Legal
Privacy Policy
Last updated: July 5, 2026
This Privacy Policy describes how Invictus Logic LLC (“Vubio,” “we,” “us”) collects, uses, shares, and protects information in connection with the Vubio service, websites, and applications (the “Service”). Please do not use the Service if you are not comfortable with the practices described here.
1. Information we collect
We collect information directly from you, automatically when you use the Service, and from third parties such as the social platforms you connect and our payment provider.
- Account information. Your name, email address, password (stored in hashed form by our authentication provider), and organization or workspace details.
- Content you provide. Screen recordings and other media you upload, reference images used to create a persona, product and brand descriptions, hooks, captions, keywords, and settings.
- Generated content. The reels, images, on-screen text, captions, and personas the Service creates from your inputs, together with related metadata.
- Connected-account data. When you connect a social media account, we and our publishing provider receive access tokens and identifiers that let us publish and manage content on your behalf, along with basic account details (such as handle, platform, and status) and, where you enable it, message and comment data needed to run the features you turn on.
- Payment information. Subscriptions are processed by our payment provider, Polar, which acts as the merchant of record and collects your payment details directly under its own privacy policy. We receive subscription status, plan, billing-period information, and limited billing metadata, but we do not collect or store your full card details.
- Usage and device data. Log data, device and browser information, approximate location inferred from IP address, and product-analytics events about how you use the Service.
- Communications. Messages you send us, including support requests.
2. How we use information
- to provide, operate, secure, maintain, and improve the Service;
- to generate content from your inputs and to schedule and publish it to the accounts you connect, at your direction;
- to process subscriptions, enforce usage allowances, and prevent abuse and fraud;
- to provide support and respond to your requests;
- to understand usage and improve features through analytics;
- to promote the Service, including by featuring customer names, logos, and content published publicly through the Service, as described under Marketing showcase below and subject to the opt-out described there;
- to comply with legal obligations and enforce our Terms.
2a. AI processing of your content
To generate content, the Service sends your inputs (such as screen recordings, reference images, and text) to third-party artificial-intelligence providers that process them on our behalf to produce output, under their own service terms. We do not use your content to train AI models of our own. Do not upload content you are not permitted to share or process, or that you do not want processed by AI providers.
2b. Reference images and personas
To create a synthetic persona, you upload a reference face image. Our AI providers process that image on our behalf to generate images and video frames depicting the persona. That processing may involve the detection or analysis of facial features that some laws treat as biometric data. We handle this data as follows.
- Purpose limitation. Face images and any facial-feature data derived from them are used only to create and render your persona and to generate the content you request. We do not use them to identify or authenticate any person, we do not perform facial recognition, we do not use them for surveillance or to build advertising profiles, and we do not use them to train models of our own. Content generated with your persona that you publish publicly may later appear in our marketing as described in Section 2c and in our Terms of Service.
- Consent. We collect and process face images only with the consent you give through a separate confirmation presented when you upload a reference image, in addition to your acceptance of our Terms of Service, and we keep a record of when you gave it. If you upload an image of someone else, you must first have that person’s written consent, as our Terms require.
- No sale. We do not sell, lease, or trade face images or derived data, and we do not disclose them except to the service providers that process them for us under confidentiality and security obligations, or as required by law.
- Retention and destruction. Face images and derived data are kept only while needed to provide the Service. We delete them from systems under our control within 30 days after you delete the related persona or profile or close your account, and in any event no later than three years after your last interaction with the Service, except for limited backup copies overwritten in the ordinary course and records we must keep by law. Where our AI providers hold copies to process content for us, we instruct them to delete or de-identify those copies, and their retention is governed by our agreements with them. This section is our written retention and destruction policy for this data.
Where your local law treats face images as sensitive data and requires consent, you provide that consent by uploading the image and creating a persona, and you can withdraw it at any time by deleting the persona or profile or by closing your account; withdrawal stops future processing but does not affect processing that already occurred or content already generated or published.
2c. Marketing showcase
As described in our Terms of Service, we may identify our customers and feature content that has been published publicly through the Service in our own marketing. For example, we may display a customer’s name and logo on our website, link to or embed published posts, and cite performance results such as view counts. We only feature content after it has been made public on your connected platforms, and we do not use unpublished drafts, raw uploads, reference face images, or private messages in marketing. Where the GDPR or UK GDPR applies, we rely on our legitimate interest in promoting the Service. You can opt out at any time by emailing support@vubio.ai from the email address on your account; within 30 days we will stop creating new marketing materials that feature you and will remove your name, logo, and content from our website and social media accounts, though materials already distributed outside our control may persist.
3. How we share information
We do not sell your personal information. We share information only as described here:
- Service providers (subprocessors). We use trusted vendors to run the Service, including for database, storage, and authentication; payments and billing; social-media publishing and inbox; AI content generation; hosting and infrastructure; and product analytics. These vendors are permitted to process your information as needed to provide their services to us, under confidentiality and security commitments; our AI providers process your inputs to generate your content under their service terms. A current list of our subprocessors is available on request at the contact below.
- Connected platforms. When you publish or automate through a connected social platform, the relevant content and instructions are sent to that platform, whose own privacy policy then governs the content it receives.
- At your direction. Where you enable a feature (for example, comment-to-direct-message automation), we process and share the data that feature requires.
- Legal and safety. We may disclose information if required by law, or where we reasonably believe it is necessary to protect our rights, the Service, or the safety of any person.
- Business transfers. Information may be transferred as part of a merger, acquisition, financing, or sale of assets, subject to this Policy.
3a. Data we process on your behalf
Some features, such as the unified inbox, comment and direct-message automation, and analytics, involve personal information about people who interact with your connected social accounts, such as commenters and message senders. We process that information as your service provider (processor), only at your direction and only to provide the features you enable. For that information, you act as the controller or business: you are responsible for having a lawful basis to collect and use it, for providing any notices required to those individuals, and for honoring their privacy rights. If someone contacts us directly about information we hold on your behalf, we may forward the request to you or act on your documented instructions. This Policy describes the processing we carry out for our own purposes and does not replace your own privacy obligations to your audience.
4. Data retention
We retain information for as long as your account is active and as needed to provide the Service, and afterwards as needed to comply with our legal obligations, resolve disputes, and enforce our agreements. When you delete content or your account, we delete or de-identify the associated data within a reasonable period, except for content already published to third-party platforms, limited backup copies, and records we must retain by law. In particular: reference images and persona data are deleted as described in Section 2b; uploaded source media may be deleted earlier once it is no longer needed for a draft or scheduled post, as described in the Service; backup copies are purged on a rolling cycle of limited duration; and we keep limited billing, security, and audit records for as long as the law requires or a claim could reasonably arise. We may also delete or de-identify content and data associated with accounts that have no active subscription and have been inactive for an extended period, as described in our Terms.
5. Security
We use reasonable administrative, technical, and organizational measures designed to protect information, including access controls, encryption in transit, and tenant isolation. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. You are responsible for keeping your account credentials safe. If we become aware of a security incident affecting your personal information, we will notify you and any relevant regulator as required by applicable law; to the extent permitted by law, we may provide notice by email or through the Service, and our obligations in connection with any incident are those required by applicable law.
6. Your rights and choices
Depending on where you live, you may have rights to access, correct, export, delete, or restrict the processing of your personal information, and to object to certain processing. You can update much of your information in the Service, delete profiles and content, and close your account. To make a request or ask a question, contact us at the address below; we may need to verify your identity before acting.
- EEA/UK. Where the GDPR or UK GDPR applies, we process your information on the following legal bases: performance of our contract with you (providing the Service, generating and publishing content at your direction, billing, and support); our legitimate interests (securing and improving the Service, preventing fraud and abuse, product analytics, and promoting the Service, including the marketing showcase described in Section 2c); your consent, where required (for example, for reference face images where your local law treats them as sensitive data, as described in Section 2b); and compliance with legal obligations. Where we rely on consent, you may withdraw it at any time with effect for the future. You may object to processing based on legitimate interests, and you may lodge a complaint with your local supervisory authority.
- California. Where the CCPA/CPRA applies: the information described in Section 1 falls into these statutory categories: identifiers (name, email address, IP address); commercial information (subscription and billing records); internet or other electronic network activity (usage and device data); audio, visual, or similar information (recordings, images, and generated media); approximate geolocation (inferred from IP address); professional information (organization details); inferences used for product analytics; and sensitive personal information (reference face images and account log-in credentials). We collect these categories from the sources, for the purposes, and with disclosure to the categories of recipients described in Sections 1 through 3, and we retain them as described in Section 4. We do not sell personal information and we do not share it for cross-context behavioral advertising, and we have not done so in the preceding 12 months, including the personal information of anyone under 16. We use sensitive personal information only to provide the Service you request and for purposes permitted by section 1798.121, and we do not use it to infer characteristics about you. You have the rights to know, access, correct, delete, and port your personal information, and to be free from discrimination for exercising your rights. You may submit requests at the contact below, including through an authorized agent; we will verify your identity before acting.
- Other U.S. states. Residents of certain states (for example, Virginia, Colorado, Connecticut, and Texas) have similar rights to access, correct, delete, and obtain a copy of their personal information, and to opt out of targeted advertising, sales, and certain profiling, none of which we engage in. If we decline a request, you may appeal by replying to our response, and we will answer your appeal as required by the law of your state.
7. International data transfers
We are based in the United States and process information in the United States and in other countries where we and our providers operate. These countries may have data-protection laws different from those in your region. Where the GDPR, UK GDPR, or Swiss law applies to a transfer of your information outside your region, we use appropriate safeguards where required, such as the European Commission’s Standard Contractual Clauses (with the UK Addendum or the UK International Data Transfer Agreement where applicable), adequacy decisions, or a provider’s certification to the EU-U.S. Data Privacy Framework. You may request more information about these safeguards at the contact below.
8. Cookies and analytics
We use cookies and similar technologies that are necessary to sign you in and keep the Service secure, and we use a product-analytics provider to understand and improve usage. You can control cookies through your browser settings, though disabling some may affect how the Service works. Some browsers transmit Do Not Track signals; because there is no common standard for interpreting them, the Service does not respond to Do Not Track signals. Where the law requires, we treat Global Privacy Control signals as a request to opt out of the sale or sharing of personal information, although we do not sell or share personal information.
9. Children’s privacy
The Service is not directed to, and may not be used by, anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
10. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you in advance by email or by prominent notice in the Service, and where applicable law requires your consent to a change, we will obtain it. Each version applies from its effective date, and your continued use of the Service after that date constitutes acceptance.
11. Contact
Invictus Logic LLC, a District of Columbia limited liability company, is the data controller for the personal information described in this Policy, except for the information we process on your behalf as described in Section 3a, for which you or your organization is the controller. For privacy questions or requests, contact us at support@vubio.ai.