Privacy Policy & Data Processing Agreement (DPA) – Vibeo.ai

Last updated: 15/04/25

SECTION 1 – PRIVACY POLICY

1.1 Introduction

Vibeo.ai (“Vibeo”, “we”, “us”) is a video software platform that allows businesses to collect and generate authentic testimonial-style videos from their clients, customers, or partners.

By default, Vibeo acts as the Data Controller of all personal data processed through the platform.

However, when a user activates the GDPR Consent feature and provides their own privacy policy, that user becomes the Data Controller and Vibeo acts as a Data Processor.

This policy explains how personal data is collected, processed, and protected under both configurations.

1.2 What Data We Collect

We may collect:
- Identification data (name, email if provided)
- Video/audio content submitted by participants
- Technical metadata (IP address, timestamps, browser data)
- Account data from registered business users (company name, login credentials)

1.3 Purpose of Processing

Data is processed to:
- Collect and manage video testimonials via shareable links
- Generate and edit branded video content using AI
- Allow users to download, export, and share content
- Support platform operations and improvements
- Comply with legal obligations

1.4 Legal Basis

a) Default Mode (Vibeo = Data Controller)
- Consent (Art. 6.1.a GDPR) – for video submissions
- Legitimate interest (Art. 6.1.f GDPR) – for platform performance and fraud prevention

b) GDPR Consent Mode (User = Data Controller)
- Vibeo acts solely on instructions of the user (Art. 28 GDPR)
- Users are responsible for collecting lawful consent and providing legal information to data subjects

1.5 Participant Rights & Video Deletion

Participants may request deletion of their video at any time by emailing:
📧 privacy@vibeo.ai

Required:
- The email address used (if any)
- The company name that invited you
- A link to the video (if available)

Requests are processed within 7 working days. If Vibeo is acting as a Data Processor, we will forward the request to the responsible business.

1.6 How Videos Are Used

Collected videos may be used by the business user for:
- Customer success and testimonials
- Marketing and sales enablement
- Website and social media publishing
- Internal communications or hiring content

Participants are always informed prior to submission, and may refuse to participate.

1.7 Subprocessors

We use trusted third-party providers for hosting, AI transcription, video rendering, and analytics.
A list of subprocessors is available upon request. All subprocessors are contractually bound to GDPR-compliant standards.

1.8 Data Retention

We retain personal data:
- Until deletion by the user (business account)
- Until request from the data subject
- As required to fulfill service obligations or legal requirements

1.9 Data Transfers

Data may be stored and processed outside the EEA. In such cases, we use safeguards like Standard Contractual Clauses (SCCs) approved by the European Commission.

1.10 Security

We apply industry best practices to ensure data protection:
- Encrypted data transmission and storage
- Access control based on roles
- Monitoring and logging of platform activity

1.11 Contact

For any privacy-related request, please contact:
Vibeo.ai – DKY Consulting FZCO
Dubai Silicon Oasis

📧 privacy@vibeo.ai

SECTION 2 – DATA PROCESSING AGREEMENT (DPA)

This section applies only when the business user activates the GDPR Consent feature, making them the Data Controller.

2.1 Scope and Duration

This DPA governs the processing of personal data by Vibeo (Data Processor) on behalf of the business user (Data Controller). It applies only when GDPR Consent is enabled by the user.

2.2 Nature and Purpose of Processing

Vibeo processes personal data for:
- Video collection via shareable link
- AI-based editing and transcription
- Campaign and account management
- Storage, export, and rendering of video content

2.3 Types of Data and Data Subjects

Data Subjects:
- Individuals invited to submit videos (e.g., clients, employees)

Personal Data:
- Name, email (optional)
- Video/audio content
- Technical metadata

2.4 Processor Obligations

Vibeo agrees to:
- Process data only on documented instructions
- Keep all personnel under confidentiality
- Implement technical and organizational security measures
- Assist the Controller with data subject requests
- Notify the Controller of any data breach
- Delete or return all data upon termination
- Make available all necessary documentation for compliance and audits

2.5 Subprocessors

Vibeo may engage subprocessors under GDPR-compliant contracts. The list of subprocessors is maintained and can be provided upon request.

2.6 International Transfers

Vibeo ensures legal safeguards for all transfers outside the EEA, including the use of SCCs where applicable.

2.7 Breach Notification

Vibeo shall notify the Controller without undue delay upon discovery of a personal data breach, including:
- Description of the breach
- Affected data
- Mitigation measures taken

2.8 Controller Responsibilities

The Controller is solely responsible for:
- Providing lawful grounds for processing
- Obtaining consent from data subjects
- Ensuring compliance with GDPR obligations
- Providing an appropriate privacy policy

2.9 Liability

Each party is liable for its own GDPR violations. Vibeo is not liable for any breach caused by actions of the Controller beyond the scope of this agreement.

2.10 Termination and Data Return

Upon termination of services or on request, Vibeo will:
- Delete or return all personal data
- Confirm deletion in writing if required

2.11 Governing Law

This Agreement is governed by the law of the EU Member State where the Controller is established, or, if not applicable, Irish law.

2.12 Contact Details

Data Processor:
DKY Consulting FZCO (Vibeo.ai)
📧 privacy@vibeo.ai
Dubai Silicon Oasis

Data Controller:
Defined dynamically per user activating GDPR Consent
Contact details available in the user’s own privacy policy