Legal
Privacy Policy
This policy explains what personal data SSHOW collects, why we collect it, and the rights you have.
01
Scope & definitions
SSHOW (the “Service”) respects your privacy. This policy applies to s.show, our desktop and mobile apps, and any related services we operate. “Personal information” means information that identifies, relates to, or can reasonably be linked with an individual.
02
Information we collect
| Source | Required | What we collect |
|---|---|---|
| Email signup | Yes | Email, username, password (one-way hashed), signup time |
| Social signup | Yes | Provider ID, email, display name from Google or Apple |
| Profile | Optional | Nickname, bio, avatar |
| Two-factor auth | Optional | TOTP secret (encrypted), passkey public keys, hashed backup codes |
| Your content | Yes | Project files, uploaded media, fonts, audio, text, motion data |
| Access metadata | Auto | IP, user-agent, session ID, cookies, device IDs in apps |
| Payments (post-beta) | Yes | Handled by our payment processor; we receive only transaction ID, amount, and timestamp |
Things we never collect
National identifiers (e.g. Korean RRN, US SSN), precise geolocation, race, political views, religion, biometric templates, or any other special-category data.
03
How we use information
- Account & authentication — sign in, 2FA, password reset, abuse prevention.
- Service delivery — saving and syncing projects, team and space collaboration, share links, playback.
- Customer support — answering enquiries, sending notices.
- Security — anomaly detection, blocking unauthorised access, audit logs.
- Improvement — usage analytics, preferring pseudonymous or aggregate data.
- Legal compliance — to meet retention obligations under applicable law.
Legal bases (GDPR Art. 6): performance of contract (1, 2), legitimate interests (3, 4, 5), consent (marketing emails), legal obligation (6).
04
Retention
We delete personal data without undue delay once its purpose is fulfilled, except where law requires longer retention.
| Data | Period | Reason |
|---|---|---|
| Account info (active) | Until account deletion | Consent / contract |
| Account info (deleted) | Removed immediately | Consent / contract |
| Abuse records | 1 year after deletion | Dispute & legal duty |
| Access logs | 3 months | Communications law |
| E-commerce records | 5 years | Consumer protection law |
05
Sharing with third parties
We do not sell or rent your personal data, and we do not share it with third parties except: with your prior consent, when required by law or by a valid legal process, or in pseudonymised/anonymised form for statistics or research.
06
Sub-processors
| Processor | Purpose | Region |
|---|---|---|
| Oracle Cloud Infrastructure | Cloud hosting (servers, storage, DB) | Chuncheon (ap-chuncheon-1) |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global edge |
| Google LLC | OAuth (Google), transactional email infra | USA |
| Apple Inc. | OAuth (Sign in with Apple) | USA |
| OpenAI, L.L.C. / Anthropic, PBC / Google LLC | Optional AI assistance (see §11) | USA |
07
International transfers
Some sub-processors operate outside your country. Transfers rely on Standard Contractual Clauses (EU/UK) and equivalent safeguards. Data in transit is protected by TLS 1.2+. You may decline international transfers, in which case some features (social sign-in, AI assistance) may be unavailable.
08
Your rights
- Access, rectify, erase, restrict, or object to processing.
- Withdraw consent at any time, without affecting prior lawful processing.
- Export your projects in portable formats (.sshow, .json) — data portability.
- Lodge a complaint with your supervisory authority (e.g. KOPICO in Korea, your DPA in the EU).
Most rights can be exercised on the profile page. For anything else, write to [email protected]. We respond within 30 days.
09
Deletion
Electronic data is destroyed using techniques that prevent recovery (e.g. cryptographic erasure, secure overwrite). Paper records, if any, are shredded or incinerated.
10
Cookies & similar technologies
We use only the cookies needed to keep you signed in, remember your language, and validate security tokens. We do not use third-party advertising cookies. You can block cookies in your browser, though some features may stop working.
11
AI features & your data
Some features (text generation, image cleanup, motion suggestions) call external AI APIs (e.g. OpenAI, Anthropic, Google Gemini) only when you explicitly request them. We follow these rules:
- Only the data needed for the request is sent.
- We never use your content to train AI models, and we set the “no training” option on the upstream provider.
- See the dedicated AI usage notice for full details.
12
Children’s privacy
SSHOW is not directed at children under 14 (or under 13 in the United States, per COPPA). If we learn that we have collected data from a child without proper consent, we will delete it promptly. If you are a parent or guardian, contact [email protected].
13
Security
- Passwords are stored only as one-way hashes (bcrypt, cost ≥ 12).
- All traffic is TLS 1.2+ in transit; sensitive fields (2FA secrets, etc.) are encrypted at rest.
- Access follows the principle of least privilege; admin actions are recorded in audit logs.
- We run regular vulnerability reviews and notify you of any breach without undue delay, as required by law.
14
Contact
- Privacy enquiries — [email protected]
- General support — [email protected]
15
Changes
- v1.0 — 2026-04-25 — Initial version (closed beta).
We will give at least 7 days’ notice of any change in advance on this page. Material or adverse changes will be announced 30 days in advance, and we will obtain new consent where required by law.