Privacy Policy
Last updated: 18 May 2026 · Effective: 21 April 2026
This Privacy Policy explains how CueTheScene collects, uses, shares, retains, and protects your personal data when you use our service at cuethescene.com (the “Service”). It is written for compliance with the UK General Data Protection Regulation (“UK GDPR”), the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”), the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR) as applicable.
Please read this Policy alongside our Terms of Service, Cookie Policy, and Acceptable Use Policy.
1. Who we are and how to contact us
CueTheScene is a service operated by MARKETEZEAI LTD (“we”, “us”), a private limited company incorporated in England and Wales (Companies House number 16787865), with its registered office at 10 Shaw Green Crescent, Euxton, Chorley, PR7 6QR, United Kingdom. We are registered with the UK Information Commissioner’s Office as a data controller under reference ZC119363 (renewable annually; current registration expires 08 April 2027). We are the data controller for personal data processed in connection with the Service (except where this Policy or the Terms state that a third party acts as controller, e.g. Polar for payment processing). MARKETEZEAI LTD is not currently VAT-registered; a VAT registration number will be added here and to customer invoices if and when the company registers.
For data protection questions, complaints, or to exercise any right under this Policy, write to privacy@cuethescene.com. We aim to respond within 30 days and always within the statutory one-month window (extendable to three months for complex requests).
We are not currently required to appoint a Data Protection Officer under UK GDPR Article 37; if that changes with scale, we will publish the appointment on this page.
2. What this Policy covers
This Policy covers personal data we collect when you visit cuethescene.com, create an account, subscribe to the Service, upload Inputs, generate Output, connect third-party accounts (such as YouTube), contact support, or otherwise interact with us.
It does not cover third-party sites or services we link to. When you click out to a third-party site — including the source archives, music libraries, and publishing destinations referenced in the Service — that third party’s privacy policy governs your interaction with them.
3. Personal data we collect
We collect the following categories of personal data:
Account and identity data
Email address, display name, password (stored only as a hash by our authentication provider), profile image (if you upload one), the date you created your account, and any social-login identifiers if you sign in with Google or another OAuth provider. Collected directly from you at signup through Clerk, our authentication processor.
Subscription and billing data
Plan name, billing date, renewal status, invoice history, transaction identifiers, VAT-relevant country of residence, and the last four digits of the payment method used. Payment card numbers and CVVs never touch our systems — they are collected and stored directly by our merchant of record, Polar Software, Inc., which acts as a separate data controller for payment processing.
Inputs you provide
Topic prompts, the answers you give to the in-app director’s interview (the short set of questions we ask about a video before we write it), uploaded scripts, uploaded voice recordings, brand assets (logos, colour palettes, typography preferences), saved channel presets, and any reference material you choose to supply. Where an Input contains personal data — for example a script that names a living individual, or a voice recording of a third party — you are responsible under our Terms for having obtained any necessary consents.
Output we generate for you
Video files, thumbnail images, captions, generated voice audio, and associated metadata (titles, descriptions, tag suggestions). These are stored in your account and available for your download.
Usage and telemetry data
Feature interactions (which buttons you click, which renders you run, how long generation takes), aggregated traffic data (pages visited, referring URLs, approximate region from IP), error reports (stack traces, browser version, OS version), and performance metrics (Core Web Vitals). We do not use browser fingerprinting. Cloudflare Web Analytics operates without cookies; PostHog is configured with autocapture and session recording disabled.
Third-party account connection data
When you connect a publishing destination (currently YouTube via Google OAuth), we receive an OAuth access token and refresh token scoped to the permissions you granted. We use these only to publish videos at your request and to list your existing channels. Tokens are encrypted at rest and can be revoked at any time from your dashboard or from the third party’s account settings.
Support communications
Content of messages you send to our support email addresses, and our replies. Stored in Gmail via Resend / Cloudflare Email Routing for the duration needed to resolve the issue and for reasonable reference thereafter.
Cookies and similar technologies
Strictly necessary cookies for authentication (Clerk session), and no analytics cookies. Full list and controls in our Cookie Policy.
We do not intentionally collect special category data (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, data concerning sex life or sexual orientation). If such data appears in an Input you upload, you are solely responsible for the lawfulness of that upload under Article 9 UK GDPR.
4. Purposes and legal bases
We rely on the following legal bases under Article 6 UK GDPR, by processing purpose:
- Delivering the Service to you — creating your account, authenticating you, processing your Inputs through the AI pipeline, generating Output, storing and delivering Output, managing your subscription, issuing invoices. Legal basis: performance of the contract between you and us (Art 6(1)(b)).
- Billing and tax — keeping accurate invoice and tax records. Legal basis: compliance with our legal obligations (Art 6(1)(c)), including retention under HMRC rules.
- Operational security, fraud prevention, and abuse monitoring — detecting account takeovers, rate-limit abuse, payment fraud, and use prohibited by the Acceptable Use Policy. Legal basis: legitimate interests (Art 6(1)(f)) — the interest being the protection of the Service, other users, and third parties; balanced against your interests and not overridden by them.
- Product analytics and improvement — understanding how the Service is used in aggregate so we can prioritise features and fix friction. We do not profile individuals. Legal basis: legitimate interests.
- Transactional emails — receipts, security alerts, renewal reminders, service updates. Legal basis: performance of the contract / legitimate interests.
- Marketing emails — only where you have opted in, or where we rely on the soft opt-in under PECR for communications about similar goods/services to an existing customer who had the opportunity to object at signup. Legal basis: consent (Art 6(1)(a)) or legitimate interests under PECR soft opt-in. You can withdraw at any time via the unsubscribe link in every marketing email.
- Legal, compliance, and dispute defence — responding to lawful requests, enforcing our Terms, defending legal claims. Legal basis: legal obligations and legitimate interests.
5. Sub-processors and recipients
We share personal data with the sub-processors listed below to deliver the Service. Each is engaged under a written data-processing agreement that includes (where applicable) Standard Contractual Clauses for international transfers and commitments on security, sub-processing, and breach notification.
| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk, Inc. | Authentication, account management | United States (SCCs) |
| Supabase Inc. | Primary database + file storage | Data hosted in eu-west-2 (London, UK) |
| Cloudflare, Inc. | Application hosting, CDN, DDoS protection, cookieless web analytics, email routing | Global edge; primary region EU (SCCs for US transfers) |
| Anthropic, PBC | Large language model inference (script generation) | United States (SCCs; enterprise tier — no training on inputs) |
| ElevenLabs, Inc. | Voice synthesis | United States (SCCs) |
| Shotstack Pty Ltd | Video assembly and rendering API | Australia (UK adequacy regulations apply) |
| Google LLC (Gemini API) | Thumbnail and scene-gap image generation | United States (SCCs) |
| Pexels (a Canva company) | Stock footage retrieval (read-only) | Germany / Australia — no personal data sent |
| Pixabay GmbH | Stock footage retrieval (read-only) | Germany - no personal data sent |
| Polar Software, Inc. | Payment processing (merchant of record, separate controller) | United States (Delaware) |
| Resend, Inc. | Transactional and marketing email delivery | United States (SCCs); sending region eu-west-1 |
| Functional Software, Inc. (Sentry) | Error and performance monitoring | Germany (EU-hosted project) |
| PostHog Inc. | Product analytics (autocapture and session recording disabled) | European Union (eu.posthog.com) |
| Inngest, Inc. | Background job orchestration | United States (SCCs) |
| Upstash, Inc. | Rate-limiting and ephemeral cache | European Union (eu-west-1) |
We review this list as our stack evolves and will notify active subscribers of material changes at least 30 days in advance by email.
Beyond the sub-processors above, we disclose personal data (a) to our professional advisers (accountants, lawyers) under duties of confidence; (b) to potential acquirers or successors in the event of a sale, merger, or restructuring, subject to confidentiality and compatible-purpose commitments; and (c) to government, regulators, or courts where we are legally required to do so, having first satisfied ourselves that the request is lawful.
We do not sell your personal data and do not allow any sub-processor to use it for their own marketing.
6. International transfers
Some of our sub-processors are based outside the United Kingdom and the European Economic Area. Where personal data is transferred to a country that is not the subject of a UK or EU adequacy decision, we use the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (or the EU SCCs directly for EU transfers) as the transfer mechanism, and we conduct transfer risk assessments where appropriate. Copies of the SCCs in force for any specific sub-processor can be requested from privacy@cuethescene.com.
7. How long we keep your data
We retain personal data only for as long as necessary for the purposes it was collected, in line with the following periods:
- Active account data — for the lifetime of your account. Closing your account triggers deletion of account profile, Inputs, and Output from primary storage within 30 days (in practice, within minutes of you confirming the deletion); encrypted back-up copies are purged on our standard back-up rotation within a further 60 days.
- Cached generated media — some AI-generated derivative files (for example generated images and clip renders) are cached on our content-delivery network keyed by the content itself, not by your identity. When you delete your account we erase your account and every link between you and your media within minutes; any cached copy that remains holds no reference back to you and is rotated out on the normal cache-refresh cycle.
- Invoice and tax records — retained for 7 years after the end of the relevant tax year, as required by HMRC rules, regardless of account closure.
- Error logs (Sentry) — retained for 90 days.
- Product analytics events (PostHog) — retained for 12 months rolling.
- Support correspondence — retained for 3 years from last contact to allow for follow-up and dispute defence.
- Marketing opt-outs and suppression lists — retained indefinitely so that we can honour your opt-out even after you close your account.
- Security logs — retained for up to 12 months for incident investigation.
Where retention is driven by a legal obligation, we retain only what the obligation requires and delete the rest.
8. Your rights
Under UK GDPR and EU GDPR you have the following rights:
- Access — to confirm what personal data we hold about you and receive a copy (Article 15).
- Rectification — to correct inaccurate or incomplete data (Article 16).
- Erasure — to have your data deleted in the circumstances set out in Article 17 (“right to be forgotten”). Closing your account is the standard way to exercise this right for account data.
- Restriction — to restrict our processing in the circumstances set out in Article 18.
- Portability — to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller (Article 20).
- Objection — to object to processing based on legitimate interests, and to object at any time to direct marketing (Article 21).
- Withdraw consent — where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Not be subject to solely automated decisions — see section 13.
To exercise any of these rights, email privacy@cuethescene.com with enough information to identify your account. We may need to verify your identity before acting, to protect your data from unauthorised requests. Responses are free of charge; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests, as permitted by Article 12.
You also have the right to complain to a supervisory authority. In the UK, that is the Information Commissioner’s Office (ICO) at ico.org.uk or 0303 123 1113. In the EU, you may complain to the supervisory authority in your country of residence, your place of work, or where the alleged breach occurred. We would appreciate the chance to address your concern before you escalate.
9. Children
The Service is not directed at children and is only available to persons aged 18 or over (see section 3 of the Terms of Service). We do not knowingly collect personal data from anyone under 18. If you become aware that a minor has provided us with personal data, please contact privacy@cuethescene.com and we will take reasonable steps to delete it.
10. Security
We take technical and organisational measures appropriate to the nature of the data and the risk, including: TLS encryption in transit (HTTPS-only, HSTS enforced); encryption at rest for database storage, file storage, and OAuth tokens; single-sign-on via Clerk with optional multi-factor authentication; least-privilege access controls on production systems; logging and monitoring of production access; principal-based IAM on third-party dashboards; routine dependency vulnerability scanning; and documented incident response procedures.
No system is perfectly secure. If you believe your account has been compromised, contact security@cuethescene.com immediately.
11. Cookies and similar technologies
We use a small number of cookies, all strictly necessary for the Service to function (authentication session, anti-CSRF). We do not use advertising or cross-site tracking cookies. Full detail is in our Cookie Policy.
12. Marketing communications
We send transactional email in connection with your account (receipts, renewals, security alerts, service updates) — you cannot opt out of these while you hold an account, because they form part of the Service.
We send marketing email (product news, feature launches, tips) only where you have opted in during signup or where we rely on the PECR soft opt-in. Every marketing email carries a one-click unsubscribe link and your preference is honoured immediately and permanently.
13. Automated decision-making
We do not make decisions about you that have legal or similarly significant effects based solely on automated processing. AI models power the core product functionality (script generation, voice synthesis, video assembly) but they do not adjudicate eligibility, pricing, or any similar decision about you. Automated abuse-prevention flags (for example, suspected account takeover or payment fraud) are reviewed by a human before any account-level action is taken, except where an immediate hold is required to stop active harm.
14. Breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in clear language, describing the nature of the breach, likely consequences, measures taken, and who to contact for more information.
15. Changes to this Policy
We may update this Policy from time to time. Where an update materially affects how we process your personal data or your rights, we will provide at least 30 days’ notice by email and in-app before the change takes effect. Minor changes that clarify existing practice take effect on publication. The date at the top of this page records the most recent update.
16. Contact
For any question about this Policy or the personal data we hold about you, email privacy@cuethescene.com. We welcome feedback on how we can make this Policy clearer.