LEGAL · PRIVACY

What we know, what we do with it.

We collect the minimum we need to make MotionSteer work for you. We don't sell data. We don't train models on your content. Below: every category we touch, and your tools to remove it.

01Who we are

MotionSteer is operated by Individual Entrepreneur Yastremskyi P. (FOP, registered under the laws of Ukraine), doing business as OpenClub.dev — the data controller for your account, your content, and your usage data. If you are in the EU/UK, the GDPR applies to your data and your local consumer-protection law applies too.

02What we collect

You give us: email, name (if you tell us), password hash (Argon2id), payment method (held by Stripe — we see last 4 digits and expiry), provider API keys (encrypted with AES-256 using a key only you can derive), Suno URLs / mp3 / wav files, prompts, storyboards, renders.

We observe: sign-in events with IP and user-agent, request logs (response code, latency, payload size — not body), render queue events, billing events from Stripe, publishing events from TikTok / Reels / Shorts.

We don't collect: location more precise than country (from IP), device fingerprints, ad identifiers, contacts, calendar, microphone, camera.

03Why we collect it

• To deliver the service — render, store, publish, bill (contract performance, Art. 6(1)(b) GDPR).
• To keep accounts safe — 2FA, fraud detection, audit logs (legitimate interest, Art. 6(1)(f) GDPR).
• To comply with the law — invoices, tax records, copyright takedowns (legal obligation, Art. 6(1)(c) GDPR).
• To improve the product — only aggregated, anonymized analytics. We don't profile individuals.

04Sub-processors

We share data with the third parties strictly necessary to run the service:

• Hetzner Online (DE) — compute & storage
• Stripe (IE / US) — payments & invoicing
• Postmark (US) — transactional email
• Cloudflare (US) — DNS, CDN, DDoS
• Sentry (US) — error monitoring · scrubbed of PII before send

Renders are produced by providers you choose and connect (Runway, Kling, Luma, Pika, OpenAI, Anthropic, ElevenLabs, Suno). Their privacy practices apply to data passed to them.

Updated list: motionsteer.com/legal/subprocessors. We notify you 30 days before adding a new sub-processor.

05Where data lives

Primary storage in Falkenstein, DE (Hetzner fsn1). Cold archives in eu-central-1 (AWS Frankfurt). Stripe is multi-region; payments may transit US for the card networks.

EU users' data stays in EU unless you connect a provider hosted elsewhere — in which case your renders may transit to where that provider runs.

06How long we keep it

• Account: while it's open + 30 days after deletion.
• Renders & projects: while it's open + 30 days, then deleted.
• Audit logs: 7 years (regulatory).
• Invoices & tax records: retained as required by Ukrainian tax law.
• Sentry errors: 90 days.

07AI training & our content

We do not train models on your content. Tracks, prompts, storyboards, and renders go to the providers you connected, governed by their privacy practices. Suno, Runway, Kling, Luma, Pika, OpenAI, Anthropic each say whether they train on inputs — turn off training in their own dashboards if you don't want it.

08Your rights

Under GDPR (and similar laws), you have the right to:

• Access a copy of your data (one-click export from account settings)
• Correct inaccurate data
• Delete your data (from account → danger zone)
• Restrict or object to processing
• Port your data to another service
• Withdraw consent where we asked for it
• Complain to your data-protection authority — for EU/UK residents, your national DPA; in Ukraine, the Ukrainian Parliament Commissioner for Human Rights (Ombudsman)

09Cookies

One first-party essential cookie for sign-in. One first-party preference cookie for theme/density. That's it. No analytics cookies. No third-party cookies.

10Contact our DPO

Privacy contact · privacy@motionsteer.com · PGP key on request.