EU/UK GDPR Information

Effective date: December 8, 2025

This page supplements the Privacy Policy of Reactivid and explains our practices under the EU General Data Protection Regulation (“GDPR”) and the UK GDPR. Reactivid is operated by Ellwood Bristol (“Ellwood Bristol”, “we”, “us”, “our”), an AI-driven video generation and automation company based in Ontario, Canada. We process personal data of individuals in the European Economic Area (“EEA”) and the United Kingdom (“UK”) as described here.

1) Controller, Representatives & Contact

Data Controller: Ellwood Bristol (operator of Reactivid).
Unless stated otherwise, we are the controller of personal data collected via our websites and Reactivid Services.

Primary contact (privacy): craig@ellwoodbristol.com
Please include “GDPR request” or “privacy inquiry” in the subject line where possible.
Mailing address: Ellwood Bristol (Reactivid)
153 Bristol Place
Sault Ste. Marie, Ontario
Canada
EU Representative (Art. 27 GDPR): To be appointed; details will be published here when available.
UK Representative (Art. 27 UK GDPR): To be appointed; details will be published here when available.

When we process personal data on behalf of an organizational customer (for example, a studio, agency, production team, or enterprise using Reactivid), that organization is the controller and Ellwood Bristol (Reactivid) acts as its processor. In those cases, our Data Processing Addendum (“DPA”) applies and the customer’s instructions govern how we process data on their behalf.

2) Scope

This notice applies to personal data processed by Reactivid in connection with our websites, applications, and services (collectively, the “Services”). It does not apply to anonymous or aggregated information that cannot reasonably be linked to an identifiable person.

3) Key GDPR Definitions

Open definitions

Personal data: Any information relating to an identified or identifiable natural person (a “data subject”).
Processing: Any operation performed on personal data (for example, collection, storage, use, disclosure, structuring, deletion).
Controller: The party that determines the purposes and means of processing personal data.
Processor: The party that processes personal data on behalf of the controller.

4) Categories of Personal Data

Typical categories of personal data processed by the Services are:

Category	Examples	Source
Account & Profile	Name, email address, account ID, organization, role (e.g., editor, producer), authentication details, workspace settings, preferences (for example, theme, locale)	You / your organization
Project & Media Data	Scripts, text prompts, outlines, notes, generated voiceover audio, uploaded or generated video, images, captions, timelines, export configurations, and any metadata you attach to projects	You / your collaborators / your devices
Usage & Device	IP address, approximate region, device and browser information, unique identifiers, feature usage, interaction events, log entries, performance telemetry, error traces	Automatic (via the Service)
Support & Communications	Support tickets, email messages, in-product feedback, and diagnostics you choose to share when troubleshooting	You
Integrations (optional)	Data exchanged with tools you connect (for example, cloud storage, identity providers, editing workflows like NLE project exports) consistent with your settings	Third parties (as configured by you or your organization)

We do not intentionally seek to collect special categories of personal data within the meaning of Art. 9 GDPR (for example, health data, biometric identifiers used for identification, political opinions) or children’s personal data. Please avoid uploading content that includes sensitive personal data or identifiable minors unless you have a lawful basis and appropriate consent where required.

5) Lawful Bases for Processing (Art. 6 GDPR)

Depending on your relationship with us and the context of processing, we rely on one or more of the following lawful bases:

Contract — to provide, maintain, and support the Services you request (for example, managing your account, handling your Reactivid projects, generating voiceovers, timelines, and exports).
Legitimate interests — to secure, operate, and improve the Services (for example, telemetry, abuse prevention, internal analytics) in a way that does not override your fundamental rights and freedoms. We perform balancing tests where required.
Consent — for certain optional activities such as non-essential cookies/analytics, some marketing communications, or optional data uses permitted by law. You can withdraw consent at any time without affecting processing that occurred before withdrawal.
Legal obligation — to comply with applicable law, regulatory requirements, and lawful requests from authorities.

Purpose	Examples	Primary Lawful Basis
Deliver core Reactivid features	Account management, scripting, voiceover generation, storyboarding, export pipelines to editing tools	Contract
Support & operational communications	Responding to support tickets, service notifications, critical updates	Contract / Legitimate interests
Security & abuse prevention	Monitoring for fraud or abuse, access controls, incident response, rate limiting	Legitimate interests / Legal obligation
Product analytics & improvement	Aggregated feature usage metrics, performance diagnostics, testing new functionality	Legitimate interests / Consent (for certain cookies/analytics in EEA/UK)
Marketing (optional)	Email newsletters or campaigns you opt into about Reactivid updates	Consent (withdrawable at any time)
Legal & compliance	Record-keeping, responding to legal requests, enforcing our terms	Legal obligation / Legitimate interests

6) AI, Language Models & Voice Generation

Reactivid uses AI models (including large language models, text-to-speech systems, and related tooling) to help transform scripts and prompts into structured video assets, such as outlines, captions, and voiceovers. Outputs are probabilistic and may be inaccurate or incomplete; they are intended as assistive tools for human creators, not standalone advice or decisions.

We may use de-identified or aggregated usage data to evaluate and improve AI features (for example, understanding which workflows are frequently used and where models underperform). Where required by applicable law, we will seek consent or provide an opt-out for certain uses. Limited human review of de-identified samples may occur under strict confidentiality to evaluate quality and safety.

Where third-party AI providers are used, they act as processors or sub-processors under contractual terms that restrict their use of personal data and include appropriate safeguards.

7) Processors & Sub-Processors

We engage vetted service providers for hosting, storage, analytics, security, email delivery, support, and related services. Each provider is bound by a data processing agreement with confidentiality, security, and sub-processing obligations consistent with GDPR/UK GDPR.

A current list of material sub-processors can be made available on request and is generally provided to enterprise customers through our DPA or related documentation. We will notify customers of material changes to sub-processors in accordance with our contractual commitments.

8) International Data Transfers

Personal data may be processed in countries outside the EEA/UK, including Canada and the United States. Where data are transferred internationally, we implement appropriate safeguards such as:

EU Standard Contractual Clauses (“SCCs”) for transfers from the EEA, and the UK International Data Transfer Addendum for UK transfers;
Data transfer risk assessments and supplementary measures, where appropriate;
Contractual commitments with processors and sub-processors to maintain data protection standards equivalent to those required by GDPR/UK GDPR.

You may request more information about specific transfer mechanisms (with redactions for confidentiality) by contacting us at the email above.

9) Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this notice and our Privacy Policy, to comply with legal and regulatory obligations, to resolve disputes, and to enforce agreements. Retention periods vary by data type and context (for example, account records vs. project/media assets vs. technical logs).

When data are no longer needed, we delete or irreversibly de-identify them in accordance with our internal policies. Backup copies are kept only for limited periods required for resilience and disaster recovery.

10) Security (Art. 32 GDPR)

We implement technical and organizational measures appropriate to the risk, which may include encryption in transit, access controls, environment isolation, logging, least-privilege practices, and periodic security reviews. No system is perfectly secure, and we cannot guarantee absolute security.

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authorities and affected users where required by law, and take reasonable steps to mitigate the impact.

11) Automated Decision-Making & Profiling

We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. The AI capabilities in Reactivid are designed to support creative and production workflows (for example, generating script suggestions or voiceover drafts) and remain subject to your control and editorial judgment.

12) Your GDPR Rights

Subject to the conditions and exceptions in GDPR/UK GDPR, you have the following rights with respect to your personal data:

Right of access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy of that data along with certain information.
Right to rectification (Art. 16): Request correction of inaccurate personal data and completion of incomplete data.
Right to erasure (Art. 17): Request deletion of personal data in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected and no legal basis for retention applies).
Right to restriction (Art. 18): Request that we restrict processing in certain situations (for example, while we assess a contested accuracy claim).
Right to data portability (Art. 20): Receive personal data you provided to us in a structured, commonly used and machine-readable format, and transmit it to another controller where technically feasible and legally required.
Right to object (Art. 21): Object to processing based on our legitimate interests and to direct marketing (including related profiling). We will stop such processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is needed for legal claims.
Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise these rights, contact us at craig@ellwoodbristol.com . We may need to verify your identity and may ask for additional information to process your request. We will respond within the timeframes required by applicable law.

Where we act as a processor for an organizational customer, we may direct you to contact that controller (for example, your studio, agency, or employer), and we will assist them in responding to your request as required by our DPA.

13) Complaints & Supervisory Authorities

If you believe that our processing of your personal data infringes GDPR/UK GDPR, you have the right to lodge a complaint with your local data protection authority (DPA) or, as applicable, the authority in the place of your habitual residence, place of work, or place of the alleged infringement.

We encourage you to contact us first at craig@ellwoodbristol.com so we can attempt to address your concerns directly.

Finding Your Supervisory Authority

A list of EU data protection authorities is available from the European Data Protection Board (EDPB). UK residents may contact the Information Commissioner’s Office (ICO).

14) Cookies & Consent

For non-essential cookies and similar technologies in the EEA/UK, we seek prior consent via a banner or settings interface and provide a way to withdraw or change your choices at any time. For details on the types of cookies we use, retention periods, and how to manage your preferences, please see our Cookies Policy.

15) Controller–Processor Terms (DPA)

For organizational customers where Reactivid acts as a processor, our DPA incorporates the requirements of Art. 28 GDPR/UK GDPR, including:

Subject matter and duration of processing;
Nature and purpose of processing (for example, AI-assisted video scripting, voiceover generation, and export workflows);
Types of personal data and categories of data subjects;
Obligations and rights of the controller, including confidentiality and security measures;
Sub-processor controls, data subject request assistance, DPIA support, and audit rights where applicable.

Customers may request a copy of the DPA or its key terms by contacting us through the usual support channels or at the email listed above.

16) Changes to This GDPR Notice

We may update this page from time to time to reflect changes in our data processing activities, Services, or legal requirements. If changes are material, we will provide appropriate notice (for example, via the Reactivid interface or by email where appropriate) and update the effective date at the top of this page.

Quick Links

Non-Legal Advice

This page is for general information and does not constitute legal advice. For specific questions about your obligations under EU/UK data protection law and how Reactivid fits into your workflows, you should consult legal counsel.