Data in transit
Every connection to AlcheClip is served over TLS. Uploads from your browser to Supabase Storage use signed PUT URLs over HTTPS. The signing endpoint is rate-limited, and the URLs it issues are short-lived (they expire in minutes, not hours). No video data ever travels unencrypted.
Data at rest
Source videos, generated clips, transcripts, and zip archives live in private Supabase Storage buckets. Per-user row-level security (RLS) policies enforce that one customer cannot access another customer's data even if they have the storage path. Supabase encrypts data at rest using AES-256.
Auto-deletion
Source uploads, generated clips, and zip archives auto-delete 30 days after the job is created. This is non-negotiable and applies to every plan including Pro. If you need a clip after 30 days, re-upload the source. We'll happily re-process it.
Account auth
Authentication is handled by Supabase Auth: email + password (with bcrypt hashing) or Google OAuth. Sessions are stored in HTTP-only, secure cookies that are refreshed via middleware and carry the SameSite attribute to prevent CSRF.
Billing security
AlcheClip never sees your full credit card number. Card details and billing cycles are handled entirely by Stripe (PCI DSS Level 1 compliant). We store only the Stripe customer ID and the subscription state. Webhooks are signature-verified before processing.
What we don't do
- We never train AI models on your videos. Not our own models, not OpenAI's. Whisper transcription runs against OpenAI's API, where API requests are not used for training under standard API terms.
- We never sell, share, or syndicate your videos. No affiliate networks. No data brokers. No marketing partners.
- We never apply a watermark on the Basic or Pro plan. The pixels you receive are yours.
Sub-processors
We use a small, deliberately chosen set of vendors to operate the Service. Each is bound by its own contract and security certifications:
- Supabase — auth, Postgres, storage, realtime. SOC 2 Type 2.
- Vercel — application hosting and serverless compute. SOC 2 Type 2.
- Inngest — pipeline orchestration. SOC 2 Type 2.
- OpenAI — Whisper transcription. SOC 2 Type 2 with enterprise data terms; API calls are not used for training.
- Stripe — billing. PCI DSS Level 1.
- Upstash — rate limiting (counters only, no content).
Reporting a vulnerability
Found something concerning? Email security@alcheclip.com. We triage every report, won't pursue legal action against good-faith researchers, and credit responsible disclosure when patches ship.
Status & incidents
Major incidents are communicated by email to active subscribers. A public status page is on the near-term roadmap. In the meantime, check Supabase status, Vercel status, and OpenAI status if AlcheClip feels degraded — most user-visible incidents trace to those upstreams.