2.1 Introduction

This Privacy Policy explains how BunnyEnhancer ("we", "us", "our"), operated at https://bunnyenhancer.com, collects, uses, stores, and protects your personal information. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2.2 Information We Collect

2.2.1 Account Information

When you register, we collect:

- Email address (required)

- Name (optional)

- Username (optional)

- Phone number (optional)

- Password (securely hashed, never stored in plaintext)

- Account creation date and IP address

2.2.2 Authentication Data

We store authentication-related information including:

- Session tokens and session metadata

- Passkey/WebAuthn credentials (if enabled)

- Email verification status

- Multi-session data (if using multiple sessions)

2.2.3 Billing Information

For payment processing:

- Subscription plan details and status

- Credit balance and usage history

- Transaction records and credit purchase history

- Paddle customer and subscription identifiers

**Important:** Credit card numbers, bank account details, and other sensitive payment information is collected and stored exclusively by Paddle.com, our payment processor. We never have access to or store your payment card details.

2.2.4 Bunny.net Integration Data

When you connect your Bunny.net account:

- Bunny.net API key (encrypted at rest using AES-256-GCM)

- Bunny.net Account ID

- Video library IDs and names

- Pull zone configurations

- Video metadata (titles, GUIDs, encoding status)

2.2.5 Usage Data

We automatically collect:

- Tool usage logs (which tools used, timestamps, credit costs, operation status)

- IP addresses associated with tool operations

- User agent strings

- Error logs and debugging information

2.2.6 Analytics Data

We use Vercel Analytics to collect aggregated, anonymized usage data:

- Page views and navigation patterns

- Performance metrics (page load times)

- Geographic region (country-level, not precise location)

- Device type and browser information

Vercel Analytics is privacy-focused and does not use cookies or track individual users across sites.

2.2.7 Cookies and Tracking Technologies

We use cookies and similar technologies:

**Essential Cookies (Always Active):**

- Better Auth session cookies: Authentication and session management

- `cookieConsent`: Stores your cookie preferences (365 days)

- These are required for the Service to function and cannot be disabled

**Analytics Cookies (Optional, Consent Required):**

- Google Analytics: `_ga`, `_gid`, `_ga_*` (if enabled and consented)

- Used to understand usage patterns and improve the Service

- Can be disabled via the cookie consent banner

**Cookie Consent:**

- A cookie consent banner is displayed on your first visit

- You can accept all cookies, reject non-essential cookies, or customize your preferences

- Your preferences are stored and respected across sessions

- You can change your preferences at any time from the cookie settings

2.3 How We Use Your Information

2.3.1 Service Provision

- Creating, authenticating, and managing your account

- Processing tool requests and executing operations on your behalf

- Managing credits, subscriptions, and billing

- Providing customer support and responding to inquiries

- Sending transactional emails (verification, password reset, billing notifications)

2.3.2 Service Improvement

- Analyzing aggregated usage patterns to improve features

- Identifying and fixing bugs and performance issues

- Optimizing tool performance and user experience

- Developing new tools and features based on usage data

2.3.3 Security and Fraud Prevention

- Detecting and preventing unauthorized access to accounts

- Monitoring for abusive behavior and Terms of Service violations

- Protecting against fraud, spam, and illegal activity

- Maintaining audit trails for security investigations

2.3.4 Legal Compliance

- Complying with tax, accounting, and financial reporting obligations

- Responding to valid legal requests and court orders

- Protecting our legal rights and enforcing our agreements

- Retaining records as required by applicable law

2.3.5 Communications

- Sending service-related notifications (maintenance, updates, security alerts)

- Sending promotional emails about new features (only with your consent)

- You can opt-out of promotional communications at any time

2.4 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

1. **Contractual Necessity (Art. 6(1)(b)):** To provide the Service you signed up for, manage your account, process payments, and fulfill our obligations under these Terms

2. **Legitimate Interest (Art. 6(1)(f)):** To improve the Service, prevent fraud, ensure security, and maintain our systems

3. **Consent (Art. 6(1)(a)):** For optional analytics cookies and promotional marketing communications

4. **Legal Obligation (Art. 6(1)(c)):** To comply with tax, accounting, anti-money laundering, and other legal requirements

2.5 Data Sharing and Disclosure

2.5.1 Third-Party Service Providers

**Paddle.com (Payment Processing)**

- Role: Merchant of Record for all transactions

- Data shared: Email, billing address, transaction amounts

- Stores: Payment card information, invoices, tax records

- Privacy Policy: https://www.paddle.com/legal/privacy

**Bunny.net (CDN/Stream Service)**

- Role: Third-party service that processes your API requests

- Data shared: Your API key (via encrypted server-side requests), operation parameters

- Note: We act as an intermediary; your content is stored on Bunny.net's infrastructure

- Privacy Policy: https://bunny.net/privacy

**Vercel Analytics (Website Analytics)**

- Role: Privacy-focused analytics provider

- Data shared: Aggregated, anonymized page view and performance data

- Note: Does not use cookies or track individual users

- Privacy Policy: https://vercel.com/legal/privacy-policy

**Google Analytics (Optional, With Consent)**

- Role: Website usage analytics

- Data shared: Anonymized browsing data (only if you consent)

- IP anonymization is enabled

- Privacy Policy: https://policies.google.com/privacy

**Resend (Email Delivery)**

- Role: Transactional email delivery service

- Data shared: Email address, email content (verification, notifications)

- Privacy Policy: https://resend.com/legal/privacy-policy

2.5.2 When We Share Data

We may disclose your information:

- To the service providers listed above, solely to operate the Service

- If required by law, court order, or valid legal process

- To protect our rights, property, or safety, or that of our users

- With your explicit consent

- In connection with a merger, acquisition, or sale of assets (with prior notice)

2.5.3 We Never:

- Sell your personal data to third parties

- Share data with advertisers or data brokers

- Use your Bunny.net data for any purpose other than providing the Service

- Transfer data without adequate protection measures

2.6 Data Storage and Security

2.6.1 Where We Store Data

- Primary database: Self-hosted PostgreSQL on secured infrastructure in the United States

- Payment data: Stored exclusively by Paddle.com

- Analytics data: Vercel Analytics (aggregated, anonymized); Google Analytics (if consented)

- Email delivery: Processed by Resend

2.6.2 Security Measures

We implement comprehensive security measures including:

- **Encryption in transit:** All connections secured via TLS/HTTPS

- **Encryption at rest:** Sensitive data (API keys) encrypted using AES-256-GCM with unique initialization vectors

- **Password security:** Passwords hashed using industry-standard algorithms (never stored in plaintext)

- **Access controls:** Role-based access control with admin/user separation

- **Session management:** Secure session tokens with configurable expiration and multi-session support

- **Input validation:** Server-side validation on all API endpoints

- **Dependency security:** Regular security audits and automated vulnerability scanning of dependencies

- **Database security:** Encrypted connections, parameterized queries (SQL injection prevention)

2.6.3 Data Retention

- **Active account data:** Retained while your account is active

- **Deleted account data:** All personal data permanently deleted within 90 days of account deletion

- **Billing records:** Retained for 7 years (tax and legal compliance requirements)

- **Tool usage logs:** Retained for 2 years for audit and dispute resolution

- **Audit trails (transactions):** Retained for 5 years

- **Server logs:** Retained for 30 days for debugging and security purposes

2.6.4 Account Deletion

When you delete your account:

- All sessions and authentication data are immediately revoked

- Your Bunny.net API keys are permanently deleted

- Billing records, transactions, and usage logs are removed

- All associated data is cascaded-deleted from our systems

2.7 Your Rights

2.7.1 Rights Under GDPR (EEA/UK Users)

**Right to Access (Art. 15):** Request a copy of all personal data we hold about you, in a structured and machine-readable format.

**Right to Rectification (Art. 16):** Correct inaccurate personal data or update incomplete information via your account settings or by contacting support.

**Right to Erasure (Art. 17):** Request deletion of your personal data. We will comply unless data retention is required by law.

**Right to Restriction (Art. 18):** Request limitation of processing in certain circumstances (e.g., while we verify accuracy of your data).

**Right to Data Portability (Art. 20):** Receive your data in a portable format (JSON/CSV) and transfer it to another service.

**Right to Object (Art. 21):** Object to processing based on legitimate interest or to direct marketing at any time.

**Right to Withdraw Consent (Art. 7(3)):** Withdraw cookie consent anytime via the cookie banner, or unsubscribe from marketing emails. Withdrawal does not affect lawfulness of prior processing.

**How to Exercise Your Rights:**

- Email: [email protected]

- Account Settings: Update profile information, delete account

- Cookie Banner: Manage cookie preferences

- We will respond within 30 days of receiving your verified request

2.8 International Data Transfers

- Our primary infrastructure is located in the United States

- If you are located outside the US (including EEA/UK), your data is transferred to and processed in the United States

- We ensure adequate protection for international transfers through:

- Standard Contractual Clauses (SCCs) where applicable

- Your explicit consent by using the Service

- Paddle.com complies with applicable data transfer regulations as Merchant of Record

2.9 Children's Privacy

- The Service is not intended for users under 18 years of age

- We do not knowingly collect personal data from children

- If we become aware that we have collected data from a minor, we will promptly delete it

- Parents or guardians can contact us at [email protected] to report concerns

2.10 Changes to Privacy Policy

- We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements

- Material changes will be notified via email to your registered address or through a prominent notice on the Service

- The "Last Updated" date at the top of this page will be revised accordingly

- Continued use of the Service after notification constitutes acceptance of the updated Privacy Policy

- Previous versions are available upon request

2.11 Data Protection Contact

For privacy-related inquiries, data access requests, or complaints:

- Email: [email protected]

- General support: [email protected]

- Response time: Within 30 days (GDPR) / 45 days (CCPA)

2.12 Supervisory Authority

If you are in the EEA/UK, you have the right to lodge a complaint with your local data protection authority if you believe your privacy rights have been violated.

**EU Supervisory Authorities Directory:** https://edpb.europa.eu/about-edpb/board/members_en

**UK Information Commissioner's Office:** https://ico.org.uk

3. Cookie Policy

3.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. They help us provide functionality, remember your preferences, and understand how you use the Service.

3.2 Types of Cookies We Use

3.2.1 Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled:

| Cookie Name | Purpose | Duration | Provider |

|------------|---------|----------|----------|

| Better Auth session | Authentication and session management | Session / configurable | bunnyenhancer.com |

| `cookieConsent` | Stores your cookie preferences | 365 days | bunnyenhancer.com |

3.2.2 Analytics Cookies (Optional, Consent Required)

These cookies help us understand how you use the Service:

| Cookie Name | Purpose | Duration | Provider |

|------------|---------|----------|----------|

| `_ga` | Distinguishes unique users | 13 months | Google Analytics |

| `_gid` | Distinguishes unique users | 24 hours | Google Analytics |

| `_ga_*` | Stores session state | 13 months | Google Analytics |

**Note:** Vercel Analytics, which we also use, does not set any cookies.

3.3 Managing Cookie Preferences

**Cookie Consent Banner:**

- Displayed on your first visit

- Options: "Accept All", "Reject Non-Essential", or "Customize"

- Preferences saved for 1 year

**Changing Preferences:**

- Use the cookie settings option in the site footer or consent banner

- Clear cookies in your browser settings

- Note: Blocking essential cookies will prevent the Service from functioning

**Browser-Level Controls:**

- Chrome: Settings > Privacy and Security > Cookies

- Firefox: Preferences > Privacy & Security > Cookies

- Safari: Preferences > Privacy > Cookies

- Edge: Settings > Cookies and Site Permissions

3.4 Third-Party Cookies

Third-party cookies may be set by:

- **Google Analytics:** If you consent to analytics cookies

- **Paddle.com:** Temporarily during the checkout/payment process

These third parties operate under their own privacy and cookie policies.

3.5 Do Not Track (DNT)

We respect Do Not Track browser signals. When DNT is enabled, we will not load optional analytics cookies regardless of your cookie consent preference.

4. Data Breach Notification

In the event of a data breach that affects your personal information:

- We will investigate and assess the scope of the breach within 72 hours

- Affected users will be notified via email with details about the breach and steps taken

- Relevant supervisory authorities will be notified as required by GDPR (within 72 hours)

- We will provide information about what data was affected and recommended protective actions

5. Contact Us

For any questions, concerns, or requests regarding these Terms, Privacy Policy, or your data:

**General Support:** [email protected]

**Privacy & Data Requests:** [email protected]

**Website:** https://bunnyenhancer.com

**Response Time:** Within 5 business days (general inquiries), 30 days (data rights requests)

6. Acceptance

By creating an account on BunnyEnhancer (https://bunnyenhancer.com), you acknowledge that you have read, understood, and agree to be bound by these Terms of Service and Privacy Policy.