Privacy Policy
Last updated: July 3, 2026
This Privacy Policy explains how Everpop ("Everpop", "we", "us", or "our") collects, uses, shares, and protects information about you when you use our website and services (the "Service"). By using the Service, you agree to the practices described here. If you do not agree with this Policy, please do not use the Service.
Everpop is operated by Very - Fast Ltd. (Вери - Фаст ЕООД), an EOOD (single-member limited liability company) registered in Bulgaria under EIK 206337186, with registered seat at 29 Georgi Benkovski Str., 3000 Vratsa, Bulgaria (ул. Георги Бенковски №29, 3000 Враца). You can contact us at privacy@everpop.app for any data protection matter, or at support@everpop.app for general support. Our supervisory authority is the Commission for Personal Data Protection of the Republic of Bulgaria (kzld@cpdp.bg, cpdp.bg).
1. Information We Collect
We collect the following categories of information:
- Account information: name, email address, and password (stored hashed) when you register.
- Connected platform data: when you connect a YouTube channel or social account, we receive identifiers, channel/video metadata, and authorization tokens needed to provide the Service. Tokens are encrypted at rest. If you connect an optional Google Drive folder, we also receive the names, sizes, and IDs of video files in that one folder (see Section 5a).
- Content: videos, clips, captions, transcripts, and related metadata processed to deliver clipping and publishing features.
- Prompts & generated content: text prompts you submit in the Create studio, and the scripts, voiceovers, and videos generated from them.
- Clip ratings & notes: the thumbs-up/down and written comments you leave on your own clips. These are shown back to you and included in internal product-quality reviews; they are not used to train ranking models.
- Clip performance data: aggregate per-clip and per-channel metrics retrieved from platform analytics APIs you authorize (see Section 5). Never viewer-level data.
- Billing information: processed by our payment provider (Stripe). We do not store full card numbers.
- Usage data: log data, device/browser information, IP address, and product analytics about how you interact with the Service.
- Communications: messages you send to support.
2. How We Use Information
- To provide, operate, maintain, and improve the Service;
- To detect new uploads, generate clips, and publish content to platforms you authorize;
- To process payments, manage subscriptions, and prevent fraud;
- To communicate with you about your account, security, and updates;
- To monitor, secure, and troubleshoot the Service;
- To comply with legal obligations and enforce our Terms.
3. Legal Bases for Processing (EEA/UK)
Where the GDPR or UK GDPR applies, we process personal data on the bases of: performance of a contract (to provide the Service), legitimate interests (to operate and improve the Service and prevent abuse), consent (where required, e.g. certain cookies), and compliance with legal obligations. As the controller is established in Bulgaria, our lead supervisory authority is the Bulgarian Commission for Personal Data Protection (cpdp.bg).
4. How We Share Information
We do not sell your personal information. We share information only with service providers ("subprocessors") that help us run the Service, under contractual confidentiality and data-protection obligations. We may also disclose information to comply with law, enforce our Terms, or protect our rights, users, or the public.
5. YouTube / Google API Services
When you connect your YouTube channel, Google provides us with access limited to the following scopes: youtube.readonly (to detect new uploads on the channel you authenticate), youtube.upload (to publish vertical Shorts back to that same channel when you explicitly initiate a publish action or enable auto-posting), and yt-analytics.readonly (to retrieve aggregate performance metrics for your own channel and for the Shorts we publish on it). We store your channel_id, channel title, recent video metadata (titles, video_ids, thumbnails) for clip generation, OAuth tokens (encrypted at rest), and the video_ids of Shorts we publish.
Receipts & performance measurement.Using the analytics scope, we retrieve a fixed, limited set of aggregate metrics per published clip and per channel: views, estimated minutes watched, average view duration, average view percentage, subscribers gained, likes, shares, and comments. These are channel-level aggregates only — we never receive or store any information about individual viewers. We use these metrics to (a) show you your clips' real performance ("receipts"), and (b) improve clip selection for your own channel: each channel's model is trained solely on that channel's own clip features and aggregate results. You can exclude any published clip from this learning at any time (Receipts → "Learning off"), and disconnecting your channel stops all collection.
Public receipt pages. If — and only if — you generate and share a receipt link, the aggregate metrics above for that one clip become viewable by anyone holding the link. You control whether such links are created and where they are shared; they contain no account, email, or viewer information.
Limited Use.Everpop's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data; we do not use Google user data for serving advertisements (including retargeting, personalized, or interest-based advertising); we do not use Google user data to train generalized machine-learning models; and we do not allow humans to read Google user data unless we have your explicit consent for specific data, or it is necessary for security purposes or to comply with applicable law.
The Service uses YouTube API Services to provide its YouTube features. Your use of the Service's YouTube features is also subject to the YouTube Terms of Service and Google Privacy Policy. You can revoke our access at any time at myaccount.google.com/permissions.
5a. Google Drive Ingestion (Optional)
If you connect a Google Drive folder, you share that one folder with our service account (read-only). We access only files in that folder: we read file names, sizes, and IDs, and copy new video files into our storage (Cloudflare R2) to generate clips. We never see the rest of your Drive. Disconnecting the folder in Settings (or un-sharing it in Drive) stops all access immediately; videos already imported stay in your library until you delete them. Our use of information received from Google APIs — including Drive — adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. Meta Platform Data (Facebook + Instagram)
When you connect your Facebook account and/or Instagram Business or Creator account, Meta Platforms, Inc. provides us with limited information necessary to operate the connection: your Facebook user ID and name; the IDs and names of Facebook Pages you administer; your Instagram user_id, username, and account_type; and OAuth access tokens (including long-lived Page access tokens) used to publish content on your behalf when you explicitly initiate a publish action.
We use this data exclusively to (a) display the connected account in your dashboard, (b) publish the specific clips you select to your chosen destinations, and (c) honor your request to disconnect. We do not use this data for advertising, profiling, machine-learning training, or any purpose other than the publishing function you opt into.
Stored fields: Facebook user_id; Page IDs and names you select; Instagram user_id, username, account_type; OAuth tokens (encrypted at rest); video_ids of clips we publish. Deletion:triggered automatically within 24 hours of clicking "Disconnect" in Settings → Connections, or upon receipt of a deletion request at privacy@everpop.app. You can also revoke our access directly at facebook.com/settings → Apps and Websites.
We support Meta's Data Deletion Callback. Our callback endpoint is hosted at https://everpop.app/api/meta/data-deletion, and our user-facing deletion instructions are at everpop.app/data-deletion.
7. TikTok Data
When you connect your TikTok account, TikTok provides us with your open_id, display name, avatar URL, and OAuth access + refresh tokens, used solely to publish clips you explicitly select via the dashboard.
We do not read your TikTok feed, your followers, your comments, or any content other than what you produce through Everpop. We do not perform any growth automation, fake engagement, or bulk-posting from one account to many accounts. Each connection is single-creator, opt-in, and revocable at any time at Settings → Connections.
We honor TikTok's content removal: if a post is deleted on TikTok's side, we do not re-publish it. We comply with TikTok's Music Usage Confirmation and Branded Content Policy where applicable; commercial-content disclosure is surfaced in the publish dialog before the post is sent. Clips published to TikTok through Everpop are automatically labeled as AI-generated content (TikTok's is_aigc flag), as required by TikTok's rules for AI-assisted media.
Stored fields: open_id, display name, avatar URL, OAuth tokens (encrypted at rest), video_id of each published clip, your selected privacy_level and interaction settings per clip. Deletion: within 24 hours of disconnect or written request to privacy@everpop.app.
8. Subprocessors
We use the following subprocessors to operate Everpop. All are bound by data processing agreements compliant with GDPR Article 28. International transfers to processors outside the EEA rely on Standard Contractual Clauses approved by the European Commission.
- Vercel Inc. (USA) — application hosting
- Neon, Inc. (USA) — database hosting
- Upstash, Inc. (USA) — rate-limiting and job-queue infrastructure (may briefly process account emails and internal IDs)
- Cloudflare, Inc. (USA/EU) — CDN and object storage (R2)
- Stripe, Inc. (USA / Ireland) — payment processing (card data is sent to Stripe directly; we store only a customer_id reference)
- AI service providers — currently Anthropic, PBC (USA), Groq, Inc. (USA), and OpenAI, Inc. (USA) — (audio transcription, moment selection, script and metadata writing, text-to-speech, automated content-safety screening, and title/description suggestions, used to generate clips and prompt-generated shorts; the content sent to these providers includes your prompts, video transcripts and clip opening hooks, clip and source-video titles and descriptions, and clip thumbnail images, processed to deliver these features and to screen for prohibited content)
- Pexels (stock b-roll search) — receives only generic visual search keywords derived from generated scripts, never your personal data
- Resend, Inc. (USA) — transactional email delivery
- Crisp IM SAS (France) — support chat (loads only with your consent)
We will update this list when subprocessors change. Notice will be provided via the email address associated with your account at least 30 days before adding a new subprocessor that processes personal data. A current list of named subprocessors, including the specific AI service providers we use, is available to business customers and compliance teams on written request to privacy@everpop.app. See also our dedicated Subprocessors page and DPA summary.
9. Data Retention
We keep personal data only as long as necessary for the purposes described in this Policy, then delete or anonymize it. The periods below are indicative and may be extended where a longer period is required by law or to resolve a dispute or enforce our agreements:
- Account & profile data: kept for the life of your account and deleted promptly when you delete your account — in practice immediately, and within 30 days at the outside.
- Connected-platform tokens & identifiers: kept until you disconnect or delete your account; removed within 24 hours of a disconnect or platform deletion request (in practice within minutes for an in-app disconnect).
- Content (source videos, clips, posts) & receipts: for the life of your account, and deleted with it. Shorts published to your own channel remain there unless you remove them.
- Aggregate clip/channel analytics (receipts & learning): for the life of your account, or until you exclude a clip from learning.
- Billing & invoice records: retained for 10 years as required by the Bulgarian Accountancy Act and tax law. These records are held by our payment processor (Stripe); our own systems keep only a customer reference, which is removed when you delete your account.
- Audit & security logs: kept for fraud-prevention and security no longer than necessary for those purposes (up to 12 months), then deleted — except where a longer period is needed to resolve an open dispute or legal claim.
- Support communications: handled through our support processors (the Crisp chat widget and our email provider) and retained, per their settings and our policy, for up to 24 months after your last interaction.
- Data-deletion request records: retained as needed to evidence our compliance.
You may request deletion of your account and associated personal data at any time — see our Data deletion page.
10. Security
We implement technical and organizational measures designed to protect your information, including encryption of sensitive tokens, access controls, and signed webhooks. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Breach notification. In the event of a personal-data breach, we will notify the competent supervisory authority (in Bulgaria, the Commission for Personal Data Protection) without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Article 33, unless the breach is unlikely to result in a risk to your rights and freedoms. Where a breach is likely to result in a high risk to you, we will also notify you without undue delay, as required by GDPR Article 34.
11. Your Rights
Depending on your location, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing or withdraw consent. To exercise these rights, contact us at privacy@everpop.app. You may also revoke connected-platform access at any time from your account or the relevant platform's settings. EU residents have the right to lodge a complaint with their local supervisory authority; in Bulgaria this is the Commission for Personal Data Protection (cpdp.bg).
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, request deletion, and not be discriminated against for exercising your rights. We do not sell or share personal information as defined by the CCPA/CPRA.
13. Cookies & Tracking
We use cookies and similar technologies for authentication and preferences. Strictly necessary cookies are always on. The only non-essential cookie is the support chat (Crisp), which loads after you accept; our product analytics runs server-side and sets no cookies. You can change or withdraw your cookie choice at any time. For full details — categories, providers, and durations — see our Cookie Policy.
14. International Transfers
Your information may be processed in countries other than your own. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers outside the EEA.
15. Children
The Service is intended for adults: it is not directed to anyone under 18, and we do not knowingly collect personal data from individuals under 18. If you believe someone under 18 has provided us data, contact us and we will delete it.
16. Changes to This Policy
We may update this Policy from time to time. Material changes will be posted on this page with a revised "Last updated" date. Your continued use of the Service after changes take effect constitutes acceptance.
17. Contact
Questions about this Policy? Contact us at privacy@everpop.app. Mailing address: Very - Fast Ltd., 29 Georgi Benkovski Str., 3000 Vratsa, Bulgaria.
