CATCHUPS.AI PRIVACY POLICY & DPA
Last Updated: June 2026
This document serves as both the Privacy Policy and the Data Processing Agreement ("DPA") between Catchups Video Ltd. ("Company", "Data Processor") and the business entity utilizing the service ("Client", "Data Controller").
1. INTRODUCTION AND COMPLIANCE FRAMEWORK
This DPA is designed to ensure compliance with the Israeli Privacy Protection Law (5741-1981), the EU General Data Protection Regulation (GDPR), and relevant international data processing frameworks. Client accepts and agrees to be bound by the terms of this Privacy Policy & DPA by actively checking the consent box during registration or onboarding, creating an account, or by otherwise accessing or utilizing the Catchups.ai API, system, and services.
2. DATA PROCESSING ROLES & INSTRUCTION MANDATE
• Processor (Catchups.ai): Processes personal data, client-supplied brand assets, and contextual inputs solely on behalf of, and in strict accordance with, the documented instructions of the Data Controller, including the provisions of this Agreement.
• Controller (Client): Retains sole ownership, control, and responsibility for establishing a legitimate legal basis (such as explicit consent, legitimate interest, or contractual necessity) for all inputs, search topics, URLs, media assets, and any brand or personal data fetched, submitted, or processed by the Service at the Controller's direction.
• Third-Party URL Data Responsibility: Client explicitly acknowledges and warrants that if any URL, prompt, or targeted asset provided by the Client to the Service contains personal data or Personally Identifiable Information (PII) of third parties (including but not limited to names, emails, professional history, or images residing on the targeted web pages), the Client is solely responsible for ensuring that all legally required notices, consents, and authorizations have been obtained from such data subjects prior to directing the Company to process, crawl, fetch, or synthesize such data.
3. TYPES OF DATA AND SYSTEM PROCESSING SCOPE
The categories of data processed under this agreement include:
• Lead Data: Professional contact information (names, corporate emails, billing details, company roles, and system interaction logs) processed for corporate account management, integration assistance, customer support, and subscription auditing.
• Contextual Inputs & Media Assets: Text prompts, search topics, keywords, URLs, and brand-supplied assets (including corporate logos, brand styles, trademarked materials, and reference images) submitted via the API or designated dashboards.
• Crawled/Fetched Content: Any text, metadata, images, or assets dynamically retrieved from the Client-supplied URLs under the Client's direct instruction. To the extent this crawled content contains personal data, it shall be processed strictly as Customer Personal Data under this DPA.
• End-User Privacy Safeguards: Catchups.ai does not proactively collect, harvest, or store PII of the Controller's end-users (such as viewer names, IP addresses, or emails) unless explicitly required for a custom, isolated feature requested by the Controller. We employ strict pseudonymization and anonymization techniques to process system analytics.
4. TECHNICAL & ORGANIZATIONAL SECURITY MEASURES
• Encryption Standards: All personal and proprietary data processed by Catchups.ai is encrypted in transit using TLS 1.3 (or higher) and at rest using industry-standard AES-256 encryption.
• Hosting Security: Our processing infrastructure is hosted within secure, ISO 27001 and SOC 2 Type II certified cloud environments provided by AWS and Google Cloud Platform (GCP).
• Incident Management: In the event of a confirmed security breach impacting the Data Controller's processed data, the Data Processor shall notify the Data Controller without undue delay, and no later than seventy-two (72) hours following confirmation. Processor shall provide Controller with sufficient information to allow Controller to meet any obligations to report or inform data subjects or data protection authorities under applicable privacy laws.
5. SUB-PROCESSORS AND CROSS-BORDER TRANSFERS
• Upstream AI Sub-Processors: Data Controller authorizes Data Processor to engage third-party AI sub-processors (including but not limited to OpenAI, Google Cloud AI, and industry-standard cloud text-to-speech providers) to synthesize text, process speech, and render video Output. Data is transmitted to these sub-processors via secure, non-training corporate API channels.
• Data Isolation Contract: We enforce strict data-protection agreements with all sub-processors, ensuring they do not retain, train on, or repurpose Controller data for general model improvement or third-party purposes.
• Cross-Border Transfers: To the extent that data transfers occur between Israel, the European Economic Area (EEA), and the United States, the parties shall rely on Standard Contractual Clauses (SCCs) or adequacy decisions approved by the relevant data protection authorities.
6. DATA RETENTION & DELETION POLICY
• Auditing Logs: API transaction logs are retained for twelve (12) months solely for security auditing, rate-limiting enforcement, and fraud prevention.
• Output Storage: Rendered video Output files are stored securely for the duration of the Client's active commercial subscription.
• Deletion Mandate: Upon contract termination or explicit request by the Data Controller, Data Processor shall delete or permanently anonymize all Client-specific data within sixty (60) days, excluding any records required to be retained by applicable law or financial auditing standards.
7. AI TRAINING & CONTEXTUAL ISOLATION GUARANTEE
• No General Training: Data Processor guarantees that it does not utilize proprietary Client inputs, Client Targeted Assets, niche business topics, crawled URL content, or private contextual data to train, tune, or optimize general-purpose generative AI models.
• Strict Isolation: Your enterprise business context, proprietary assets, and targeted brand data remain completely logically isolated from other clients and models.
8. AUDIT RIGHTS & COMPLIANCE DEMONSTRATION
Data Controller has the right to verify Processor's compliance with this DPA. Once per calendar year, Enterprise Clients may request a summary of the latest independent security audits or a standardized self-assessment compliance questionnaire to verify Processor's adherence to the technical and organizational measures outlined herein.
9. CONTACT INFORMATION
For legal and data protection inquiries, please contact:
• Catchups Video Ltd.
• Data Protection & Legal Affairs: legal@catchups.ai
• Technical Operations & Security: support@catchups.ai