VIRALMAXING

Privacy Policy

Last updated: 26/03/2026 (version 1.0)

1. Data Controller

The data controller responsible for your personal information is ИП Дрозд Илья Павлович, TIN (INN) 212885886929, OGRNIP 323210000044935, registered at: 428014, Россия, Чувашская Республика — Чувашия, г. Чебоксары, ул. Запрудная, д. 2.

We process personal data in accordance with internationally recognized privacy standards, including the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) for users located in the European Union and European Economic Area (EU/EEA), and applicable data protection laws of the Russian Federation (Federal Law No. 152-FZ "On Personal Data").

Data Protection Officer (DPO): The functions of the person responsible for organizing the processing of personal data are performed by ИП Дрозд Илья Павлович. For EU/EEA users: in accordance with Article 27 of the GDPR, our representative in the European Union is ИП Музыка Алексей Андреевич, Республика Беларусь, Минск, ул. Нёманская, 15, кв. 202. 220055.

For questions regarding the processing of your personal data, you can contact us at: Email: support@viralmaxing.com, Telegram: Lesha_Muzyka.

2. Data We Collect

We collect the following categories of personal data:

2.1. Registration Data

  • Email address
  • First and last name
  • Password (stored in encrypted form)
  • Time zone

2.2. Data from Third-Party Services (OAuth)

When you sign in or connect social media accounts, we receive data within the scope of the permissions you grant:

  • Google / YouTube: identifier, email, avatar, channel name, access tokens for video uploads
  • Yandex: identifier, email, avatar
  • Telegram: identifier, username, language, premium status
  • TikTok: identifier, display name, avatar, access tokens for publishing
  • LinkedIn: identifier, name, email, avatar, access tokens for publishing
  • Instagram: identifier, username, account type, access tokens for publishing and analytics
  • Threads (Meta): identifier, username, avatar, access tokens for publishing
  • Pinterest: identifier, username, avatar, access tokens, board data
  • Bluesky: handle, DID, display name, avatar, email, access tokens for publishing

2.3. Payment Data

  • Last 4 digits of your card number
  • Transaction history (amounts, dates, status)
  • Subscription data (plan, billing period, status)

Full card details (card number, CVV, expiration date) are never stored on our servers. Payment processing is handled by BePaid (primary, for international cards) and CloudPayments (for Russian cards). Both providers are PCI DSS certified.

2.4. Content and Activity

  • Scripts, posts, videos, and images you create
  • Search queries and saved search sessions
  • Account settings and preferences
  • Connected social media account information

2.5. Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Service interaction data (product analytics)

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

3.1. General Legal Bases

  • Consent: when you register an account, connect social media platforms, or subscribe to communications. Consent is recorded at the time of the action (clicking the registration button, connecting an integration) along with the date, time, document version, and user identifier
  • Performance of a contract: to provide subscription services, process payments, generate content, and perform automated publishing
  • Legitimate interest: to ensure service security, prevent fraud, and improve the quality of the service based on analytics

3.2. Additional Bases for EU/EEA Users (GDPR)

  • Consent (Art. 6(1)(a) GDPR): for registration, activating analytical cookies, and subscribing to marketing communications. Consent is freely given, specific, informed, and unambiguous (Art. 7 GDPR). We record evidence of consent (timestamp, document version, IP address) and retain this record for the entire duration of processing and 3 years after its termination
  • Performance of a contract (Art. 6(1)(b) GDPR): to provide services, process payments, and generate content
  • Legitimate interest (Art. 6(1)(f) GDPR): to ensure security, prevent fraud, and improve the service. We conduct a balancing test for each processing activity based on legitimate interest

3.3. For California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We do not sell your personal information as defined by the CCPA. We do not use or share sensitive personal information for purposes other than those permitted by the CCPA. For details on your specific rights, see Section 11.3 below.

4. How We Use Your Information

  • To provide and maintain the functionality of the service
  • To associate the content you create with your account
  • To publish content to your connected social media platforms (with your permission)
  • To securely process payments
  • To process content through AI services (generation, transcription)
  • To provide analytics for your social media accounts
  • To send transactional notifications (verification codes, payment notifications)
  • To improve the service based on aggregated analytics data

5. Automated Data Processing

The service uses automated data processing technologies, including artificial intelligence (AI), in the following cases:

  • AI content generation: script texts, prompts, and descriptions are sent to third-party AI providers (via OpenRouter) for content generation. Data is not retained by AI providers after the request is processed
  • Content analytics (VM Score): automated assessment of viral potential based on engagement metrics (views, likes, comments). The result is a numerical score from 0 to 100 that does not affect your access to the service
  • Transcription: audio and video files are sent to third-party services for automatic conversion to text

We do not make decisions that have legal effects on you based solely on automated data processing. VM Score is an informational metric and does not affect your access to service features, the ranking of your content, or your terms of service. If you believe that automated processing has produced an erroneous result, you may contact our support team for a human review.

For automated data processing activities, including AI generation and content analytics, we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR. The results of this assessment are available upon request by a supervisory authority.

6. Data Sharing with Third Parties

We do not sell personal data. Data is shared with the following categories of recipients solely to perform the functions of the service:

RecipientJurisdictionPurposeDataSafeguards
BePaidBelarusPayment processing (international)Payment dataPCI DSS, DPA
CloudPaymentsRussiaPayment processing (Russian cards)Payment dataPCI DSS
AI providers (OpenRouter)USAContent and script generationScript texts, prompts (no personal data)DPA, SCCs
SupadataUSAAudio/video transcriptionAudio/video filesDPA, SCCs
Cloudflare (R2)USA / GlobalFile storageVideos, images, exportsDPA, SCCs
ResendUSAEmail notificationsEmail address, message contentDPA, SCCs
PostHogUSA (EU hosting)Product analyticsPseudonymized usage events (user ID, actions; no name/email)DPA, EU data residency
Google AnalyticsUSA / IrelandWeb analyticsPseudonymized visit data (IP truncated, no direct identifiers)DPA, SCCs, IP anonymization

Note: DPA stands for Data Processing Agreement; SCCs stands for Standard Contractual Clauses (EU standard contractual clauses for international data transfers). Pseudonymized data refers to data that cannot be attributed to a specific individual without the use of additional information held separately (Art. 4(5) GDPR). This differs from anonymized data, which cannot be linked to an individual under any circumstances. We do not share direct identifiers (name, email) with analytics services.

7. Social Media Integrations

YouTube

Used to upload your videos with your permission. By authorizing through Google, you agree to the YouTube Terms of Service and Google Privacy Policy. Our use of data obtained through Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

Threads (Meta)

threads_basic: Retrieval of basic profile information. threads_content_publish: Publishing content with your permission.

Other Platforms

TikTok, LinkedIn, Instagram, Pinterest, and Bluesky are used for automated content publishing with your permission. For each platform, only the necessary permissions are requested. You can disconnect any integration in your account settings at any time.

Media Resources and Templates

Viralmaxing provides access to a library of media resources (memes, images, music, fonts, templates). These resources are sourced from publicly available sources, user contributions, or under permissive licenses. We do not guarantee that all provided resources are free from copyright restrictions. Users are responsible for independently verifying rights before commercial use.

8. Cookies and Analytics

We use cookies and similar tracking technologies. Cookies are divided into the following categories:

8.1. Necessary Cookies

Functional cookies (authentication, session, user preferences) are essential for the operation of the service and do not require separate consent. The service cannot function properly without them.

8.2. Analytical Cookies

Analytical cookies are activated only after you provide explicit consent through the cookie consent banner displayed on your first visit. These include:

  • PostHog — product analytics to understand how users interact with the service. Profiles are created only for authenticated users (identified_only mode)
  • Google Analytics — web analytics for traffic analysis and marketing channel effectiveness. Used only in the production environment

8.3. Consent Management

You can withdraw your consent to analytical cookies at any time through the cookie settings on the website or by clearing cookies in your browser. Upon your next visit, the cookie consent banner will be displayed again. Declining analytical cookies does not affect the functionality of the service. When consent is withdrawn, we immediately cease collecting analytical data and delete previously set analytical cookies.

9. Data Storage and Protection

Data is stored using industry-standard encryption. Access to personal data is restricted and granted only to authorized systems.

Retention Periods

  • Account data: for the entire duration of your use of the service and 30 days after account deletion
  • Payment records: 5 years (as required by tax and accounting regulations)
  • Analytics data: 12 months
  • OAuth tokens: until revoked by you, token expiration, or 12 months of account inactivity (whichever comes first). After 12 months of inactivity, tokens are automatically revoked
  • Backups: 30 days

10. Cross-Border Data Transfers

When using the service, your data may be processed outside your country of residence by third-party services (AI providers, payment processors, cloud storage). The specific jurisdictions and safeguards for each recipient are listed in the table in Section 6. We ensure that all data transfers are conducted in accordance with applicable data protection laws and with adequate protective measures in place.

For EU/EEA users: cross-border data transfers to third countries (including the USA) are conducted on the basis of: (a) Standard Contractual Clauses (SCCs) as adopted by European Commission Decision 2021/914; (b) adequacy decisions; (c) the EU-U.S. Data Privacy Framework (DPF) for certified recipients in the United States — in accordance with Articles 46 and 49 of the GDPR. A Data Processing Agreement (DPA) has been concluded with each recipient, including technical and organizational protective measures.

For U.S. users: where we transfer data from the United States to other jurisdictions, we ensure that appropriate safeguards are in place, including contractual protections consistent with applicable U.S. state and federal privacy laws.

11. Your Rights

11.1. General Rights

Regardless of your location, you have the following rights regarding your personal data:

  • Right of access: obtain information about what personal data we process about you
  • Right to rectification: request correction of inaccurate or incomplete data
  • Right to deletion: request deletion of your data (learn more on the data deletion page)
  • Right to restrict processing: request restriction of processing of your data in certain circumstances
  • Right to withdraw consent: withdraw previously given consent to the processing of personal data at any time

We will respond to your request within 30 calendar days of receipt. In exceptional cases, this period may be extended by an additional 60 days with prior notice.

11.2. Additional Rights for EU/EEA Users (GDPR)

If you are located in the EU/EEA, you additionally have the following rights:

  • Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21 GDPR): object to the processing of your data based on legitimate interest
  • Right not to be subject to automated decision-making (Art. 22 GDPR): not be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you
  • Right to lodge a complaint: file a complaint with the data protection supervisory authority in your country of residence

Response time for EU/EEA user requests is 30 (thirty) calendar days from receipt (Art. 12 GDPR). In exceptional cases, the period may be extended by an additional 60 days with notification.

11.3. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the CCPA and CPRA:

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share your data
  • Right to delete: request deletion of your personal information, subject to certain exceptions
  • Right to correct: request correction of inaccurate personal information
  • Right to opt out of sale/sharing: we do not sell or share your personal information as defined by the CCPA
  • Right to non-discrimination: you will not receive discriminatory treatment for exercising any of your CCPA rights
  • Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond those permitted by the CCPA

To exercise your CCPA rights, contact us at support@viralmaxing.com. We will respond to verifiable consumer requests within 45 days, which may be extended by an additional 45 days with notice.

12. Applicable Law

This Privacy Policy is governed by the laws of the Russian Federation, including Federal Law No. 152-FZ "On Personal Data."

For users located in the EU/EEA, this Policy is supplemented by the provisions of the GDPR (Regulation (EU) 2016/679). In the event of a conflict between the provisions of this Policy and the GDPR, the GDPR provisions shall prevail for EU/EEA users.

For users located in California, this Policy is supplemented by the provisions of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). In the event of a conflict, the CCPA/CPRA provisions shall prevail for California residents.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated version on this page with the date of the update. For EU/EEA users, we will additionally notify you of material changes via email.

14. Contact

If you have any questions about this Privacy Policy or the processing of your personal data, please contact us:

Email: support@viralmaxing.com
Telegram: Lesha_Muzyka

We use cookies to improve our service. Learn more