Privacy Policy
May 4, 2026
01.Data Controller
The controller for personal data collected via the Pix2Clip service is QR Communication, an SAS registered under SIREN 940 163 496, with its registered office at 23 rue de Richelieu, 75001 Paris, France. This policy informs the user, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and the amended French Data Protection Act of 6 January 1978, of the conditions under which personal data is collected, processed and retained. For any question or request to exercise rights, the contact is: contact@qrcommunication.com. QR Communication has not appointed a Data Protection Officer as it does not meet the mandatory designation criteria set out in Article 37 of the GDPR; nonetheless, an internal GDPR contact point is maintained at the above address.
02.Purposes and Legal Bases
Personal data is processed for the following purposes: (i) management of the user account and authentication — legal basis: performance of the contract (Article 6.1.b GDPR); (ii) processing of credit pack orders, invoicing and bookkeeping — legal basis: performance of the contract and legal obligations (Articles 6.1.b and 6.1.c); (iii) provision of AI generation services — legal basis: performance of the contract (Article 6.1.b); (iv) security of the service, fraud prevention and access log retention — legal basis: legitimate interest of the publisher (Article 6.1.f); (v) responding to user requests and support — legal basis: performance of the contract or legitimate interest; (vi) compliance with legal obligations (invoice retention, responses to authorities) — legal basis: Article 6.1.c.
03.Categories of Data Collected
The following data is collected: (i) identification and contact data (last name, first name, email address); (ii) authentication data (password stored in Argon2id hashed form, session tokens); (iii) billing data (billing address, transaction references, last four digits of the bank card transmitted by Viva Wallet, never the full number); (iv) technical connection data (IP address, user-agent, timestamp, session identifiers); (v) content uploaded or generated by the user (images, videos, audio files, text prompts); (vi) credit usage history; (vii) voice samples voluntarily provided by the user as part of the voice cloning feature — these constitute biometric data within the meaning of Article 9.1 GDPR and are subject to specific processing described in the dedicated section below. Apart from this opt-in feature, no sensitive data within the meaning of Article 9 GDPR is intentionally collected; users are reminded not to upload health, biometric or otherwise sensitive data in the service's other flows.
04.Biometric data – Voice cloning
The voice cloning feature relies on the processing of biometric data within the meaning of Article 9.1 GDPR: a few-seconds voice sample, voluntarily provided by the user, enables the generation of a voice model that can then synthesize new utterances. The legal basis for this processing is the data subject's explicit consent (Article 9.2.a GDPR), collected at the time the sample is uploaded. This consent is: freely given (the feature is optional and the service remains fully usable without it), specific (limited to voice cloning, with no reuse for other purposes), informed (the user is informed of the transfer to the subprocessor MiniMax in China and of the associated safeguards) and unambiguous (positive validation action separate from the Terms of Use). The user may withdraw consent at any time from their personal account; withdrawal triggers deletion of the voice model and source sample within a maximum of thirty days. Cloned voices are strictly tied to the account that created them: they are neither shared, sold, nor used to train third-party models. No other category of biometric data (fingerprints, facial recognition, etc.) is collected by the service.
05.Subprocessors and Non-EU Transfers
In accordance with Article 28 GDPR, QR Communication uses the following subprocessors, bound by data processing agreements: Hetzner Online GmbH (Germany) for application hosting; Scaleway SAS (France, fr-par region) for storage of generated files; Viva Payment Services SA (Greece) for payment processing; MiniMax (China) for generative AI models. The transfer to MiniMax constitutes a transfer outside the European Union to a country lacking an adequacy decision. This transfer is governed by the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914) and is limited to the prompts and files strictly necessary for the requested generation. Users are advised not to transmit sensitive personal information through prompts.
06.Retention Periods
The following retention periods apply: (i) user account data — for the entire duration of account activity, then three years after the last login for any prospecting purposes, in accordance with the CNIL guidelines on commercial prospecting; (ii) generated and uploaded content — one year from creation, unless deleted earlier by the user; (iii) invoices and accounting records — ten years, in accordance with Article L123-22 of the French Commercial Code; (iv) connection and security logs — one year, in accordance with CNIL recommendations and Article L34-1 of the French Postal and Electronic Communications Code; (v) payment data — for the time necessary to finalise the transaction, the bank retaining its own records.
07.Rights of Data Subjects
In accordance with Articles 15 to 22 GDPR, the user has the following rights: right of access (Art. 15), right of rectification (Art. 16), right to erasure or 'right to be forgotten' (Art. 17), right to restriction of processing (Art. 18), right to portability of data in a structured, machine-readable format (Art. 20), right to object to processing based on legitimate interest (Art. 21), and the right to define directives concerning the fate of their data after death. Most of these rights are exercised directly and immediately from the user account, in the section 'Settings > GDPR & my data'. This integrated panel allows: viewing and exporting all personal data as a ZIP file containing a portable JSON dump together with the user's generated files (Art. 15 and 20); granular management of marketing, analytics and personalization consents (Art. 7 and 21); suspension of processing in read-only mode (Art. 18); and a definitive account deletion request with a 30-day grace period, cancellable at any time from the same interface (Art. 17). For complex requests, prior questions, or for the right of rectification of data not editable from the account, the user may also write to contact@qrcommunication.com, accompanied where necessary by proof of identity; a response will be provided within one month, extendable by two months for complex requests. In the event of persistent disagreement, the user may lodge a complaint with the French Data Protection Authority (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr.
08.Cookies
The use of cookies on the Pix2Clip service is detailed in the Cookie Policy, accessible from the website footer. Only cookies strictly necessary for the operation of the service (authentication, language preference, anti-CSRF token) are placed without prior consent, in accordance with Article 82 of the French Data Protection Act. Any future deposit of non-essential cookies (audience measurement, marketing) would be subject to prior, explicit and granular consent collected via the cookie banner displayed on the first visit. This consent remains revocable at any time from the user account's GDPR panel ('Settings > GDPR & my data'), as easily as it was given.