Slatesslates

// legal

Privacy Policy

Last updated: March 19, 2026

See also: Terms of Service · Contact

1. Who We Are

Blueprint Online Learning Inc., doing business as Slates (“Slates,” “slates-social,” “we,” “us,” or “our”), is an AI video and image creation studio operated from British Columbia, Canada. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Slates desktop application (also known as slates-social), website (slates.video), and related services (collectively, the “Service”).

By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

  • Email address — required for account creation and authentication
  • Display name — if provided
  • Hashed password — stored securely; we never store plaintext passwords

2.2 Payment Information

  • Billing details are processed entirely by Stripe, our third-party payment processor.
  • We do not store your credit card number, expiration date, or CVV on our servers. We receive only transaction confirmations, amounts, and Stripe customer IDs.
  • Purchase history (license purchases and credit top-ups) is stored on our servers for billing and support purposes.

2.3 Usage and Generation Data

  • When you generate content via Proxy Mode (Slates Credits), we store: the text prompt submitted, the AI model used, timestamp, credit cost, and result status (success/failure). This data is necessary for credit billing, failed-generation refunds, and service improvement.
  • Credit balance and transaction history are maintained on our servers.

2.4 Technical and Device Data

  • IP address — collected during authentication and API requests
  • Application version — sent with API requests for compatibility
  • Operating system type — for support and compatibility
  • Error and crash reports — diagnostic information that does not include your prompts or generated content

2.5 Website Analytics Data

On our website (slates.video), we use PostHog for product analytics. This includes pages visited, session duration, referral source, browser type, general geographic region, and conversion events (such as purchases and checkout interactions). When you make a purchase, your email address is associated with your analytics profile to connect your site activity with your account. We do not build individual behavioral profiles. The desktop application does not include third-party analytics or tracking.

2.6 Locally Stored Data (Desktop App)

API keys (BYOK Mode) are encrypted using OS-level encryption (Electron safeStorage, which uses macOS Keychain, Windows DPAPI, or Linux secret store depending on your OS). Your API keys are never transmitted to, stored on, or accessible by Slates servers. We have no ability to access or recover your API keys.

  • Application preferences and settings — stored locally on your device
  • Generated content — images and videos are saved to your local device. We do not upload, store, or have access to your generated files.

3. How We Use Your Information

PurposeLegal Basis
Provide and operate the ServiceContractual necessity
Process payments and manage creditsContractual necessity
Send transactional emailsContractual necessity
Detect and prevent fraud or abuseLegitimate interest
Fix bugs and improve performanceLegitimate interest
Website analyticsLegitimate interest / Consent
Respond to support requestsContractual necessity
Comply with legal obligationsLegal obligation

We do not use your information to:

  • Train AI models
  • Sell or rent your personal data to third parties
  • Sell or share your data with third parties for their own advertising purposes
  • Send unsolicited marketing emails (unless you opt in)

4. AI Generation and Third-Party Processing

Proxy Mode (Slates Credits)

When you generate content using Slates Credits, your prompt and generation parameters are transmitted from the desktop app to Slates' proxy servers, which then forward the request to the appropriate third-party AI provider (Google, fal.ai, or others).

  • What passes through our servers: your text prompt, selected model, generation parameters (resolution, duration, style settings)
  • What we log: prompt text, model used, timestamp, credit cost, result status. We retain generation logs for 12 months.
  • What we do NOT do: we do not review or analyze prompts in real time. Content moderation is handled by the AI providers' built-in safety systems. We do not use your prompts to train any models.

BYOK Mode

When you generate content using your own API keys (BYOK Mode), your requests are sent directly from the desktop application to the third-party AI provider. These requests do not pass through Slates' servers. We do not log, intercept, or have visibility into BYOK-mode generations.

Third-Party AI Provider Policies

Each AI provider processes your data according to their own privacy policies:

We select AI providers that commit to not using API-submitted data for model training, but we cannot guarantee or enforce their internal practices.

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We share data only with the following third parties, and only as necessary:

Third PartyPurpose
StripePayment processing (email, billing info, transaction data)
PostHogWebsite analytics and conversion tracking (page views, events, email on purchase)
Meta (Facebook/Instagram)Advertising measurement and conversion optimization (pixel events, click identifiers)
Google AdsAdvertising measurement and conversion attribution (click identifiers)
Google, fal.aiAI generation (prompts and parameters, Proxy Mode only)
Fly.ioServer hosting and infrastructure

We may also disclose your information if required by law, legal process, or government request, or to protect the rights, property, or safety of Slates, our users, or the public.

In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity. We will notify affected users via email before any such transfer.

6. Cookies and Tracking

Website (slates.video)

  • Strictly necessary cookies — for authentication and session management (no consent needed)
  • PostHog analytics — tracks page views, session activity, and conversion events. PostHog also forwards certain conversion events (purchases, checkout interactions) to our advertising platforms via server-side integrations (Conversions API) for campaign measurement.
  • Meta Pixel — measures advertising performance and conversion events. Sets cookies including _fbc and _fbp to attribute website activity to Meta ad campaigns.
  • Advertising click identifiers — when you arrive from an ad, the URL may contain click identifiers (such as fbclid, gclid, or ttclid) placed by the advertising platform. We store these identifiers to measure campaign performance and attribute conversions.

We use advertising and conversion tracking technologies solely to measure the performance of our own advertising campaigns. We do not sell your data to advertisers or allow third parties to use our website for their own ad targeting.

Desktop Application

The Slates desktop application does not set cookies or include any third-party tracking, analytics, or telemetry beyond the error reporting described in Section 2.4.

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

DataRetention
Account informationDuration of account + 30 days
Payment & billing records7 years (tax compliance)
Generation logs12 months
Website analytics14 months
Server & proxy logs30 days
Support communications2 years after resolution
Locally stored dataUntil you uninstall the app

After the applicable retention period, data is permanently deleted or anonymized so it can no longer identify you.

8. Data Security

  • Encryption in transit — all data transmitted between the desktop app, our servers, and third-party providers uses TLS/HTTPS encryption
  • Encryption at rest — server-side data is encrypted at rest
  • BYOK key encryption — API keys are encrypted using OS-level cryptography (macOS Keychain, Windows DPAPI, or Linux secret store)
  • Password hashing — account passwords are cryptographically hashed and salted
  • Access controls — internal access to user data is restricted to authorized personnel on a need-to-know basis

No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security.

9. Your Privacy Rights

All Users

Regardless of your location, you may:

  • Access your personal data by contacting us
  • Correct inaccurate personal data
  • Delete your account and personal data (see Section 11)
  • Object to certain processing activities
  • Withdraw consent where processing is based on consent

European Economic Area (EEA) and United Kingdom

Under the GDPR, you additionally have the right to:

  • Data portability — receive your data in a machine-readable format (JSON or CSV)
  • Restrict processing in certain circumstances
  • Lodge a complaint with your local data protection supervisory authority

We will respond to GDPR requests within 30 days (extendable by 60 days for complex requests, with notice). For international transfers outside the EEA/UK, we rely on Standard Contractual Clauses or equivalent legal mechanisms.

California Residents

Under the CCPA/CPRA, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Opt out of the sale or sharing of your personal information — we do not sell or share your personal information
  • Non-discrimination for exercising your privacy rights

We will respond to CCPA requests within 45 days (extendable by 45 days with notice).

Canadian Residents

Under PIPEDA and BC PIPA, you have the right to:

  • Access your personal information held by us
  • Challenge the accuracy and have it corrected
  • Withdraw consent for non-essential processing
  • Challenge our compliance with applicable privacy laws

We will respond to access requests within 30 days.

To exercise any of these rights, contact us at hello@slates.video.

10. Children's Privacy

Slates is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a user under 18, we will delete the account and associated data promptly. If you believe a child has provided us with personal information, please contact us immediately at hello@slates.video.

11. Account Deletion

You may request deletion of your account and personal data at any time by using the account deletion option in the application or by contacting us at hello@slates.video.

What happens when you delete your account:

  • We will verify your identity before processing the deletion.
  • There is a 7-day grace period during which you may cancel the deletion request.
  • After the grace period, we will permanently delete your account information, generation logs, and associated data within 30 days.
  • Any remaining credit balance is forfeited upon account deletion.

Data we may retain after deletion:

  • Payment and billing records for 7 years (tax and financial compliance)
  • Anonymized or aggregated data that can no longer identify you
  • Data required to comply with a legal obligation or defend legal claims

12. Breach Notification

In the event of a data breach that poses a real risk of significant harm:

  • We will notify the Office of the Privacy Commissioner of Canada and the BC Information and Privacy Commissioner as soon as feasible.
  • We will notify affected users via email as soon as feasible, describing the nature of the breach, the data involved, and steps you can take to protect yourself.
  • Where required, we will notify the relevant EU supervisory authority within 72 hours.

13. International Data Transfers

Slates is operated from Canada. Your data may be processed in Canada, the United States (where some of our infrastructure providers and AI providers operate), and other countries where third-party AI providers may process generation requests. Canada has been recognized by the European Commission as providing an adequate level of data protection. For transfers to other countries, we ensure appropriate safeguards are in place.

14. Changes to This Policy

  • Material changes will be communicated via email at least 30 days before they take effect.
  • Non-material changes may take effect immediately upon posting.
  • If you continue to use the Service after changes take effect, you accept the updated policy.

15. Contact Us

For privacy-related questions, data access requests, or to exercise any of your rights:

Email: hello@slates.video

We aim to respond to all privacy inquiries within 30 days.

← Back to Home