← Back to SceneCrew

Privacy Policy

We respect your privacy and we minimise what we collect. This Policy explains what personal data we process when you use SceneCrew, why we process it, who else sees it, how long we keep it, and the rights you have over it.

Last updated 22 April 2026Version 1.0

At a glance

  • Who we are. Quantum Touch Limited, a company registered in England and Wales, trading as SceneCrew. We are the data controller for the personal data described here.
  • What we collect. Account data, payment metadata, the content you create on the platform, technical logs, and cookies used to keep you signed in.
  • What we do with it. We operate the Service, handle your billing, route your Inputs to the AI Providers you choose, keep your account secure, and meet our legal obligations.
  • We do not sell your personal data. We do not train AI models on your content. We do not profile you for advertising.
  • Your rights are real. You can access, correct, export, or delete your personal data. Contact privacy@scenecrewai.com.

1. Data controller

The controller of the personal data described in this Policy is:

Quantum Touch Limited
trading as SceneCrew
Registered in England and Wales
Company number: (see Contact page)
Registered office: (see Contact page)
Privacy contact: privacy@scenecrewai.com

We are not currently required to appoint a Data Protection Officer under UK GDPR or EU GDPR. If that changes, we will update this Policy and publish the DPO's contact details here.

2. Scope of this Policy

This Policy applies to personal data we process in connection with the SceneCrew platform at scenecrewai.com and related subdomains, our marketing pages, and direct communications with you. It does not apply to third-party websites or services we do not control, including the AI Providers, whose own privacy policies govern their processing of your data.

3. What personal data we collect

3.1 Data you provide to us

  • Identity & contact. Name, email, organisation (optional).
  • Authentication. A hashed password (bcrypt). If you enable two-factor authentication, the encrypted TOTP secret and recovery codes.
  • Content. Everything you submit to generate a video: briefs, scripts, character descriptions, images or audio you upload, Director chat messages, prompt edits, and the AI-generated outputs delivered back to you (“Your Content” as defined in the Terms).
  • API keys. If you use our BYOK mode, the API keys you provide for AI Providers. These are stored encrypted and used only to send requests you explicitly trigger.
  • Preferences. Director choice, plan settings, notification preferences, cookie preferences.
  • Support correspondence. Messages you send to us and any information you choose to include.

3.2 Data from payments

Payments are processed by Stripe, Inc. We do not see or store your full payment card number. Stripe provides us with a customer identifier, your billing country, a truncated card descriptor (last four digits and network), and subscription status. Stripe is a separate controller for the card details you enter on their forms.

3.3 Data collected automatically

  • Technical logs. IP address, user-agent, referrer, timestamps, and request metadata. We use these for security, debugging, and rate limiting.
  • Login history. A record of successful and failed sign-in attempts (timestamp, IP address, user-agent) to help you and us detect unauthorised access.
  • Usage analytics. Counts of requests, generation volume, model selection, error rates, and feature interactions in aggregate form.
  • Cookies. See Cookie Policy. Only strictly-necessary cookies are set by default.

3.4 Data from third parties

  • Identity providers. If you sign in with Google OAuth, Google provides us with your name, email address, and a stable unique identifier.
  • Payment processor. Stripe shares subscription events (renewals, failures) and refunds via webhooks.

4. How we use personal data

We use personal data only for these purposes:

PurposeUK / EU GDPR legal basis
Create and manage your account; provide the Service; route your Inputs to AI Providers you select; return Outputs; operate the Director system.Performance of a contract (Art. 6(1)(b))
Send transactional emails: verification, billing notices, password resets, security alerts, material service changes.Performance of a contract (Art. 6(1)(b))
Handle payments, prevent payment fraud, process refunds and chargebacks.Performance of a contract (Art. 6(1)(b)); legitimate interests in fraud prevention (Art. 6(1)(f))
Secure the Service: intrusion detection, abuse monitoring, rate limiting, backup integrity.Legitimate interests (Art. 6(1)(f))
Investigate suspected violations of the Agreement, enforce the Acceptable Use Policy, respond to abuse reports.Legitimate interests (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c))
Product analytics: aggregated usage patterns to improve features and pricing. We do not profile individual users.Legitimate interests (Art. 6(1)(f))
Marketing communications about SceneCrew features or tips. Only where you have opted in or the soft-opt-in applies to similar products.Consent (Art. 6(1)(a)) / legitimate interests
Comply with our legal obligations: tax, accounting, responses to lawful requests, reporting of illegal content.Legal obligation (Art. 6(1)(c))

We do not train any AI model on your personal data or Your Content. We do not use Your Content to improve any AI Provider's models. See AI Disclosures for how we configure AI Providers to avoid training use of your data where the Provider offers that option.

5. Who we share data with

We share personal data only with the categories of recipients below, and only to the extent needed for the listed purpose.

5.1 AI Providers (processors of Your Content)

When you generate content, we send your Inputs (and any relevant project context) to the AI Provider you have selected. The Provider processes your Inputs to return an Output. We choose providers that publish enterprise-grade data terms and we select no-training tiers where those tiers are offered and suitable. The Providers we route to include, without limitation:

ProviderPurposePrimary locationReference
Google LLC (Gemini, Veo, Imagen via Google AI & Vertex)Text reasoning, image and video generationUnited States & Google EU regionspolicies.google.com/privacy
Anthropic PBC (Claude)Text and review reasoning for the Director systemUnited Statesanthropic.com/legal/privacy
OpenAI, L.L.C. (optional)Text and image generation, when selectedUnited Statesopenai.com/policies
OpenRouter, Inc. (optional gateway)Multi-model routing when selectedUnited Statesopenrouter.ai/privacy
fal.ai (FAL, Inc.)Video and audio model hosting (e.g. Kling, Wan, Seedance)United Statesfal.ai/privacy-policy
A2EAI avatar generationProvider-stateda2e.ai

We may add or remove AI Providers as the Service evolves. The current list is maintained on the AI Disclosures page. In BYOK mode, your relationship with the Provider is direct: you are the Provider's customer, and its privacy policy governs that relationship in full.

5.2 Infrastructure and operations

VendorRoleLocation
Contabo GmbHServer hosting for the platform and databaseEuropean Union (Germany)
Stripe, Inc. and Stripe Payments Europe, Ltd.Payment processing and subscription managementUnited States; European Union (Ireland)
Google LLC (Workspace / email)Inbound and outbound transactional emailUnited States; European regions
Cloudflare, Inc. (if enabled at the network edge)DNS, DDoS protection, TLS terminationGlobal

5.3 Other recipients

  • Professional advisers. Lawyers, accountants, insurers, and auditors under duties of confidence.
  • Authorities.Law enforcement, regulators, and courts where we are legally obliged to disclose — including reports of child sexual abuse material to the National Center for Missing & Exploited Children (NCMEC) and the Internet Watch Foundation (IWF).
  • Corporate transactions. A potential acquirer under confidentiality, or a successor entity in the event of a merger, acquisition, insolvency, or sale of assets.

We do not sell personal data. We do not share personal data for cross-context behavioural advertising as defined by the California Consumer Privacy Act (CCPA/CPRA).

6. International transfers

Some of the vendors listed above are located in, or transfer personal data to, the United States or other countries that the UK or EU has not deemed to offer an adequate level of data protection. Where such transfers occur, we rely on an appropriate transfer mechanism under Article 46 of the UK GDPR and EU GDPR, including:

  • The European Commission's Standard Contractual Clauses (2021);
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs;
  • Provider participation in the EU-US Data Privacy Framework and the UK Extension, where certified; and
  • Supplementary technical and organisational measures.

You may request a copy of the safeguards in place for any specific transfer by writing to privacy@scenecrewai.com.

7. How long we keep personal data

CategoryRetention
Account data (name, email, hashed password, 2FA secret)Life of the account, then up to 6 months
Project content, prompts, generated outputs, render artefactsLife of the account, or as set by your plan; deletable at any time via the dashboard. Backups cycle out within 35 days of deletion.
Payment records and invoices7 years to comply with UK tax and accounting obligations
Technical logs (IP, request metadata)90 days
Login history12 months
Support tickets3 years
Abuse reports and evidence preserved under legal holdAs long as required to investigate, defend claims, or comply with law-enforcement requests

8. Your rights

8.1 Rights under UK GDPR and EU GDPR

You have the right to:

  • Access your personal data (Art. 15);
  • Rectify inaccurate or incomplete data (Art. 16);
  • Erase your personal data in certain circumstances (Art. 17);
  • Restrict processing in certain circumstances (Art. 18);
  • Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20);
  • Object to processing based on legitimate interests or for direct marketing (Art. 21);
  • Withdraw consent at any time where we rely on it (Art. 7);
  • Not be subject to solely automated decisions producing legal or similarly significant effects (Art. 22). We do not currently make such decisions.

To exercise your rights, email privacy@scenecrewai.com. We may ask for information to verify your identity. We respond within one month; in complex cases we may extend by up to two further months and will tell you if we do.

You also have the right to lodge a complaint with a supervisory authority. In the UK that is the Information Commissioner's Office. In the EU it is the supervisory authority in your country of residence. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.

8.2 Rights under US state privacy laws (CCPA / CPRA and others)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you, the sources of that information, the purposes for which we collect and use it, and the categories of recipients we share it with;
  • Request a copy of your personal information in a portable format;
  • Correct inaccurate personal information;
  • Delete your personal information, subject to legal exceptions;
  • Opt out of “selling” or “sharing” of your personal information — note, we do neither; and
  • Limit the use of sensitive personal information. We do not use sensitive PI for purposes that trigger this right.

Residents of Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws have analogous rights. You may exercise these rights by contacting privacy@scenecrewai.com. You may use an authorised agent; we may verify their authority before responding.

We will not discriminate against you for exercising your privacy rights.

9. Cookies and similar technologies

See our detailed Cookie Policy. In short, we use strictly-necessary cookies for authentication and security. Any optional cookies are set only with your consent through the cookie banner, which you can change at any time via Manage cookies in the footer.

10. Security

We take the security of personal data seriously. Measures we currently apply include:

  • TLS encryption in transit for all web and API traffic;
  • Bcrypt hashing of passwords;
  • Encryption of stored user-supplied API keys;
  • Optional two-factor authentication using TOTP;
  • Rate limiting, login-history logging, impersonation audit logs, and admin audit logs;
  • Role-based access controls inside our infrastructure; principle of least privilege for engineering access;
  • Daily automated database backups with 14-day retention;
  • Hardening of the host: server-wide rules, file immutability on critical production files, restricted SSH access.

No system is perfectly secure. If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where legally required, notify you too.

11. Automated decisions and AI

Generative AI is central to the Service. The AI models that produce Outputs are operated by AI Providers, not by us. These models do not make legal or similarly significant decisions about you — they generate creative content in response to your instructions.

We do apply automated systems to protect the Service — for example rate limiting, fraud detection, and automated content safety filters supplied by AI Providers. These systems may result in requests being blocked or outputs being refused. You can ask us to review any automated block by writing to support@scenecrewai.com.

12. Children

The Service is not directed to children under 18 and we do not knowingly collect personal data from them. If we learn that we hold data about a child, we will delete it. See also our Content Rights & Consent Policy, which strictly prohibits AI generation of minors as subjects.

13. Do Not Track

Because there is no agreed standard for how online services should respond to the “Do Not Track” browser signal, we do not respond to it. Our cookie banner gives you direct control instead.

14. Changes to this Policy

We may update this Policy to reflect changes in our practices, technologies, legal requirements, or the services we use. When we make a material change we will notify you by email or by prominent notice in the Service at least fourteen days before the change takes effect, unless a shorter period is required by law or urgent security considerations.

15. Contact

Quantum Touch Limited (trading as SceneCrew)
Email: privacy@scenecrewai.com
Postal contact available from legal@scenecrewai.com on request.

Not legal advice. This document sets out the contractual position between you and Quantum Touch Limited. It is not a substitute for independent legal advice about your specific circumstances.

If any provision of this document is held unenforceable, the remainder continues in full force. If the English-language version conflicts with any translation, the English version controls.

© 2026 Quantum Touch Limited. SceneCrew is a trading name of Quantum Touch Limited.