Privacy Policy

Last updated June 19, 2026

This Privacy Policy explains how Jonathan Tapiero, doing business as SepiaLab ("SepiaLab", "we", "us") collects, uses and protects personal information when you use the Sepia application at app.sepia-lab.com and the website at sepia-lab.com (together, the "Service").

We act as the controller of your personal information. For any privacy question, or to exercise your rights, contact our privacy officer at support@sepia-lab.com.

1. Information we collect

We collect the following categories of information:

  • Account information: your email address and authentication identifiers, managed through our identity provider (Amazon Cognito).
  • Content you provide: product images, briefs, prompts, brand details and any material you upload to generate videos.
  • Content we generate for you: the scripts, hooks, images, voiceovers and videos produced from your inputs.
  • Billing information: your plan, credit balance and transaction history. Card details are collected and stored directly by our payment processor (Stripe); we never receive or store full card numbers.
  • Usage and technical data: IP address, device and browser information, log events, and how you interact with the Service, used for security, debugging and improving the product.
  • Cookies: strictly necessary cookies for authentication and session management (see the Cookies section).

2. How we use your information

  • Provide, operate and maintain the Service, including generating and delivering your videos.
  • Process payments, manage your credit balance and prevent fraud.
  • Respond to support requests and communicate about your account (for example, transactional notifications).
  • Secure the Service, detect abuse and enforce our Terms.
  • Comply with legal and tax obligations.

3. Legal bases

Where the GDPR or similar laws apply, we rely on: performance of our contract with you (to deliver the Service), our legitimate interests (security, fraud prevention, product improvement), your consent (where required), and compliance with legal obligations.

4. Service providers and sharing

We do not sell your personal information. We share it only with service providers who process it on our behalf to run the Service:

  • Amazon Web Services (hosting, storage, identity, email), processing in the United States.
  • Stripe (payment processing and billing).
  • AI model providers used to generate your content, including Replicate, Google, ElevenLabs and similar vendors, which receive the inputs needed to produce your videos.
  • We may also disclose information where required by law, to protect our rights, or in connection with a business transfer.

5. International transfers

Our infrastructure and several providers are located in the United States. When we transfer personal information outside your country, we rely on appropriate safeguards such as standard contractual clauses where applicable.

6. Data retention

We keep account information for as long as your account is active. Uploaded content and generated content are retained while your account is active and for a limited period afterward so you can recover work and so we can meet legal, security and accounting obligations. Technical logs are kept for a limited period. When you ask us to delete your account, we delete or anonymize your personal information unless we must keep it to comply with the law (for example, tax records).

7. Your rights

Depending on where you live (including under Québec Law 25, PIPEDA, the GDPR and the CCPA), you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Request deletion of your information.
  • Request a portable copy of your information.
  • Object to or restrict certain processing, and withdraw consent.

8. Security

We use encryption in transit, access controls and reputable infrastructure providers to protect your information. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

9. Children

The Service is intended for users who are at least 18 years old and is not directed to children. We do not knowingly collect personal information from children.

10. Cookies

We currently use only strictly necessary cookies required to keep you signed in and to operate the Service. We do not use advertising cookies. If we later add analytics or other non-essential cookies, we will update this policy and request consent where required.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the date below and, for material changes, take reasonable steps to notify you.

12. Contact

Jonathan Tapiero, doing business as SepiaLab (NEQ 2281850307), Montréal, Québec, Canada. Privacy questions and requests: support@sepia-lab.com.