Privacy Policy
Effective Date: May 18, 2026
Last Reviewed: May 18, 2026
This Privacy Policy ("Policy") describes how VideoJoy, a brand of Azimut Agency OÜ, a company registered in the Republic of Estonia ("VideoJoy," "we," "us," or "our"), collects, uses, stores, and protects the personal data of users ("you," "Subscriber," or "Data Subject") who access or use the VideoJoy platform and services available at videojoy.pro (the "Service").
This Policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Estonian Personal Data Protection Act, the California Consumer Privacy Act ("CCPA") and its amendments under the CPRA, the UK GDPR, and all other applicable international data protection laws. Where requirements differ across jurisdictions, we apply the highest applicable standard.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of the Service immediately.
1. Data Controller
The data controller responsible for your personal data is:
Azimut Agency OÜ
Trading as: VideoJoy
Registered in: Republic of Estonia
Contact: hello@videojoy.pro
For all data protection inquiries, requests, or complaints, please contact us at the email address above. We will respond within the timeframes required by applicable law (no later than 30 days for GDPR requests).
2. Data We Collect
We collect only the personal data that is strictly necessary to provide the Service. We do not engage in excessive or speculative data collection.
2.1 Data You Provide Directly
- Full name and company/brand name — collected at account registration
- Email address — used for account access, service communications, and transactional notifications
- Password — stored in hashed and salted form; we never store plaintext passwords
- Brand assets — logos, images, guidelines, and other files you upload to brief your video requests
- Brief content — descriptions, scripts, references, and instructions you submit for video production
- Messages — communications you send through the in-platform messaging system
2.2 Data Collected Automatically
- IP address — collected for security, fraud prevention, and abuse detection purposes
- Browser type and version — for compatibility and debugging purposes
- Device type and operating system — for platform optimization
- Pages visited and timestamps — for Service improvement and security logging
- Authentication session tokens — to keep you securely logged in
2.3 Payment Data
VideoJoy does not collect, process, or store any payment card data. All payment processing is handled exclusively by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. We receive only limited non-sensitive transaction metadata from Stripe (e.g. subscription status, last 4 digits of card, payment success/failure), which is used solely for account management purposes. For information on how Stripe handles your data, please refer to Stripe's Privacy Policy at stripe.com/privacy.
2.4 Data We Do Not Collect
- We do not use cookies for tracking or advertising purposes
- We do not use third-party analytics platforms (e.g. Google Analytics) that profile you across the web
- We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation
- We do not collect data from minors under the age of 21
3. Legal Basis for Processing (GDPR)
Under the GDPR, we are required to identify a lawful basis for each type of personal data processing. Our legal bases are as follows:
3.1 Performance of a Contract (Art. 6(1)(b) GDPR)
We process your name, email address, brief content, uploaded assets, and messaging data because it is necessary to perform the subscription service you have contracted with us. Without this processing, we cannot deliver your videos or manage your account.
3.2 Legitimate Interests (Art. 6(1)(f) GDPR)
We process technical data (IP address, session logs, device data) based on our legitimate interests in ensuring the security, integrity, and proper functioning of the Service. We have conducted a balancing test and determined that these interests are not overridden by your rights, given the limited and proportionate nature of the processing.
3.3 Legal Obligation (Art. 6(1)(c) GDPR)
We may process personal data where necessary to comply with a legal obligation, such as responding to a lawful court order or regulatory requirement.
3.4 Consent (Art. 6(1)(a) GDPR)
Where we send promotional or marketing emails, we rely on your consent, which you give by opting in at registration or through your account settings. You may withdraw this consent at any time by clicking the unsubscribe link in any promotional email, or by contacting us at hello@videojoy.pro. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
4. How We Use Your Data
We use your personal data exclusively for the following purposes:
- To create and manage your VideoJoy account
- To receive, process, and deliver your video production requests
- To communicate with you about the status of your requests, revisions, and deliveries
- To send transactional emails (account confirmation, password reset, billing notifications, delivery alerts)
- To send promotional communications, where you have given consent
- To process subscription payments and manage billing through Stripe
- To respond to your support inquiries and messages
- To detect, prevent, and investigate fraud, abuse, or security incidents
- To comply with applicable legal obligations
- To improve and maintain the technical performance of the Service
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
5. Cookies & Tracking Technologies
VideoJoy does not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not deploy any pixel trackers, fingerprinting technologies, or cross-site tracking mechanisms.
We use only strictly necessary session cookies that are essential for the functioning of the Service — specifically, to maintain your authenticated login session. These cookies are temporary, expire when you close your browser or log out, and do not collect any personal information beyond what is required to keep you securely signed in. No consent is required for these strictly necessary cookies under the ePrivacy Directive and GDPR.
We will update this Policy and implement a cookie consent mechanism if we introduce any non-essential cookies in the future.
6. Data Sharing & Disclosure
We do not sell, rent, trade, or otherwise disclose your personal data to third parties for their own commercial purposes. Ever.
We share personal data only in the following limited and necessary circumstances:
6.1 Service Providers (Data Processors)
We engage a small number of carefully selected third-party service providers who process data on our behalf, strictly under our instructions, and only to the extent necessary to provide the Service:
- Stripe, Inc. — payment processing. Stripe acts as an independent data controller for payment data. Their privacy policy applies at stripe.com/privacy.
- Supabase, Inc. — cloud database, authentication, and file storage infrastructure. Data is stored on servers within the European Union or equivalent jurisdictions.
- Email service provider — used solely to send transactional and service emails on our behalf. We do not permit our email provider to use your address for their own marketing.
All service providers are bound by data processing agreements that comply with GDPR Article 28 requirements.
6.2 Legal Requirements
We may disclose your personal data if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our legal rights, prevent fraud, or respond to an emergency involving a risk to life. Where lawfully permitted, we will notify you of any such disclosure request.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal data may be transferred to the successor entity. We will notify you via email and provide you with the opportunity to delete your account before your data is transferred to a new controller with materially different privacy practices.
7. International Data Transfers
VideoJoy is operated from Estonia, within the European Economic Area ("EEA"). Our primary data infrastructure is located within the EEA.
Where we engage service providers located outside the EEA (such as Stripe, incorporated in the United States), we ensure that appropriate safeguards are in place to protect your data, in accordance with GDPR Chapter V. These safeguards include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions issued by the European Commission where applicable
- Binding Corporate Rules or other recognized transfer mechanisms
You may request information about the specific transfer safeguards we rely on by contacting us at hello@videojoy.pro.
8. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law.
- Account data: retained for the duration of your active subscription, plus 12 months after account closure, to allow for re-activation and to resolve any disputes.
- Brief content and uploaded assets: retained for the duration of the subscription and deleted within 90 days of account closure, unless you request earlier deletion.
- Delivered videos: retained for 12 months after delivery to allow re-download, then deleted unless retention is required by law.
- Billing and transaction records: retained for 7 years to comply with Estonian accounting and tax law obligations.
- Security and access logs: retained for 90 days for fraud detection and security purposes.
- Email consent records: retained for the duration of your account plus 3 years, to demonstrate compliance with applicable consent requirements.
When data is no longer required, we securely delete or anonymise it.
9. Your Rights
Depending on your location, you have the following rights with respect to your personal data. We honour all applicable rights regardless of your jurisdiction, and we process all requests free of charge within 30 days (extendable by a further 60 days for complex requests, with notice).
9.1 Rights Under GDPR (EEA & UK Residents)
- Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is used.
- Right to Rectification (Art. 16): You have the right to have inaccurate or incomplete personal data corrected without undue delay.
- Right to Erasure / "Right to be Forgotten" (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to our legal retention obligations.
- Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your data in certain circumstances, such as while a rectification request is pending.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
- Right to Object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Estonia, the competent authority is the Data Protection Inspectorate (Andmekaitse Inspektsioon), at www.aki.ee. UK residents may contact the ICO at ico.org.uk.
9.2 Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following additional rights:
- Right to Know: The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to Delete: The right to request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: The right to correct inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you are entitled to this confirmation.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under the CPRA.
To exercise any of your rights, please contact us at hello@videojoy.pro with the subject line "Privacy Request." We may need to verify your identity before processing your request.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. Our security measures include:
- All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security)
- Passwords are stored using strong cryptographic hashing algorithms (bcrypt); plaintext passwords are never stored or transmitted
- Authentication sessions use secure, httpOnly tokens with appropriate expiration policies
- Access to personal data is restricted to personnel who require it to perform their duties, under strict access controls
- Our infrastructure provider (Supabase) implements Row-Level Security (RLS) to ensure strict data isolation between accounts
- We conduct periodic reviews of our security practices and update them in response to evolving threats
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify you directly without undue delay, in accordance with GDPR Article 34.
11. Children's Privacy
VideoJoy is not directed at, and does not knowingly collect personal data from, individuals under the age of 18. Our Terms of Service require all users to be at least 18 years of age. If we become aware that we have inadvertently collected personal data from a minor, we will delete it immediately. If you believe a minor has provided us with personal data, please contact us at hello@videojoy.pro.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:
- Update the "Last Reviewed" date at the top of this document
- Notify you by email at least 14 days before the changes take effect
- Where required by law, seek your consent before applying new processing activities
Your continued use of the Service after the updated Policy takes effect constitutes acceptance of the revised terms. If you disagree with any changes, you may close your account and request deletion of your data before the changes come into force.
13. Contact & Data Protection Inquiries
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
VideoJoy / Azimut Agency OÜ
Email: hello@videojoy.pro
Registered jurisdiction: Republic of Estonia
We are committed to working with you to resolve any privacy concerns promptly and in good faith. If you are not satisfied with our response, you retain the right to escalate your complaint to the relevant supervisory authority in your country of residence.
© 2026 VideoJoy / Azimut Agency OÜ. All rights reserved.