Privacy Policy
Last updated: 14 April 2026
This Privacy Policy explains how Stensyl (stensyl.ai), operated by Archademia Ltd, collects, uses, and protects your personal data. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller is Archademia Ltd, registered in England and Wales. Company number: 13602105. Registered address: Independence House, 6 Tapton Way, Liverpool, Merseyside, L13 1DA.
We have not appointed a Data Protection Officer as we do not meet the threshold requiring one under UK GDPR Article 37. For all data protection queries, contact: hello@stensyl.ai
2. What We Collect
Data you provide directly
| Data | When | Purpose |
|---|---|---|
| Email address | Account creation, waitlist signup | Account management, communications |
| Name (optional) | Account profile | Personalisation |
| Payment information | Subscription/purchase | Payment processing (handled by Stripe; we never see your full card number) |
| Images, audio, video, and 3D files you upload | Using the platform | Processing your generation requests |
| Prompts and settings | Using the platform | Processing your generation requests |
Data collected automatically
| Data | How | Purpose |
|---|---|---|
| IP address | Server logs | Security, abuse prevention, approximate location for compliance |
| Browser and device info | Standard web headers | Platform compatibility, debugging |
| Usage data | First-party analytics (no third parties) | Pages visited, referrer, approximate country, device/browser/OS, and ad campaign parameters if you clicked through from an ad. Runs in one of two modes depending on your cookie choice (see Cookie Policy below). Stored for 90 days then automatically deleted. Opt out entirely via Do Not Track or Global Privacy Control. |
| Cookies | See Section 7 | Authentication, preferences, analytics |
Data we do NOT collect
- We do not collect biometric data
- We do not collect data from social media profiles unless you explicitly connect them
- We do not purchase data from third-party brokers
- We do not use your uploads, prompts, or generated outputs to train AI models (see Section 5)
3. Legal Basis for Processing
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing the service (account, generations) | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Sending service-related emails (receipts, account changes) | Performance of a contract (Art. 6(1)(b)) |
| Platform analytics and improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails (product updates, blog posts) | Consent (Art. 6(1)(a)); you can unsubscribe at any time |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
4. How We Use Your Data
4.1 To operate the platform: creating your account, processing your generations, managing your subscription and credits.
4.2 To process payments via Stripe. We pass your email and subscription details to Stripe for payment processing. We never store your full card details.
4.3 To send you essential service emails: receipts, subscription confirmations, credit alerts, security notices. You cannot opt out of these as they are necessary for the service.
4.4 To send you marketing communications: product updates, new features, blog posts. Only with your consent. You can unsubscribe at any time via the link in every email.
4.5 To improve the platform. We analyse aggregated, anonymised usage patterns (which models are popular, average generation times, error rates) to improve the service. This analysis uses only aggregate statistics. Your individual prompts, uploads, and outputs are not used for this purpose.
4.6 To prevent abuse. We monitor for violations of our Acceptable Use policy and may review flagged content.
5. Your Uploads and Generated Content
5.1 Images, audio, video, and other files you upload, and prompts you submit, are processed solely to fulfil your generation requests. They are transmitted to the relevant third-party AI model provider for processing and then returned to us.
5.2 We do not use your uploads, prompts, or generated outputs to train AI models.
5.3 Generated outputs (images, videos, audio, 3D models) are stored on our own infrastructure (Supabase storage). When a provider returns a generated file, we download it to our storage. The provider's temporary copy typically expires within hours to days depending on the provider.
5.4 You can delete generated content at any time from your dashboard. When you delete content, it is removed from our storage within 30 days to allow for backup cycle completion. Orphaned temporary files are automatically cleaned up by a scheduled maintenance process.
5.5 Third-party AI model providers process your inputs on their own infrastructure in order to generate outputs. Our access to those providers is governed by B2B agreements between Archademia Ltd and each provider. Under those agreements, certain providers may retain or use your inputs and outputs for their own purposes, including model training and improvement. This is separate from our own commitment in 5.2 above. It reflects what happens on the provider's infrastructure, which we do not control. Specifically:
- fal.ai retains generated media on their CDN for a limited period (typically 7 days) before deletion.
- Runway reserves the right to use inputs and outputs for model training on non-Enterprise API plans.
- Kling (Kuaishou) retains a permanent, royalty-free licence to use content for AI training and promotional purposes.
- ElevenLabs retains a perpetual licence to create derivatives from voice data for model improvement.
We select providers with strong data handling practices and maintain a reference page at stensyl.ai/providers linking to their privacy policies and terms of service.
5.6 Generated output URLs. Your generated files are stored in our storage using unique, non-guessable file paths. Files are accessible via direct URL without additional authentication, which enables features such as sharing and embedding. However, file paths cannot be listed or enumerated by other users. Access requires knowing the exact URL.
6. Data Sharing
We share your data only with:
| Recipient | What | Why |
|---|---|---|
| Stripe | Email, subscription data | Payment processing |
| Supabase | Account data, generation records | Database and authentication hosting |
| Vercel | IP address, request data | Website hosting and CDN |
| AI Model Providers | Prompts, uploaded files, generation parameters; outputs are generated and initially stored on provider infrastructure before being transferred to our storage | Processing your generation requests |
| Brevo | Email address, name | Transactional and marketing email delivery |
We do not sell your personal data to anyone. We do not share your data with advertisers. We do not share your data with data brokers. We do not send analytics data to any third-party analytics provider. All analytics are first-party (see Section 7 and the Cookie Policy).
7. Cookies
Essential cookies: Required for the platform to function, including authentication and session management. These cannot be disabled.
Analytics cookies: Help us understand how the platform is used. You can opt out of these via the cookie banner on first visit.
We do not use advertising or tracking cookies.
8. Your Rights (UK GDPR)
You have the following rights regarding your personal data:
Right of access: Request a copy of all personal data we hold about you.
Right to rectification: Request correction of inaccurate data.
Right to erasure: Request deletion of your personal data ("right to be forgotten"). Note: we may retain certain data where required by law (e.g., financial records for HMRC).
Right to restrict processing: Request that we limit how we use your data.
Right to data portability: Request your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests or for direct marketing.
Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, email hello@stensyl.ai. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Data Retention
| Data | Retention Period |
|---|---|
| Account data | Until you delete your account + 30 days |
| Generated outputs (images, videos, audio, 3D) | Until you delete them + 30 days |
| Generation metadata (prompt, model, parameters, status) | Until you delete your account + 30 days |
| Payment records | 7 years (HMRC requirement) |
| Server logs (IP, requests) | 90 days |
| Waitlist emails | Until you unsubscribe or the waitlist closes |
| Seedance 2.0 generation logs | Minimum 12 months (see Section 12) |
When you delete your account, we delete or anonymise your personal data within 30 days, except where we are legally required to retain it. Account deletion removes all your stored files from our infrastructure and deletes any third-party resources created on your behalf (such as cloned voices held by external providers).
10. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS on all connections, including internal services)
- Encryption at rest (via Supabase and Stripe's infrastructure)
- Row Level Security on database tables (Supabase RLS) enforcing per-user data isolation
- Secure authentication via Supabase Auth
- No storage of card details (handled entirely by Stripe, PCI DSS compliant)
- User ID derived from authenticated sessions only; never accepted from client requests
- Scrubbed server-side logging: personal data such as email addresses and prompt content is excluded from application logs
- Regular security reviews of dependencies and access controls
11. International Transfers
Your data may be transferred to and processed in countries outside the UK, specifically:
United States: Supabase, Vercel, Stripe, fal.ai, Runway, Google, Anthropic, OpenAI, ElevenLabs, and Perplexity all operate infrastructure in the US. US transfers are protected by Standard Contractual Clauses (SCCs) and/or UK International Data Transfer Agreements (UK IDTAs), as adopted by these providers.
China: ByteDance operates the Seedance 2.0 video generation model, and Kuaishou operates the Kling video generation model. When you use Seedance 2.0 specifically, your prompts, reference files, and a unique user identifier are processed on ByteDance's infrastructure. See Section 12 for full details of the Seedance 2.0 data flow. In respect of Kling, generation requests are routed via fal.ai's infrastructure; we have confirmed with fal.ai that Kling inference runs on fal.ai's own GPU infrastructure and does not route directly to Kuaishou's servers in China. If this changes, we will update this policy accordingly.
- The transfer to ByteDance (China) is conducted via fal.ai (US) as an intermediary processor, and is necessary for the performance of the service you have requested (UK GDPR Art. 49(1)(b)). You can avoid this transfer entirely by choosing not to use the Seedance 2.0 model.
12. Seedance 2.0: Data Processing
In plain English: When you use Seedance 2.0, your prompts and uploads are sent through fal.ai to ByteDance's infrastructure in China. A unique identifier tied to your Stensyl account is included with every request, and we keep logs of your Seedance generations. This is specific to Seedance 2.0. Other models on Stensyl do not involve ByteDance.
12.1 Data Transmitted. When you use Seedance 2.0, the following data is sent to fal.ai and ByteDance for processing:
- Your text prompt
- Any reference files (images, audio, video clips) you include
- A unique end user identifier linked to your Stensyl account
- Generation parameters (resolution, duration, aspect ratio, audio settings)
12.2 Data We Log. In addition to the data transmitted, Stensyl logs: timestamps, generation status, error categories, and the fal.ai request ID for each Seedance 2.0 generation.
12.3 Processing Chain.
- Stensyl (United Kingdom): data controller
- fal.ai (United States): data processor, routing generation requests
- ByteDance (China): sub-processor, running the Seedance 2.0 model
This chain is specific to Seedance 2.0. Other models on Stensyl involve different processors (see Section 6).
12.4 Purpose. Prompts, references, and parameters are processed solely to generate the video content you requested. The end user identifier is required by our distribution agreement for user identification and compliance. Generation logs are maintained to comply with identification and restriction requests if required by ByteDance or fal.ai.
12.5 Retention. Generated video URLs expire within 24 hours on ByteDance's infrastructure. Seedance 2.0 generation logs are retained by Stensyl for a minimum of 12 months.
12.6 Your Choice. You are not required to use Seedance 2.0. All other video, image, 3D, audio, and writing models on Stensyl remain available without the data processing described in this section. If you do not wish your data to be processed by ByteDance, simply choose a different video model.
13. Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer via email before your data is transferred or becomes subject to a different privacy policy.
14. Children
Stensyl is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a user is under 18, we will delete their account and associated data.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the platform. The "Last Updated" date at the top will always reflect the most recent version.
As AI-specific regulations develop in the UK and internationally, we will update this policy to reflect any new requirements.
16. Contact
For privacy-related questions or to exercise your data rights:
Email: hello@stensyl.ai
Data Controller: Archademia Ltd
Cookie Policy
Essential cookies keep you logged in and the platform working. These are required.
Analytics. We run first-party analytics only. No Google Analytics, no Meta Pixel, no third-party marketing trackers. Analytics runs in one of two modes depending on your cookie choice:
1. Accepted mode. If you accept cookies (or you are signed in, which counts as accepting), we store a random anonymous ID in your browser's localStorage so we can group your page views into sessions and recognise you across visits. This ID is not linked to your name, email, or any other personal data. You can clear it at any time by clearing your browser storage.
2. Cookieless mode. If you reject cookies, we still count your visit, but we store nothing on your device. Instead, we derive a temporary ID on our server by hashing your truncated IP address together with your user-agent string and a daily rotating salt. That ID only works for one day; by the next day, the salt has rotated and your previous visits cannot be linked to the new ones. This mode is PECR-exempt because nothing is stored on your device, and it relies on UK GDPR Article 6(1)(f) legitimate interest as the lawful basis. It is the same technique used by privacy-respecting analytics providers like Plausible and Fathom.
Opting out entirely. If you enable Do Not Track or Global Privacy Control in your browser, we honour both signals and do not track your visit at all, not even in cookieless mode.
Analytics data is automatically deleted after 90 days. We do not sell or share analytics data with third parties.
Data controller: Archademia Ltd. For questions, contact hello@stensyl.ai.