Privacy Policy

afterSora is a trading style of Blu Zetta Limited. For this policy, "afterSora", "we", "us", and "our" mean the operator of the afterSora website, checkout, dashboard, generation tools, support channels, and related services.

Our registered business address is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. For privacy, account, billing, or support requests, contact us at [email protected] or use the contact form available from the site navigation.

Where we decide why and how personal data is processed, we act as controller. Where we process data on behalf of another organisation under written instructions, we act as processor for that organisation.

This policy applies to personal data processed through afterSora, including the public website, pricing and checkout pages, account dashboard, video and image generation workflows, character, world, preset, storyboard, remix, re-cut, loop, blend, support, email, analytics, and administrative tools.

It also applies when you access afterSora through our mobile apps for iPhone, iPad, or Android, including apps distributed through Apple App Store, TestFlight, Google Play, Google Play internal testing, or similar official store testing channels.

It does not replace separate notices or terms from third-party payment processors, AI model providers, hosting providers, analytics providers, identity providers, Apple, Google, app stores, device operating systems, or platforms you use to access or share afterSora content. Those third parties may process personal data under their own terms and privacy notices.

When you use the afterSora mobile app on iPhone, iPad, or Android, we process the account, creative, payment, support, and technical data described in this policy. The app is a companion to afterSora.com: it lets users create or sign in to an account, receive starter credits, buy mobile credit packs where available, open the afterSora studio, use device-supported security features, and add creative reference material.

• Apple App Store and TestFlight: Apple may process Apple ID, device, purchase, subscription or in-app purchase, crash, diagnostic, refund, tax, and compliance information under Apple's own terms and privacy notices. We may receive App Store transaction identifiers, product identifiers, signed transaction data, environment, purchase status, and related metadata so we can verify purchases, allocate credits, prevent fraud, and provide support.
• Google Play and Android testing tracks: Google may process Google account, device, purchase, tax, refund, license testing, crash, diagnostic, and Play Console information under Google's own terms and privacy notices. We may receive Google Play product identifiers, purchase tokens, order IDs, package name, purchase state, test purchase status, and related metadata so we can verify purchases, allocate credits, prevent fraud, and provide support.
• Camera permission: the mobile app may request camera access so you can capture a visual reference for creative generation workflows. Camera access is user initiated. You can deny or revoke camera permission in your device settings, but camera capture features may not work without it.
• Photo and video access: where the app or operating system allows you to select media, media access is used to let you choose creative reference material for your own afterSora projects. We do not use photo or video permissions to scan your library in the background.
• Biometric unlock: if you enable biometric unlock, authentication is handled by the device operating system, such as Face ID, Touch ID, fingerprint, or Android biometric services. We do not receive or store your biometric template.
• Device and app data: the app may process install identifiers, device type, operating system, app version, package or bundle identifier, crash/error information, push or app-state events where enabled, and local preferences needed for login, onboarding, purchase recovery, security, and support.

We collect and generate different categories of personal data depending on how you use afterSora.

• Account data: email address, password hash, login status, account identifiers, account settings, credits balance, plan, purchase history, support status, and authentication metadata.
• Checkout, app store, and billing data: selected plan, credit pack, promotion code, payment status, payment processor identifiers, Apple App Store or Google Play product identifiers, purchase tokens, transaction identifiers, order IDs, package or bundle identifiers, purchase state, transaction timestamps, billing name, billing country, order value, currency, card brand, card checks, failure reasons, refund records, and fraud or risk signals. We do not intentionally store full card numbers, CVV codes, Apple ID passwords, or Google account passwords.
• Creative workspace data: prompts, optimized prompts, drafts, storyboards, timeline settings, generation settings, aspect ratio, duration, model choice, quality choice, seed settings, character records, worlds, presets, uploaded images, uploaded videos, reference media, active world images, custom preset images, generated media, thumbnails, downloads, share links, and related metadata.
• Technical, app, and usage data: IP address, device type, browser type, mobile operating system, app version, package name, bundle ID, install identifier, approximate location derived from IP, referring URLs, pages viewed, buttons clicked, timestamps, error logs, crash or diagnostic data, generation job status, model responses, rate limits, security events, cookies, local storage, device preferences, and similar identifiers.
• Support and communication data: name, email, message content, screenshots, files, order dates, issue descriptions, correspondence, support outcomes, and preferences.
• Marketing and promotion data: promo links used, source, campaign, claimed or unclaimed status, referral source, consent status, email preferences, and interactions with promotional pages.
• Information from third parties: payment confirmations, webhook events, fraud checks, analytics events, email delivery events, model provider job data, storage events, or information you authorise another service to send to us.

afterSora is a creative AI product and is not designed for processing highly sensitive personal data. Unless we specifically ask for it, do not submit special category data, health data, biometric data for identification, criminal offence data, government identifiers, payment card secrets, passwords for other services, confidential third-party information, or personal data about children.

If your prompt, upload, world, preset, character, or support message contains personal data about another person, you are responsible for having a lawful basis, consent, licence, release, or other permission to use it. This is especially important for likenesses, voices, private images, minors, clients, employees, performers, and copyrighted or confidential material.

• Directly from you when you create an account, buy credits, enter prompts, upload media, configure settings, submit support requests, use the dashboard, or use the mobile app.
• Automatically from your browser, device, or app through server logs, cookies, local storage, device preferences, analytics events, security tools, app-state events, error logs, and generation job telemetry.
• From service providers such as Apple, Google, app stores, payment processors, email providers, hosting providers, analytics providers, fraud prevention providers, and AI model infrastructure providers.
• From public or third-party sources where you use a social, referral, promotion, or campaign link that identifies the source of your visit.

We use personal data only where we have a lawful basis under applicable data protection law.

• To provide the service and perform our contract with you: create accounts, authenticate users, process checkout, verify app-store purchases, allocate credits, run generations, show media, maintain libraries, provide downloads, recover pending purchases, process support, and manage credits.
• For legitimate interests: secure the service, prevent fraud and abuse, debug failures, monitor reliability, improve product performance, understand feature usage, protect our rights, enforce terms, and operate business reporting. We balance these interests against your rights and expectations.
• To comply with legal obligations: keep accounting and tax records, respond to lawful requests, comply with consumer, payment, sanctions, anti-fraud, data protection, and regulatory obligations, and preserve evidence where required.
• With consent: send optional marketing where consent is required, use non-essential cookies or similar technologies where consent is required, or process data for a specific purpose you agree to.
• To protect vital interests or public interests: only in rare cases, for example where a serious safety issue or legal emergency requires action.

To generate or transform media, afterSora may transmit your prompts, uploads, reference images, reference videos, active world images, custom preset images, character data, storyboard panels, settings, and relevant metadata to AI model providers, infrastructure providers, moderation systems, storage providers, or job queues. This is necessary to deliver the generation features you request.

AI providers and infrastructure providers may process inputs and outputs to perform generation, safety checks, abuse prevention, troubleshooting, billing, rate limiting, reliability monitoring, and compliance. Some providers may retain limited operational logs or media for defined periods under their own terms, policies, or legal obligations.

Generated output can be unpredictable. We may use automated systems to reject, block, moderate, or fail requests that appear unsafe, unlawful, infringing, abusive, technically invalid, unsupported by a model, or inconsistent with provider rules. We may store failure reasons and relevant prompt context so we can support users and improve reliability.

Payments are processed through payment service providers such as Square or any replacement processor we use. We receive payment status, transaction IDs, card brand, country, checks, failure reasons, and related order data, but the processor handles sensitive card details. Do not send card numbers, CVV codes, or bank credentials to support.

Mobile app credit purchases may be processed by Apple App Store In-App Purchase or Google Play Billing. Apple or Google handles the store payment flow and may process tax, refund, fraud, account, and device information under their own policies. We receive limited store transaction metadata needed to verify purchases, allocate credits, recover pending purchases, prevent duplicate fulfillment, manage refunds, respond to disputes, keep accounting records, and protect live users from service abuse.

We use checkout, account, promotion, IP, device, app, and payment metadata to prevent fraud, verify orders, allocate credits, manage refunds, respond to disputes, keep accounting records, and protect live users from service abuse.

We use cookies, local storage, app storage, device preferences, and similar technologies to keep you signed in, remember settings, support checkout, recover pending purchases, protect accounts, improve reliability, measure usage, and understand how people use afterSora. Some technologies are strictly necessary for the site or mobile app to work. Others, such as analytics or marketing tools, may require consent depending on your location and the technology used.

You can control cookies through your browser and, where available, site consent controls. Blocking essential cookies may prevent login, checkout, dashboard features, media playback, or security checks from working correctly.

We do not sell personal data in the ordinary meaning of selling customer data. We share personal data only where reasonably necessary for the service, compliance, security, or business operations.

• AI model and infrastructure providers for generation, transformation, safety review, moderation, reliability, and job processing.
• Apple, Google, app stores, and payment processors for in-app purchases, checkout, refunds, payment authentication, purchase verification, fraud checks, and disputes.
• Hosting, database, CDN, storage, logging, backup, email, analytics, support, and security providers.
• Professional advisers such as accountants, lawyers, insurers, auditors, and compliance consultants.
• Regulators, law enforcement, courts, payment networks, or other authorities where legally required or where necessary to protect rights, users, systems, or the public.
• A buyer, investor, lender, successor, or restructuring party if the business, assets, or service are involved in a merger, acquisition, financing, sale, insolvency, or reorganisation.
• Other users or the public only where you choose to share content, create public links, publish media, or otherwise make content available.

We are based in the United Kingdom, but our providers, users, processors, model infrastructure, and storage locations may be in the UK, European Economic Area, United States, or other countries. Where personal data is transferred internationally, we use appropriate safeguards where required, such as adequacy regulations, standard contractual clauses, UK international data transfer agreements or addenda, contractual protections, technical safeguards, or another lawful transfer mechanism.

We keep personal data only for as long as reasonably necessary for the purposes described in this policy, unless a longer period is required or permitted by law. Retention periods vary by data type.

• Account records are usually kept while your account remains active and for a reasonable period afterwards for support, security, audit, and legal purposes.
• Order, app-store purchase, payment, refund, tax, and accounting records may be kept for at least six years or longer if required by law, dispute, audit, app-store, or payment network rules.
• Generated media, uploads, prompts, drafts, worlds, presets, characters, storyboards, and logs may be retained while needed to provide your library, downloads, support, safety, abuse prevention, debugging, and product reliability.
• Failed generation context and error logs may be retained for troubleshooting, abuse prevention, support, and quality improvement.
• Support records may be kept for a reasonable period after resolution so we can evidence decisions and respond to follow-up questions.
• Backups may retain data for a limited period after deletion from live systems before they are overwritten.

We use administrative, technical, and organisational measures designed to protect personal data, including access controls, authentication, logging, transport security, environment separation, least-privilege access, backup practices, and service monitoring. No online service can guarantee absolute security, so you must keep your password secure, use a unique password, and tell us immediately if you suspect unauthorised access.

Depending on your location and the data involved, you may have rights to request access, correction, deletion, restriction, portability, objection to certain processing, withdrawal of consent, and review of certain automated decisions. These rights are not absolute and may be subject to exemptions, verification, legal retention duties, fraud prevention, or the rights of others.

To exercise rights, email [email protected] from your account email where possible. We may need to verify your identity and clarify your request. If you are in the UK, you also have the right to complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint.

afterSora is not intended for children. You must not create an account or use the service if you are under the minimum age required to enter into these terms in your country. Do not upload images, videos, voices, likenesses, or personal data of children unless you have the necessary authority, consent, and lawful basis, and the content is lawful, safe, and permitted by our terms and provider rules.

We use automated systems for login security, abuse prevention, generation routing, moderation, payment risk signals, rate limits, error handling, and credit allocation. These systems can block or fail requests, limit account actions, or require manual review. We do not intend to make solely automated decisions that produce legal or similarly significant effects unless permitted by law and subject to appropriate safeguards.

We may update this policy when the service, providers, legal requirements, or data practices change. If changes are material, we will take reasonable steps to bring them to your attention, such as posting a notice on the site, updating the date above, or contacting account holders where appropriate. Continued use after an update means the updated policy applies from its effective date.

For privacy requests, account questions, billing issues, support, or complaints, contact afterSora at [email protected]. You can also use the contact form from the site navigation.