Privacy Policy
Effective date: 2026-05-07 Last updated: 2026-05-07
This Privacy Policy explains how Viral Alchemy ("we", "us") collects, uses, shares, and protects personal information on viralalchemy.io and app.viralalchemy.io (the "Service"). We extend the rights described in this Policy — including those normally associated with the EU/UK GDPR — to all Users, regardless of location.
Questions: [email protected].
1. Controllers
- Viral Alchemy — controller for personal data we collect directly about you as a User. Operated from Lebanon.
- Paddle — independent controller for payment, billing, and tax data as our Merchant of Record. The Paddle entity that contracts with you depends on your location: Paddle.com Inc. (US), Paddle Payments Limited (UK), or Paddle.com Market Limited (rest of world — the default).
2. What we collect
From you: name, email, hashed password, profile preferences, content you upload or enter into the Service ("Your Inputs"), and support communications.
From your device: IP address, browser and device identifiers, language, usage events (pages viewed, clicks, session duration, errors, timestamps), and cookies as described in Section 6.
From connected third-party platforms (Meta/Instagram Graph API, TikTok, Reddit, YouTube): only what you authorize the platform to share — typically account profile, your posts, captions, and public engagement metrics. We do not post to your accounts unless you explicitly request it.
Billing data: handled by Paddle. We receive a transaction confirmation and limited metadata (plan, renewal date, country, masked card brand). We do not receive or store full card numbers.
Public content on third-party platforms used for trend detection is processed on the basis of our legitimate interest in operating the Service.
3. How we use personal data
| Purpose | Legal basis (GDPR framing) |
|---|---|
| Create and operate your account | Contract |
| Deliver the Service (research, scoring, script generation, analytics) | Contract |
| Process payments via Paddle | Contract; legal obligation |
| Service communications and support | Contract; legitimate interest |
| Marketing emails about Viral Alchemy | Consent (opt-in); withdraw at any time |
| Improve, debug, and secure the Service | Legitimate interest |
| Prevent fraud, abuse, and security incidents | Legitimate interest; legal obligation |
| Comply with law | Legal obligation |
We do not sell personal data. We do not use Your Inputs to train third-party foundation models.
4. AI processing
The Service uses Anthropic's API to score content and generate scripts. Your Inputs are sent to Anthropic solely to produce outputs for you. Anthropic commits by contract not to retain API data for training its foundation models. Outputs may be inaccurate, biased, or incidentally similar to other content — see Section 7 of the Terms of Service.
We may later offer a Bring Your Own Key (BYOK) option to Pro users. If you use BYOK, Your Inputs will be routed to the model provider you select and will be governed by that provider's terms and privacy policy instead of the arrangement above. We will update this Policy before enabling BYOK.
5. Subprocessors
| Recipient | Purpose | Location |
|---|---|---|
| Paddle (Paddle.com Inc. / Paddle Payments Limited / Paddle.com Market Limited) | Payment, tax, invoicing, fraud screening (Merchant of Record) | US / UK / EU |
| Microsoft Azure | Hosting, compute, storage, backups | EU / US |
| Anthropic | AI inference on Your Inputs to produce outputs | US |
| Meta | Instagram Graph API data exchange per permissions you grant (when you connect Instagram) | US |
We will update this list and notify Users before adding a new subprocessor that materially processes personal data. We may also disclose personal data to comply with a lawful request, to enforce our Terms or protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with advance notice to you).
6. Cookies
We use cookies and similar technologies that are (i) strictly necessary for authentication, security, and session management (no consent required); (ii) functional, to remember your preferences; and (iii) marketing, used on our public website (viralalchemy.io) to measure and attribute advertising campaigns, and set only with your opt-in consent via the cookie banner on your first visit.
Marketing cookies are not used inside the authenticated application (app.viralalchemy.io). You can withdraw consent or change cookie preferences at any time from the banner, or block cookies through your browser (some features may not function).
7. International transfers
Our subprocessors operate in the US, EU, and other regions, so your personal data may be transferred outside your country. Where we transfer personal data from the EU/UK to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses and supplementary safeguards as appropriate.
8. Retention
| Data | Retention |
|---|---|
| Account data | Life of the account + up to 90 days after deletion |
| Your Inputs and generated outputs | Life of the account + up to 30 days after deletion (backups cleared on the next cycle) |
| Billing and tax records | As required by applicable tax law (typically 7–10 years) — held by Paddle |
| Support communications | Up to 3 years after your last interaction |
| Marketing opt-in records | Until consent is withdrawn, then up to 30 days |
| Security and fraud logs | Up to 12 months |
On account deletion we will delete or anonymize your personal data within 90 days, except where law requires continued retention.
9. Your rights
Subject to local law, you have the rights to access, correct, delete, restrict or object to processing, portability, withdraw consent, and lodge a complaint with a supervisory authority.
To request deletion of your personal data, either delete your account from Account Settings or email [email protected] from the address on your account with the subject "Delete my data". We will respond within 30 days. California residents additionally have the right not to be discriminated against for exercising privacy rights, and may request the specific pieces of personal information we have collected.
10. Security
We implement reasonable technical and organizational measures including TLS encryption in transit, encryption at rest where applicable, access controls on a least-privilege basis, hashed credential storage, logging and anomaly detection, and routine updates. No system is perfectly secure; if we become aware of a breach affecting your personal data we will notify you and the applicable authorities as required by law.
11. Children
The Service is not intended for anyone under 18 and we do not knowingly collect personal data from children. If you believe we have, contact [email protected] and we will delete it.
12. Third-party links
The Service contains links to third-party websites, apps, and platforms we do not control. Their privacy practices are governed by their own policies.
13. Changes
We may update this Policy. For material changes we will post the updated Policy at viralalchemy.io/privacy and notify you by email at least 14 days before it takes effect.
14. Contact
- Privacy and data subject requests: [email protected]
- Legal: [email protected]
- Postal address: available on request to [email protected]
Operator: Viral Alchemy. Operated from Lebanon. Paddle is our Merchant of Record and an independent controller for billing data (Paddle.com Inc. for US buyers; Paddle Payments Limited for UK buyers; Paddle.com Market Limited for the rest of world).