Privacy Policy

Overview

Virl ("we", "us", "our") operates the Virl platform and website. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Service. It applies to all users globally, with specific provisions for EU (GDPR), California (CCPA), and Indian (DPDP Act) users.

Data Controller: Virl, Hyderabad, Telangana, India. Contact: privacy@virl.ai

Data We Collect

2.1 Information You Provide

Account data: Name, email address, password (hashed), profile photo, and billing address
Payment data: Credit/debit card details (processed by Stripe/Razorpay — we never store raw card numbers), billing address, GST number (if applicable)
Content uploads: Videos, audio files, URLs, and text you submit for processing
Brand voice data: Past content samples you upload to train your brand voice profile
Social account credentials: OAuth tokens for connected social media accounts (encrypted at rest)
Communications: Emails, support tickets, and feedback you send us

2.2 Automatically Collected Data

Usage data: Pages visited, features used, repurpose history, publish logs, session duration
Device data: IP address, browser type, operating system, device identifiers
Performance data: Crash reports, error logs, API response times
Cookies and similar technologies: See Section 8

2.3 Data from Third Parties

Social media profile data (name, handle, profile photo) when you connect accounts via OAuth
Payment verification data from Stripe and Razorpay
Authentication data if you sign in via Google, LinkedIn, or other OAuth providers

How We Use Your Data

Purpose	Data Used	Legal Basis
Provide and improve the Service	Account data, content, usage data	Contract performance
Process payments	Payment data, billing address	Contract performance
AI content processing	Content uploads, brand voice data	Contract performance
Auto-publish to platforms	OAuth tokens, generated content	User consent
Security & fraud prevention	IP address, usage patterns	Legitimate interest
Customer support	Account data, communications	Contract performance
Product analytics	Anonymized usage data	Legitimate interest
Legal compliance	Any required data	Legal obligation
Marketing (with opt-in)	Email, usage data	Consent

We do not use your personal data to train third-party AI models. We do not use your content to improve Anthropic, OpenAI, or other AI providers' foundation models without your explicit consent.

We do not sell your personal data. We share data only in these circumstances:

4.1 Service Providers (Data Processors)

We share data with trusted service providers who process data on our behalf, under strict data processing agreements:

Anthropic: Text content for AI processing (no training on your data per Anthropic's API terms)
OpenAI: Audio content for transcription via Whisper API
fal.ai: Image generation prompts and parameters
ElevenLabs / D-ID: Voice and video generation data
Reap: Video files for clip extraction
Ayrshare: Generated content and OAuth tokens for social publishing
Stripe / Razorpay: Payment processing
Clerk: Authentication and user management
Supabase: Database and file storage (encrypted)
Railway / Vercel: Hosting and infrastructure

4.2 Legal Requirements

We may disclose data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of Virl, our users, or the public.

4.3 Business Transfers

In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you with 30 days' advance notice and provide options to delete your account.

4.4 With Your Consent

We may share data with third parties with your explicit consent, such as when you connect a new integration.

Data Storage & Security

Your data is stored on servers located in India and/or the United States (AWS / Supabase infrastructure). International data transfers comply with applicable data protection frameworks.

Security measures include:

AES-256 encryption for data at rest
TLS 1.3 encryption for data in transit
OAuth token encryption with rotating keys
Role-based access controls for all staff
Regular security audits and penetration testing
SOC 2 Type II compliance (in progress)
Multi-factor authentication for all internal systems

Data Retention

Account data: Retained while your account is active. Deleted within 30 days of account closure
Uploaded content: Stored for 90 days after processing, then automatically deleted unless you save outputs
Generated content: Stored in your account until you delete it
Payment records: Retained for 7 years as required by Indian tax law
Support communications: Retained for 3 years
Usage logs: Anonymized after 12 months

Your Rights

Depending on your jurisdiction, you have the following rights over your personal data:

Access: Request a copy of all personal data we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal data ("right to be forgotten")
Portability: Request your data in a machine-readable format
Restriction: Request restriction of processing in certain circumstances
Objection: Object to processing based on legitimate interest
Withdraw consent: Withdraw consent for consent-based processing at any time

To exercise any right, email privacy@virl.ai with subject "Data Rights Request". We will respond within 30 days. Identity verification may be required.

Cookie Policy

8.1 What We Use

Category	Purpose	Can Opt Out?
Essential	Login session, security, load balancing	No (required)
Functional	Remember preferences, language settings	Yes
Analytics	Usage patterns, feature adoption (anonymized)	Yes
Marketing	Personalized ads (only with consent)	Yes

8.2 Managing Cookies

You can manage cookies through your browser settings. Disabling essential cookies will prevent you from using the Service. You can opt out of analytics cookies via our Cookie Preference Center accessible from the website footer.

We use privacy-respecting analytics (no cross-site tracking, no fingerprinting) to minimize data collection.

AI Processing & Your Content

When you submit content for AI processing:

Your content is sent to AI providers (Anthropic, OpenAI, fal.ai, etc.) only as needed to provide the Service
We do not allow AI providers to train on your content. Our API agreements include data processing terms that prohibit training use
Processed content is not shared with other Virl users
Brand voice training data is stored separately and used only to personalize your own outputs
Autopilot mode processes content on your behalf according to your pre-set preferences

When you connect social media accounts:

We store OAuth access tokens (encrypted) to publish content on your behalf
We access only the permissions you grant (publish, basic profile)
We do not access your followers' private data
You can disconnect any platform at any time from Account Settings, which revokes our access
Analytics data (likes, views, engagement) is fetched from platform APIs and stored in your account only

Children's Privacy

Virl is not directed to children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that a child under 18 has provided personal data, we will delete it immediately. Contact privacy@virl.ai if you believe we have inadvertently collected such data.

If you are in the European Economic Area (EEA), UK, or Switzerland, your data rights are protected under GDPR and equivalent laws. Our lawful bases for processing are: contract performance, legitimate interest, legal obligation, and consent. You have the right to lodge a complaint with your national Data Protection Authority (DPA). Our EU Representative contact: eu-privacy@virl.ai

CCPA — California Users

California residents have rights under the California Consumer Privacy Act (CCPA) including: the right to know what personal information is collected, the right to delete personal information, the right to opt-out of sale (we do not sell personal information), and the right to non-discrimination for exercising rights. To submit a CCPA request, email privacy@virl.ai with "CCPA Request" in the subject line.

India — Digital Personal Data Protection Act (DPDP) 2023

Virl complies with India's Digital Personal Data Protection Act, 2023. As a Data Fiduciary:

We process personal data only with consent or for legitimate uses as defined by the Act
We maintain a Consent Artefact for all consent-based processing
You have the right to access, correct, and erase your personal data
You have the right to nominate another person to exercise your rights in the event of death or incapacity
You have the right to grievance redressal — contact our Grievance Officer at grievance@virl.ai
Significant data fiduciary obligations will be applied as notified by the Government

Grievance Officer: grievance@virl.ai · Response time: 72 hours

Security Practices

We implement industry-standard security measures to protect your data. In the event of a data breach that poses a risk to your rights, we will notify you and relevant authorities within 72 hours as required by applicable law.

To report a security vulnerability, email security@virl.ai. We maintain a responsible disclosure program.

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email and/or a notice on our platform at least 14 days before taking effect. The "Last updated" date at the top will always reflect the most recent version. Continued use of the Service after changes constitutes acceptance.

Contact & Data Requests

For privacy-related inquiries, data requests, or complaints:

Privacy Officer: privacy@virl.ai
Grievance Officer (India): grievance@virl.ai
EU Representative: eu-privacy@virl.ai
Security: security@virl.ai
Postal address: Virl, Hyderabad, Telangana 500081, India

We aim to respond to all privacy requests within 30 days.