longwave
Trust Center

Security, privacy, and compliance - how we protect your data and your creators' accounts.

Credential encryption

All OAuth tokens are encrypted at rest using AES-256-CBC before being written to the database. Keys are never logged or transmitted to third parties.

Infrastructure

Hosted on Vercel (edge) and Supabase (Postgres, AWS US West 2 - Oregon). Temporary file processing via Cloudflare R2. Automatic daily database backups.

Data minimisation

We collect only what's needed to operate the service. We do not sell or share your data. YouTube and X credentials are used solely to upload content on your behalf.

Short-lived data

Source video files are never stored long-term. Shorts source videos exist only in worker memory during clipping. Episode upload files are deleted from Cloudflare R2 the moment the YouTube upload completes.

What we store - and what we don't

Every category of data we touch, where it lives, and exactly when it's deleted.

OAuth tokens

Supabase (US West 2) | Until you disconnect

AES-256-CBC encrypted at rest. Never logged or transmitted.

Source videos (Shorts)

Worker memory only | 2-5 minutes during clipping

Held in RAM, never written to disk or cloud storage. Deleted immediately after clips are generated.

Episode files (Episode Upload)

Cloudflare R2 (temporary) | Until YouTube upload completes

Uploaded directly from your browser to R2. Permanently deleted once the YouTube upload finishes.

Generated Shorts clips

Worker filesystem (temporary) | Until uploaded to YouTube/X

Deleted from our servers immediately after upload to your channel. Not retained.

Analytics data

Not stored | Never persisted

Fetched live from YouTube Analytics API on demand. Displayed in your dashboard only - never stored in our database.

Account data

Supabase (US West 2) | While account is active

Email address, YouTube channel ID, and channel name. Full deletion available on request.

Built on enterprise infrastructure

Every component of shortshorts runs on infrastructure trusted by the world's largest companies.

Vercel

Edge hosting & CDN

The dashboard and all API routes run on Vercel's global edge network. Automatic TLS, DDoS protection, and zero-downtime deployments.

Supabase

Database & storage

Postgres database hosted on AWS US West 2 (Oregon). Row-level security enforced on all tables. Automatic daily backups.

Cloudflare R2

Temporary file processing

Episode files uploaded for Hub processing land in R2 temporarily. Files are deleted as soon as the YouTube upload completes - R2 is never used as long-term storage.

Stripe

Payments

All billing is handled by Stripe. We never store card details. Stripe is PCI DSS Level 1 certified - the highest available standard.

Google Cloud

OAuth & YouTube API

Authentication and channel publishing use Google's official OAuth 2.0 and YouTube Data API v3. We comply with Google API Services User Data Policy Limited Use requirements.

Google Gemini API

AI content generation

Video transcripts and metadata are sent to Google Gemini to generate titles, descriptions, chapters, hashtags, and captions. Text only - no raw video files. Your data is not used to train or improve Gemini or any other AI model.

Fly.io

Geo-IP upload proxy

Upload requests are optionally routed through Fly.io's global edge network to ensure correct geo-attribution on YouTube uploads. Fly.io is SOC 2 Type II certified.

Google for Startups

Cloud Program member

Accepted into the Google for Startups Cloud Program - Google's vetted startup support program providing infrastructure credits, mentorship access, and technical resources.

Security contact

Found a vulnerability? Please report it responsibly.

security@shortshorts.ai