Privacy policy

Effective date: 2025-08-02

Entity: Saltfish AB, Roslagsgatan 45, 113 54 Stockholm, Sweden ("Saltfish", "we", "us", "our")

Contact: simon@saltfish.ai

Saltfish provides an avatar-creation studio and an embeddable video widget (the "Service"). This Policy explains how we handle personal data when you visit saltfish.ai, use our Studio as a customer, or interact with a customer's embedded Saltfish Widget.

1) Roles and scope

Website & Studio. For saltfish.ai and the Saltfish Studio (accounts, billing, support), Saltfish is the data controller.

Embedded widget. When customers deploy the widget on their own sites/apps and their end users view or interact with it, Saltfish acts as a data processor to those customers (the controllers).

Creators vs. Viewers. "Creators" are our customers' personnel who record or upload content to create avatars and generate outputs in the Studio. "End Users (Viewers)" are individuals who view or interact with the embedded widget on customer properties; they do not create avatars.

Customer analytics dashboards. We produce aggregated/de-identified metrics for each customer's dashboard (e.g., view and completion rates for that customer's deployments). These metrics are provided to that customer and are not used to train models or for unrelated product improvement.

Session recordings (optional). The widget supports optional session replay (i.e., logging DOM events to reconstruct user flows) if the customer enables it. This does not involve screen, audio, or video capture. Customers are responsible for masking inputs and avoiding collection of personal or sensitive data in replays.

2) What we collect

A. Website visitors

  • Device and log information (e.g., IP address, browser/OS, referring URL, timestamps).

  • Cookie/ID data for basic analytics and A/B testing on our site (no third-party advertising).

B. Customer admins (Studio users / Creators)

  • Account details (name, email).

  • Authentication via password or SSO (if enabled).

  • Billing/subscription details (handled by a payment processor).

  • Support communications (typically email or Slack with your team).

C. End users of customer deployments (Viewers)

Customer-directed content path:

  • Inputs from Creators (e.g., recorded video/audio) to create avatars in the Studio.

  • Generated outputs (avatar video/audio) that customers embed in the widget; End Users then view these assets.

  • Event/telemetry about widget interactions by End Users (e.g., load events, completion rates).

  • Optional session recordings if the customer enables this feature.

Special categories and sensitive data. Our Service is not designed to collect special-category data under GDPR Article 9 (e.g., information revealing racial or ethnic origin, religious beliefs, health) or other sensitive data (e.g., government IDs, precise geolocation). Customers must not submit such data unless it is strictly necessary and supported by a valid legal basis (typically explicit consent) with appropriate safeguards (data minimization, masking/redaction, limited retention). We process any such data only on the customer's documented instructions.

3) How we use data and legal bases

Provide and secure the Service

  • Examples: account creation, avatar rendering, delivery, abuse prevention, QA

  • Legal basis: contract (Art. 6(1)(b)); legitimate interests for security (Art. 6(1)(f))

Customer support and communications

  • Examples: respond to admin inquiries, service updates

  • Legal basis: contract / legitimate interests

Customer analytics dashboards

  • Examples: show each customer metrics about their widget deployments (e.g., completion rates)

  • Legal basis: contract / legitimate interests

Website analytics and A/B tests

  • Examples: measure usage of saltfish.ai

  • Legal basis: consent where required (cookies); legitimate interests otherwise

Compliance and recordkeeping

  • Examples: invoices, tax, legal requests

  • Legal basis: legal obligation

No model training on customer content. Saltfish does not use customer videos, audio, Outputs, or other customer content to train or improve models or products, and we require our service providers to honor the same restriction.

4) Cookies and similar technologies

  • Cookies/SDKs are used only for analytics and A/B testing on saltfish.ai.

  • We will implement a consent banner (e.g., Usercentrics) in the EU/UK so visitors can manage non-essential cookies.

  • We do not run behavioral advertising or sell/share personal information for cross-context advertising.

  • We honor Global Privacy Control (GPC) signals for our website where applicable (see Section 12).

5) Service providers (sub-processors)

We work with carefully selected service providers that host infrastructure, process payments, generate media on our behalf, or support operations. These providers may handle personal data only to provide services to us and under appropriate contractual terms.

  • Infrastructure/hosting: cloud services in EU regions.

  • Payments: third-party payment processor (controller for card data).

  • Media generation: audio/video generation providers used by Saltfish to deliver requested features.

  • Support/ops: email and workspace tools for customer communications.

Transparency. We keep an up-to-date list of material service providers available to customers upon request, and we will provide prior notice of material changes as required by our customer agreements.

Note on provider policies. Some providers publish their own retention or training terms. Customers should review those providers' policies to understand how content is handled by them. Saltfish does not authorize providers to use customer content for their own purposes beyond what is necessary to deliver the requested service.

6) International data transfers

We primarily process data in the EU. Some service providers may process in other jurisdictions (including the United States). Where required, we use appropriate transfer tools such as the EU Standard Contractual Clauses and, if applicable, the UK Addendum or other valid transfer mechanisms.

7) Data retention

  • Account and admin data: kept for the life of the account and 90 days after closure, then deleted or archived as required by law.

  • Avatar inputs/recordings and generated media: retained while the customer's project/account is active and deleted on request or 90 days after termination.

  • Session recordings (optional): default retention 30 days when enabled by the customer (customers may request a different period).

  • Logs/telemetry: retained for approximately 90 days.

  • Backups: deletions propagate as backups naturally rotate (typically within about 35 days).

We may keep minimal records as needed for legal, tax, or security purposes.

8) Security

We employ technical and organizational measures including TLS in transit, encryption at rest, role-based access/least privilege, secrets management, audit logging, and vulnerability management. We maintain an incident response plan and will notify affected customers without undue delay and in any event within 72 hours after confirmation of a personal-data breach.

9) Your rights

Depending on your location, you may have rights to access, rectify, delete, port, restrict, or object to certain processing, and to withdraw consent where we rely on consent.

  • Website/Studio users: contact simon@saltfish.ai (subject: "Privacy Request").

  • End Users (Viewers) of a customer deployment: please contact the customer (site/app owner) directly; we will assist them as their processor.

We verify requests via your account email or other reasonable steps. We respond within 30 days in the EEA/UK and 45 days in the U.S. (with permitted extensions). You may appeal a denied request by replying to our decision email. You may also lodge a complaint with your local data protection authority in the EEA/UK.

10) Children

The Service is intended for business users and is not directed to children. We do not knowingly collect data from anyone under 13 (or under 16 in the EEA/UK without appropriate consent). If you believe a child has provided data, contact us and we will delete it.

11) Avatars, likeness, and voice

The Service processes video/audio to create avatar outputs at our customers' direction. We do not create or store biometric identifiers intended to uniquely identify a person (such as face-geometry templates or voiceprints).

Prohibited uses. The Service may not be used for biometric identification, liveness detection, or identity recognition of individuals, and may not be used to impersonate real people without proper authorization. These restrictions apply to all customer deployments and content.

12) Do Not Sell/Share and Global Privacy Control

We do not sell personal information and do not share it for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals on our website where applicable, which allow users to signal opt-out/consent preferences via their browser or extensions.

13) Law enforcement and legal requests

We review requests for legal validity, seek to narrow scope, and notify relevant customers or users before disclosure unless legally prohibited or there is a clear risk of harm or emergency.

14) Changes to this Policy

We may update this Policy. For material changes, we will provide advance notice (e.g., 14–30 days) via the Service or email where feasible. We will post the Effective Date and provide prior versions upon request.

15) Contact

Questions or requests: simon@saltfish.ai

If you are an End User (Viewer) of a customer deployment, please contact that customer (the site/app owner) first; we'll assist them as needed.