Motion Index — Privacy Policy

Last updated: March 2026

1. Who We Are

Motion Index ("we," "us," "our") operates the platform at motionindex.io — a search engine for product films, providing a curated video reference library and creative workspace for motion design and filmmaking professionals. We are based in Norway and act as the data controller for personal data processed through the Service.

For questions about this policy or your data, contact us at [contact@motionindex.io].

2. What Data We Collect

2.1 — Account Information

When you create an account, we collect:

  • Email address
  • Password (stored as a one-way hash — we never store or see your actual password)
  • Name (optional)
  • Profile image URL (optional)
  • Authentication provider (if using Google or Apple sign-in)

2.2 — Device and Session Information

When you use the Service, we automatically collect:

  • IP address
  • User agent (browser type and version)
  • Device type and identifier
  • Session timestamps (login time, last active)

This information is used to manage your active sessions, enforce device limits, and maintain account security.

2.3 — Usage Data

We collect basic usage metrics to improve the Service:

  • Account creation date
  • Last active date
  • Total time spent in the Service
  • Days active and current usage streak
  • API request count (rolling 30-day window)

2.4 — User-Created Content

We store content you create within the Service:

  • Collections and saved references
  • Canvas projects, drawings, and annotations
  • Files you upload to the Service
  • Project version history
  • Collaboration settings and shared project configurations

2.5 — Payment Information

Payment data is collected and processed by Stripe, our payment processor. We do not store your credit card number, CVV, or full payment card details on our servers. Stripe provides us with limited billing information (card type, last four digits, expiration date) for display in your account settings.

3. What We Do NOT Collect

  • We do not use Google Analytics or any similar page-view analytics
  • We do not use session replay or screen recording tools
  • We do not use marketing cookies or tracking pixels
  • We do not use third-party advertising trackers
  • We do not sell your personal data to anyone
  • We do not build advertising profiles based on your usage

4. How We Use Your Data

We use the data we collect for the following purposes:

| Purpose | Legal Basis (GDPR) | |---|---| | Providing and operating the Service | Performance of contract (Art. 6(1)(b)) | | Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) | | Sending account-related emails (verification, trial reminders, billing) | Performance of contract (Art. 6(1)(b)) | | Maintaining account security and managing sessions | Legitimate interest (Art. 6(1)(f)) | | Monitoring for abuse and enforcing Terms of Service | Legitimate interest (Art. 6(1)(f)) | | Diagnosing errors and improving platform stability | Legitimate interest (Art. 6(1)(f)) | | Complying with legal obligations (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |

We do not use your data for targeted advertising, profiling, or automated decision-making that produces legal effects.

5. Third-Party Services

We share data with the following third-party services as necessary to operate the platform:

5.1 — Payment Processing

| Service | Data Shared | Purpose | |---|---|---| | Stripe (US) | Email, tokenized payment card data, subscription status | Payment processing, billing, invoicing |

Stripe's privacy policy: https://stripe.com/privacy

5.2 — Video Platforms

| Service | Data Shared | Purpose | |---|---|---| | YouTube (Google, US) | Your IP address, standard embed request data | Video playback via iframe embed | | Vimeo (US) | Your IP address, standard embed request data | Video playback via iframe embed |

When you play a video through an embed on Motion Index, your browser makes a direct connection to YouTube or Vimeo. This is standard web behaviour for embedded video players and is subject to those platforms' own privacy policies.

5.3 — Infrastructure and Operations

| Service | Data Shared | Purpose | Location | |---|---|---|---| | AWS S3 | Uploaded files, cached images | Media storage | EU (eu-central-1, Frankfurt) | | Sentry | Error traces (cookies scrubbed), performance data at 10% sample rate | Error tracking and performance monitoring | US | | Resend | Email address, email content | Transactional emails (verification, billing) | US | | Google Fonts | Standard font request data (IP address) | Font loading (Geist Sans, Geist Mono) | US |

5.4 — Search and Analysis

| Service | Data Shared | Purpose | |---|---|---| | OpenAI (US) | Video/frame metadata (not user personal data) | Generating search embeddings for similarity search |

OpenAI is used to generate vector embeddings from video metadata to power visual and semantic search. No personally identifiable user data is sent to OpenAI. The data processed consists of video frame characteristics and metadata, not user information.

5.5 — Authentication

| Service | Data Shared | Purpose | |---|---|---| | Google OAuth | OAuth tokens, email address | Social login | | Apple OAuth | OAuth tokens, email address | Social login |

When you choose to sign in with Google or Apple, the authentication provider shares your email address and a unique identifier with us. We do not receive your password from these providers.

6. International Data Transfers

Motion Index is operated from Norway (EEA). Some of our third-party service providers are based in the United States. When personal data is transferred outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Provider-specific data protection agreements

7. Data Retention

| Data Type | Retention Period | |---|---| | Account information | Until you delete your account | | Session data | Automatically pruned when sessions expire or are revoked | | Usage metrics | Until you delete your account | | User content (collections, projects, uploads) | Until you delete the content or your account | | Payment and billing records | As required by Norwegian tax law (typically 5 years) | | Error logs (Sentry) | 90 days | | Transactional email records | 30 days |

When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (such as billing records for tax compliance).

8. Your Rights (GDPR)

As a user in the EEA or Norway, you have the following rights under the General Data Protection Regulation:

  • Access — You can request a copy of the personal data we hold about you.
  • Rectification — You can ask us to correct inaccurate personal data.
  • Erasure — You can ask us to delete your personal data (subject to legal retention requirements).
  • Restriction — You can ask us to restrict processing of your data in certain circumstances.
  • Portability — You can request your data in a structured, machine-readable format.
  • Objection — You can object to processing based on legitimate interest.
  • Withdrawal of consent — Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at [contact@motionindex.io]. We will respond within 30 days as required by GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): https://www.datatilsynet.no.

9. Cookies and Local Storage

Motion Index uses minimal cookies and browser storage. For full details, see our Cookie Policy.

In summary:

  • Authentication cookies — Required for you to stay logged in. These are essential and cannot be disabled while using the Service.
  • Local storage — Used to remember your UI preferences (theme, display mode, grid settings, sort preferences) and to cache gallery data for performance. This data stays on your device and is not transmitted to our servers.

We do not use marketing cookies, advertising trackers, or third-party analytics cookies.

10. Children's Privacy

Motion Index is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [contact@motionindex.io].

11. Security

We take reasonable technical and organisational measures to protect your personal data, including:

  • Passwords stored using one-way hashing (never stored in plain text)
  • Cookie-based authentication with secure session management
  • HTTPS encryption for all data in transit
  • Media storage in EU-based AWS infrastructure (Frankfurt)
  • Error tracking with cookies and sensitive data scrubbed before transmission
  • Console logging stripped in production (except error-level events)

No system is perfectly secure. While we take data protection seriously, we cannot guarantee absolute security. If we become aware of a data breach that affects your personal data, we will notify you and the relevant supervisory authority as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice within the Service at least 14 days before the changes take effect.

The current version of this policy is always available at motionindex.io/privacy.

13. Contact

For questions about this Privacy Policy, data requests, or privacy concerns:

Email: [contact@motionindex.io] Website: motionindex.io Supervisory authority: Datatilsynet (Norwegian Data Protection Authority) — https://www.datatilsynet.no

This Privacy Policy was last updated on [date].

Privacy Policy — Motion Index | Motion Index