Privacy Policy
Effective date: 20 May 2026 · Last updated: 28 June 2026
1. Who we are and how to contact us
Circkit is a product of BlackSlate AI Limited, a company registered in England and Wales (company number 17219805), with its registered office at Flat 4, 139 Walm Lane, London, United Kingdom, NW2 3AU. References in this Privacy Policy to “Circkit”, “we”, “us”, or “our” mean BlackSlate AI Limited operating the Circkit product. BlackSlate AI Limited is the data controller responsible for your personal data when you use our website at circkit.io, our mobile applications, and all related services (together, the “Service”).
We have not appointed a statutory Data Protection Officer, but you can reach our privacy team at:
Email: privacy@circkit.io
Post: BlackSlate AI Limited (Circkit), Flat 4, 139 Walm Lane, London, United Kingdom, NW2 3AU
EU representative. If we are required to appoint an EU representative under Article 27 of the EU GDPR, the details will be published here. Until then, EEA residents may contact us at the address above for all data-protection matters.
This Privacy Policy explains how we collect, use, share, and protect personal data, and your rights in relation to it. It applies alongside our Terms of Service.
2. Scope and changes
This Privacy Policy covers personal data we process when you create an account, use the Service, communicate with us, or visit our website. It does not cover the practices of third-party services we integrate with or may enable for connected features (such as Stripe, Vimeo, or Anthropic), which are governed by their own privacy notices.
We may update this Privacy Policy from time to time. When changes are material, we will post the revised policy here with an updated “Last updated” date and notify you by email or in-app notice at least 14 days before the changes take effect (except where a shorter period is required for legal, security, or regulatory reasons).
3. Personal data we collect
3.1 Data you provide directly
- Account data: full name, email address, password (we only store a salted hash, never the plaintext), authentication method (email or Google OAuth).
- Profile and preference data: filmmaker type, purchase and unlock history, onboarding answers, notification preferences, language/region.
- Project data: film title, format, genre, runtime, country of origin, language, director and producer names and bios, loglines, synopses, subject tags, budget tier, completion status, premiere status, stills, posters, and any other content you add to a project.
- Submission data: festival selections, submission dates, deadlines, fees paid, status updates, screener links, notes.
- Network data: contact details, interaction logs, meeting notes, follow-up dates.
- Payment data: processed by Stripe. We store your Stripe customer identifier, one-off Purchase status, refund/dispute status, digital-content acknowledgement records, and limited payment metadata, but we never see or store your full card number, CVC, or full bank details.
- Communications and support: messages you send via our in-app support widget or email, including the transcript of any support escalation, refund review request, your feedback, and any attachments you choose to share. When you escalate via the in-app widget, the transcript is sent to our private Slack workspace and to support@circkit.io via Resend. Product suggestions and refund reviews may also be routed to Linear for tracking.
- Filmmaker credit history: verified credits and festival history you provide or that we source from publicly available, cited material.
3.2 Data generated through your use of the Service
- AI-generated content: festival fit scores, strategy analysis, programmer intelligence briefings, EPK content, AI-drafted bios. Each output is stored against a versioned prompt identifier.
- Awards-tracking data: eligibility status, qualifying-submission links, and award-body tracking records.
- Usage data: pages visited, features used, time spent, actions taken, in-app interactions.
3.3 Data we receive from third parties
- Google OAuth: if you sign in with Google, we receive your name, email address, and Google account identifier. We do not access your Google contacts, calendar, drive, or other Google data.
- Vimeo: when you connect your Vimeo account, we receive video metadata (titles, privacy settings, play statistics, password settings) within the scopes you authorise. We do not download or store your video files; videos remain hosted on Vimeo.
- Stripe: we receive payment success/failure notifications, billing-address country (for tax), and customer identifiers via webhooks.
- Public sources (research data, not personal data about you): we build our Festival Data, programmer profiles, jury history, and selection patterns from publicly available sources (festival websites, official announcements, public press, trade reporting). To the limited extent any of that material constitutes personal data about identifiable festival programmers, juries, or directors of selected films, we process it under the legal basis described in section 4 for journalistic/research and legitimate-interest purposes.
3.4 Technical data
- IP address (truncated where appropriate), browser type and version, device type, operating system, screen size.
- Abuse-prevention hashes: on certain public tools that work without an account (Scam Radar, the landing-page FAQ, and our support intake forms), we store a salted, one-way (non-reversible) hash of your IP address, together with a shortened browser user-agent, solely to detect abuse and apply rate limits. We do not retain your raw IP address for these tools, and the hash cannot be reversed back to it. We rely on our legitimate interest in keeping free, open tools available and free from abuse.
- Referring URL, pages visited, time and date of visits, performance metrics.
- Crash reports, stack traces, and breadcrumbs collected through our error-monitoring provider (Sentry). These may include URL paths, user identifiers, and limited request context. We configure Sentry to filter out sensitive payloads where reasonably practicable.
- Cookies and similar technologies as set out in section 10.
4. How we use your data and our legal bases
Under the UK GDPR and EU GDPR, we must have a legal basis for each processing activity. We process your personal data for the following purposes and on the following bases:
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service (account creation, projects, submission tracking, awards tracking, EPK generation, and connected screener features where enabled). | Performance of a contract with you (Art. 6(1)(b)). |
| Processing payments, managing Purchases, billing, refunds, disputes, digital-content acknowledgements, and tax compliance. | Performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)). |
| Generating AI Output you have requested (fit scores, programmer briefings, EPK and bio drafts). | Performance of a contract (Art. 6(1)(b)). |
| Sending transactional communications (deadline reminders, submission confirmations, security notices, billing receipts, important policy updates). | Performance of a contract (Art. 6(1)(b)) and our legitimate interest (Art. 6(1)(f)) in operating the Service safely. |
| Providing customer support, product feedback workflows, and refund review workflows, including escalation to Slack, email, and Linear. | Performance of a contract (Art. 6(1)(b)). |
| Maintaining security, preventing fraud and abuse, monitoring for incidents, debugging errors. | Our legitimate interest (Art. 6(1)(f)) in keeping the Service secure and reliable; compliance with legal obligations (Art. 6(1)(c)). |
| Improving and developing the Service (aggregated analytics, usage patterns, performance). | Our legitimate interest (Art. 6(1)(f)) in understanding how the Service is used to improve it; where required, your consent for analytics cookies (Art. 6(1)(a)). |
| Curating Festival Data, programmer profiles, jury history, and selection patterns from publicly available sources. | Our legitimate interest (Art. 6(1)(f)) in providing a credible film-festival intelligence service to our users, balanced against the limited expectation of privacy in publicly published professional information. |
| Sending marketing communications about Circkit features or offers. | Your consent (Art. 6(1)(a)), opt-in only. You may withdraw at any time. |
| Complying with legal, regulatory, tax, accounting, and audit obligations, and responding to lawful requests by public authorities. | Compliance with a legal obligation (Art. 6(1)(c)); our legitimate interest in defending legal claims (Art. 6(1)(f)). |
We do not knowingly process special-category data (Article 9 of UK GDPR) about you. You should not include special-category data in projects, support messages, or other content unless it is necessary to the work and you have your own legal basis to do so.
5. AI processing
When you use AI-powered features (festival strategy, fit scoring, programmer intelligence, bio generation), the data you submit for the feature is sent to our server-side infrastructure and then to our AI provider (currently Anthropic) for processing.
How it works:
- All AI calls are made from our backend, never directly from your device or browser.
- We send only the data necessary for the requested analysis.
- Anthropic processes the request under Anthropic’s commercial terms and zero-data-retention/short-retention configurations we have selected where available. Anthropic acts as our processor for this purpose.
- AI Output is stored against a versioned prompt identifier so we can keep results consistent and allow you to view history.
What we do not do:
- We do not use your project data or Your Content to train our own AI models, and we do not authorise our AI providers to use it to train their general models.
- We do not share your project content with other Circkit users.
- We do not sell your personal data to any third party.
No automated decisions with legal effect. AI features provide recommendations, scores, and drafts for you to review. We do not make solely automated decisions that produce legal or similarly significant effects on you (Article 22 UK GDPR).
6. Sharing your data: service providers and subprocessors
We share personal data only where necessary to operate the Service, to comply with law, or with your consent. The following providers process personal data on our behalf as processors under data-processing agreements that meet UK and EU GDPR requirements:
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage, real-time features, edge functions. | All Service data. | EU / United States (with SCCs and UK Addendum where applicable). |
| Vercel Inc. | Web application hosting, edge runtime, performance analytics. | Technical and usage data; requests and request-context data. | Global edge network. |
| Anthropic, PBC | AI processing (Claude API) for fit scoring, programmer briefings, EPK and bio drafts. | The project content you submit for the specific AI feature you use. | United States (with SCCs / UK Addendum). |
| Stripe Payments Europe / Stripe Inc. | Payment processing for one-off Purchases, tax calculation, refunds, and dispute handling. | Name, email, billing address country, Stripe customer identifier, card identifier (tokenised), payment/refund/dispute metadata. | EU / United States. |
| Vimeo Inc. (if you connect, where this feature is enabled) | Screener management at your direction. | OAuth tokens, video metadata you access through us. | United States. |
| Resend | Transactional email delivery (account, billing, deadline reminders, support). | Email address, email content (including support transcripts you escalate). | United States / EU. |
| Sentry (Functional Software, Inc.) | Error monitoring, crash reporting, performance debugging. | Technical data, request context, breadcrumbs, user identifier where set. | United States / EU. |
| PostHog Inc. | Product analytics (feature usage, activation events). Only loaded after you accept analytics cookies. Product events are keyed to your account identifier and do not include your email. | Pseudonymous account identifier, feature-usage events, device and page context for analytics. | United States / EU. |
| Slack Technologies, LLC | Receiving in-app support escalations, product suggestions, refund review alerts, and operational alerts. | The support-conversation transcript, suggestion, refund request, or alert details you send, plus your user identifier and email where needed to respond. | United States. |
| Linear Orbit, Inc. | Issue tracking for product suggestions, support follow-up, refund reviews, and bug triage. | Issue summaries, user identifier, email where needed for follow-up, page URL, relevant support/refund details, and technical context. | United States. |
| Google LLC (if you sign in with Google) | Authentication. | Name, email, Google account identifier. | Global. |
We may also disclose personal data: (a) to professional advisers (lawyers, auditors, accountants) under confidentiality obligations; (b) to law-enforcement, courts, or regulators where required by law or lawful request; (c) to enforce or defend our legal rights, or to protect the rights, safety, or property of Circkit, our users, or others; and (d) to a buyer or successor in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to appropriate confidentiality and data-protection obligations.
We do not sell your personal data. We do not share it for cross-context behavioural advertising. We do not use third-party advertising trackers or pixels.
7. International data transfers
Some of our providers process personal data outside the UK and the EEA (most commonly in the United States). Where we transfer personal data outside the UK or EEA, we rely on one or more of the following safeguards:
- Adequacy decisions of the UK Government or the European Commission, where applicable.
- The UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses (2021), or the UK International Data Transfer Agreement.
- The EU Standard Contractual Clauses (2021/914).
- The EU-US Data Privacy Framework and its UK Extension, where the recipient is certified.
You may request a copy of the safeguards applied to a specific transfer by contacting us at privacy@circkit.io.
8. How long we keep your data
We retain personal data only as long as necessary for the purposes set out in this policy:
- Account data: while your account is active and for 30 days after account closure to allow recovery, after which it is deleted or anonymised.
- Project, submission, awards, and AI-Output data: while your account is active. Deleted within 30 days of account closure, except where retention is required by law.
- Payment records (invoices, transactions, VAT records, refund/dispute records, and digital-content acknowledgement logs): retained for at least 6 years after the relevant tax year, as required by HMRC, applicable accounting rules, and legal-claims handling.
- Support communications, refund requests, product suggestions, and escalation transcripts: retained for up to 24 months to maintain context for related issues and for service-improvement and dispute-handling purposes, unless longer retention is needed for legal claims.
- Technical, usage, and error-monitoring data: retained for up to 12 months and then aggregated or deleted.
- Marketing consent records: retained for 3 years after withdrawal of consent, to demonstrate compliance.
- Legal-claims records: retained for as long as necessary to establish, exercise, or defend a legal claim (typically up to 6 years from the date the claim arose, longer in limited circumstances).
When data is no longer needed it is securely deleted or anonymised. Backups are purged on a rolling schedule.
9. Security and data-breach handling
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest for all primary data stores.
- Row-level security on the database so users can only access their own records.
- Server-side API key management. AI, Stripe, Vimeo, and email API keys are never exposed to the client.
- Secure storage of sensitive third-party tokens (Vimeo OAuth, Stripe identifiers) in encrypted vault storage.
- Access controls, role-based permissions, multi-factor authentication for staff, and audit logging.
- Regular dependency scanning and security reviews; routine patching of known vulnerabilities.
Breach notification. If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the UK Information Commissioner’s Office (ICO) within 72 hours of becoming aware where required, and notify affected users without undue delay where the breach is likely to result in a high risk to them.
No system is completely secure. You are responsible for keeping your account credentials confidential and for using a strong, unique password.
10. Cookies and similar technologies
We use cookies and similar technologies (local storage, session storage) for the purposes set out below. Where the law requires it (UK PECR, EU ePrivacy Directive, and equivalent rules in the EEA, Switzerland, Brazil, California and Quebec) we show a consent banner before any non-essential storage is read or written.
The banner offers three equal-weight choices: Accept all, Reject all, or Customise (which opens a panel where you can toggle the Analytics category on or off individually). You can change your choice at any time from the “Cookie preferences” link in the site footer or in Settings.
| Category | Examples | Purpose | Duration | Basis |
|---|---|---|---|---|
| Strictly necessary | Supabase auth session, CSRF tokens, your consent choice (circkit_cookie_consent_v2), onboarding completion flag. | Keeping you signed in, protecting against attacks, remembering your cookie choice. | Session – 12 months | No consent required (essential to the Service). |
| Preferences | Sidebar state, last-viewed project, currency, locale. | Remembering your in-app choices. | Up to 12 months | Legitimate interest, with opt-out via Settings. |
| Analytics | Anonymous session ID, page views, viewport size, referrer, feature-usage events stored in our analytics_events table. No third-party advertising or cross-site tracking. | Understanding how the Service is used so we can improve it. | Up to 24 months | Your consent. |
| Error monitoring (Sentry, core) | Crash reports, stack traces, breadcrumbs, request context. PII is filtered where reasonably practicable. | Diagnosing crashes and keeping the Service working. | Up to 90 days | Legitimate interest in providing a reliable service. |
| Session replay (Sentry, optional) | A masked recording of your interactions with the page. Text is hidden, media is blocked. Only loaded if you accept Analytics. | Diagnosing UI bugs that are hard to reproduce from a stack trace alone. | Up to 30 days | Your consent. |
| Consent log | A server-side record of your consent decision, source (banner or preferences), session ID, country and region, and the policy version you saw. No IP address is stored. | Proving to a regulator that consent was sought and recorded correctly. | Up to 5 years (statutory retention for audit purposes) | Legal obligation (Art. 7 GDPR records of consent). |
| Digital-content purchase acknowledgement | A server-side record that you requested immediate access to paid digital content and acknowledged when cancellation rights are lost, including account identifier, film identifier where relevant, purchase type, Stripe checkout session ID where available, policy version, timestamp, and user-agent string. | Operating checkout, proving purchase terms, handling refund reviews and legal claims. | At least 6 years after the relevant tax year. | Performance of a contract, legal obligation, and legitimate interest in defending legal claims. |
You can change your cookie choices at any time via the “Cookie preferences” link in the footer (or in Settings if you’re signed in), and at the operating-system level via your browser. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. Disabling strictly necessary cookies will prevent the Service from working.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking for advertising.
11. Your rights (UK and EEA residents)
Under the UK GDPR, the Data Protection Act 2018, and the EU GDPR, you have the following rights in relation to your personal data:
- Right of access: to be told whether we process data about you and to receive a copy.
- Right to rectification: to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): to ask us to delete your data, subject to certain exceptions (e.g. legal-retention obligations).
- Right to restriction: to ask us to limit processing in certain circumstances.
- Right to data portability: to receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and to have it transmitted to another controller where technically feasible.
- Right to object: to processing based on our legitimate interests, including direct marketing.
- Right to withdraw consent: where processing is based on consent, without affecting the lawfulness of prior processing.
- Rights regarding automated decision-making: we do not make solely automated decisions producing legal or similarly significant effects on you.
To exercise any right, contact privacy@circkit.io. We will respond within one month, as required by law (extendable by two further months for complex requests, in which case we will tell you within the first month). We may need to verify your identity before acting on a request.
You can also delete your account in-app through Settings, which initiates the deletion flow described in section 8.
Complaints. If you are not satisfied with how we have handled your data, you have the right to complain to a supervisory authority. In the UK that is the Information Commissioner’s Office (ico.org.uk, helpline 0303 123 1113). In the EEA, you may complain to the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
12. California residents (CCPA / CPRA)
If you are a resident of California, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), gives you specific rights regarding personal information.
- Categories collected. In the past 12 months we have collected the categories of personal information described in section 3, including identifiers, customer records, commercial information (purchase history), internet/electronic activity, geolocation derived from IP, professional information (filmmaker profile), and inferences drawn from this information.
- Sources. Directly from you, automatically from your device, and from the third parties listed in section 3.3.
- Purposes. As described in section 4.
- Sharing. With the service providers listed in section 6, under written contracts that restrict their use to the purposes for which we engaged them.
- No sale or sharing. We do not “sell” personal information and we do not “share” personal information for cross-context behavioural advertising as those terms are defined under the CCPA.
- Sensitive personal information. We do not use or disclose sensitive personal information for any purpose other than those permitted under CCPA § 1798.121(a) (providing the service you asked for, security, quality control).
You have the right to:
- Know the categories and specific pieces of personal information we have collected.
- Request deletion of your personal information, subject to legal exceptions.
- Request correction of inaccurate personal information.
- Opt out of any “sale” or “sharing” for behavioural advertising (we do neither, but you may submit a request to confirm).
- Limit the use of sensitive personal information (we already limit our use as above).
- Non-discrimination for exercising your rights.
To exercise these rights, email privacy@circkit.io with the subject line “California Privacy Request”. We will verify your request by matching the information you provide against the information associated with your account. You may use an authorised agent; the agent must provide proof of authorisation and we may require you to verify your identity directly.
13. Children
The Service is not directed to children. You must be at least 18 to use the Service. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact privacy@circkit.io and we will take steps to delete it promptly.
14. Marketing and your choices
We will only send you marketing emails if you have opted in (or where allowed by law for existing customers in respect of similar services, with a clear opt-out). You can unsubscribe at any time using the link in any marketing email, in your in-app preference settings, or by emailing privacy@circkit.io. Withdrawing marketing consent does not affect transactional communications (billing, security, deadlines) which are necessary to provide the Service.
15. Third-party links
The Service may contain links to third-party websites or resources (festival pages, partner sites, social platforms). We are not responsible for their content, privacy practices, or terms. Review the privacy notice of any third-party site you visit.
16. People featured in our festival intelligence (data we did not collect from you)
This section is for festival programmers, jury members, festival directors, and film-industry contacts whose professional information appears in Circkit. You did not sign up to Circkit and we did not collect this information from you directly, so Article 14 of the UK GDPR and EU GDPR requires us to tell you the following.
What information we hold
Where you act in a public professional role in the film-festival world, we may hold: your name; your professional role and the festivals or companies you are associated with; your nationality; a short professional biography; public statements or quotes you have made (with the source); festivals or films you have programmed, juried, selected, or acquired; and a link to a public professional profile such as LinkedIn. We hold only professional, already-published information. We do not collect or store special-category data (such as health, religion, sexual orientation, or political opinions), private contact details, home addresses, or personal financial information.
Where we get it, why, and our lawful basis
We collect it from publicly available sources: festival websites and official announcements, public jury and programmer line-ups, published interviews and trade press, award records, and public professional profiles. We use it to provide our film-festival intelligence service to filmmakers (for example, to help a filmmaker understand who programmes a festival and what kind of work has been selected there). Our lawful basis is our legitimate interests (Article 6(1)(f)) in operating a credible festival-intelligence service, and the interest of independent filmmakers in accessing publicly available professional information about the festival circuit. We have carried out a Legitimate Interests Assessment balancing this against your rights; you can ask us for a summary. We process it using the providers listed in section 6, and we do not sell it. We keep it for as long as it remains relevant and accurate, subject to periodic review and to your rights below.
Your rights and how to object or be removed
You have the right to access a copy of what we hold about you, to have it corrected or deleted, to restrict how we use it, and — because we rely on legitimate interests — to object to our processing. If you object, we will stop unless we can show a compelling legitimate ground that overrides your interests; in practice, for this dataset, we will generally remove your information on request. To object or ask us to remove your information, email privacy@circkit.io with the subject line “Festival data – removal/objection” and tell us your name and the festival(s) or role(s) you are associated with so we can find your record. You do not need a Circkit account. We will acknowledge within 5 working days and aim to complete removal or respond substantively within 30 days. You can also complain to a supervisory authority (in the UK, the Information Commissioner’s Office, ico.org.uk).
Why we publish this notice instead of emailing each person (Article 14(5)(b))
Article 14(5)(b) removes the duty to notify each individual where doing so would involve a disproportionate effort, and requires us instead to make the information public. We gather this information from many public sources across the global festival circuit, about a large and shifting population of professionals, and we typically do not hold a verified private email to notify each person at — obtaining one purely to send a notice would itself mean collecting more personal data than the service needs. Individually tracing and emailing every person would be disproportionate to the limited, professional, already-public nature of the information and the low risk to each individual. Instead, as Article 14(5)(b) requires, we make this notice public here and provide the easy, account-free objection and removal route above. We keep this approach under review.
17. Contact us
For privacy questions, requests, or concerns:
BlackSlate AI Limited (Circkit)
Email: privacy@circkit.io
General support: support@circkit.io
Registered office: Flat 4, 139 Walm Lane, London, United Kingdom, NW2 3AU
UK supervisory authority: Information Commissioner’s Office, ico.org.uk, helpline 0303 123 1113.