Privacy Policy
Effective 16 March 2026 · Last updated 16 March 2026
1. Introduction
OpenStory (“we”, “us”, “our”) is an AI-powered video generation platform that transforms film scripts into complete video productions. We are committed to protecting the privacy of individuals who use our platform, visit our website, or otherwise interact with us.
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with:
- The Privacy Act 1988 (Cth), the Australian Privacy Principles (“APPs”), and the Privacy and Other Legislation Amendment Act 2024 (Australia)
- The General Data Protection Regulation (EU) 2016/679 (“GDPR”), where we offer services to individuals in the European Economic Area (“EEA”) or United Kingdom
- Applicable US state privacy laws, including the California Consumer Privacy Act as amended by the CPRA (“CCPA”), to the extent their thresholds are met
Where provisions apply only to users in a particular jurisdiction, we indicate this with a label.
Entity: OpenStory is a registered trading name operated by a sole trader in New South Wales, Australia.
Contact: privacy@vgen.gradientcm.com
Website: https://vgen.gradientcm.com
2. Scope
This Privacy Policy applies to personal information collected through:
- The OpenStory platform and web application (https://vgen.gradientcm.com)
- Our application programming interfaces (APIs)
- Communications with us, including email and support channels
- Any related services, tools, or features we provide
3. What Is Personal Information
Under the Australian Privacy Act, personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not. Following the 2024 amendments, this definition encompasses technical identifiers such as IP addresses where they can be used to reasonably identify an individual.
GDPR: Under the GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, or online identifier.
4. Information We Collect
4.1 Information You Provide Directly
- Account information: name, email address, password (stored in hashed form), and account preferences.
- Payment information: billing address and payment details. Payment card information is processed by our third-party payment processor and is not stored on our servers.
- Content and scripts: film scripts, scene descriptions, character descriptions, creative briefs, and other content you upload or input for video generation.
- Communications: messages you send to us via email, support requests, or feedback forms.
4.2 Information Collected Automatically
- Usage data: features used, actions taken, generation history, timestamps, and session duration.
- Device and technical data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Log data: server logs recording access times, pages viewed, referring URLs, and error reports.
- Cookies and similar technologies: we use cookies, local storage, and similar tracking technologies to operate and improve the platform (see Section 17).
4.3 Information from Third Parties
- Authentication providers: if you sign in using a third-party service (e.g., Google), we receive your name, email, and profile picture as authorised by you.
- Analytics providers: aggregated and pseudonymised usage analytics.
5. How We Use Your Information
We collect and use personal information only for purposes that are reasonably necessary for, or directly related to, our functions and activities (APP 6). These purposes include:
- Providing and operating the platform: processing your scripts, generating video content, managing your account, and delivering our services.
- AI processing: analysing scripts to identify scenes, characters, and visual elements, and generating images, video, and motion content using AI models (see Section 7).
- Improving our services: analysing usage patterns, diagnosing technical issues, developing new features, and enhancing platform performance.
- Communications: sending service-related notices, responding to inquiries, and providing customer support.
- Security and fraud prevention: detecting, preventing, and addressing security incidents, fraud, and abuse.
- Legal compliance: complying with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Marketing (with consent): sending promotional communications where you have opted in. You may opt out at any time.
6. Lawful Basis for Processing (GDPR)
GDPR: Under the GDPR, we must have a lawful basis for each processing activity involving personal data of individuals in the EEA or UK.
6.1 Performance of a Contract (Article 6(1)(b))
Processing necessary to perform our contract with you: creating and managing your account, processing scripts and generating video content, processing payments, and providing customer support.
6.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests where not overridden by your rights: improving and optimising the platform, ensuring security and preventing fraud, enforcing our terms of service, and administrative purposes. You have the right to object to this processing (see Section 13).
6.3 Consent (Article 6(1)(a))
Where we rely on your consent: sending marketing communications and placing non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
6.4 Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations: tax reporting, responding to lawful government requests, and data breach notification requirements.
6.5 Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) for our use of AI models to process user-submitted content, as required under GDPR Article 35 for processing that uses innovative technologies and may result in high risk to data subjects. A summary is available on request.
7. AI Processing & Transparency
OpenStory uses artificial intelligence and machine learning systems to analyse scripts, generate visual content, and produce video outputs.
7.1 How We Use AI
- Large language models (LLMs) analyse your script content, identify scenes, generate character descriptions, and create visual prompts.
- Image generation models create character sheets, scene images, and visual assets.
- Video generation models produce motion content and assemble final video outputs.
- You retain the ability to review, modify, and regenerate any AI-produced output.
- No automated process is used to deny you access to our services or to make decisions that produce legal effects concerning you.
7.2 Third-Party AI Providers
Your content is processed by the following categories of third-party AI service providers. We maintain Data Processing Agreements (DPAs) with each provider.
Large Language Models: Anthropic (Claude) — script analysis, scene breakdown, and prompt generation. Processed via API under zero-data-retention terms; not used for model training.
Image Generation: Provider(s) for character sheet and scene image generation. Processed via API under DPAs; not used for model training.
Video Generation: Provider(s) for motion content generation. Processed via API under DPAs; not used for model training.
Each DPA includes purpose limitation, data retention limits, sub-processor notification, breach notification, audit rights, and deletion on termination. We will update this section as provider relationships change.
7.3 Training Data
We do not use your scripts, content, or personal information to train AI models. Your content is processed solely for generating outputs you have requested. Our third-party AI providers operate under API terms that exclude customer data from model training.
7.4 AI-Generated Content Labeling
We are implementing measures to ensure AI-generated video content is marked in a machine-readable format as AI-generated (using C2PA metadata standards where technically feasible), identifiable as artificially generated content, and labeled visibly where required by applicable law. These measures are being implemented ahead of the EU AI Act Article 50 transparency deadline of 2 August 2026.
7.5 Australian ADM Transparency
In compliance with the automated decision-making transparency requirements under the Privacy and Other Legislation Amendment Act 2024 (effective 10 December 2026), our AI systems process account identifiers, script content, and usage data. These automated processes determine scene breakdowns, character generation, visual prompts, and video assembly. They are core to service delivery and do not make decisions that could reasonably be expected to significantly affect your rights or interests beyond generating creative content based on your inputs.
8. Disclosure of Personal Information
We may disclose personal information to:
- Service providers: cloud hosting, payment processors, email delivery, and analytics providers who process data on our behalf under contractual obligations.
- AI model providers: third-party AI services (see Section 7.2).
- Professional advisors: lawyers, accountants, and auditors where necessary.
- Law enforcement and regulators: where required by law, court order, or regulatory obligation.
- Business transfers: in connection with a sale or transfer of the business.
We do not sell your personal information. We do not share personal information for cross-context behavioural advertising.
9. International Data Transfers
OpenStory is based in Australia and operates cloud infrastructure and third-party services in multiple countries. Your personal information may be transferred to and processed in:
Australia: Primary business operations.
United States: Cloud infrastructure, AI model providers, payment processing, and analytics.
Other countries: Where our service providers maintain data centres.
9.1 Safeguards for Australian Users (APP 8)
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles the information in accordance with the APPs, through contractual arrangements and data processing agreements.
9.2 Safeguards for EEA/UK Users
GDPR: Australia does not have an EU adequacy decision. For transfers of personal data from the EEA or UK, we rely on:
- Standard Contractual Clauses (SCCs): European Commission SCCs (module 2: controller-to-processor) with service providers and AI model providers, supplemented by additional technical and organisational measures where necessary.
- EU-US Data Privacy Framework: Where our US-based providers are certified under the Framework.
- Transfer Impact Assessments: We conduct TIAs to evaluate the legal framework in each destination country and implement supplementary measures where risks are identified.
You may request a copy of the relevant transfer safeguards by contacting privacy@vgen.gradientcm.com.
10. Data Retention
- Account information: retained for the duration of your account and 12 months after deletion, unless a longer period is required by law.
- Generated content: retained while your account is active. Deleted within 90 days of account deletion.
- Usage and log data: retained for up to 24 months, then aggregated or deleted.
- Payment records: retained for 7 years as required by Australian taxation law.
- Support communications: retained for 24 months after resolution.
- AI provider processing: providers do not retain input or output data beyond the API request (zero-data-retention).
When personal information is no longer needed, we take reasonable steps to destroy or de-identify it (APP 11.2).
11. Data Security
We take reasonable technical and organisational measures to protect personal information (APP 11.1; GDPR Article 32), including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls and authentication mechanisms
- Regular security assessments and monitoring
- Contractor and staff confidentiality obligations
- Incident response and data breach notification procedures
No method of electronic storage or transmission is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
12. Your Rights — Australia
12.1 Access (APP 12)
You may request access to personal information we hold about you. We will respond within 30 days.
12.2 Correction (APP 13)
You may request correction of inaccurate, incomplete, out-of-date, irrelevant, or misleading personal information. We will respond within 30 days.
12.3 Anonymity and Pseudonymity (APP 2)
Where practicable, you may use a pseudonym or choose not to identify yourself. However, this may limit access to some platform features.
12.4 Direct Marketing (APP 7)
You may opt out of marketing communications at any time via the unsubscribe link or by contacting privacy@vgen.gradientcm.com.
12.5 Direct Right of Action
Under the Privacy and Other Legislation Amendment Act 2024, individuals may seek damages directly from APP entities through the Federal Court for serious or repeated interferences with privacy, without first needing to lodge a complaint with the OAIC.
13. Your Rights — EU/EEA (GDPR)
GDPR: If you are located in the EEA or UK, you have the following rights. Contact privacy@vgen.gradientcm.com to exercise them. We will respond within 30 days.
- Access (Article 15): Obtain confirmation of processing and a copy of your personal data.
- Rectification (Article 16): Correct inaccurate or incomplete data.
- Erasure (Article 17): Request deletion where data is no longer necessary, you withdraw consent, you object to processing, or data was unlawfully processed.
- Restriction (Article 18): Request restricted processing while accuracy is verified, if processing is unlawful, or pending an objection assessment.
- Portability (Article 20): Receive your data in a structured, machine-readable format and transmit it to another controller.
- Object (Article 21): Object to processing based on legitimate interests. You have an absolute right to object to direct marketing.
- Automated decisions (Article 22): Not be subject to solely automated decisions producing legal or similarly significant effects. Our AI processing generates creative content and does not produce such effects.
You may lodge a complaint with your local supervisory authority. A full list is at edpb.europa.eu.
EU Representative
Under GDPR Article 27, non-EU controllers must appoint a representative in the EU. We will appoint an EU representative and update this section with their contact details as we scale our services to EEA users. In the meantime, all privacy enquiries can be directed to privacy@vgen.gradientcm.com.
14. Your Rights — United States
US: Several US states have enacted comprehensive privacy laws, including California (CCPA/CPRA), Texas (TDPSA), Colorado, Connecticut, Virginia, and others. The applicability of these laws depends on whether specific thresholds are met (e.g., revenue, volume of consumers, or data sales). As OpenStory grows, we are committed to complying with all applicable US state privacy requirements. This section describes the rights we will honour for US users.
14.1 Your Rights
- Right to Know / Access: Know what personal information we collect, use, and disclose, and request a copy.
- Right to Delete: Request deletion of personal information, subject to legal exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioural advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
14.2 How to Exercise Your Rights
Email privacy@vgen.gradientcm.com with your request. We will verify your identity and respond within 45 days.
14.3 Global Privacy Control
We honour the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of personal information.
14.4 California Disclosures
If and when CCPA thresholds are met, we will maintain a full set of California-specific disclosures including categories of personal information collected and disclosed, a “Do Not Sell or Share” mechanism, and CCPA-specific metrics. We do not currently meet CCPA applicability thresholds.
15. Statutory Tort for Serious Invasions of Privacy
From 10 June 2025, Australia’s statutory tort for serious invasions of privacy (Schedule 2 of the Privacy and Other Legislation Amendment Act 2024) provides individuals with a personal right of action where their privacy has been seriously invaded through intrusion upon seclusion or misuse of personal information. This applies regardless of entity turnover. We have implemented measures to prevent any conduct that could constitute a serious invasion of privacy.
16. Children’s Privacy
OpenStory is not directed at children. We do not knowingly collect personal information from children without appropriate consent.
- Australia: Users must be at least 18 years of age, or have parental consent, to create an account. We are monitoring Australia’s Children’s Online Privacy Code (to be registered by 10 December 2026).
- EU: Users must meet the minimum age for consent in their Member State (13–16 depending on country). Below that age, consent must come from a parent or guardian.
- US: We comply with COPPA and do not knowingly collect personal information from children under 13. The FTC’s amended COPPA Rule (compliance deadline 22 April 2026) broadens the definition of personal information and strengthens protections.
If we become aware that we have collected personal information from a child without appropriate consent, we will delete that information promptly.
17. Cookies & Tracking Technologies
- Strictly necessary: essential for authentication and security.
- Functional: remembering your preferences and settings.
- Analytics: understanding how users interact with the platform.
GDPR: For EEA/UK users, non-essential cookies are only placed with your prior consent. You can manage preferences through the cookie banner or your account settings.
You can manage cookies through your browser settings. We honour the Global Privacy Control signal as a cookie opt-out where required by law.
18. Notifiable Data Breaches
Australia (Part IIIC, Privacy Act)
We will assess suspected breaches within 30 days and notify the OAIC and affected individuals as soon as practicable if the breach is likely to result in serious harm.
EU/EEA (GDPR Articles 33–34)
GDPR: We will notify the relevant supervisory authority within 72 hours. Where a breach poses high risk to individuals, we will also notify affected data subjects without undue delay.
United States
US: We will comply with applicable state data breach notification laws.
19. Complaints
If you believe we have breached applicable privacy laws, contact privacy@vgen.gradientcm.com. We will acknowledge within 5 business days, investigate and respond within 30 days.
If unsatisfied, you may escalate to:
Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au · 1300 363 992 · GPO Box 5218, Sydney NSW 2001
EU/EEA: Your local supervisory authority — edpb.europa.eu
US: Your state attorney general’s office or the FTC at www.ftc.gov
20. Changes to This Policy
We may update this Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be posted on our website with an updated “Last Updated” date. Where required by law, we will seek your consent before materially changing how we process your personal information.