Privacy Policy

Last Updated: January 13, 2026

Policy Highlights

  • We do not sell your personal information
  • Biometric data (facial recognition) is processed only to provide our Service to business customers
  • Privacy-focused analytics with no third-party tracking
  • 30-day data recovery period after deletion requests
  • Data export available in portable formats upon request

1. Introduction

K5 Labs, LLC ("K5 Labs," "we," "us," or "our"), operating as ReelStorage, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our professional media asset management platform ("Service").

ReelStorage is a business-to-business (B2B) platform designed for film and media production companies, post-production studios, and creative professionals. We process data on behalf of our organizational customers who use our Service to manage their production assets.

Contact Information:
K5 Labs, LLC
1401 21st Street Suite R
Sacramento, CA 95811, United States

General Support: [email protected]
Privacy Inquiries: [email protected]

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • First and last name
  • Profile image (optional)
  • Organization name and details
  • Account credentials (passwords are securely hashed)

2.2 Media Assets and Metadata

When organizational users upload media files, we collect and process:

  • File content: Images, videos, and other media files
  • Technical metadata: File size, format, resolution, codec information
  • EXIF/IPTC data: Camera settings, lens information, timestamps, and GPS coordinates if embedded in the original file
  • Production metadata: Scene names, shot names, project identifiers, creator credits

2.3 Facial Recognition Data (Biometric Information)

Our Service includes AI-powered face detection and recognition features to help production teams organize and tag individuals across media assets. When this feature processes uploaded media:

  • Facial embeddings: Mathematical representations (numerical vectors) derived from detected faces in uploaded media
  • Face metadata: Bounding box coordinates, detection confidence scores, quality assessments
  • Cluster associations: Groupings of similar faces and assigned tags/names

Important clarification: This biometric data is derived from media assets uploaded by production companies, not collected directly from the individuals depicted. The media assets are owned by our organizational customers (production companies, studios) who have their own contractual relationships with the talent depicted in the content.

2.4 Talent Approval Access

When talent (individuals depicted in production media) access our approval portal via access codes, we collect:

  • Name and email (if provided by the production company)
  • Approval/rejection decisions on specific assets
  • Session information (IP address, browser type, timestamps)

2.5 Payment Information

Payment processing is handled by Stripe, Inc. We do not store complete credit card numbers on our servers. We receive and store:

  • Stripe customer and subscription identifiers
  • Billing plan and subscription status
  • Transaction history and invoices

2.6 Usage and Technical Data

We automatically collect:

  • Log data: IP addresses, browser type, device information, pages visited, actions taken
  • Session data: Login timestamps, session duration, feature usage
  • Analytics: Aggregated usage statistics via privacy-focused analytics that does not track users across websites or share data with third parties

2.7 Communications

When you contact us or subscribe to updates, we collect email addresses and message content.

3. How We Use Your Information

We use collected information to:

  • Provide the Service: Store and organize media assets, enable collaboration, process approvals
  • Enable face recognition: Automatically detect, group, and tag faces in uploaded media for organizational efficiency
  • Process payments: Manage subscriptions and billing through Stripe
  • Communicate: Send transactional emails, notifications, and support responses
  • Improve the Service: Analyze usage patterns, fix bugs, develop new features
  • Ensure security: Detect fraud, prevent abuse, maintain audit logs
  • Comply with legal obligations: Respond to legal requests, enforce our terms

3.1 Automated Decision-Making

Our face recognition features use automated processing to detect and cluster similar faces within uploaded media. These features assist production teams with organization but do not make decisions with legal or similarly significant effects on individuals. Human review and approval by organization users is required before any face tags or identifications are finalized and associated with named individuals.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and similar jurisdictions, we process personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you have subscribed to
  • Legitimate interests: Improving our Service, ensuring security, and marketing (where permitted)
  • Legal compliance: Meeting regulatory requirements
  • Consent: Where required, particularly for marketing communications

Regarding facial recognition data: We process this data as a data processor on behalf of our organizational customers (data controllers). The legal basis for processing is established between the production company and their contracted talent. Our organizational customers are responsible for ensuring appropriate consents or contractual bases exist with individuals depicted in their media.

4.1 Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with our organizational customers that define our obligations as a data processor, including:

  • Instructions for processing personal data
  • Security requirements and technical measures
  • Sub-processor management and notification
  • Data subject rights assistance
  • Data deletion and return upon termination

To request a copy of our standard DPA, please contact [email protected].

5. Data Sharing and Disclosure

5.1 Service Providers (Sub-processors)

We share data with third-party service providers who assist in operating our Service:

Provider | Purpose | Data Shared | Location
Stripe, Inc. | Payment processing | Billing information, subscription data | United States
Cloudflare, Inc. | Content delivery and storage | Media files, access logs | United States
Amazon Web Services, Inc. | Cloud infrastructure | Media files for processing | United States

A complete list of sub-processors is available at /legal/sub-processors. We will notify organizational customers of any intended changes to sub-processors, providing an opportunity to object before the change takes effect.

5.2 Within Organizations

Data uploaded by organizational users is accessible to other authorized members of that organization based on their assigned roles and permissions.

5.3 Talent Access

Production companies may grant talent access to specific assets for approval purposes. Talent can only view assets explicitly shared with them via access codes.

5.4 Legal Requirements

We may disclose information when required by law, court order, or government request, or to protect rights, safety, or property.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify affected users before their data becomes subject to a different privacy policy.

6. International Data Transfers

ReelStorage is operated from the United States. If you access the Service from the EEA, UK, or other regions with data protection laws, please note that your data may be transferred to and processed in the United States.

We rely on appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with our service providers
  • Where applicable, reliance on adequacy decisions or other recognized transfer mechanisms

6.1 Supplementary Measures

In accordance with the Schrems II decision and EDPB guidance, we implement supplementary technical and organizational measures to protect transferred data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access controls: Role-based access following the principle of least privilege
  • Data minimization: We only transfer data necessary for the specific processing purpose
  • Pseudonymization: Where feasible, we use identifiers rather than direct personal data
  • Audit logging: All access to personal data is logged and monitored

7. Data Retention

We retain data according to the following schedule:

  • Account data: Retained while your account is active and for 30 days after a deletion request
  • Media assets: Retained until deleted by the organization, then permanently removed after a 30-day recovery period
  • Facial recognition data: Deleted when the associated media asset is permanently deleted
  • Audit logs: Retained for security and compliance purposes for up to 3 years
  • Payment records: Retained as required for tax and legal compliance (typically 7 years)

When an individual user account is deleted but belongs to an active organization, personal user data is removed, but organization-owned assets (including any derived facial recognition data) are retained by the organization.

Legal holds: Retention periods may be extended when required by law, legal proceedings, litigation holds, or regulatory investigations.

8. Cookies and Tracking Technologies

8.1 Cookies We Use

Cookie | Purpose | Duration | Type
Session cookie | Authentication and security | Session | Essential
anon_id | Anonymous analytics tracking | 1 year | Analytics

8.2 Analytics

We use privacy-focused analytics that does not use cookies for cross-site tracking and does not collect personally identifiable information, and we do not share analytics data with third parties. The anonymous identifier cookie helps us understand usage patterns without identifying individual users across sessions.

8.3 Do Not Track Signals

Our Service does not currently respond to "Do Not Track" (DNT) browser signals, as there is no consistent industry standard for compliance. However, our privacy-focused analytics does not track individual users across websites, and we do not engage in cross-site tracking or behavioral advertising.

8.4 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

9. Your Rights

9.1 All Users

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your data in a structured, commonly used, machine-readable format (data portability)
  • Opt out of marketing communications

9.2 EEA/UK Users (GDPR)

If you are in the European Economic Area or United Kingdom, you additionally have the right to:

  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Withdraw consent at any time (where processing is based on consent)
  • Receive your data in a structured, commonly used format and transmit it to another controller
  • Lodge a complaint with your local data protection authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany)

9.3 California Residents (CCPA/CPRA)

California residents have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Delete personal information (with certain exceptions)
  • Opt out of the sale or sharing of personal information
  • Correct inaccurate personal information
  • Limit use of sensitive personal information
  • Not be discriminated against for exercising these rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

Sensitive Personal Information: We process facial recognition data as part of our Service. Under CPRA, biometric information is considered sensitive personal information. This data is processed solely to provide the face recognition features of our Service to our business customers and is not used for profiling or advertising purposes.

9.4 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law (typically 30-45 days).

For individuals depicted in production media: If you believe your likeness appears in media processed through our platform and wish to exercise data protection rights, please contact the production company that owns the media. As a data processor, we act on instructions from our organizational customers.

9.5 Withdrawing Consent for Facial Recognition

To withdraw consent for facial recognition processing of your likeness, please contact the production company that uploaded your media. They can instruct us to:

  • Delete specific facial embeddings associated with you
  • Remove you from face clusters
  • Exclude your face from future automated processing

We will process such requests within 30 days of receiving instructions from the data controller.

10. Biometric Data: State-Specific Notices

10.1 Illinois Residents (BIPA)

The Illinois Biometric Information Privacy Act (BIPA) provides specific protections for biometric data. If you are an Illinois resident or your likeness appears in media processed through our platform:

  • Data processor role: ReelStorage acts as a data processor. Our organizational customers (production companies) are responsible for obtaining written releases from individuals before uploading media containing biometric identifiers to our Service.
  • Retention and destruction: Facial embeddings are retained only as long as the associated media asset exists. When media is permanently deleted, all derived biometric data is destroyed within 30 days.
  • No sale or profit: We do not sell, lease, trade, or otherwise profit from biometric data.
  • Storage and protection: Biometric data is encrypted at rest and protected using industry-standard security measures at least as protective as those used for other confidential and sensitive information.

For organizations subject to BIPA: Our organizational customers are responsible for obtaining written informed consent from individuals before uploading media containing their biometric identifiers. Our Terms of Service require customers to confirm they have obtained necessary consents.

10.2 Texas Residents (CUBI)

Under the Texas Capture or Use of Biometric Identifier Act, we do not capture biometric identifiers for commercial purposes without consent. Our organizational customers must ensure proper consent is obtained before uploading media containing biometric data.

10.3 Washington Residents

Under Washington's biometric privacy law (RCW 19.375), we provide notice that our Service processes biometric data from uploaded media for the purpose of organizing and tagging individuals in production assets.

11. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Industry-standard secure password hashing
  • Role-based access controls
  • Regular security audits and monitoring
  • Rate limiting and abuse prevention
  • Comprehensive audit logging
  • Infrastructure hosted on SOC 2 compliant providers

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

11.1 Data Breach Notification

In the event of a data breach affecting personal data, we will:

  • Notify affected organizational customers without undue delay and within 72 hours where feasible
  • Provide information about the nature of the breach, categories of data affected, approximate number of records, and remediation steps taken
  • Assist customers in meeting their own notification obligations to data protection authorities and affected individuals
  • Document the breach including facts, effects, and remedial actions taken

If required by applicable law, we will also directly notify affected individuals and relevant data protection authorities.

12. Children's Privacy

ReelStorage is a B2B service designed for professional production companies and is not directed at children under 16. We do not knowingly collect personal information directly from children.

Regarding minors depicted in production media: Media uploaded by production companies may contain images of minor talent who are under professional contracts with studios and represented by agents or guardians. Production companies using our Service must ensure they have:

  • Obtained appropriate parental/guardian consent for the minor's likeness
  • Complied with applicable laws including:
    • COPPA (Children's Online Privacy Protection Act) for US minors under 13
    • California's SOPIPA (Student Online Personal Information Protection Act) if applicable
    • Coogan Law provisions and other entertainment industry regulations governing minor performers
    • Applicable child labor laws in their jurisdiction

When minor talent access our approval portal, such access is facilitated by the production company under their existing contractual arrangements with the minor's guardians or representatives.

13. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date
  • Sending an email notification to account holders for significant changes
  • Notifying organizational customers of changes that affect their processing arrangements

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

15. Contact Us

For questions about this Privacy Policy or to exercise your data protection rights, please contact us:

K5 Labs, LLC
1401 21st Street Suite R
Sacramento, CA 95811, United States

General Support: [email protected]
Privacy Inquiries: [email protected]

For data protection inquiries or to contact our Data Protection Officer, please email [email protected] with "Data Protection Officer" in the subject line.