Privacy Policy

Last updated: February 2026 — Version 1.0

1. WHO WE ARE

This Privacy Policy applies to Send Video by Comet Studios ("we", "us", "the Operator"), a service of Comet Studios Pty Ltd, located at 81-83 Campbell Street, Surry Hills, NSW 2010, Australia. We also operate in New Zealand and may operate localised versions of this platform in other jurisdictions.

We operate the Send Video platform (sendvideo.comet-studios.com), which enables businesses to send, track, and manage professional marketing video emails. We also provide a Send on Behalf B2B outreach service where we send emails on behalf of our clients to business contacts.

For the purposes of the General Data Protection Regulation (GDPR), we act as a Data Processor when sending emails on behalf of our clients, and as a Data Controller for the client account data we collect directly.

Contact: privacy@comet-studios.com

2. WHAT DATA WE COLLECT

2.1 Client Account Data (Controller)

When you create a Send Video account, we collect:

  • Email address and password (hashed, never stored in plain text)
  • Business name, legal business name, and ABN
  • Contact name and phone number
  • Business address (street, city, state, postcode)
  • Brand settings (logo URL, brand colours)
  • Payment information (processed by Stripe — we do not store card details)

2.2 Client Contact Lists (Processor)

Clients may upload their own contact lists for email campaigns. We store only the minimum data required for email delivery:

  • Name
  • Email address
  • Company name
  • Phone number

This data is provided by the client, who acts as the Data Controller. We process it solely for the purpose of delivering emails on their behalf.

2.3 Send on Behalf Contact Data (Processor)

For our Send on Behalf B2B outreach service, we source business contact data from publicly available directories, government registries, and professional listings. This data is limited to:

  • Name
  • Business email address
  • Company name
  • Phone number

This is publicly available business information only. We do not collect personal or consumer data. The client never sees individual contact details — only aggregated delivery statistics.

2.5 Website Scanning for Content Creation

Our content creation services (Video Reels, Slide Decks, Talking Heads, Guided Tours) use automated website scanning technology to capture page content and screenshots from business websites for the sole purpose of creating promotional video content. This scanning is entirely separate from our contact data sourcing.

Website scanning for content creation:

  • Does not extract, collect, or store email addresses, phone numbers, or any contact information from the websites scanned
  • Captures only visual page content (text, images, layout) for video generation
  • Is not "address harvesting" as defined by the NZ Unsolicited Electronic Messages Act 2007 (Section 9) or the AU Spam Act 2003
  • Operates independently from the Send on Behalf outreach service

Contact data for the Send on Behalf service is sourced through entirely separate channels — public business directories, government registries, and professional listings — as described in section 2.3 above.

2.4 Technical & Usage Data

  • IP addresses (for T&Cs acceptance records and security)
  • Session data (HTTP-only secure cookies for authentication)
  • Email delivery status (sent, delivered, bounced, failed)
  • Video view and engagement statistics

3. LEGAL BASES FOR PROCESSING

Under the GDPR (Article 6):

  • Contract performance (Art. 6(1)(b)): Processing client account data to provide the services you have subscribed to.
  • Legitimate interest (Art. 6(1)(f)): B2B outreach to business contacts using publicly available information, where the recipient's reasonable expectation includes receiving relevant business communications. This is balanced against the minimal nature of the data processed and the functional unsubscribe mechanism provided.
  • Legal obligation (Art. 6(1)(c)): Maintaining records as required by the Spam Act 2003 (Cth), including suppression lists and delivery logs.
  • Consent (Art. 6(1)(a)): Where clients explicitly accept our Terms & Conditions and authorise sends on their behalf.

Under Australian Privacy Act 1988:

We comply with the Australian Privacy Principles (APPs). Business contact information sourced from publicly available sources is handled in accordance with APP 3 (collection) and APP 6 (use and disclosure).

Under New Zealand Privacy Act 2020:

We comply with the Information Privacy Principles (IPPs). We collect personal information directly from individuals where possible (IPP 2), for lawful purposes connected to our business functions (IPP 1), and take reasonable steps to ensure accuracy (IPP 8). The NZ Privacy Act applies to all businesses handling NZ residents' data regardless of revenue or size.

4. OUR ROLE AS DATA PROCESSOR

When we send emails on behalf of our clients (both from their own contact lists and via the Send on Behalf service), we act as a Data Processor under GDPR Article 28. In this capacity:

  • We process data only on documented instructions from the client (the campaign request).
  • We ensure that persons authorised to process the data have committed to confidentiality.
  • We implement appropriate technical and organisational security measures (see Section 7).
  • We do not engage sub-processors without the client's knowledge (see Section 6).
  • We assist the client in responding to data subject access requests.
  • We delete or return all personal data at the end of the service relationship, subject to legal retention requirements.
  • We make available all information necessary to demonstrate compliance.

The client (Data Controller) is responsible for ensuring they have a lawful basis for the communications sent on their behalf, as outlined in our Terms & Conditions.

5. HOW WE USE YOUR DATA

  • To deliver email campaigns on behalf of clients
  • To track email delivery status and video engagement
  • To manage subscriptions and process payments
  • To maintain suppression lists and honour unsubscribe requests
  • To comply with legal obligations (Spam Act record-keeping)
  • To protect our sending reputation and prevent abuse
  • To provide aggregated reporting to clients

We do not sell, rent, or trade personal data to third parties. We do not use personal data for profiling or automated decision-making.

6. SUB-PROCESSORS & THIRD PARTIES

We use the following sub-processors to deliver our services:

Service Purpose Location
StripePayment processingUSA (Privacy Shield / SCCs)
SMTP2GOEmail deliveryNew Zealand
VultrServer hosting & object storageAustralia (Sydney)
CloudflareCDN & DDoS protectionGlobal (edge network)
AWS PollyText-to-speech (no personal data)Australia (Sydney)

Each sub-processor is bound by their own privacy policies and data processing terms. We do not share contact data beyond what is necessary for email delivery (SMTP2GO receives recipient email addresses for delivery only).

7. DATA SECURITY

  • All data is transmitted over HTTPS/TLS encryption
  • Passwords are hashed using bcrypt (never stored in plain text)
  • Sessions use HTTP-only secure cookies with rate-limited login attempts
  • Database access is restricted to application-level service accounts
  • Payment card data is handled entirely by Stripe (PCI DSS compliant) — we never see or store card numbers
  • Regular security updates and monitoring on all servers

8. DATA RETENTION

  • Client account data: Retained for the duration of the account and 12 months after closure, then deleted.
  • Email delivery logs: Retained for 3 years as required by the Spam Act 2003 (Cth).
  • Suppression lists: Retained permanently to ensure we never re-contact someone who has unsubscribed.
  • T&Cs acceptance records: Retained permanently as proof of agreement.
  • Payment records: Retained as required by Australian tax law (5 years).
  • Contact list data: Retained for the duration of active campaigns plus 12 months, then deleted unless legally required.

9. INTERNATIONAL DATA TRANSFERS

Our primary servers are located in Sydney, Australia. Where data is transferred to sub-processors outside Australia (e.g., Stripe in the USA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Sub-processors with certified compliance frameworks (Privacy Shield, SOC 2, ISO 27001)
  • Assessment of adequacy under APP 8 (cross-border disclosure) of the Australian Privacy Act

10. YOUR RIGHTS

Under GDPR (EU/UK residents):

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
  • Right to Restrict Processing (Art. 18): Request that we limit how we use your data.
  • Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest, including direct marketing.
  • Right to Lodge a Complaint: You may complain to your local supervisory authority (e.g., the ICO in the UK, or the relevant DPA in your EU member state).

Under Australian Privacy Act:

  • APP 12 — Access: You may request access to the personal information we hold about you.
  • APP 13 — Correction: You may request correction of inaccurate information.
  • Complaints: You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Under New Zealand Privacy Act 2020:

  • IPP 6 — Access: You may request access to the personal information we hold about you.
  • IPP 7 — Correction: You may request correction of inaccurate, misleading, or out-of-date information.
  • Mandatory Breach Notification: We are required to notify affected individuals and the NZ Privacy Commissioner if a privacy breach is likely to cause serious harm.
  • Complaints: You may lodge a complaint with the Office of the Privacy Commissioner (OPC) at privacy.org.nz.

For email recipients (contacts):

  • Every email includes a functional unsubscribe link. Unsubscribe requests are honoured within 5 business days.
  • Once unsubscribed, your email is permanently added to a suppression list and you will never receive further emails from that sender through our platform.
  • You may contact us directly at privacy@comet-studios.com to exercise any of the rights listed above.

To exercise any of these rights, contact us at privacy@comet-studios.com. We will respond within 30 days (or one month under GDPR).

11. COOKIES & SESSIONS

We use only essential cookies required for the operation of the platform:

  • Session cookie (sv_session): HTTP-only secure cookie for authentication. Expires on browser close or after inactivity.
  • Theme preference (sv-theme): Local storage item for dark/light mode. Not a cookie, not transmitted to our servers.

We do not use analytics cookies, advertising cookies, or third-party tracking. No consent banner is required as we use only strictly necessary cookies.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated to registered clients via email. The latest version is always available at sendvideo.comet-studios.com/privacy.

13. CONTACT

For any privacy-related questions, data access requests, or complaints:

  • Email: privacy@comet-studios.com
  • Post: Privacy Officer, Comet Studios Pty Ltd, 81-83 Campbell Street, Surry Hills, NSW 2010, Australia

14. GOVERNING LAW

This Privacy Policy is governed by the laws of New South Wales, Australia for Australian operations, and by the laws of New Zealand for New Zealand operations, without prejudice to applicable GDPR provisions for EU/UK data subjects or the NZ Privacy Act 2020 for NZ data subjects.