Privacy Policy

LAST UPDATED 28 APRIL 2026

Who we are

Backplate is operated as a sole proprietorship by Bijan Vesper in Switzerland. Postal address and contact details are listed in the Imprint. For privacy questions, contact privacy@backplate.ai.

Scope

This policy applies to the Backplate website, the Backplate plugin for DaVinci Resolve and Adobe Premiere Pro, and the API at backplate.ai. It covers Swiss residents under the revised Federal Act on Data Protection (revFADP) and EU/EEA residents under the GDPR.

What we collect

Account data

• Email address — required to create an account, recover access, and contact you about your account.
• Password — stored as a bcrypt hash. We never see or store the plaintext.
• Email verification status and timestamp.
• Account creation timestamp.

Generation requests

• The single video frame you generate against, transmitted over HTTPS as a PNG.
• The text prompt you provide.
• Cache key (hash of frame + prompt) used to deduplicate retries.
• Frames and prompts are not retained beyond the duration of the request. The generated result is held briefly in temporary storage and deleted after delivery.

Usage and billing data

• Token balance and a ledger of every credit (purchase, signup bonus, refund) and debit (generation).
• Each ledger entry records: timestamp, amount, reason, current balance.

Technical data

• IP address — used only for per-IP rate limiting and abuse prevention. Stored in memory for the rate-limit window (typically 60 minutes).
• Authentication tokens — bearer tokens issued to your plugin, hashed at rest, expiring after 90 days.
• Server logs — minimal request logs for debugging and security, retained for 14 days.

What we do not collect

• We use one privacy-friendly, cookie-less analytics service (Plausible — see sub-processors below). We do not use advertising trackers or social media pixels.
• We do not set cookies other than a single session cookie required for sign-in (HttpOnly, SameSite=Lax, Secure).
• We do not retain video frames or prompts after the generation request completes.
• We do not sell or share personal data with advertisers or data brokers.

Third-party processors

We rely on the following service providers to operate Backplate. Each processes data only as needed for its stated purpose.

Hetzner Online GmbH (hosting)

Servers in Nürnberg, Germany. Processes account data, generation requests in transit, and ledger data on persistent storage.

Google LLC — Gemini API (AI generation)

Each generation sends your frame and prompt to Google's Gemini API for processing. Google's data handling for the Gemini API is described at ai.google.dev/gemini-api/terms. Google may transfer data outside the EU/EEA; transfers are covered by Standard Contractual Clauses.

Resend (transactional email)

Resend, Inc. sends account verification and notification emails. Region: EU (Ireland). Processes your email address and the message body.

Paddle (payments — when active)

Paddle.com Market Limited is the Merchant of Record for token purchases. Paddle collects billing details, payment method, billing address, and tax data. Backplate receives only the transaction confirmation. Paddle's privacy policy: paddle.com/legal/privacy.

Cloudflare (DNS registrar)

Cloudflare manages the backplate.ai domain registration. The Cloudflare HTTP proxy is not active — DNS resolves directly to our origin in Nürnberg.

Plausible Analytics (privacy-friendly site analytics)

Plausible Insights OÜ (Estonia, EU) processes anonymous, cookie-less page-view counts for backplate.ai. No personal data is collected, no cross-site tracking is performed, and no consent banner is required under GDPR/PECR. IP addresses are processed in transit only and never stored. Details: plausible.io/data-policy.

Legal basis (GDPR Art. 6)

• Contract performance — account, billing, and generation processing.
• Legitimate interest — rate limiting, abuse prevention, server logs.
• Legal obligation — tax and accounting records.
• Consent — only where explicitly requested (we do not currently rely on consent).

International transfers

Account and ledger data is stored in Germany (EU). Generation processing occurs at Google data centers, which may be outside the EU/EEA — covered by Standard Contractual Clauses. Payment processing by Paddle may involve transfers to the United Kingdom and the United States under the same safeguards.

Retention

• Account data — for the lifetime of your account, plus 30 days after deletion request.
• Ledger and billing records — 10 years (Swiss commercial law / Art. 958f OR).
• Authentication tokens — auto-expire after 90 days.
• Frames and prompts — not retained after the request.
• Server logs — 14 days.

Your rights

Under the revFADP and GDPR you have the right to:

• Request a copy of the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data, subject to legal retention requirements above.
• Object to processing or request restriction.
• Receive your data in a machine-readable format (data portability).
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU supervisory authority.

To exercise any of these rights, email privacy@backplate.ai. We respond within 30 days.

Security

All traffic uses HTTPS with TLS 1.2+. Passwords are hashed with bcrypt. Authentication tokens are stored hashed. The macOS plugin holds your token in the system Keychain; the Premiere panel uses UXP secure storage. Per-IP and per-account rate limits guard against brute-force attempts. The container runs as an unprivileged user.

Children

Backplate is a professional editing tool and is not directed at users under 16. We do not knowingly collect data from children.

Changes to this policy

Material changes are announced by email to registered users at least 14 days before taking effect. The "last updated" date at the top of this page reflects the current version.