Privacy Policy

1.1. This Privacy Policy (the «Policy») defines the procedure for processing personal data and the measures the Operator takes to keep such data secure when Users interact with Welder AI, available at https://www.welderai.ru/.

1.2. This Policy has been prepared in accordance with the UK GDPR, the DPA 2018, the PECR and other applicable law of England and Wales.

1.3. The Policy applies to any information the Operator may obtain about a User while the User is using the Service.

Operator (data controller): Vladislav Smirnov, trading as a sole trader registered in the United Kingdom (the «Operator»).

Contact for any data-protection matter:

1. through the built-in Support Chat on the Site — preferred channel for active Users;
2. by email at hello@welderai.ru — recommended when the Support Chat is not available to You (for example, when the Account is inaccessible).

The Operator's other contact details are not published. Through either of the channels above, the User may submit any request relating to the processing of their personal data, including requests to access, rectify, erase or restrict information, to object to processing, to withdraw consent and to exercise any other right granted by the UK GDPR.

The Operator processes personal data on the following principles:

1. lawfulness and fairness;
2. limiting processing to specific, predetermined and lawful purposes;
3. preventing the merging of databases whose processing is conducted for incompatible purposes;
4. ensuring that the content and volume of processed data match the declared purposes;
5. data accuracy, sufficiency and currency;
6. storing data in a form that identifies the subject no longer than the purposes of processing require;
7. ensuring data security in line with Article 32 of the UK GDPR.

4.1. Data subjects: registered Users of the Service, visitors of the Site, persons contacting the Operator through the Support Chat.

4.2. Categories of processed data:

1. Identification data: email address, name or nickname, phone number (if provided).
2. Account data: login, password hash, session identifiers, access tokens.
3. Service-usage data: operation history (script, image and video generations), credit balance, credit-grant and credit-spend history, selected Plan.
4. Payment metadata: details of payment transactions (amount, date, status, transaction identifier at the payment provider). Full card data are not received or stored by the Operator and are processed by the payment provider directly.
5. Technical data: IP address, device, OS and browser type/version, screen resolution, HTTP referer, URL parameters, cookie identifiers, request timestamps.
6. User content: files uploaded by the User (images, audio, video, text), scripts entered by the User and other text inputs, and results generated from them.
7. Credentials for connected third-party publishing services — access tokens, refresh tokens and token validity, the identifier of the connected account / channel / page, public information (display name, handle, avatar URL, business-account and Page identifiers). See also Section 8 of this Policy.
8. Communications: message history in the Support Chat and other correspondence.

4.3. The Operator does not process special categories of personal data (race or ethnicity, political views, health data and the like) or biometric personal data, except where such data are intentionally uploaded by the User as part of content and are processed solely to provide the Service.

The Operator processes personal data for the following purposes:

1. registering and identifying the User in the Service;
2. providing the functionality of the Service within the selected Plan;
3. tracking and debiting credits in accordance with the pricing rules;
4. processing payments and issuing supporting documents;
5. publishing the User's generated content to external publishing platforms the User has connected (including TikTok, Instagram and YouTube) — strictly upon the User's explicit action and within the scope chosen by the User;
6. communicating with the User, including through the Support Chat, by email and via push notifications;
7. informing the User about new features, offers and Service updates (subject to the consents granted);
8. ensuring Service security, detecting and preventing unauthorised access, fraud and abuse;
9. analysing Service usage, developing and improving its quality;
10. complying with applicable law, including responses to lawful requests from competent state authorities;
11. protecting the rights and lawful interests of the Operator.

The Operator relies on the following lawful bases under Article 6 of the UK GDPR:

1. Consent (Article 6(1)(a)) — for optional cookies, marketing communications and any opt-in feature. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
2. Performance of a contract (Article 6(1)(b)) — for providing the paid functions of the Service to the User, including delivery of credits, generation operations and auto-publishing actions requested by the User.
3. Compliance with a legal obligation (Article 6(1)(c)) — for record-keeping required by HMRC, anti-money-laundering law and other legal obligations to which the Operator is subject.
4. Legitimate interests (Article 6(1)(f)) — for product analytics, abuse and fraud detection, network and information security, and for responding to law-enforcement and regulatory requests. The Operator balances these interests against the rights and freedoms of the User and conducts Legitimate Interests Assessments where appropriate.

7.1. Processing is carried out both by automated means and without them and includes: collection, recording, organisation, accumulation, storage, updating, retrieval, use, transfer (provision, access), depersonalisation, blocking, deletion and destruction.

7.2. The Operator processes personal data with the technical and organisational measures required by Article 32 of the UK GDPR and the DPA 2018.

8.1. Purpose of the integrations. Welder AI lets a User publish video content generated in the Service to the User's own accounts on third-party publishing platforms — TikTok, Instagram (Meta Platform) and YouTube (Google Platform). Integrations are activated only by an explicit User action (clicking «Connect» and completing the OAuth authorisation flow of the respective platform).

8.2. Permissions requested and categories of data received. On connection, the Operator requests from the platform and receives the following data (the minimum necessary for the auto-publishing function):

1. TikTok — scopes user.info.basic, video.upload, video.publish. Data categories: the user's open ID, display name and avatar URL; the video-upload status, the published-video identifier and publication metadata. The Operator does not request access to private messages, follow lists, watch history or any other information unrelated to publishing.
2. Instagram (Meta Graph API) — scopes instagram_basic, instagram_content_publish, pages_show_list, business_management (the last only when a Business account is connected). Data categories: the identifier of the connected Facebook Page and its linked Instagram Business account, display name / handle, avatar URL, the media-upload and publication status.
3. YouTube (Google API) — scopes https://www.googleapis.com/auth/youtube.upload and https://www.googleapis.com/auth/youtube.readonly. Data categories: channel identifier, channel name, avatar URL, video processing and publication status, the published-video identifier.

8.3. What the Operator does not receive and does not request: private messages or direct messages, drafts or unpublished content on the platforms, the User's subscriber or following lists, in-platform payment data, geolocation or other biometric data, or any data that requires elevated platform permissions (Advanced Access) beyond the scopes listed in §8.2.

8.4. Use of integration data. Information received during the connection flow is used by the Operator exclusively for the following limited purposes:

1. displaying the list of the User's connected accounts, channels and Pages in the Service interface;
2. performing the publishing operations (upload, publish) requested by the User;
3. tracking the publication status and surfacing the outcome in the interface;
4. displaying aggregate post performance — only where the corresponding scope has been granted and the User has explicitly opted in.

The Operator does not use data obtained through platform integrations for advertising, sale to third parties, credit decisions, HR decisions, training of its own or third-party machine-learning models, or for any purpose outside the explicitly stated auto-publishing function. See also Section 15 («Compliance with platform policies»).

8.5. Token storage and related data. For each connection the Operator stores:

1. the access token and refresh token in encrypted form (at-rest encryption), until the User disconnects the integration or the token expires under the platform's own rules, whichever comes first;
2. the connected-account identifier (open ID / channel ID / Page ID), display name or handle, and avatar URL — for displaying the list of connections in the Service interface;
3. where the corresponding scope has been granted, public account metrics (subscriber count, post count, account creation date) — for displaying a summary in the interface;
4. the identifier of each video published through the Service together with publication metadata — status (uploaded, processing, published, failed), publication date, URL of the published item, and the title, description and tags supplied by the User — for tracking the publication history in the interface.

Third-party tokens are used solely on the User's behalf and only for the scenarios described in §8.4. Retention periods are set out in Section 10.

8.6. Revoking access. The User may revoke an integration at any time (a) through the «Integrations» area of the Settings page of the Welder AI account, (b) through the platform's own settings (TikTok settings, Facebook Business settings, Google Account permissions). Upon disconnection, the Operator deletes the related access and refresh tokens and stops calling the platform's API on the User's behalf.

9.1. The Operator does not sell and does not disclose Users' personal data to third parties for marketing purposes.

9.2. To provide the Service the Operator engages providers of hardware, software and platform infrastructure under contracts that include confidentiality and security obligations. Without disclosing the specific provider names in this Policy, their functional categories are listed below:

1. Cloud infrastructure providers — for hosting the Site, databases and file storage, and for fault-tolerance and geo-distribution;
2. AI compute providers — for performing the generation of text, images and video and for processing User input;
3. Payment providers — for accepting payments, processing refunds and issuing fiscal documents;
4. Product analytics and behavioural-metric platforms — for studying Service usage, identifying bottlenecks and improving the interface;
5. Transactional email providers — for sending sign-up confirmations, receipts and notifications;
6. Abuse-prevention and security providers — for protection against bots, spam, fraud and load attacks;
7. External publishing platforms (TikTok, Instagram / Meta Platform, YouTube / Google Platform) — when the User uses auto- publishing functions, and only to the extent necessary to perform that function (see Section 8).

9.3. Data are disclosed to the engaged third parties only to the extent necessary to perform the respective function and only for the purposes listed in Section 5 of this Policy.

9.4. The Operator discloses personal data to public authorities only where required to do so by law, including in response to a binding court order or other lawful disclosure request issued by a competent authority.

10.1. The User's personal data are retained for as long as the Account is active and, after the Account is deleted, for 3 (three) years to protect the Operator's rights and lawful interests, unless statutory law requires a different period (in particular, data related to financial transactions are retained in accordance with HMRC self-employment record- keeping requirements — typically 6 years after the end of the relevant tax year).

10.2. Access tokens of third-party platforms (see Section 8) are retained until the User disconnects the integration or until the token expires, whichever is earlier. Upon disconnection the tokens are deleted from active stores; technical backups are rotated under a standard schedule and do not exceed 90 days.

10.3. Once retention periods expire, the data is destroyed or depersonalised.

11.1. Upon a User's request the Operator deletes the personal data associated with that User from active processing systems. A request may be submitted through any of the channels listed in the Callout above; in each case the Operator confirms account ownership (for example, by requiring a response from the registered email address or a response from an active Account session).

11.2. What is deleted on request: identification and account data, User content (scripts, uploaded materials, generated results), credentials of connected integrations (see Section 8), Support Chat message history.

11.3. What is retained and why: payment metadata and financial documents — in depersonalised or restricted form, for the periods required by applicable tax law (HMRC self-employment record- keeping requirements — typically 6 years after the end of the relevant tax year); information necessary to prevent fraud and abuse (such as a marker that an account was previously banned), in depersonalised form.

11.4. Deletion and publishing platforms. Deleting a Welder AI Account does not delete the materials the User has already published to TikTok, Instagram or YouTube — those materials are stored by the respective platform and can be removed only through that platform's own interface. The Operator does delete the platform access tokens it stored and stops all operations on the User's behalf.

12.1. The Site uses cookies and similar technologies (browser local storage, device identifiers) to provide Site functionality, persist user preferences, measure marketing-channel effectiveness and analyse visitor behaviour in depersonalised form.

12.2. Some cookies are strictly necessary and are set without the User's explicit consent — the Site cannot function without them. Other cookie categories are set on the basis of consent expressed by active interaction with the Site or, where available, through a dedicated banner.

12.3. The User may manage cookies through their browser settings, including blocking or deleting previously stored cookies. Disabling cookies may restrict Site functionality.

Under the UK GDPR and the DPA 2018, the User (as a data subject) has the following rights:

1. Right to be informed about how the personal data are processed (Articles 13-14 UK GDPR).
2. Right of access — to obtain a copy of the personal data the Operator holds about the User (Article 15).
3. Right to rectification — to have inaccurate or incomplete personal data corrected (Article 16).
4. Right to erasure («right to be forgotten») — to have personal data deleted in the circumstances set out in Article 17.
5. Right to restriction of processing (Article 18).
6. Right to data portability — to receive personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller (Article 20), to the extent technically feasible.
7. Right to object to processing based on legitimate interests, including objection to direct marketing at any time (Article 21).
8. Right to withdraw consent at any time, where processing is based on consent (Article 7(3)).
9. Rights related to automated decision-making — the Service does not subject Users to decisions based solely on automated processing that produce legal effects concerning them (Article 22).
10. Right to lodge a complaint with a supervisory authority— the Information Commissioner's Office (ICO) (ico.org.uk), or with the data-protection authority of the User's country of habitual residence within the United Kingdom.

The User may request Account deletion through the Account dashboard or the Support Chat. Account deletion does not automatically remove depersonalised data and information whose processing is required by law to be retained.

14.1. The Operator applies legal, organisational and technical safeguards to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution and other unlawful actions, including:

1. premises- and infrastructure-security regimes;
2. information-security tooling, including encryption of data in transit over public networks;
3. at-rest encryption of sensitive artefacts, including access tokens and refresh tokens of third-party platforms;
4. least-privilege access controls for staff and contractors;
5. regular auditing and monitoring of processing systems;
6. confidentiality clauses in contracts with engaged third parties.

14.2. Despite the measures taken, the Operator cannot guarantee absolute protection of personal data against any threat. The User assumes the risks associated with the use of the Internet.

15.1. Limited Use principle. The Operator processes data obtained through platform integrations solely to deliver and improve the auto-publishing function requested by the User. The Operator does not disclose this data to third parties, does not use it to build advertising profiles, does not sell it and does not use it to train its own or third- party machine-learning models, except where expressly permitted by applicable law or expressly agreed with the User.

15.1A. AI-Generated Content Labeling. The Service generates video content using generative artificial-intelligence models. The Operator ensures that:

• (a) all videos created by Users are disclosed as AI-generated on the target platform;
• (b) on Instagram / Facebook, where no native API flag exists, the Service applies the #AIgenerated hashtag automatically;
• (c) on YouTube, the Service sets containsSyntheticMedia=true on all videos.insert() API calls;
• (d) on TikTok, the Service sets the AI-generated toggle (is_aigc=true) where the API supports it.

The User remains responsible for verifying that the AI-disclosure is applied before publication.

15.2. YouTube API Services. When publishing to YouTube the Service uses YouTube API Services. The Service's use in this regard is governed by the YouTube Terms of Service and the Google Privacy Policy. The Service's use complies with the requirements of the Google API Services User Data Policy, including the Limited Use requirements. Access granted to the Service can be revoked through the Google Account permissions page.

15.3. TikTok for Developers. Publishing to TikTok is governed by the TikTok Developer Terms of Service and the TikTok Privacy Policy, and the published content is governed by the TikTok Community Guidelines and applicable law. Access can be revoked through TikTok → Manage Account → Apps and Websites.

15.4. Meta Platform (Instagram). Publishing to Instagram is governed by the Meta Platform Terms, the Meta Privacy Policy and the applicable Instagram Community Guidelines. Access can be revoked through Facebook Business Settings → Business Integrations or Instagram → Settings → Apps and Websites.

15.5. Incident notification. Where a security incident affecting data obtained through platform integrations is detected, the Operator notifies affected Users and the respective platforms within the timeframes required by applicable law and platform policies.

16.1. Personal data processed under this Policy may be transferred to and stored on infrastructure operated by providers outside the United Kingdom, and may be transferred to the third-party publishing platforms described in Section 9 (TikTok, Meta Platform, Google Platform), which independently act as controllers under their own privacy frameworks.

16.2. Any such international transfer is carried out in accordance with Chapter V of the UK GDPR and is supported by one of the following mechanisms:

1. a UK adequacy regulation in respect of the recipient country (Article 45);
2. appropriate safeguards under Article 46, in particular the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
3. a derogation for a specific situation under Article 49, including the User's explicit consent or the necessity of the transfer for the performance of a contract with the User.

16.3. On request, the Operator provides further information about the transfer mechanism in place for any specific recipient through the Support Chat.

17.1. The Service is not intended for use by persons under the age of 18 (eighteen). The Operator does not knowingly collect personal data of such persons.

17.2. If the Operator becomes aware that data of a minor has been collected without the consent of their legal representatives, such data is deleted as soon as practicable.

18.1. The Operator may amend this Policy at any time. The current version is always published at https://welderai.ru/legal/privacy. Material changes will be announced in the Service interface a reasonable time before they take effect.

18.2. Continued use of the Service following publication of a new version constitutes the User's acceptance of that version.

18.3. This Policy is issued in the English language and is governed by the law of England and Wales. A separate Russian-language privacy notice is maintained for Russian-language users; the two are independent documents and do not translate or override one another.