Privacy Policy
Last Updated: December 9, 2025
Table of Contents
- Introduction
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- Cookies and Tracking Technologies
- Third-Party Service Providers
- Data Security
- Data Retention
- International Data Transfers
- Your Privacy Rights
- California Privacy Rights (CCPA)
- Children's Privacy
- Data Breach Notification
- Changes to This Privacy Policy
- Contact Us
Introduction
Welcome to EyeCap, an AI-powered video generation platform designed to help SaaS founders and marketers create promotional UGC-style videos for their products.
This Privacy Policy explains how EyeCap ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our platform at eyecap.app (the "Service"). This policy applies to all users globally, including those in the European Union (EU), European Economic Area (EEA), United Kingdom (UK), United States (including California), and Latin America.
Key Information:
- Service Provider: EyeCap is owned and operated by an individual based in Costa Rica
- Geographic Scope: Our services are available to users in the EU/EEA, United States, and Latin America
- Compliance: This Privacy Policy is designed to comply with the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws
By using EyeCap, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.
Information We Collect
We collect various types of information to provide and improve our Service.
1. Information You Provide Directly
Account Information
When you create an EyeCap account, we collect:
- Email address (required for account creation and login)
- Password (stored only in hashed form using an industry-standard algorithm)
- User ID (automatically generated unique identifier)
Profile Information
When you complete your profile or use the Service, we may collect:
- Full name (optional)
- Company size (to personalize your experience)
- Role (e.g., Founder, CMO, Marketing Manager)
- Content interests (to improve recommendations)
- Avatar/profile picture (optional)
- Timezone (for scheduling and notifications)
- Preferences including:
  - Theme preferences (light/dark mode)
  - Notification settings
  - Email communication preferences
Content and Project Data
When you use EyeCap's video generation features, we collect:
- Product information: Product names, descriptions, and details you provide
- Uploaded files: Images and videos you upload as product assets
- Campaign data: Campaign names, descriptions, and organization details
- Video generation parameters: Settings and preferences for AI-generated videos
- Generated videos: Videos created by our AI system based on your inputs
Workspace and Team Data
If you use our collaboration features:
- Workspace names and settings
- Team member roles (owner, admin, member, viewer)
- Workspace invitations (email addresses of invited users)
Billing and Subscription Information
For paid services, we collect:
- Subscription plan type (Free, Starter, Pro, Enterprise)
- Payment information (processed securely by Stripe - we do not store full credit card details)
- Stripe customer ID and subscription ID
- Billing address (as required by payment processor)
- Credit usage and transaction history
2. Information Collected Automatically
Technical and Usage Data
When you use EyeCap, we automatically collect:
- IP address (for security, rate limiting, and fraud prevention)
- Browser type and version
- Device information (operating system, device type)
- Authentication tokens (JWT tokens for session management)
- Usage data: Features used, actions taken, videos generated
- Access logs: Timestamps, pages visited, API requests made
- Error logs: Technical errors and application crashes
Cookies and Similar Technologies
We use cookies and similar technologies to:
- Maintain your login session
- Remember your preferences
- Ensure security through CSRF protection
- Prevent automated abuse
See our Cookie Policy for detailed information.
3. Information from Third-Party Sources
OAuth Authentication
If you sign up or log in using third-party services (Google or GitHub), we receive:
- Email address from your OAuth provider
- Profile information (name, profile picture) as authorized
- OAuth provider user ID
- OAuth access tokens (managed securely by our authentication provider)
Waitlist Information
If you join our waitlist before creating an account, we collect:
- Email address
- Signup timestamp
- reCAPTCHA verification data (to prevent spam)
How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery and Account Management
- Create and manage your EyeCap account
- Authenticate your identity and maintain your login session
- Provide access to video generation features and tools
- Process your uploaded assets and generate AI-powered videos
- Manage your subscription and billing
- Track your credit usage and transactions
Service Improvement and Development
- Understand how users interact with our platform
- Identify and fix technical issues and bugs
- Develop new features and improve existing functionality
- Optimize video generation quality and performance
- Analyze usage patterns to enhance user experience
Communication
- Send transactional emails (account confirmations, password resets, billing notifications)
- Notify you about important service updates or changes
- Respond to your support requests and inquiries
- Send administrative messages about your account
Security and Fraud Prevention
- Detect and prevent fraudulent activity and security threats
- Monitor for unauthorized access or abuse of the Service
- Enforce our Terms of Service
- Implement rate limiting to prevent spam and abuse
- Verify user authenticity through reCAPTCHA
Legal Compliance
- Comply with applicable laws and regulations
- Respond to legal requests from authorities
- Protect our legal rights and interests
- Maintain records for tax and accounting purposes
Analytics and Performance Monitoring
- Monitor application performance and uptime
- Track and analyze errors through our error tracking system
- Generate aggregated analytics about platform usage
- Evaluate the effectiveness of our Service
Legal Basis for Processing (GDPR)
For users in the European Union, EEA, and UK, we process your personal data based on the following legal grounds under GDPR Article 6:
Contract Performance (Article 6(1)(b))
We process your personal information to fulfill our contract with you, including:
- Creating and managing your account
- Providing video generation services
- Processing payments and managing subscriptions
- Delivering customer support
Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate business interests, including:
- Improving and optimizing our Service
- Ensuring platform security and preventing fraud
- Analyzing usage patterns to enhance user experience
- Conducting internal research and development
- Marketing our services (with opt-out options)
We balance these interests against your rights and will not process data where your rights override our legitimate interests.
Consent (Article 6(1)(a))
For certain processing activities, we rely on your explicit consent:
- Optional profile information (full name, avatar)
- Marketing communications (where required by law)
- Non-essential cookies (if implemented)
You may withdraw your consent at any time.
Legal Obligation (Article 6(1)(c))
We process certain data to comply with legal requirements:
- Tax record retention
- Responding to valid legal requests
- Compliance with data protection laws
Cookies and Tracking Technologies
EyeCap uses cookies and similar technologies to provide and improve our Service.
Types of Cookies We Use
Essential Cookies (Strictly Necessary)
These cookies are required for the Service to function properly:
- Authentication cookies (prefix: sb-*): Maintain your login session
- Session management cookies: Keep you logged in across pages
- CSRF protection tokens: Prevent cross-site request forgery attacks
- Security cookies: Protect against unauthorized access
Duration: Session-based with automatic refresh
Can be disabled: No (Service will not function properly without these)
Preference Cookies
- Theme preference: Remember your light/dark mode choice
- Language settings: Store your language preference (if applicable)
Duration: Persistent (until you clear them)
Can be disabled: Yes (but your preferences won't be saved)
Cookie Characteristics
Our cookies have the following security features:
- HTTP-only flags: Prevents JavaScript access to sensitive cookies
- Secure flags: Cookies only transmitted over HTTPS
- SameSite attributes: Protection against CSRF attacks
Managing Cookies
You can control cookies through your browser settings. However, disabling essential cookies will prevent you from using key features of EyeCap, including logging in and accessing your account.
For more detailed information, please see our Cookie Policy.
Do Not Track (DNT)
EyeCap does not currently respond to Do Not Track (DNT) browser signals. However, we do not track you across third-party websites for advertising purposes.
Third-Party Service Providers
To provide and improve our Service, we work with trusted third-party service providers who process your data on our behalf. We ensure these providers implement appropriate security measures and comply with applicable data protection laws.
Infrastructure and Backend Services
Supabase
- Purpose: Database hosting, user authentication, file storage, and backend infrastructure
- Data Shared: All account data, user content, uploaded files, authentication tokens
- Location: Distributed globally (specific regions configurable)
- Privacy Policy: https://supabase.com/privacy
- Safeguards: Industry-standard encryption, access controls, data processing agreement
AI Video Generation
Kie.ai / Sora 2 API
- Purpose: Generate AI-powered videos from your product assets
- Data Shared: Temporary signed URLs to your uploaded images/videos, video generation parameters
- Access Duration: Time-limited signed URLs (1-2 hours expiration)
- Data Storage: Your original assets remain on our servers; Kie.ai only accesses them temporarily
- Note: Your content is NOT used to train AI models
Payment Processing
Stripe
- Purpose: Process payments, manage subscriptions, handle billing
- Data Shared: Email address, billing information, payment details
- Security: PCI-DSS compliant; we do not store full credit card numbers
- Privacy Policy: https://stripe.com/privacy
- Location: United States with global infrastructure
Monitoring and Analytics
Better Stack / Logtail
- Purpose: Application logging, performance monitoring, and debugging
- Data Shared: API request logs, error messages, user context (user ID, email), performance metrics
- Retention: Configurable (typically 90 days)
- Privacy Policy: https://betterstack.com/privacy
Sentry
- Purpose: Error tracking, performance monitoring, debugging
- Data Shared: Error stack traces, user context (user ID, email), request metadata, performance data
- Data Minimization: We configure Sentry to minimize personally identifiable information in error reports
- Privacy Policy: https://sentry.io/privacy/
- Location: United States
Authentication Services
Google OAuth
- Purpose: Allow sign-in with Google account
- Data Shared: Email address, profile information (name, picture)
- Privacy Policy: https://policies.google.com/privacy
GitHub OAuth
- Purpose: Allow sign-in with GitHub account
- Data Shared: Email address, username, profile information
- Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
Bot Prevention
Google reCAPTCHA v3
- Purpose: Prevent automated abuse and spam (particularly on waitlist signup)
- Data Shared: User interaction data, browser information, cookies
- How It Works: Analyzes user behavior to generate a spam score
- Privacy Policy: https://policies.google.com/privacy
Waitlist Management
Google Sheets API
- Purpose: Store and manage waitlist email signups
- Data Shared: Email addresses, signup timestamps
- Access: Limited to service account for automated writes
- Privacy Policy: https://policies.google.com/privacy
Data Processing Agreements
We maintain data processing agreements (DPAs) with our key service providers to ensure they:
- Process data only according to our instructions
- Implement appropriate security measures
- Assist with data subject requests (access, deletion, etc.)
- Notify us of any data breaches
Data Security
We take the security of your personal information seriously and implement industry-standard measures to protect it.
Technical Security Measures
Encryption
- Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
- Data at Rest: All data stored in our databases and file storage is encrypted at rest
- Password Security: Passwords are hashed using bcrypt, a strong one-way cryptographic algorithm
Access Controls
- Row-Level Security (RLS): Database policies ensure users can only access their own data
- Authentication: All API requests require valid JWT authentication tokens
- Authorization: Role-based access control for team workspaces
- Least Privilege: Service accounts and integrations have minimal necessary permissions
Application Security
- Rate Limiting: Prevents brute force attacks and API abuse
- CSRF Protection: Tokens prevent cross-site request forgery
- Input Validation: All user inputs are validated and sanitized
- SQL Injection Prevention: We use parameterized queries and ORM safeguards
- XSS Protection: Content Security Policy and output encoding prevent script injection
File Security
- Private Storage Buckets: Uploaded files are not publicly accessible
- Signed URLs: Temporary time-limited URLs for file access
- MIME Type Validation: File uploads are validated for correct types
- Size Limits: File size restrictions prevent storage abuse
  - Product assets: 100MB maximum
  - Generated videos: 500MB maximum
Network Security
- Secure Cookies: HTTP-only and Secure flags on authentication cookies
- CORS Configuration: Restricted cross-origin requests
- Security Headers: Implemented via Helmet.js middleware
Operational Security Measures
Monitoring and Detection
- Real-time Error Monitoring: Sentry alerts us to security issues
- Structured Logging: Comprehensive logs for security auditing
- Anomaly Detection: Unusual activity triggers alerts
Incident Response
- Security Incident Plan: Documented procedures for handling breaches
- Notification Process: Users will be notified within 72 hours of discovering a breach affecting their data
- Breach Assessment: We evaluate the scope and impact of any security incident
Access Management
- Limited Access: Only authorized personnel have access to production systems
- Service Role Keys: Backend service keys are stored securely and never exposed to clients
- Regular Audits: Periodic review of access permissions
Limitations
While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security of your data. You are responsible for:
- Maintaining the confidentiality of your password
- Logging out of shared or public devices
- Notifying us immediately of any unauthorized access
Data Retention
We retain your personal information only as long as necessary to provide our Service and comply with legal obligations.
Active Accounts
While your account is active, we retain:
- Account and profile data: For the duration of your account
- Content and files: Until you delete them or close your account
- Usage logs: Typically 90 days (configurable)
- Billing records: For the duration of active subscriptions plus 7 years (for tax/legal compliance)
Deleted Accounts
When you request account deletion:
- Grace Period: Your account is marked for deletion with a 30-day grace period
- During Grace Period: You can contact support to cancel the deletion request
- After 30 Days: Your data is permanently deleted from our active systems, including:
  - Profile information
  - Products and campaigns
  - Uploaded assets and generated videos
  - Credit transaction history (except legally required billing records)
Cascading Deletion
When your account is deleted, the following data is automatically deleted:
- All products you created
- All product assets (images and videos you uploaded)
- All campaigns
- All generated videos
- Workspace memberships
- Workspace invitations
- Credit transactions (except billing records required by law)
Retention for Legal Compliance
Certain data may be retained beyond account deletion:
- Billing records: 7 years (tax and accounting requirements)
- Legal disputes: Until resolution of any legal claims
- Fraud prevention: Anonymized data for security purposes
Backup Retention
- Backup Systems: Deleted data may persist in backup systems for up to 30 additional days
- Final Deletion: After backup rotation, data is permanently and irreversibly deleted
Third-Party Services
Please note that:
- Logs in Logtail/Sentry: May be retained according to those services' retention policies (typically 30-90 days)
- Waitlist Data: Email addresses in Google Sheets are not automatically deleted; contact us to request removal
- OAuth Providers: Data held by Google/GitHub is subject to their retention policies
International Data Transfers
EyeCap is operated from Costa Rica, and we use service providers located in various countries, including the United States and European Union. This means your personal information may be transferred to, stored, and processed in countries outside your country of residence.
Transfers Outside the EEA/UK
For users in the European Economic Area (EEA), United Kingdom, or Switzerland:
- Your data may be transferred to countries that do not have the same data protection laws as the EEA
- We ensure appropriate safeguards are in place for such transfers
Safeguards for International Transfers
We implement the following protections:
Standard Contractual Clauses (SCCs)
- We use EU-approved Standard Contractual Clauses with service providers in countries without adequacy decisions
- SCCs provide contractual guarantees for the protection of your data
Adequacy Decisions
- Where possible, we use service providers in countries recognized by the European Commission as providing adequate data protection
Additional Security Measures
- End-to-end encryption for data in transit
- Encryption at rest in all storage systems
- Regular security assessments of service providers
Consent to Transfer
By using EyeCap, you acknowledge and consent to the transfer of your personal information to countries outside your country of residence, including countries that may not provide the same level of data protection as your country. We will take all reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy.
Your Rights Remain Protected
Regardless of where your data is processed, you retain all privacy rights granted under applicable laws (GDPR, CCPA, etc.) as described in this Privacy Policy.
Your Privacy Rights
Depending on your location, you have various rights regarding your personal information.
Rights for All Users
Right to Access
You can access most of your personal information through your EyeCap account settings at any time, including:
- Profile information
- Products and campaigns
- Generated videos
- Credit usage history
To request a complete copy of all data we hold about you, contact us at moises.quesada30@gmail.com.
Right to Rectification/Correction
You can update or correct your personal information through your account settings. If you cannot make corrections yourself, contact us for assistance.
Right to Deletion
You can request deletion of your account and associated data:
- Go to Settings → Profile → Danger Zone
- Click "Delete Account"
- Confirm deletion request
- 30-day grace period begins
- After 30 days, data is permanently deleted
Alternatively, contact us to request deletion.
Note: Some data may be retained for legal compliance (see Data Retention section).
Right to Object
You can object to certain processing of your data:
- Marketing communications: Unsubscribe via email links or account settings
- Optional data collection: Choose not to provide optional profile information
Right to Restriction
You can request we temporarily restrict processing of your data in certain circumstances (e.g., while we verify accuracy of data you've disputed).
Additional Rights for EU/EEA/UK Users (GDPR)
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact us to request a data export.
Right to Withdraw Consent
Where we process data based on consent, you can withdraw consent at any time:
- This does not affect the lawfulness of processing before withdrawal
- Withdrawing consent may limit your ability to use certain features
Right to Lodge a Complaint
If you believe we have not handled your data properly, you have the right to lodge a complaint with your local data protection authority:
- EU users: Contact your national Data Protection Authority
- UK users: Information Commissioner's Office (ICO) - https://ico.org.uk
Right Not to Be Subject to Automated Decision-Making
We do not make decisions based solely on automated processing that significantly affects you. While we use AI to generate videos, this is at your direction and does not involve automated decisions about you.
How to Exercise Your Rights
Through Your Account:
- Log in to your EyeCap account
- Go to Settings to update or delete information
Contact Us:
- Email: moises.quesada30@gmail.com
- Subject line: "Privacy Rights Request"
- Include: Your name, email address, and specific request
Response Time:
- We will respond to your request within 30 days (GDPR) or 45 days (CCPA)
- For complex requests, we may extend this by an additional 30-45 days with notice
Verification:
- To protect your privacy, we may ask you to verify your identity before processing requests
- We may ask for additional information to confirm you are the account holder
No Fee:
- We do not charge a fee for exercising your privacy rights
- We may charge a reasonable fee for manifestly unfounded or excessive requests
California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.
Categories of Personal Information We Collect
Under the CCPA, we collect the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, IP address, user ID | Yes |
| Personal information under California Customer Records statute | Name, email, billing address, payment information | Yes |
| Commercial information | Subscription plan, purchase history, credit transactions | Yes |
| Internet or network activity | Browsing history on our site, interactions with our Service | Yes |
| Geolocation data | General location based on IP address | Limited |
| Professional or employment information | Role (e.g., Founder, CMO, Marketer), company size | Yes |
| Inferences | Preferences and characteristics derived from usage | Limited |
| Sensitive personal information | Account login credentials (password) | Yes |
Categories of Sources
We collect personal information from:
- Directly from you: Account registration, profile completion, file uploads
- Automatically: Usage data, cookies, log files
- Third parties: OAuth providers (Google, GitHub), payment processors (Stripe)
Business or Commercial Purposes for Collection
We collect and use personal information for:
- Providing and managing our video generation Service
- Processing transactions and managing subscriptions
- Customer support and communication
- Security, fraud prevention, and legal compliance
- Service improvement and analytics
- Marketing (with opt-out options)
Categories of Third Parties We Share Information With
We share personal information with:
- Service providers: Supabase, Kie.ai, Stripe, Sentry, Better Stack, Google (OAuth, Sheets, reCAPTCHA)
- Professional advisors: Lawyers, accountants (as needed)
- Legal authorities: When required by law
Your CCPA Rights
1. Right to Know
You have the right to request:
- Categories of personal information we collected about you
- Categories of sources from which we collected personal information
- Business/commercial purpose for collecting or selling personal information
- Categories of third parties with whom we share personal information
- Specific pieces of personal information we collected about you
2. Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, fraud prevention).
3. Right to Correct
You have the right to request correction of inaccurate personal information.
4. Right to Opt-Out of Sale or Sharing
We do NOT sell your personal information. We do not and will not sell your data to third parties for monetary or other valuable consideration.
We may "share" personal information for analytics purposes. You can opt out of this sharing by contacting us.
5. Right to Limit Use of Sensitive Personal Information
We only use sensitive personal information (passwords) for essential service provision. We do not use it for other purposes requiring an opt-out option.
6. Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights, including by:
- Denying goods or services
- Charging different prices or rates
- Providing different quality of services
- Suggesting you will receive different prices or quality of services
How to Exercise Your CCPA Rights
Submit a Request:
- Email: moises.quesada30@gmail.com
- Subject: "California Privacy Rights Request"
- Include: Your name, email address, and specific request (know, delete, correct, opt-out)
Verification:
- We will verify your identity by asking you to log in to your account or confirm your email address
- For deletion requests, we may require additional verification
Authorized Agents:
- You may designate an authorized agent to submit requests on your behalf
- We require written authorization from you and verification of the agent's identity
Response Time:
- We will respond within 45 days of receiving your request
- If we need more time, we will notify you and may extend up to 90 days total
No Fee:
- You may exercise these rights free of charge
- We may charge a reasonable fee for excessive or manifestly unfounded requests
California "Shine the Light" Law
California Civil Code Section 1798.83 allows California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
Do Not Sell My Personal Information
We do not sell your personal information. As stated above, EyeCap does not sell, rent, or trade user data to third parties for monetary or other valuable consideration.
Children's Privacy
EyeCap is a business-to-business (B2B) SaaS platform intended for professional use by marketers, founders, and business professionals. Our Service is not directed to individuals under the age of 18 (or 16 in the European Economic Area).
Age Restrictions
- We do not knowingly collect personal information from individuals under 18 years of age (16 in EEA)
- By using EyeCap, you represent that you are at least 18 years old (16 in EEA)
- If you are under 18 (16 in EEA), you may not create an account or use our Service
Parental Notice
If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at moises.quesada30@gmail.com.
Our Response
If we become aware that we have collected personal information from a child under the applicable age without proper parental consent:
- We will take immediate steps to delete that information from our servers
- We will terminate the associated account
- We will notify the email address associated with the account
Compliance
- COPPA (US): Children's Online Privacy Protection Act
- GDPR Article 8: Processing of children's data in information society services
- Local Laws: We comply with applicable age restrictions in all jurisdictions where we operate
Data Breach Notification
While we implement robust security measures to protect your data, no system is completely immune to breaches. In the event of a data breach that affects your personal information, we are committed to transparency and timely notification.
Our Notification Process
Timeline
- Discovery: We will investigate and confirm the breach as quickly as possible
- Assessment: We will assess the scope, severity, and impact of the breach
- Notification: We will notify affected users within 72 hours of confirming the breach (GDPR requirement)
What We Will Tell You
Our notification will include:
- Nature of the breach: What happened and what data was affected
- When it occurred: Timeline of the incident
- Data involved: Categories and types of personal information compromised
- Number of affected users: Approximate scale of the breach
- Potential consequences: What risks you may face
- Our response: Steps we've taken to contain and remediate the breach
- Your actions: Recommended steps you should take to protect yourself
- Contact information: How to reach us with questions or concerns
How We Will Notify You
- Primary method: Email to the address associated with your account
- Secondary method: In-app notification when you next log in
- Public notice: For large-scale breaches, we may post a notice on our website
Regulatory Notification
Where required by law, we will also notify:
- Data Protection Authorities: Within 72 hours of becoming aware of the breach (GDPR)
- California Attorney General: For breaches affecting 500+ California residents (CCPA)
- Other Authorities: As required by applicable laws in affected jurisdictions
Your Responsibilities
To help protect your account:
- Monitor your account for suspicious activity
- Change your password immediately if you suspect compromise
- Enable two-factor authentication (when available)
- Contact us if you notice unauthorized access
Prevention and Preparedness
We maintain:
- Incident Response Plan: Documented procedures for handling breaches
- Regular Security Audits: Proactive identification of vulnerabilities
- Employee Training: Staff education on security best practices
- Encryption: Multi-layer encryption to minimize breach impact
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How We Notify You of Changes
Material Changes
For significant changes that affect your rights or how we handle your data, we will:
- Email notification: Send an email to the address associated with your account at least 30 days before the changes take effect
- In-app notification: Display a prominent notice when you log in
- Update date: Change the "Last Updated" date at the top of this policy
Minor Changes
For non-material changes (e.g., clarifications, formatting updates, contact information changes):
- We will update the "Last Updated" date
- We may not send individual notifications
- We encourage you to review this policy periodically
Your Acceptance
- Continued Use: By continuing to use EyeCap after changes take effect, you accept the updated Privacy Policy
- Disagreement: If you do not agree with the changes, you should stop using our Service and may request account deletion
- Material Changes: For material changes, we may require you to actively accept the new terms before continuing to use certain features
Version History
We maintain a record of significant policy changes. You can request information about previous versions by contacting us.
Review Frequency
We recommend reviewing this Privacy Policy periodically, especially:
- Before providing new types of personal information
- When using new features
- At least once per year
Contact Us
We are committed to addressing your privacy concerns and questions. Please don't hesitate to reach out.
Privacy Inquiries
For questions or concerns about this Privacy Policy or our privacy practices:
Email: moises.quesada30@gmail.com
Subject Line: "Privacy Inquiry - EyeCap"
Data Subject Requests
To exercise your privacy rights (access, deletion, correction, portability, etc.):
Email: moises.quesada30@gmail.com
Subject Line: "Privacy Rights Request"
Include: Your name, account email address, and specific request
Data Protection Officer (DPO)
As a small operation, we currently do not have a designated Data Protection Officer. Privacy matters are handled directly by the owner. As we grow, we will appoint a DPO if required by law.
Business Information
Service Name: EyeCap
Operated by: Individual proprietor
Location: Costa Rica
Website: eyecap.app
EU Representative
Under GDPR Article 27, if we process personal data of EU/EEA individuals and meet certain thresholds, we may be required to appoint an EU representative. Currently, as a small operation, we handle EU inquiries directly. As we grow, we will appoint a representative if required.
Response Time
- General inquiries: Within 5 business days
- Data subject requests: Within 30 days (GDPR) or 45 days (CCPA)
- Urgent security matters: Within 24-48 hours
Complaints and Supervisory Authorities
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with:
For EU/EEA Residents
Your national Data Protection Authority. Find your authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
For UK Residents
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
For California Residents
California Attorney General's Office
Website: https://oag.ca.gov/contact
Thank you for trusting EyeCap with your personal information. We are committed to protecting your privacy and being transparent about our data practices.
This Privacy Policy is effective as of December 9, 2025, and applies to all users of the EyeCap platform.