Privacy Policy
Last updated: 6 April 2026
1. Who we are
Circkit Ltd. ("Circkit", "we", "us", or "our") is the data controller responsible for your personal data. We are registered in England and Wales.
Contact for data protection matters:
Email: privacy@circkit.io
Address: Circkit Ltd., London, United Kingdom
This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website at circkit.io, mobile applications, and all related services (the "Service"). It applies alongside our Terms of Service.
2. Data we collect
2.1 Data you provide directly
- Account data: Full name, email address, password (hashed — we never store plaintext passwords).
- Profile data: Filmmaker type, subscription tier, onboarding preferences.
- Project data: Film title, format, genre, runtime, country of origin, language, director and producer names and bios, loglines, synopses, subject tags, budget tier, stills and poster images.
- Submission data: Festival selections, submission dates, deadlines, fees paid, status updates, screener links, notes.
- Network data: Contact interaction logs, meeting notes, follow-up dates.
- Payment data: Processed by Stripe. We store your Stripe Customer ID and subscription status but never your full card number or CVV.
- Communications: Support emails, feedback, and any other messages you send us.
2.2 Data generated through your use
- AI-generated content: Festival fit scores, strategy analysis, materials feedback, programmer intelligence briefings, EPK content, and AI-drafted bios. These are generated using your project data and stored alongside a prompt version identifier.
- Awards tracking data: Eligibility status, qualifying submissions, and award body tracking records.
- Usage data: Pages visited, features used, time spent, actions taken within the Service.
2.3 Data from third parties
- Google OAuth: If you sign in with Google, we receive your name and email address from Google. We do not access your Google contacts, calendar, or other Google services.
- Vimeo: When you connect your Vimeo account, we access video metadata (titles, privacy settings, play statistics) within the scopes you authorise. We do not download or store your video files.
- Stripe: We receive subscription status updates, payment success/failure notifications, and customer identifiers via webhooks.
2.4 Technical data
- IP address, browser type and version, device type, operating system.
- Referring URL, pages visited, time and date of visits.
- Crash reports and performance data from mobile applications.
3. How we use your data
We process your data for the following purposes and legal bases under UK GDPR:
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service (account management, project features, submission tracking) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| AI-powered analysis and content generation | Performance of contract (Art. 6(1)(b)) |
| Sending transactional communications (deadline reminders, submission confirmations, account notifications) | Performance of contract (Art. 6(1)(b)) |
| Improving and developing the Service | Legitimate interest (Art. 6(1)(f)) |
| Ensuring security and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. AI data processing
When you use AI-powered features (festival strategy, materials analysis, programmer intelligence, bio generation, script analysis), your project data is sent to our AI processing infrastructure for analysis.
How it works:
- Your project data is sent to our secure server-side functions, which then call the AI provider (currently Anthropic Claude).
- AI calls are never made directly from your device — all processing goes through our backend.
- We send only the data necessary for the specific analysis you requested.
What we do not do:
- We do not use your data to train AI models.
- We do not share your project content with other users.
- We do not sell your data to any third party.
AI-generated outputs (scores, analyses, suggested rewrites) are stored in your account alongside a prompt version identifier, allowing us to maintain consistency and enable analysis history features.
5. Data sharing and third parties
We share your data only in the following circumstances:
| Recipient | Data shared | Purpose |
|---|---|---|
| Supabase (infrastructure) | All Service data | Database hosting, authentication, file storage, real-time features |
| Anthropic | Project data relevant to the AI feature used | AI-powered analysis and content generation |
| Stripe | Email, Stripe Customer ID | Payment processing and subscription management |
| Vimeo | OAuth tokens (if connected) | Screener management at your direction |
| Resend | Email address, notification content | Transactional email delivery |
| Vercel | Technical/usage data | Web application hosting and performance |
All third-party processors are bound by data processing agreements. We do not sell your personal data. We may disclose your data if required by law, court order, or to protect our legal rights.
6. International data transfers
Some of our third-party service providers are based outside the UK and European Economic Area (EEA). Where data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).
- Adequacy decisions where applicable.
- Binding corporate rules of the receiving organisations.
You may request details of the specific safeguards applied to any transfer by contacting privacy@circkit.io.
7. Data retention
We retain your data for as long as necessary to fulfil the purposes described in this policy:
- Account data: Retained while your account is active and for 30 days after deletion to allow recovery.
- Project and submission data: Retained while your account is active. Deleted within 30 days of account closure.
- AI-generated content: Retained while the associated project exists.
- Payment records: Retained for 7 years after the transaction as required by UK tax and accounting regulations (HMRC).
- Technical and usage data: Retained for up to 12 months.
- Marketing consent records: Retained for 3 years after consent is withdrawn, for compliance purposes.
When data is no longer needed, it is securely deleted or anonymised. Backups are purged on a rolling schedule.
8. Cookies and tracking
We use cookies and similar technologies to operate the Service. Here is what we use:
| Cookie type | Purpose | Duration |
|---|---|---|
| Essential / Authentication | Maintaining your login session and security tokens | Session / 7 days |
| Preferences | Remembering your settings (e.g. sidebar state, theme) | 1 year |
| Analytics | Understanding how the Service is used to improve it | 12 months |
We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or sell data to advertisers.
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.
9. Your rights
Under the UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data where there is no compelling reason for continued processing. You can also delete your account through Settings.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Request your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object: Object to processing based on legitimate interests, including for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Rights related to automated decision-making: We do not make solely automated decisions that produce legal effects concerning you. AI features provide recommendations that you choose whether to act on.
To exercise any of these rights, contact us at privacy@circkit.io. We will respond within one month, as required by law. We may ask you to verify your identity before processing your request.
If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
10. Data security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Row-level security on all database tables — your data is isolated from other users at the database level.
- Secure storage of sensitive tokens (Vimeo, Stripe) using encrypted vault storage.
- Regular security reviews and access controls.
- Server-side API key management — no API keys are exposed to client applications.
No system is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
11. Children's privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact privacy@circkit.io.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will post the revised policy on this page with an updated "Last updated" date.
- We will notify you by email at least 14 days before the changes take effect.
- We will display an in-app notice on your next login.
We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance.
13. Contact us
For any privacy-related questions, requests, or concerns:
Circkit Ltd.
Email: privacy@circkit.io
General support: support@circkit.io
UK Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113