We do not collect location data beyond what is inherent in IP addresses.
- We do not use advertising cookies or sell your data to advertisers.
- We do not process biometric data, except transiently during face-swap operations (which are processed server-side and not stored beyond the output).
4. How We Use Your Data
- Service delivery: To create and maintain your account, process generations (video, image, audio), manage subscriptions and credits, deliver hosted pages, enable studio projects, enable team collaboration, and provide customer support.
- Security: To detect abuse, prevent fraud, enforce rate limits, protect against DDoS attacks, investigate suspicious activity, and maintain the integrity of the platform.
- Improvement: To analyse aggregated and anonymised usage patterns to improve models, features, performance, and user experience. We do not use your individual prompts or outputs for model training without explicit consent.
- Communication: To send transactional emails (password resets, email verification, subscription confirmations, payment receipts). We will not send marketing or promotional emails without your explicit opt-in consent.
- Legal compliance: To comply with applicable laws, regulations, legal processes, or government requests, including UK tax obligations for payment records.
- Billing and payments: To process subscriptions, credit purchases, generate invoices, and handle refund requests.
5. AI-Generated Content and Model Training
- Your prompts and generated content may be temporarily cached in server memory during processing but are not used to train, fine-tune, or improve AI models without your explicit consent.
- We process generation requests through ComfyUI-based inference pipelines. Prompt text and generation parameters are sent to local AI model servers for processing.
- Generated output files are stored on our servers and associated with your account for your access and management.
- If you share prompts via the Community feature, those prompts become publicly visible and usable by other platform users. You can delete community prompts at any time.
- Anonymised, aggregated statistics (e.g., number of generations per model, average generation time) may be used for service improvement and reporting.
6. Face Swap and Biometric Data
The face swap tool processes facial geometry data to perform the swap operation. This data is:
- Processed server-side only, in real-time, and discarded after the output is generated.
- Not stored, catalogued, or used for identification purposes.
- Not shared with any third party.
- Not used for model training.
You are solely responsible for ensuring you have appropriate consent from any individuals whose face appears in uploaded images. See our Terms of Service for acceptable use requirements.
7. Data Storage and Security
7.1 Security Measures
- Passwords are hashed using PBKDF2-HMAC-SHA256 with 600,000 iterations and unique per-user salts. Passwords are never stored or logged in plain text.
- API keys are stored as SHA-256 hashes. The original key value is displayed only once at creation and cannot be retrieved.
- All connections to the Service are encrypted via HTTPS/TLS (enforced via HSTS).
- Security headers are implemented: Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
- Session cookies are HttpOnly (inaccessible to JavaScript), Secure (sent only over HTTPS), and SameSite=Strict (prevents CSRF attacks).
- Rate limiting is applied to login attempts, generation requests, and API calls to prevent brute-force and abuse.
- We conduct regular security reviews of our codebase and infrastructure.
7.2 Data Location
- All primary data (user database, generated content, uploaded files) is stored on servers located in the United Kingdom.
- AI inference processing occurs on local GPU infrastructure in the United Kingdom.
- Third-party services may process limited data outside the UK (see Section 8).
7.3 Data Breach Procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.
- Where the breach is likely to result in a high risk to your rights, we will notify affected users without undue delay via email and/or in-platform notice.
- We maintain an internal breach register and incident response procedures.
8. Third-Party Services
We share data with the following third-party processors only to the extent necessary to provide the Service:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Payment card data, email, billing address | EU/US (SCC in place) |
| Resend | Transactional email delivery | Email address, email content | US (SCC in place) |
| Cloudflare | CDN, DDoS protection, SSL | IP address, request metadata | Global (UK-adequate) |
| Pexels / Pixabay | Stock media search | Search queries only (no personal data) | EU/US |
We do not sell, rent, or trade your personal data to any third party. We do not share your data with data brokers, advertisers, or marketing platforms.
Links to third-party privacy policies:
9. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (username, email, password hash) | While account is active + 30 days after deletion request | Contract |
| Generated content (videos, images, audio) | While account is active; individually deletable at any time | Contract |
| Generation logs (prompts, parameters) | While account is active; deleted with account | Contract / Legitimate interest |
| Projects, storyboards, studio data | While account is active; individually deletable | Contract |
| Community prompts | Until withdrawn by you or removed by moderation | Consent |
| Hosted pages and analytics | While account is active; individually deletable | Contract |
| Payment and billing records | 7 years from transaction date (UK HMRC requirement) | Legal obligation |
| Credit transaction history | While account is active + 7 years for financial records | Contract / Legal obligation |
| Session data | 24 hours (auto-expires) | Contract |
| Security logs (IP, rate-limit data) | 90 days rolling | Legitimate interest |
| Uploaded images (for I2V, face swap, brand kits) | While account is active; deletable via account or on request | Contract |
| API key hashes | Until revoked by you or account deletion | Contract |
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access (Article 15): Request a copy of all personal data we hold about you (Subject Access Request). We will respond within 30 days.
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data. You can update most data directly via account settings.
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten"). We will comply unless retention is required by law (e.g., financial records).
- Right to Restrict Processing (Article 18): Request that we limit how we use your data while a dispute or request is pending.
- Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON). You can export your generation history and parameters at any time.
- Right to Object (Article 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent (Article 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Rights Related to Automated Decision-Making (Article 22): We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
To exercise any right, email [email protected]. We will verify your identity before acting and respond within 30 days. If a request is complex, we may extend this by a further 60 days with notification.
These rights are provided free of charge, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
11. Cookies and Local Storage
11.1 Cookies
We use a single, strictly necessary session cookie:
| Cookie Name | Purpose | Type | Duration |
|---|---|---|---|
| session | User authentication | Strictly necessary (first-party) | 24 hours |
This cookie is HttpOnly (inaccessible to JavaScript), Secure (sent only over HTTPS), and SameSite=Strict (prevents cross-site request forgery). No consent banner is required for this cookie under PECR as it is strictly necessary for the Service.
11.2 Local Storage
We may use browser localStorage to store your UI preferences (e.g., theme, last-used model settings). This data stays on your device, is not transmitted to our servers, and can be cleared via your browser settings at any time.
11.3 No Tracking
We do not use analytics cookies, advertising cookies, tracking pixels, third-party tracking scripts (e.g., Google Analytics, Facebook Pixel), or any form of cross-site tracking. We respect your privacy and your browser's Do Not Track signal.
12. Children
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will take immediate steps to delete that data and terminate the associated account. If you believe a child has provided us with personal data, please contact us at [email protected].
13. International Data Transfers
Your data is primarily stored and processed in the United Kingdom. Where third-party services process data outside the UK (see Section 8), they do so under appropriate safeguards recognised by UK law, including:
- Standard Contractual Clauses (SCCs) approved by the ICO.
- UK adequacy decisions where applicable.
- Binding corporate rules of the data processor.
We conduct transfer impact assessments for international transfers as required by UK GDPR.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered users via email or in-platform notification at least 14 days before changes take effect.
- Provide a summary of what has changed.
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of changes constitutes acceptance.
15. Contact and Complaints
Privacy enquiries: [email protected]
General support: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint
Progressive Robot Ltd · Registered in England and Wales · This policy was last reviewed on 30 March 2026.