Privacy Policy
Last Updated: April 5, 2026 | Effective Date: April 5, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Maliza Corporation, a Delaware corporation ("Maliza," "we," "us," or "our"), collects, uses, shares, and protects information in connection with your use of the Vid Receipts web application and all related services, features, content, APIs, and functionality (collectively, the "Service"). Our registered agent address is c/o Corporation Service Company (CSC), 251 Little Falls Drive, Wilmington, DE 19808, New Castle County, Delaware.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, please do not use the Service. This Policy applies to all users of the Service, including visitors, registered users, subscribers, and contributors.
The Service uses YouTube API Services. By using our Service, you are also bound by the Google Privacy Policy.
2. Information We Collect
We collect information in multiple ways depending on how you interact with the Service. The categories below describe the types of information we may collect.
2.1 Account and Registration Information
When you create an account, we collect information provided through our authentication providers, which include Google Sign-In and email/password registration. This may include:
- Full name and display name
- Email address
- Profile photograph or avatar
- Unique Google account identifier (when using Google Sign-In)
- Authentication credentials (passwords are hashed and never stored in plaintext)
We use Firebase Authentication (provided by Google) to manage all account creation, authentication, and session management.
2.2 User-Generated Content
When you use the Service, you may create and contribute various types of content, including:
- Receipts: Timestamped, rich-text annotations on YouTube videos, including text, images, and timestamps
- Comments: Text responses to other users' Receipts
- Votes: Validation or invalidation votes on Receipts and Comments
- Feeds: Curated collections of videos and Receipts, including Public Feeds, Custom Feeds, Private Feeds, and Draft Feeds
- Personas: Alternate identities users may create for authoring Receipts
- Uploaded Media: Images, screenshots, and avatar photographs uploaded through the Service
All User-Generated Content is stored using Google Firebase services (Firestore for structured data and Firebase Storage for media files).
2.3 Payment and Subscription Information
If you subscribe to a paid plan (Individual Pro, Creator Pro, Creator Elite, Business Starter, or White Label Business), we collect:
- Subscription tier and billing period
- Stripe customer identifier and subscription identifier
- Billing period start and end dates
- Plan selection history
Important: We do not directly collect, process, or store your credit card numbers, bank account details, or other payment instrument information. All payment processing is handled exclusively by our third-party payment processor, Stripe, Inc. ("Stripe"). Please review Stripe's Privacy Policy for information on how Stripe handles your payment data.
2.4 YouTube and Third-Party Platform Data
If you connect your YouTube account to the Service via OAuth, we may access:
- YouTube channel information and subscriptions
- Video metadata (titles, descriptions, thumbnails, durations, publish dates)
- Playlist information
- OAuth access and refresh tokens (stored securely and encrypted)
This data is accessed via the YouTube Data API v3 in accordance with YouTube's API Services Terms of Service. You may revoke our access to your YouTube data at any time through your Google Security Settings.
2.5 Usage and Analytics Data
We collect usage data through Firebase Analytics (Google Analytics 4) to understand how the Service is used and to improve it. This may include:
- Device type, operating system, and browser information
- IP address (used for approximate geolocation, then discarded)
- Pages visited, features used, and navigation patterns
- Session duration and frequency of use
- Referring URLs and search terms that led you to the Service
- Interaction events (e.g., button clicks, form submissions, feature engagement)
- Quota and resource usage counters (e.g., receipts created per month, storage consumed)
Analytics data is collected only in production environments and is processed by Google in accordance with Google's Privacy Policy.
We also use Sentry for error tracking and performance monitoring. When an application error occurs, Sentry may collect error details, stack traces, browser and device metadata, and request context to help us diagnose and fix issues. This data is processed by Functional Software, Inc. in accordance with Sentry's Privacy Policy. We filter personally identifiable information (PII) from error reports before transmission.
2.6 AI-Processed Data
We use Google Gemini artificial intelligence (via Google Genkit) for automated content moderation. When you create or edit a Receipt, the plain-text content of your Receipt may be sent to Google's Gemini AI service for analysis against our community guidelines. This processing determines whether content is safe and appropriate for the platform. Google processes this data in accordance with its Gemini API Terms of Service.
2.7 Cookies and Local Storage
The Service uses the following client-side storage mechanisms:
- Cookies: A sidebar state cookie to remember your UI layout preferences (expires after 30 days)
- Local Storage: YouTube authentication state persistence, application state management (via Zustand stores), and user preference settings
- Firebase SDK Cookies: Firebase Authentication uses cookies and local storage to maintain your authenticated session
- Analytics Cookies: Google Analytics 4 (Firebase Analytics) may set cookies to distinguish unique users, track sessions, and collect analytics data as described in Section 2.5
You can manage or disable cookies through your browser settings. Please note that disabling cookies may impair the functionality of the Service, including authentication and session persistence.
2.8 Organization and Team Data
If you create or join an Organization (Business Starter or White Label Business plans), we additionally collect:
- Organization name and identifiers
- Team membership records (member user IDs and roles)
- Pending invitations and invitation metadata
- Shared storage and resource usage across the organization
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Provision: To create and maintain your account, authenticate your identity, provide the core functionality of the Service (including creating Receipts, Feeds, comments, votes, and personas), and manage your subscription.
- Content Moderation: To automatically review user-generated content against our community guidelines using AI-powered moderation (Google Gemini), and to manually review flagged content.
- Payment Processing: To manage subscriptions, process billing through Stripe, enforce tier-based quotas and feature access, and handle subscription upgrades, downgrades, and cancellations.
- Service Improvement: To analyze usage patterns, identify bugs and performance issues, develop new features, and improve the overall user experience.
- Communication: To send transactional emails (e.g., account verification, password resets, billing notifications), and, with your consent where required by law, marketing or promotional communications.
- Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, abuse, fraud, and violations of our Terms of Service.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Permission and Access Control: To enforce role-based access controls (Owner, Admin, Contributor, Commenter, Viewer) within Feeds and subscription-tier-based feature gating across the platform.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We may share your information in the following circumstances:
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf, subject to contractual obligations to protect your information:
- Google / Firebase: Cloud infrastructure, authentication, database (Firestore), file storage (Firebase Storage), serverless functions (Cloud Functions), real-time database, and analytics (Firebase Analytics / Google Analytics 4)
- Stripe, Inc.: Payment processing, subscription management, and billing
- Google AI (Gemini): Automated content moderation via the Genkit framework
- YouTube / Google: Video metadata retrieval and YouTube account integration via the YouTube Data API v3
- Sentry (Functional Software, Inc.): Error tracking, performance monitoring, and application stability reporting. Sentry may receive error details, stack traces, browser/device metadata, and request context when application errors occur. Sentry processes this data in accordance with its Privacy Policy.
4.2 Public Content
Certain information you contribute is publicly visible by design. This includes your display name and avatar on Public Receipts and Comments, your vote activity, and content contributed to Public Feeds. Custom Feeds may be shared with specific users or made discoverable at the Feed owner's discretion.
4.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.
4.4 Business Transfers and Assignments
Maliza Corporation reserves the right to assign, transfer, or delegate this Policy, along with any and all rights, obligations, and user data (including personal information), to any subsidiary, affiliate, successor entity, or third party in connection with a merger, acquisition, reorganization, sale of assets, change of control, or similar corporate transaction, without requiring additional consent from you. In such an event, the acquiring entity will be bound by the terms of this Policy with respect to your information. We will notify you via prominent notice on the Service or by email if a material change to this Policy results from such a transaction.
4.5 With Your Consent
We may share your information with third parties when you have provided explicit consent to do so.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service and to fulfill the purposes described in this Policy. Specific retention practices include:
- Active Accounts: Your account data, User-Generated Content, and associated metadata are retained for the duration of your active account.
- Deleted Accounts: Upon account deletion, your private profile information (name, email, avatar, payment identifiers) will be deleted or anonymized within thirty (30) days. However, pursuant to our Immutable Public Record policy (see Section 5.1), Public Receipts and other publicly contributed content will be retained in anonymized form.
- Payment Records: Billing and transaction records may be retained for up to seven (7) years to comply with tax and accounting obligations.
- Backup Data: Residual copies of your information may persist in encrypted backup systems for up to ninety (90) days following deletion.
- Legal Holds: We may retain information beyond these periods as necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
5.1 Immutable Public Record
Vid Receipts is designed to create a verifiable, persistent public record of video annotations. Public Receipts that you contribute to Public Feeds constitute part of this historical record. If you delete your account, your Public Receipts are not deleted. Instead, they are permanently anonymized — your display name, avatar, and personal identifiers are removed and replaced with a generic "Deleted User" attribution. The substantive content of the Receipt (text, timestamp, images) remains part of the public record. Similarly, if a source YouTube video is removed or made unavailable, any associated Receipts are preserved on a "Ghost Video" page as part of the historical record. By using the Service and contributing to Public Feeds, you acknowledge and consent to this Immutable Public Record policy.
6. Your Rights and Choices
Depending on your location and applicable law, you may have certain rights regarding your personal information:
6.1 General Rights (All Users)
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may update or correct inaccurate personal information through your account settings or by contacting us.
- Deletion: You may request deletion of your account and personal data, subject to the Immutable Public Record policy described in Section 5.1 and any legal retention obligations.
- Data Portability: You may request an export of your data in a structured, commonly used, machine-readable format.
- Opt-Out of Analytics: You may disable Firebase Analytics tracking by using browser-based opt-out mechanisms, such as the Google Analytics Opt-out Browser Add-on.
- YouTube Data Revocation: You may revoke our access to your YouTube data at any time through your Google Security Settings.
- Cookie Management: You may manage or disable cookies through your browser settings, though this may affect the functionality of the Service.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (including the Immutable Public Record policy).
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to Limit Use of Sensitive Personal Information: If we collect sensitive personal information beyond what is necessary to provide the Service, you may request that we limit its use.
To exercise your rights under the CCPA/CPRA, please contact us at privacy@vidreceipts.com. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf. In the twelve (12) months preceding the effective date of this Policy, we have not sold personal information, and we do not have actual knowledge that we sell the personal information of minors under 16 years of age.
6.3 European Economic Area, United Kingdom, and Swiss Residents (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the General Data Protection Regulation (GDPR) and applicable national implementing laws provide you with additional rights:
- Legal Basis for Processing: We process your personal data on the following legal bases: (a) performance of a contract (to provide the Service); (b) your consent (for analytics and optional integrations); (c) our legitimate interests (service improvement, security, fraud prevention); and (d) compliance with legal obligations.
- Right of Access: You have the right to obtain confirmation as to whether we process your personal data and to request a copy of such data.
- Right to Rectification: You have the right to request correction of inaccurate personal data.
- Right to Erasure ("Right to Be Forgotten"): You have the right to request deletion of your personal data, subject to the Immutable Public Record policy (Section 5.1) and applicable legal retention requirements.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object: You have the right to object to the processing of your personal data based on our legitimate interests, including for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise your GDPR rights, please contact us at privacy@vidreceipts.com.
7. International Data Transfers
Maliza Corporation is based in the United States, and the Service is hosted on Google's global cloud infrastructure. Your personal information may be transferred to, stored, and processed in the United States or any other country in which our service providers maintain facilities. By using the Service, you consent to the transfer of your information to countries outside of your country of residence, which may have different data protection laws than your country.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on: (a) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as applicable; (b) Standard Contractual Clauses approved by the European Commission; and/or (c) other lawful transfer mechanisms under applicable data protection laws. Google (including Firebase and Google Cloud services) maintains compliance with these frameworks for data processed through their services.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- All data transmitted between your browser and the Service is encrypted using TLS/HTTPS
- Firebase Authentication with secure session management and token-based access control
- Granular Firestore Security Rules that enforce role-based and owner-based access controls at the database level
- Firebase Storage Security Rules that restrict file access to authorized users
- Firebase Custom Claims for server-side permission verification (three-axis identity: account class, system role, subscription tier)
- Server-side validation in Cloud Functions for all sensitive operations
- Stripe PCI-DSS compliance for all payment processing
- Regular security updates and dependency auditing
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
9. Children's Privacy
The Service is not intended for use by children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us at privacy@vidreceipts.com, and we will take steps to delete such information. Users between the ages of 13 and 17 may use the Service with the consent of a parent or legal guardian, but may not purchase subscriptions (which require users to be at least 18 years of age). We comply with the Children's Online Privacy Protection Act (COPPA) and similar laws in other jurisdictions.
10. Third-Party Links and Services
The Service may contain links to or embed content from third-party websites and services, including YouTube videos, external images (Tenor, Giphy, Gfycat, Imgur), and payment processors. This Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service. Key third-party privacy policies include:
- Google Privacy Policy (Firebase, YouTube, Analytics, Gemini AI)
- Stripe Privacy Policy (Payment Processing)
- YouTube Terms of Service
11. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no common industry standard for interpreting DNT signals, the Service does not currently respond to DNT signals. We will continue to monitor developments in DNT technology and adjust our practices as industry standards evolve.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will: (a) update the "Last Updated" date at the top of this Policy; (b) provide a prominent notice on the Service (such as a banner notification); and (c) where required by applicable law, send you an email notification. We encourage you to review this Policy periodically. Your continued use of the Service after any changes to this Policy constitutes your acceptance of the revised Policy.
13. Assignment
Maliza Corporation may assign, transfer, or delegate this Privacy Policy and all associated rights, obligations, and user data (including personal information collected under this Policy) to any subsidiary, affiliate, successor, or acquiring entity in connection with a merger, acquisition, corporate reorganization, sale of all or substantially all assets, change of control, or any similar transaction, without requiring your prior consent. In the event of such assignment, the successor entity shall be bound by the terms of this Privacy Policy. You may not assign or transfer your rights or obligations under this Policy without our prior written consent.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Maliza Corporation
c/o Corporation Service Company (CSC)
251 Little Falls Drive
Wilmington, DE 19808
New Castle County, Delaware, United States
Privacy Inquiries: privacy@vidreceipts.com
Legal Inquiries: legal@vidreceipts.com
For CCPA/CPRA requests, please include "California Privacy Rights" in the subject line. For GDPR requests, please include "GDPR Data Subject Request" in the subject line. We will respond to verified requests within the timeframes required by applicable law (generally 30 to 45 days, extendable as permitted by law).