Privacy Policy
Last updated: February 21, 2026
At Prodeo, we take your privacy seriously. This Privacy Policy explains what information we collect, how we use it, and the choices you have. We've written this policy in plain language so you can understand exactly how your data is handled when you use our video editing platform.
Prodeo is built by a two-person team at En Dash ("we," "us," or "our"). By using Prodeo, you agree to the collection and use of information as described in this policy.
1. Information We Collect
We collect different types of information depending on how you interact with Prodeo. Here is a breakdown of each category:
Account Information
When you create an account through our OAuth authentication provider, we receive and store:
- Your name (as provided by your identity provider)
- Your email address
- Your profile picture URL
- A unique user identifier from the identity provider
Media Files You Upload
When you use Prodeo to create and edit videos, we process and store:
- Video files — MP4, WebM, MOV, and AVI formats (up to 2 GB per file)
- Audio files — MP3, WAV, AAC/M4A, and FLAC formats (up to 50 MB per file)
- Background images — PNG, JPEG, WebP, and SVG formats (up to 10 MB per file)
- File metadata — duration, dimensions, sample rate, audio channels, and waveform data automatically extracted from uploaded files
Project Data
Your video editing projects contain the creative decisions you make in the editor:
- Timeline configurations (clips, transitions, effects, audio tracks)
- Custom backgrounds and overlays
- Rendering settings and export preferences
- Project names and organizational data
Billing Information
If you subscribe to a paid plan (Pro or Team), our payment processor Stripe collects and handles your billing information. We store:
- Your Stripe customer identifier (not your payment card details)
- Your subscription plan tier and status
- Billing period dates
We never store your credit card numbers, bank account details, or other direct financial information on our servers. All payment processing is handled by Stripe in accordance with PCI-DSS standards.
Usage & Storage Data
We track storage usage to enforce plan limits and provide you with accurate usage information:
- Per-file type and size records
- Aggregate storage usage snapshots
- Number of cloud projects
Compliance Data
To comply with applicable trade and export regulations (such as OFAC sanctions), we may collect:
- Your IP address (used to determine your country of access)
- Your resolved country code (derived from IP address)
- Compliance check results (whether access was allowed or restricted)
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the service — Processing your video uploads, running render jobs, storing your projects, and delivering the edited video output you create
- Account management — Authenticating your identity, maintaining your session, and personalizing your experience
- Subscription management — Processing payments, enforcing plan limits (storage quotas, project counts), and managing your subscription lifecycle
- Storage management — Tracking your file uploads and storage usage, enforcing storage quotas, and cleaning up orphaned files
- Legal compliance — Verifying compliance with trade sanctions and export control regulations
- Service improvement — Understanding usage patterns to improve the platform's reliability and features
3. Video Upload, Processing & Storage
Video editing is central to Prodeo, so we want to be transparent about how your media files are handled:
Upload Process
Large video files are uploaded using a chunked upload process. This means your file is split into smaller pieces and reassembled on our server, which improves upload reliability. During this process, we validate file types, enforce size limits, and extract technical metadata (such as duration and dimensions) needed for the editor.
Processing & Rendering
When you render a video, the processing happens on our servers using the Remotion rendering engine. Render outputs are treated as ephemeral artifacts — they are generated for you to download and are automatically cleaned up after 24 hours.
Storage
Your uploaded media files and cloud projects are stored on our servers. Storage limits vary by plan:
- Free plan — Up to 500 MB of storage, up to 3 cloud projects
- Pro plan — Up to 50 GB of storage, up to 100 cloud projects
- Team plan — Up to 500 GB of storage, unlimited cloud projects
Local Projects
Prodeo also supports local-only projects stored in your browser's local storage. These projects never leave your device and are not transmitted to our servers. We cannot access, read, or recover locally stored projects.
4. Authentication & Account Data
We use OAuth 2.0 with PKCE (Proof Key for Code Exchange) for authentication. This means we never see or store your password. When you log in, your identity provider authenticates you and shares limited profile information with us (name, email, and profile picture).
We store the following authentication-related data:
- Session cookie — An encrypted, HTTP-only cookie that maintains your login session. This cookie expires after 7 days of inactivity.
- OAuth tokens — Access and refresh tokens stored in your encrypted session cookie, used to verify your identity and refresh your session transparently.
- Temporary OAuth state — During the login flow, a short-lived cookie stores a CSRF token and PKCE code verifier. This cookie is destroyed immediately after the login completes.
5. Cookies & Local Storage
Cookies We Use
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| user_session | Maintains your authenticated login session | 7 days | Essential |
| oauth_session | Temporary CSRF and PKCE state during login | Session only | Essential |
Both cookies are HTTP-only, encrypted, and use the SameSite=Lax attribute. They are secured with HTTPS in production. We do not use any advertising, analytics, or tracking cookies.
Browser Local Storage
Prodeo uses your browser's local storage for the following purposes:
- Local projects — Storing project data for projects you choose to keep on your device rather than in the cloud
- Editor state — Temporary UI state such as undo/redo history, playback position, and timeline settings that improve your editing experience
Data stored in your browser's local storage remains entirely on your device and is never transmitted to our servers.
6. Third-Party Services
We use the following third-party services to operate Prodeo:
Stripe (Payment Processing)
We use Stripe to process subscription payments. When you subscribe to a paid plan, Stripe collects your payment information directly. We never see or store your full card number. Stripe's handling of your data is governed by Stripe's Privacy Policy.
OAuth Identity Provider
We delegate authentication to a third-party OAuth provider. When you log in, you authenticate with that provider and authorize sharing your basic profile information (name, email, profile picture) with us. We request only the profile and email scopes — the minimum needed to create your account.
Google Cloud Platform (Infrastructure)
Prodeo is hosted on Google Cloud Platform infrastructure. Google may process request metadata (such as IP addresses) as part of operating the infrastructure. Google Cloud's data handling is governed by Google Cloud's Privacy Notice.
7. Data Retention & Deletion
We retain your data only as long as necessary to provide the service and fulfill the purposes described in this policy. Here are the specific retention periods for each type of data:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Video, audio & image uploads | Until you delete them or your account is closed |
| Cloud project data | Until you delete the project or your account |
| Rendered video outputs | 24 hours (automatically cleaned up) |
| Orphaned upload files | 24 hours (automatically cleaned up) |
| Session cookies | 7 days from last activity, or until you log out |
| Billing records | As required by tax and accounting law (typically 7 years) |
| Compliance audit logs | As required by applicable regulations (typically 5 years) |
| Local browser data | Until you clear your browser data (we cannot delete this) |
Deletion Process
When you delete data in Prodeo:
- Soft deletion — Projects and files are initially marked as deleted (soft delete) but retained briefly for audit and recovery purposes.
- Permanent deletion — Soft-deleted data is permanently removed from our systems during regular cleanup cycles.
- Account deletion — When you request account deletion, all associated data (projects, uploads, account information) is permanently deleted, except where retention is required by law (e.g., billing records).
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract performance — Processing necessary to provide the Prodeo service you've signed up for (account management, video processing, project storage)
- Legal obligation — Processing required to comply with trade sanctions, tax regulations, and other legal requirements
- Legitimate interests — Processing for service improvement, security, and fraud prevention, where these interests don't override your rights
Your Rights
You have the right to:
- Access — Request a copy of the personal data we hold about you. We will provide this in a commonly used, machine-readable format.
- Rectification — Request correction of any inaccurate personal data. Since account information comes from your OAuth provider, some corrections may need to be made with your identity provider first.
- Erasure ("Right to be forgotten") — Request deletion of your personal data. We will delete your account and all associated data, except where we are legally required to retain certain records.
- Data portability — Request your data in a structured, commonly used, machine-readable format so you can transfer it to another service. This includes your project data and uploaded media files.
- Restriction of processing — Request that we limit how we process your data in certain circumstances, such as while we verify a correction request.
- Object to processing — Object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us using the details in the Contact Us section below. We will respond to your request within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority.
9. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you specific rights regarding your personal information.
Categories of Personal Information We Collect
Under CCPA definitions, we collect the following categories of personal information:
| Category | Examples |
|---|---|
| Identifiers | Name, email address, unique user ID |
| Internet activity | IP address, country of access |
| Commercial information | Subscription plan, billing period |
| Audio, visual, and similar information | Video files, audio files, and images you upload |
| Geolocation data | Country-level location derived from IP address |
Your CCPA Rights
As a California resident, you have the right to:
- Know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
- Delete — Request deletion of personal information we have collected from you, subject to certain exceptions (such as legal retention requirements).
- Correct — Request correction of inaccurate personal information.
- Opt out of sale or sharing — We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising.
- Non-discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing or quality of service.
To exercise your CCPA rights, contact us using the information in the Contact Us section. We will verify your identity before fulfilling your request and respond within 45 days.
Do Not Sell or Share
Prodeo does not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising purposes. Your media files and project data are never used for advertising or shared with advertisers.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- All data in transit is encrypted using HTTPS/TLS
- Session cookies are encrypted, HTTP-only, and use the Secure flag in production
- OAuth authentication uses PKCE to protect against authorization code interception
- Sensitive configuration values are stored in Google Cloud Secret Manager, not in application code
- Payment processing is handled by PCI-DSS compliant Stripe — we never store card details
- CSRF protection is implemented via OAuth state parameters
While we strive to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly notifying affected users in the event of a data breach as required by applicable law.
11. International Data Transfers
Prodeo is hosted on Google Cloud Platform infrastructure, which may involve processing your data in the United States or other countries where Google operates data centers. If you are accessing Prodeo from outside the United States, please be aware that your data may be transferred to, stored, and processed in a country with different data protection laws than your own.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.
12. Children's Privacy
Prodeo is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 16, we will take steps to promptly delete that information. If you believe a child has provided us with personal data, please contact us using the details below.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically to stay informed about how we protect your data.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your data protection rights, or have concerns about how we handle your information, please contact us:
For GDPR-related requests, we will respond within 30 days. For CCPA-related requests, we will respond within 45 days. If we need more time, we will notify you of the extension and the reason for it.