Privacy Policy
This Privacy Policy describes how HuMe GmbH (“we,” “us”) collects, uses, and protects information when you use PumpedReels (“the Service”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
Last updated: 2026-05-20
1. Data controller
HuMe GmbH
Postgasse 8b, 1010 Vienna, Austria
Commercial register: FN 602205x
Contact: hello@hummelmedia.io
2. What we collect
2.1 Videos you upload
When you upload a video to PumpedReels, the video file is transmitted to and stored on our infrastructure for the purpose of generating an analysis report. Videos may include audio, visual content including faces, and any other material you choose to upload.
2.2 Account information
If you create an account, we collect your email address and any display name you choose to set. Email is required for authentication and transactional communication.
2.3 Anonymous usage data
If you use PumpedReels without creating an account, we set a cookie
(pumpedreels_anon_id) containing a randomly generated
identifier. We also temporarily store the IP address from which your
request originated for the sole purpose of enforcing rate limits on
anonymous usage.
2.4 Analysis results
The Service generates structured analysis data about the uploaded video, including derived signals such as visual composition metrics, audio measurements, and transcribed speech. This analysis is associated with the video upload and stored for the retention period described below.
2.5 Payment metadata
Credit purchases are processed by Lemon Squeezy (Merchant of Record). We receive only metadata about your purchase (order ID, credit amount, timestamp). We never receive or store payment card information.
2.6 Analytics
We use Vercel Analytics, a privacy-friendly analytics service that does not use cookies, does not store personal data, and does not share information with third parties. Analytics data is aggregated and cannot identify individual users.
3. Biometric data notice
PumpedReels analyzes the visual composition of uploaded videos, which can include detecting faces and their position within the frame using on-device computer vision (MediaPipe). This processing may constitute “biometric data” under Article 9 GDPR.
We do not perform facial recognition. We do not match faces against any database, store biometric templates, or identify individuals from their facial features. The processing is limited to measuring the position and area of detected faces within the video frame, for the purpose of scoring composition factors in the analysis report.
Lawful basis: explicit consent (Article 9(2)(a) GDPR), provided when you upload a video knowing it will be analyzed. You may withdraw consent at any time by deleting your videos or requesting account deletion.
4. How we use your data
- Generating and delivering your analysis report
- Operating and improving the Service
- Sending transactional emails (account login, video expiration notice, analysis completion notification, purchase receipts)
- Enforcing rate limits on anonymous usage
- Complying with legal and tax obligations under Austrian law
5. Lawful bases for processing
We process personal data on the following lawful bases under GDPR:
- Performance of a contract (Article 6(1)(b)) — processing necessary to deliver the analysis you requested
- Legitimate interests (Article 6(1)(f)) — anonymous rate limiting, fraud prevention, service operation
- Consent (Article 6(1)(a) and 9(2)(a)) — for biometric data processing and optional features
- Legal obligation (Article 6(1)(c)) — retention of payment records per Austrian tax law
6. Data retention
- Anonymous video uploads: 7 days from upload, then automatically deleted
- Authenticated user video uploads: 30 days from upload, then automatically deleted
- Analysis result text: deleted with the corresponding video
- Account data: retained until you request account deletion
- IP addresses (rate limiting): 7 days rolling window
- Payment records: 7 years (required by § 132 BAO Austrian Federal Fiscal Code)
7. International data transfers
To deliver our service, we transfer data to subprocessors located outside the European Economic Area, primarily in the United States. These transfers are protected by:
- EU Standard Contractual Clauses (SCCs) with each subprocessor
- The EU-US Data Privacy Framework (where the subprocessor is certified)
You consent to these international transfers by using the Service. The full list of subprocessors is below.
8. Subprocessors
We use the following subprocessors to deliver the Service. Each is bound by a data processing agreement and contractual obligations regarding the handling of your data.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web hosting, analytics | USA |
| Supabase | Database, authentication, email delivery | EU (Ireland) |
| Cloudflare R2 | Video file storage | EU (Eastern Europe) |
| Modal Labs Inc. | Compute infrastructure for analysis worker | USA |
| Google Cloud (Vertex AI) | Multimodal video analysis (Gemini 2.5 Flash) | USA (us-central1) |
| Deepgram | Speech-to-text transcription | USA |
| OpenRouter | Text LLM routing | USA |
| Anthropic | Text LLM (via OpenRouter) — analysis consolidation, voice rewriting | USA |
| Lemon Squeezy | Payments (Merchant of Record) | USA |
9. Your rights under GDPR
You have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — request that we limit processing
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — at any time, where consent is the lawful basis
- Complaint to supervisory authority — Austrian Data Protection Authority (Datenschutzbehörde) at dsb.gv.at
To exercise any of these rights, contact us at hello@hummelmedia.io. We respond to verified requests within 30 days.
10. Security
We implement reasonable technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest where supported by our subprocessors, access controls, and regular security review. No system is perfectly secure; we cannot guarantee absolute protection against unauthorized access.
11. Children
PumpedReels is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has used the Service, contact us so we can take appropriate action.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users at least 30 days before taking effect, or by a prominent notice on the Service.
13. Contact
Questions about this policy or your data:
hello@hummelmedia.io