Privacy Policy

OnTarget Studio — by OnTarget Creators Ltd

Effective Date: 18 February 2026
Last Updated: 26 February 2026


1. Who We Are

OnTarget Studio is operated by OnTarget Creators Ltd ("OnTarget Creators", "we", "us", "our"), a New Zealand company registered at 2/33 Beedley Street, Spreydon 8024, Canterbury, New Zealand.

  • Website: ontargetcreators.com
  • Product: OnTarget Studio (studio.ontargetcreators.com)
  • Contact: privacy@ontargetcreators.com
  • Data Protection Contact: privacy@ontargetcreators.com. OnTarget Creators Ltd does not meet the thresholds for mandatory DPO appointment under GDPR Article 37. All data protection inquiries are handled by our Data Protection Contact.

As a New Zealand-registered company, we are governed by the New Zealand Privacy Act 2020. We are also the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) as supplemented by the Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and the Australian Privacy Act 1988 for users in those jurisdictions.


2. What This Policy Covers

This policy explains how we collect, use, store, share, and protect your personal information when you use OnTarget Studio — an AI-powered YouTube script generation platform.

This policy applies to all users worldwide, including users in New Zealand, Australia, the European Union, the United Kingdom, and the United States.

Governing Privacy Law

As OnTarget Creators Ltd is registered in New Zealand, the New Zealand Privacy Act 2020 is our primary governing privacy law. We also comply with:

  • The Australian Privacy Act 1988 for users in Australia (data stored in Sydney)
  • The EU General Data Protection Regulation (GDPR) for users in the EU/EEA
  • The California Consumer Privacy Act (CCPA) for users in California, USA
  • The UK General Data Protection Regulation (UK GDPR) as supplemented by the Data Protection Act 2018 for users in the United Kingdom

Where these laws conflict, we apply the law that provides the greatest protection to your personal information.


3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address — from your Google or Microsoft account via OAuth
  • Display name — from your Google or Microsoft account
  • Profile picture URL — from your Google account (if available)
  • Authentication provider ID — your Google or Microsoft user identifier

We use Google OAuth and Microsoft OAuth exclusively. We do not offer email/password registration. We do not collect or store passwords.

3.2 Content You Create

When you use our features, we collect the content you provide:

  • Script generation: Video topics, context notes, duration preferences
  • Competitor analysis: YouTube channel URLs (public data), your unique angle description
  • Title generation: Seed titles and topics
  • Outlier Chat (Archer): Your chat messages about channel strategy
  • Audio generation: Voice and speed preferences

3.3 AI-Generated Content

We store content generated by our AI on your behalf:

  • Research documents, concept blueprints, scripts, titles, descriptions, tags
  • Competitor analysis insight cards and channel style profiles
  • Audio files generated from your scripts
  • Chat conversation history with Archer (our strategy advisor)

3.4 Payment Information

When you subscribe to a paid plan, payment is processed by Stripe (our payment processor). We collect:

  • Your email and name (for billing)
  • Subscription plan and billing status
  • Stripe customer identifier

We never collect, see, or store your credit card number, CVV, or bank details. Stripe handles all payment card data under PCI DSS Level 1 compliance.

3.5 Usage and Credit Data

We automatically collect:

  • Credit balance and transaction history (credits used per feature)
  • Subscription tier (Free, Annual, or Founding)
  • Feature usage patterns (which tools you use)

3.6 Technical Data

We automatically collect:

  • Cookies: Authentication session cookies only (required for the service to function)
  • Device information: Browser type, operating system, device type (collected by Sentry for error monitoring in production only)
  • Server access logs: IP address, user agent, request timestamps (collected by Vercel for security and debugging, retained 30 days)
  • Preferences: Theme selection (dark/light mode), stored locally on your device

We do not use Google Analytics, tracking pixels, session recording, or any third-party advertising or analytics tools.


4. How We Use Your Information

| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate OnTarget Studio | Account info, content, AI outputs | Contract performance (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Email, name, Stripe customer ID | Contract performance (Art. 6(1)(b)) |
| Generate AI content (scripts, titles, research, analysis) | Your content inputs, channel data | Contract performance (Art. 6(1)(b)) |
| Provide Outlier Chat (Archer) strategy advice | Your chat messages, channel context | Contract performance (Art. 6(1)(b)) |
| Monitor and fix errors in production | Error traces, browser/device info | Legitimate interest (Art. 6(1)(f)) |
| Send marketing emails (only if you opt in) | Email, name, subscription tier | Consent (Art. 6(1)(a)) |
| Prevent abuse and enforce rate limits | User ID, usage patterns | Legitimate interest (Art. 6(1)(f)) |

For processing based on legitimate interest (Art. 6(1)(f)), we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section 10.2).

We do not use your data for:

  • Advertising or ad targeting
  • Selling to third parties
  • Profiling or automated decision-making that affects your rights
  • Training our own AI models

4.1 Automated Processing

OnTarget Studio uses AI to generate content (scripts, titles, research, strategy advice) based on your inputs. This automated processing:

  • Does not constitute automated decision-making under GDPR Article 22 -- AI outputs are content suggestions that do not produce legal or similarly significant effects on you
  • Does not involve profiling -- we do not analyze your personal characteristics to predict behavior, preferences, or interests
  • Leaves you with full editorial control over all AI-generated content

5. AI Processing and Third-Party AI Providers

OnTarget Studio uses multiple AI providers to generate content for you. We do not send your email, name, account information, or any personal identifiers to any AI provider. AI providers receive only the content data necessary to perform their specific function.

5.1 AI Providers — Script Generation Pipeline

| Provider | Location | What They Process | What They Do NOT Receive |
|---|---|---|---|
| Perplexity AI | United States | Your video topic, context, channel style | Email, name, user ID, IP |
| Google Gemini | United States | Research output, title, channel style | Email, name, user ID, IP |
| Anthropic Claude | United States | Concept, research, title, channel style | Email, name, user ID, IP |
| OpenAI | United States | Title seed, channel style, script text (for audio) | Email, name, user ID, IP |
| Inworld AI | United States | Script text, voice configuration (for audio) | Email, name, user ID, IP |

5.2 AI Provider — Channel Strategy Features (DeepSeek)

Our competitor analysis, channel name generation, title description, and Outlier Chat (Archer) features are powered by DeepSeek, an AI provider based in China (People's Republic of China).

What DeepSeek receives:

  • Competitor analysis: Public YouTube channel data, video transcripts, your channel positioning notes
  • Channel names: Niche/competitor context
  • Title descriptions: Video titles, channel style data
  • Outlier Chat: Your chat messages about channel strategy, channel context, YouTube video metadata

What DeepSeek does NOT receive:

  • Your email address
  • Your name
  • Your user ID or account information
  • Your payment information
  • Your IP address

Important notice about Outlier Chat: Archer is designed for YouTube channel strategy discussions. We apply automated filters to strip common personal data patterns (email addresses, phone numbers, financial information) from your messages before they are sent to DeepSeek. However, you control what you type. Please do not share personal, financial, or sensitive information in the chat.

China data transfer: Data sent to DeepSeek is processed in China. China does not have an EU or UK adequacy decision under GDPR/UK GDPR, and does not have privacy laws comparable to the NZ Privacy Act 2020 or Australian Privacy Act 1988. We protect this transfer through:

  • Standard Contractual Clauses (SCCs) between OnTarget Creators Ltd and DeepSeek, under Commission Implementing Decision (EU) 2021/914 (Module 2: Controller to Processor)
  • A Transfer Impact Assessment (TIA) documenting the risks of Chinese data protection and surveillance laws, and the supplementary safeguards we apply
  • Technical measures: no personal identifiers sent, input sanitization before transmission, output scanning before delivery, encryption in transit (TLS 1.2+)
  • Purpose limitation: only channel strategy and content data is transmitted (never account, payment, or contact information)

Your consent is required. Before you can use any DeepSeek-powered feature for the first time, you will be asked to explicitly consent to this data transfer after reviewing the risks and safeguards. You may decline and continue using all other OnTarget Studio features (script generation, title generation, audio generation) without any data being sent to China. You may withdraw your consent at any time via your account settings or by contacting privacy@ontargetcreators.com.

5.3 AI Provider Data Use Policies

We use all AI providers under their API/business terms, which prohibit using your data to train their models. Your content is processed and returned — it is not retained by AI providers for training purposes.


6. Who We Share Your Data With

We share your personal data only with the service providers ("sub-processors") necessary to operate OnTarget Studio. We do not sell your data.

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All account and content data | Sydney, Australia |
| Vercel | Website hosting and content delivery | HTTP requests, cookies | Global (US headquarters) |
| Google | OAuth sign-in, Gemini AI API | Sign-in: email, name, profile. AI: content only. | United States |
| Microsoft | OAuth sign-in | Email, name, Microsoft user ID | United States |
| Perplexity AI | Web research generation | Content data only | United States |
| Anthropic | Script generation (Claude API) | Content data only | United States |
| OpenAI | Title generation, text-to-speech audio | Content data only | United States |
| DeepSeek | Competitor analysis, channel names, title descriptions, Outlier Chat | Content and chat data (see Section 5.2) | China |
| Inworld AI | Audio/voice generation | Content data only | United States |
| Stripe | Payment processing | Email, name, subscription plan, card details | United States |
| Mailchimp | Email marketing (opt-in only) | Email, name, subscription tier | United States |
| Sentry | Error monitoring (production only) | Error traces, browser/device info | United States |
| Apify | YouTube transcript extraction (competitor analysis) | YouTube video URLs (public data) | Czech Republic / United States |
| Arcjet | Bot detection, rate limiting, attack shielding | IP address, request metadata | United States |

If we add or change sub-processors, we will update this section and notify you via email or in-app notification at least 14 days before the change takes effect.


7. International Data Transfers

Your data is stored primarily in Sydney, Australia (Supabase). Depending on the features you use, your data may be transferred to:

United States

Most of our service providers are based in the United States. For transfers from the EU, we rely on:

  • The EU-US Data Privacy Framework (DPF) for participating providers
  • Standard Contractual Clauses (SCCs) approved by the European Commission

For transfers from the United Kingdom, we rely on:

  • The UK Extension to the EU-US Data Privacy Framework for participating providers
  • The UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs approved by the UK Information Commissioner's Office (ICO)

For transfers from New Zealand, we comply with Information Privacy Principle 12 of the NZ Privacy Act 2020 by:

  • Making you aware of overseas transfers at or before the time of collection
  • Taking reasonable steps to ensure overseas recipients comply with privacy protections comparable to those in the NZ Privacy Act
  • Using Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs) where the recipient country does not provide comparable protections

For transfers from Australia, we comply with Australian Privacy Principle 8 by:

  • Taking reasonable steps to ensure overseas recipients do not breach the Australian Privacy Principles
  • Using Standard Contractual Clauses (SCCs) with US-based providers
  • Conducting Transfer Impact Assessments (TIAs) for transfers to jurisdictions without substantially similar privacy laws
  • Obtaining express consent before transferring data to China (via DeepSeek-powered features)

China (People's Republic of China)

Data is transferred to China only when you use features powered by DeepSeek (competitor analysis, channel names, title descriptions, Outlier Chat). See Section 5.2 for details on safeguards, consent requirements, and your right to decline.

No data is transferred to China when you use the script generation pipeline (research, concept, script, titles, audio).


8. How We Protect Your Data

We implement the following technical and organizational measures:

  • Encryption in transit: All data transmitted over TLS 1.2 or higher
  • Encryption at rest: Database encrypted with AES-256 (managed by Supabase)
  • Row Level Security (RLS): Every database table enforces user-level access — you can only see your own data
  • OAuth-only authentication: No passwords stored; authentication delegated to Google and Microsoft
  • Input sanitization: All user inputs are sanitized before processing, including chat messages sent to AI providers
  • Output scanning: AI-generated responses are scanned before delivery
  • Rate limiting: All features are rate-limited to prevent abuse
  • Minimal tracking: No analytics tools, no advertising pixels, no session recording. Only essential authentication cookies and production error monitoring (Sentry, 10% sampling).
  • Credit system with atomic operations: Financial operations (credit deductions) use database-level atomic transactions to prevent race conditions

8.1 Data Breach Notification

In the event of a notifiable privacy breach, we will comply with breach notification requirements under all applicable laws.

New Zealand (Privacy Act 2020, Part 6): If we become aware of a privacy breach that has caused, or is likely to cause, serious harm to affected individuals, we will:

  1. Notify the Office of the Privacy Commissioner (OPC) as soon as practicable after becoming aware of the breach (section 114)
  2. Notify affected individuals as soon as practicable by email (section 115), unless an exception applies
  3. Provide a description of the breach, kinds of personal information involved, likely consequences, remedial action taken, and our contact details (section 116)

Australia (Notifiable Data Breaches scheme, Part IIIC): If an eligible data breach occurs (unauthorized access, disclosure, or loss likely to result in serious harm), we will:

  1. Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  2. Notify affected Australian users as soon as practicable by email
  3. Provide our identity and contact details, a description of the breach, kinds of information involved, and recommended steps for affected individuals

European Union (GDPR Articles 33-34): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach (Article 33) and notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34).

United Kingdom (UK GDPR Articles 33-34, Data Protection Act 2018): We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach (Article 33 UK GDPR) and notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34 UK GDPR).

United States (state breach notification laws): We will comply with all applicable state data breach notification laws, including California Civil Code Section 1798.82, notifying affected users and relevant state authorities as required by applicable law.

If you believe you have been affected by a data breach involving your personal information, contact us immediately at privacy@ontargetcreators.com.


9. How Long We Keep Your Data

| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (email, name) | Duration of your account + 30 days | Service provision + recovery window |
| Generated content (scripts, titles, analyses, audio) | Duration of your account | Service provision |
| Chat history (Outlier Chat) | Duration of your account | Service provision |
| Credit transaction history | 7 years | Legal obligation (tax and accounting records) |
| Payment records (via Stripe) | 7 years | Legal obligation |
| Marketing data (Mailchimp) | Until you unsubscribe | Based on your consent |
| Error traces (Sentry) | 90 days | Service reliability |
| Server access logs (Vercel) | 30 days | Security and debugging |
| Database backups | 7 days (rotating) | Disaster recovery |

When you delete your account, all your data is deleted within 30 days, except:

  • Credit transaction records (retained 7 years, anonymized — required by law)
  • Data already in rotating backups (exits within 7 days of backup rotation)

10. Your Rights

10.1 Rights for All Users

Regardless of where you are located, you can:

  • Access your data — request a copy of all data we hold about you
  • Correct your data — update your profile information
  • Delete your account and all associated data
  • Withdraw consent for marketing emails at any time (one-click unsubscribe)

10.2 Additional Rights for EU/EEA and UK Users (GDPR / UK GDPR)

If you are in the European Union, European Economic Area, or the United Kingdom, you also have the right to:

  • Data portability — receive your data in a structured, machine-readable format (JSON/CSV)
  • Restrict processing — request that we limit how we use your data
  • Object to processing — object to processing based on legitimate interest
  • Lodge a complaint — with your local data protection authority
  • Withdraw consent — for any processing based on consent (e.g., marketing, China data transfers), without affecting the lawfulness of prior processing

To exercise these rights, contact us at privacy@ontargetcreators.com. We will respond within 30 days.

Note: Some data may be retained after account deletion where we have a legal obligation (e.g., credit transaction records retained for 7 years for tax compliance -- see Section 9).

10.3 Additional Rights for California Users (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Correct inaccurate personal information we maintain about you
  • Delete your personal information
  • Non-discrimination — we will not discriminate against you for exercising your rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

Categories of personal information collected:

  • Identifiers (email, name, Google/Microsoft user ID)
  • Internet activity (feature usage, error traces)
  • Commercial information (subscription tier, credit balance)

Categories of personal information disclosed for a business purpose:

  • Identifiers (to authentication providers, payment processor, email marketing)
  • User-generated content (to AI providers for content generation)

How to submit CCPA requests: You may exercise your CCPA rights by:

  1. Emailing privacy@ontargetcreators.com with subject "CCPA Request"
  2. Using the Export My Data or Delete Account options in Settings > Data & Privacy in your account

We will respond within 30 days. We may request verification of your identity before processing your request.

Authorized agents: You may designate an authorized agent to submit CCPA requests on your behalf. Your agent must provide signed written authorization or a power of attorney. We may verify your identity directly before processing the request.

Categories of sources from which we collect personal information:

  • Directly from you (account registration, content inputs, chat messages)
  • From authentication providers (Google, Microsoft -- during OAuth sign-in)
  • Automatically from your device (Sentry error monitoring, Vercel access logs)

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers (email, name, OAuth provider IDs)
  • Internet or other electronic network activity (feature usage patterns, error traces)
  • Commercial information (subscription tier, credit balance, transaction history)
  • User-generated content (scripts, titles, chat messages, competitor analyses)

Because we do not sell or share your personal information as defined by the CCPA/CPRA, we do not provide a "Do Not Sell or Share My Personal Information" link. If our practices change, we will provide this link prominently on our website.

10.4 Additional Rights for New Zealand Users (Privacy Act 2020)

If you are in New Zealand, you have the right to:

  • Access your personal information under Information Privacy Principle 6
  • Correct your personal information under Information Privacy Principle 7
  • Complain to us or to the Office of the Privacy Commissioner (OPC) if you believe we have breached the Information Privacy Principles

To exercise these rights, contact us at privacy@ontargetcreators.com. We will respond as soon as reasonably practicable, and in any case within 20 working days after receiving your request (as required by section 48 of the NZ Privacy Act 2020). We may extend this timeframe under section 50 if necessary, and will notify you if an extension applies.

Internal complaints procedure: If you believe we have breached the Information Privacy Principles, you may submit a complaint to privacy@ontargetcreators.com with subject line "Privacy Complaint". We will acknowledge your complaint within 5 working days and investigate and respond within 20 working days. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner (OPC) at https://www.privacy.org.nz.

10.5 Additional Rights for Australian Users (Privacy Act 1988)

If you are in Australia, you have the right to:

  • Access your personal information under Australian Privacy Principle 12
  • Correct your personal information under Australian Privacy Principle 13
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles

To exercise these rights, contact us at privacy@ontargetcreators.com. We will respond within 30 days.


11. Cookies and Local Storage

We use minimal cookies and local storage:

| Type | Name/Pattern | Purpose | Duration | Required? |
|---|---|---|---|---|
| Authentication cookie | `sb-*` | Maintains your login session | Session | Yes — service cannot function without it |
| Local storage | `theme` | Remembers your dark/light mode preference | Persistent | No — functional preference only |
| Local storage | `ontarget-pending-url` | Temporarily stores navigation state during sign-in | Auto-clears after 5 minutes | No — functional only |
| Local storage | `ontarget-pending-type` | Temporarily stores analysis type during sign-in | Auto-clears after 5 minutes | No — functional only |

We do not use:

  • Tracking cookies
  • Third-party cookies
  • Advertising cookies
  • Analytics cookies

Because we only use strictly necessary cookies, we do not require cookie consent under GDPR (Recital 30, ePrivacy Directive Art. 5(3) exemption for necessary cookies). However, we disclose all cookies transparently in this policy.

For more details, see our Cookie Policy.


12. Children's Privacy

OnTarget Studio is not intended for children. We do not knowingly collect personal data from anyone under the age of 16.

If you are under 16, you may not use OnTarget Studio or create an account.

If we discover that we have collected personal data from a child under 16, we will delete that data promptly. If you believe a child under 16 has created an account or provided us with personal information, please contact us at privacy@ontargetcreators.com.

Parents and guardians: If you believe your child under 16 has created an account, please contact us to request deletion.


13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you by email or through an in-app notification
  • Where required by law, obtain your consent before applying changes

We encourage you to review this policy periodically.


14. Contact Us

If you have questions about this Privacy Policy or want to exercise your rights:

  • Email: privacy@ontargetcreators.com
  • Mail: OnTarget Creators Ltd, 2/33 Beedley Street, Spreydon 8024, Canterbury, New Zealand
  • Website: ontargetcreators.com

For EU-specific inquiries, you may also contact your local data protection authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

For UK inquiries, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

For New Zealand inquiries, you may contact the Office of the Privacy Commissioner (OPC) at https://www.privacy.org.nz.

For Australian inquiries, you may contact the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.


This Privacy Policy was last reviewed on 2026-02-26.