Legal · v1.0.0

Privacy policy

Effective 23 May 2026

This policy explains how CineForge handles your personal data. We have written it in plain English because we want you to read it — and because if you cannot understand what we do with your data, your “consent” isn’t worth anything.

The short version: we collect the minimum we need to run the service, we never train our AI on your creative work, we name every third party who processes your data, and you can ask us to delete everything at any time.

01

Who we are

CineForge is operated by Core Media Group Ltd, a company registered in England and Wales (company number 16877158), registered office: 6 North Parade, Bath, BA1 1LF, United Kingdom.

For the purposes of UK GDPR, Core Media Group Ltd is the data controller for personal data processed through CineForge. We are registered with the Information Commissioner’s Office (registration number ZC177484).

We do not currently have a statutory Data Protection Officer (Core Media Group Ltd does not meet the size or activity thresholds requiring one). For any data protection matter, contact our privacy lead at hello@cineforge.co.uk.

02

What personal data we collect

We collect personal data in five categories:

  1. Account data. Your name (if provided), email address, hashed authentication credentials (held by Clerk on our behalf, not by us directly), and profile metadata such as your role and preferences. This is the minimum needed to give you an account.
  2. Content data. The projects you create, the briefs you write, the ideas, story bibles, characters, scenes, locations, and other creative material generated through CineForge. We treat this as confidential. We never use it to train AI models — see section 4.
  3. Usage data. Which features you use, how often, and aggregated metrics about generation runs (counts, durations, success rates). We do not log prompt content as part of usage data; we log the fact that a generation occurred and its operational characteristics, not what was inside it.
  4. Payment data. If you take a paid subscription, Stripe processes your card details on our behalf. We see only the transaction outcome (succeeded, failed, refunded), the amount, and a Stripe customer ID. We never see, store, or transmit your full card number.
  5. Technical data. IP address, browser type, and similar information necessary to deliver the service securely. We minimise the retention of this category aggressively (see section 7).

03

Lawful basis and purposes

Under UK GDPR Article 6, we must have a lawful basis for each purpose for which we process personal data. The table below sets out what we do and why we are allowed to do it.

PurposeData categoryLawful basis (UK GDPR Art. 6)
Creating and operating your accountAccount dataContract (6(1)(b))
Generating story bibles and scenes you requestContent dataContract (6(1)(b))
Processing payments and managing subscriptionsPayment data, account dataContract (6(1)(b))
Detecting and preventing fraud and abuseTechnical data, usage dataLegitimate interests (6(1)(f))
Improving the service via aggregated metricsUsage data (aggregated, non-content)Legitimate interests (6(1)(f))
Sending transactional emails (sign-in, receipts, completion)Account dataContract (6(1)(b))
Sending product news and updates (if you opt in)Account dataConsent (6(1)(a))
Complying with legal obligations (tax records, lawful disclosures)Payment data, account dataLegal obligation (6(1)(c))

We never process special category data (data revealing racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, etc.) unless you put it into a project yourself — for example, by writing a character with a specific health condition. In that case, the data exists in the “content data” category and is treated under the same confidentiality commitments as the rest of your content.

04

AI processing and our no-training commitment

CineForge generates story bibles, scenes, and related content using large language models from Anthropic and embedding models from OpenAI. When you generate content, the text of your prompt and the resulting output are transmitted to one of these providers for inference.

We do not use your content to train, fine-tune, or otherwise improve any AI model — our own or anyone else’s. This is a contractual commitment, not a policy choice we can change quietly. Specifically:

  • We use Anthropic’s and OpenAI’s zero-retention API endpoints. Your prompt content is processed for inference and then discarded by the provider; it is not retained, not reviewed, and not used for training.
  • We do not maintain any internal training dataset, fine-tuning corpus, or model-improvement pipeline that includes user content. The cinema profiles, audience profiles, and DNA library content we use to guide generation are content we create ourselves.
  • We may compute aggregated, non-content metrics for product improvement — for example, “47% of Pakistani Drama generations use the family-of-five archetype.” These metrics describe patterns of use; they never include the specific creative content you wrote or generated.

If we ever wanted to use customer content for any model-improvement purpose, we would need to change this policy first, give you 30 days’ notice by email, and give you the opportunity to delete your data before the change took effect. We have no plans to do this.

05

Who we share data with

We share personal data only with the sub-processors necessary to deliver the service. Each sub-processor is bound by a data processing agreement that requires equivalent protections to those in this policy.

The full current list — including company, country, what they process, and the lawful transfer mechanism for any international transfer — is at /privacy/subprocessors. We update that page when sub-processors change and email registered users at least 30 days before adding a new one.

We do not sell personal data. We do not share personal data with advertising networks. We do not share personal data with anyone for the purpose of profiling, scoring, or marketing to you on behalf of third parties.

We may disclose personal data where legally required — for example, in response to a court order or a properly-served information request from a regulator. Where lawful, we will tell you about the request before complying.

06

International transfers

Some of our sub-processors are located outside the United Kingdom, primarily in the United States. Where personal data is transferred outside the UK, we rely on one of the following lawful transfer mechanisms:

  • UK adequacy regulations for transfers to countries the UK Government has formally recognised as providing adequate protection.
  • The UK International Data Transfer Agreement (IDTA) or the European Commission’s Standard Contractual Clauses with the UK Addendum, for transfers to other countries.
  • The EU-US Data Privacy Framework, where the recipient is certified, for transfers to the United States.

The specific mechanism in use for each sub-processor is shown in our sub-processor list. You may request a copy of the relevant transfer agreement by emailing hello@cineforge.co.uk.

07

How long we keep data

We keep personal data only for as long as we need it. The retention period depends on the category:

Data categoryRetention period
Account dataFor the lifetime of your account, then 30 days after deletion request.
Content dataFor the lifetime of your account, then deleted within 30 days of account deletion. You can also delete individual projects at any time.
Usage data (aggregated, non-content)Retained indefinitely in aggregated form for product analytics; never re-associated with identifiable users.
Payment dataBilling records retained for 7 years per UK tax law (Finance Act 2008, Sched. 36). Stripe customer ID retained for the lifetime of the account.
Technical data (logs)30 days, then deleted. Logs are PII-redacted at write time.
Error reports (Sentry)90 days.

When you delete your account, we delete your content data within 30 days, deactivate access immediately, and retain only the minimum information necessary for legal and accounting purposes (typically the billing record under UK tax law, retained for seven years).

08

Your rights

Under UK GDPR you have the following rights:

  • Right of access. You can ask for a copy of the personal data we hold about you.
  • Right to rectification. You can ask us to correct inaccurate personal data. Most account fields you can edit yourself in /account.
  • Right to erasure (“right to be forgotten”). You can ask us to delete your personal data. We will do this unless we have a legal obligation to retain something (for example, a billing record).
  • Right to restrict processing. You can ask us to pause processing your data while a dispute is resolved.
  • Right to data portability. You can ask for your content data in a machine-readable format. CineForge also provides direct export of your projects from /account/exports.
  • Right to object. You can object to processing based on legitimate interests; we will stop unless we have an overriding lawful reason to continue.
  • Rights related to automated decision-making. We do not make decisions about you using purely automated means that produce legal or similarly significant effects. Generative output is not a decision about you.

To exercise any of these rights, email hello@cineforge.co.uk from the address associated with your account. We will respond within one month (this may be extended by two months for complex requests, in which case we will tell you why).

Exercising these rights is free. If a request is manifestly unfounded or excessive — for example, repeated identical requests — we may charge a reasonable fee or refuse it, and we will explain why.

09

Children

CineForge is for users aged 16 and over. Under UK GDPR, 16 is the age at which a child can give their own consent to information society services without parental authorisation. We do not knowingly collect personal data from anyone under 16.

If you believe a child under 16 has created an account, please email hello@cineforge.co.uk and we will investigate. Where we confirm the user is under 16, we will delete the account and all associated content within 30 days.

10

Security

We take security seriously, but no system is perfectly secure and we are honest about that. Our principal security measures are:

  • Authentication and session management handled by Clerk, an established specialist provider.
  • All data in transit encrypted using TLS 1.2 or higher.
  • Database (Neon) and object storage (Cloudflare R2) provide encryption at rest by default.
  • Access to production systems restricted to named engineers, authenticated through MFA, and logged.
  • Application logs redact request bodies and known PII fields before storage.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by UK GDPR Article 33, and we will notify you directly without undue delay where the breach is likely to result in a high risk to you.

11

Cookies

We use a small number of strictly necessary cookies and may, in future, use optional analytics cookies (with your consent). The specific cookies we set are listed in the Cookie Policy.

12

Changes to this policy

We will update this policy from time to time. If we make material changes — for example, a change in lawful basis, a new sub-processor in a new country, or any change affecting your rights — we will email registered users at least 30 days before the change takes effect.

Non-material changes (clarifications, formatting, fixing typos) will be reflected with an updated version number and effective date at the top of this page.

13

Complaints

If you are not satisfied with how we handle your personal data, we’d like the chance to fix it — please contact us first at hello@cineforge.co.uk.

You also have the right to complain to the Information Commissioner’s Office, the UK’s data protection regulator:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
ico.org.uk/make-a-complaint/

If you live outside the UK, you may also have a right to complain to your local data protection authority.

14

Contact

For any data protection matter, contact us at hello@cineforge.co.uk or write to:

Privacy, Core Media Group Ltd
6 North Parade
Bath BA1 1LF
United Kingdom

This document is version 1.0.0, effective 23 May 2026. We will notify registered users by email at least 30 days before any material change takes effect.

Questions? Email hello@cineforge.co.uk.

Privacy policy — CineForge