Ferment — Privacy Policy

Last updated: June 1, 2026

This policy explains what we collect, why, how we handle it, and the choices and rights you have. The short version: we collect what we need to run Ferment, we use trusted providers to process it, and we don’t sell your personal information or your content, and we don’t use it for advertising.

It’s published by 4x10 Inc., a Delaware corporation (“Ferment,” “we,” “us”) — the company behind Ferment Cuts, Ferment Studio, the Ferment Engine, and our websites and apps (the “Services”). It covers visitors, people who sign up, and account holders. For the personal data described here, 4x10 Inc. is the controller. This policy works alongside our Terms of Service.

Contents

1. What we collect and why
2. How we use your information
3. How AI features handle your content
4. Voice and biometric data
5. The mobile app and Apple
6. Cookies, analytics, and diagnostics
7. When we share information
8. How we keep your data safe
9. How long we keep it
10. Deleting your content and account
11. Your privacy rights
12. California privacy rights
13. Other U.S. state privacy rights
14. EU, UK, and Switzerland (GDPR)
15. Children and minors
16. Where your data lives
17. Changes to this policy
18. Contact

1. What we collect and why

Our rule is to collect only what we need to run the Services.

Account and identity. Your email address, and — if you use Sign in with Apple — an identifier and the email you choose to share (which may be a private Apple relay address). You can start as a guest, in which case we create a temporary account tied to your device until you add an email. You can also add optional profile details and a short “creator profile” you write to guide the AI.

Billing. If you buy a subscription or credits, your payment is handled by Stripe (web) or Apple (iOS). Card numbers go straight to them and don’t reach our servers. We keep a transaction record — last four digits, billing country, plan, renewal date — for invoicing, taxes, fraud prevention, and support.

Your content. The video, audio, images, voice recordings, and project data you upload or create, plus the prompts and instructions you give the AI and your conversation history with the assistant.

Derived data. To run features, we also create data derived from your Content — for example transcripts, captions, scene boundaries, beat and audio analysis, embeddings, object and scene detections, edit decisions, render graphs, and generated outputs.

Voice and biometric data. If you use voice cloning, we process your voice recordings and create a voice model. This can be biometric data and gets special treatment — see Section 4.

Usage and technical data. Technical information we need to run and protect the Services: your IP address, device and app version, operating system, language, time zone, and (on mobile) a push-notification token and its permission state. We also track your credit usage, storage usage, and the operations you run.

Diagnostics. Limited crash and error data so we can fix problems (see Section 6).

Messages to us. If you email support or answer a survey, we keep that correspondence for context.

Some of this is sensitive information under certain laws — in particular your biometric data (voiceprints). We treat it accordingly (Sections 4, 12, 13).

2. How we use your information

We use the information above to:

• provide the Services — store your content, run the edits and AI operations you ask for, render and deliver your exports;
• handle billing — process payments, apply credits, send invoices, prevent fraud;
• communicate with you — sign-in links, service and account notices, and (if you opt in) product updates you can unsubscribe from anytime;
• keep things secure — authenticate you, prevent abuse, and protect the Services and our users;
• support you — answer questions and troubleshoot; and
• maintain and improve the Services — understand how features are used and build better ones. Where the law allows, this may include using content to train and improve our models, using de-identified or aggregated data where we can — except that we won’t use your voice or biometric data, or the faces or voices of other people who appear in your content, to train models without consent (Section 4).

We don’t sell your personal information or your content, we don’t “share” it for cross-context behavioral advertising, and we don’t build advertising profiles.

3. How AI features handle your content

Many features use AI. To do what you ask — transcribe a clip, generate captions, synthesize a voice, analyze audio, render a video, or answer in the assistant — we and our third-party AI providers process your content. That means some of your content (video, audio, voice recordings, images, and prompts) is sent to those providers to run the operation. They process it to provide their service to us, under their own terms.

The AI features are tools you direct. We don’t make decisions about you that produce legal or similarly significant effects based solely on automated processing — you request and control the outputs. AI output can be inaccurate; our Terms of Service explain what that means for how you use it. Some AI-generated or AI-edited output may carry labels, metadata, watermarks, or provenance signals where required by law, platform rules, or our safety practices.

4. Voice and biometric data

If you create a cloned or “brand-kit” voice — from your own voice, or someone else’s voice you have the right and their written consent to use — we collect the voice recordings and generate a voiceprint (a mathematical representation of the voice’s characteristics). Depending on where you live, this may be biometric data, a biometric identifier, or sensitive data under laws including the Illinois Biometric Information Privacy Act (BIPA), the Texas CUBI Act, Washington’s biometric law, and state privacy laws such as Colorado’s, Connecticut’s, and Virginia’s. Voice features are available only to adults 18 and older (see our Terms), and we don’t knowingly create a voiceprint from anyone under 18. Here’s how we handle this data:

• Purpose. We collect and process voice data only to create, train, store, and operate the voice model you request and to deliver the audio you ask us to generate. We don’t use it to infer characteristics about you, or to profile or target you.
• Who processes it. Your recordings and voiceprints are stored in our own cloud storage (on Nebius and Tigris), and we use a third-party voice-AI provider to create and run your voice model (our current provider is named in Section 7). We choose a provider whose terms don’t claim the right to train its own general models on your inputs. The provider stores a voice model on its side to generate speech; when you delete a voice or your account, we delete our copy and instruct the provider to delete its voice model and the source audio. It’s an independent company acting under its own terms; we don’t control it. We don’t share your voice data with anyone else except as described below.
• Consent. We process your voice data and voiceprint only with your opt-in consent, given before collection through a consent step that describes what we collect, the specific purpose, and how long we keep it. You can withdraw consent at any time by deleting the voice or your account; withdrawal doesn’t affect processing already done.
• Retention and destruction. We keep voice data and voiceprints only as long as needed for that purpose. Consistent with BIPA, we permanently destroy them when the purpose is satisfied, or within three (3) years of your last interaction with us, whichever comes first. Where Texas law applies, we destroy them no later than one (1) year after the purpose expires. When you delete a voice or your account, we promptly remove the associated recordings and voiceprints from active storage and delete them from backups on our normal backup cycle, and we instruct our voice-AI provider to delete its voice model and the source audio — except for limited records the law requires us to keep — using methods designed to make the data unrecoverable.
• No sale, no profit, limited disclosure. We do not sell, lease, trade, or profit from your voice or biometric data, and we don’t disclose it except: with your consent; to service providers acting for us under confidentiality and security obligations, solely to run the feature; as required by law; or under a valid warrant or subpoena.
• No training without consent. We don’t use your voice or biometric data to train general-purpose models for us or anyone else without your separate opt-in.
• Security. We protect this data using at least the reasonable standard of care in our industry, including encryption in transit and at rest.

This section is published, in part, to meet the written-policy requirement of the Illinois Biometric Information Privacy Act.

5. The mobile app and Apple

Permissions. Our app asks before using privacy-sensitive features of your device: camera (to record video), microphone (to record audio, including voice recordings), photo library (to save your exports), and notifications. These are optional and you control them in your device settings; some features won’t work without them. We don’t request your contacts or precise location.

Sign in with Apple. If you use it, we receive a unique identifier and, if you choose to share them, your name and email (which may be an Apple relay address). We use this only to create and secure your account.

No tracking. We do not track you across other companies’ apps or websites, and we don’t share your data with data brokers or advertising networks. Because we don’t “track” as Apple defines it, we don’t show the App Tracking Transparency prompt.

In-app purchases. Subscriptions and credits bought in the app are processed through Apple In-App Purchase. Apple processes the payment — we never receive your full card details — and we use a subscription-management provider to validate and track your subscription, which receives your purchase and device-technical information.

Deleting your account in the app. You can delete your account and its data from within the app — see Section 10.

6. Cookies, analytics, and diagnostics

Website. Our websites use only cookies that are strictly necessary to make the site work (for example, security and basic functionality) and to remember your sign-in and preferences. We do not use third-party analytics, advertising cookies, or tracking pixels, so we don’t show a cookie banner. You can control cookies in your browser, though some features may not work without them. If we ever add analytics that require it, we’ll ask for consent where the law requires. Because we don’t track you across sites or apps, we don’t change our behavior in response to browser “Do Not Track” or Global Privacy Control signals — there’s nothing for them to opt you out of.

Diagnostics. Our mobile app uses a crash-reporting provider to collect limited crash and error information (device model, OS and app version, and technical error details) so we can fix bugs. It’s configured to minimize personal data — it doesn’t capture your videos or screen content — and we don’t use it for analytics, profiling, or advertising.

7. When we share information

We share information only as needed to run the Services or as described here. We don’t sell it, and we don’t publish your Content, list it publicly, or make it visible to other users — you control any sharing by exporting, inviting someone, or connecting a third-party service.

• Service providers (subprocessors). Trusted providers for cloud hosting and storage, AI and media processing, payments, communications, security, and diagnostics. Our infrastructure runs on Nebius, where we also run most AI processing in-house; we store files and data (including voice recordings and voiceprints) on Nebius and Tigris (object storage); for models we don’t run ourselves we use inference providers such as Fal, Replicate, and Fireworks (video and media) and Inworld AI (voice synthesis and cloning); and payments go through Stripe (web) and Apple (iOS). We use additional providers for things like subscription management, email, communications, security, and diagnostics, and may add or change providers as the Services evolve. They may use your data only to provide their service to us. Where available, we use provider settings intended to limit retention and prevent provider training, though retention can vary by provider and feature; we may publish and update a subprocessor list with the key providers and what they handle.
• At your direction. If you connect a third-party service or share something yourself, we exchange the data needed to do that.
• Legal and safety. We may disclose information if required by valid legal process, or where we believe in good faith it’s necessary to comply with law, enforce our Terms, or protect the rights, safety, or security of our users, the public, or Ferment. Where allowed, our policy is to require proper legal process and to notify affected users.
• Business transfers. In a merger, acquisition, or sale of assets, your information may transfer as part of the deal; we’ll require it to stay protected under this policy or notify you of changes.
• Aggregated or de-identified data. We may use and share data that no longer identifies you for any purpose.

8. How we keep your data safe

We protect your data with encryption in transit (TLS), access controls, and other technical and organizational safeguards, and we limit who on our team can access it. Our team doesn’t access the content in your account unless it’s needed to provide support, troubleshoot, investigate abuse or security issues, comply with law, or with your permission. As required by New York’s SHIELD Act and similar laws, we maintain reasonable administrative, technical, and physical safeguards, and if a breach affecting your personal information occurs, we’ll notify you and the authorities as required by law. No system is perfectly secure, so we can’t guarantee absolute security — but we work hard to protect your information. To report a security concern, email support@ferment.run.

9. How long we keep it

We keep information for as long as we need it for the purposes in this policy, then delete or de-identify it:

• Your content — while your account is active (see Section 10 for deletion).
• Voice and biometric data — per the schedule in Section 4.
• Account and usage data — while your account is active and for a limited period afterward for security and records.
• Billing records — as long as required for tax, accounting, and legal purposes.
• Support messages — for as long as useful to help you.

Guest accounts and their content are temporary and may be deleted after a period of inactivity.

10. Deleting your content and account

You can delete content in the app, and you can delete your whole account at any time from within the app (and on the web). When you delete your account, it’s deactivated and your content becomes inaccessible right away. For a short window afterward you may be able to restore your account; after that, your content is permanently removed from our active systems within a reasonable time and from routine backups after that — except anything we must keep to meet a legal obligation, resolve a dispute, or enforce our agreements, and your voiceprint, which we destroy promptly on the faster schedule in Section 4. If deletion takes a little time to complete, we’ll let you know. Once content is permanently deleted we can’t recover it, so export anything you want to keep first.

11. Your privacy rights

Wherever you live, we try to offer the same core rights over your personal information:

• Access — get a copy of what we hold about you.
• Correct — fix information that’s wrong.
• Delete — ask us to delete your information (this may mean closing your account, since the Services may not work without it).
• Portability — receive your information in a portable form.
• Object or restrict — object to or limit certain processing.
• Withdraw consent — where we rely on consent (such as biometric data or marketing), withdraw it anytime.

You can do many of these yourself in your account. Otherwise email support@ferment.run and we’ll help. We respond within the time the law requires (generally 45 days in the U.S. or one month in the EU/UK, extendable for complex requests). We may need to verify your identity first (usually by confirming you control the account), and some information may be exempt under applicable law. We won’t discriminate against you for exercising these rights. If an authorized agent contacts us for you, we’ll ask for proof you authorized them.

12. California privacy rights

If you’re a California resident, the CCPA/CPRA gives you the rights in Section 11 plus the disclosures below. Together with any short notice we show when we collect your information, this policy is our “notice at collection.”

Categories we collect. In the last 12 months we’ve collected: identifiers (email, account and device identifiers); commercial information (purchases); internet/network and usage activity; audio, visual, and electronic information (your content); sensitive personal information — namely biometric information (voiceprints) and the contents of communications you create; and inferences. Sources: you, your device, and our payment processors. Purposes: to provide, secure, support, and improve the Services, process payments, and comply with law (see Section 2).

Sensitive personal information. We use your sensitive information (including biometric data) only to provide the features you ask for and for other purposes permitted without a right to limit — so we don’t offer a separate “limit” option, and we don’t use it to infer characteristics about you.

We don’t sell or share. We do not sell your personal information and do not share it for cross-context behavioral advertising, and we haven’t in the last 12 months. Because of that, we don’t provide a “Do Not Sell or Share My Personal Information” link, and there’s no sale or share for opt-out signals like Global Privacy Control to act on. We don’t knowingly sell or share the information of anyone under 16. We also don’t disclose your personal information to third parties for their own direct marketing, so there’s nothing to request under California’s “Shine the Light” law (Civil Code §1798.83).

Exercising your rights. Use the options in Section 11. You may also appeal a decision (see Section 13), and you won’t be discriminated against for exercising your rights.

13. Other U.S. state privacy rights

If you live in a state with a comprehensive privacy law (such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Florida, and others), you may have some or all of these rights:

• access/confirm, correct, delete, and obtain a portable copy of your personal data;
• opt out of (i) the sale of personal data, (ii) targeted advertising, and (iii) profiling with legal or similarly significant effects — we do none of these, so there’s nothing to opt out of, and we honor recognized universal opt-out signals to the extent they apply;
• control over sensitive data — we process biometric data and other sensitive data only with your opt-in consent, and only to provide what you ask for; you can withdraw consent anytime; and
• appeal — if we deny a request, you can appeal by emailing support@ferment.run; if you’re still unsatisfied, you can contact your state Attorney General.

To exercise any of these, use the options in Section 11.

14. EU, UK, and Switzerland (GDPR)

If you’re in the EEA, UK, or Switzerland, 4x10 Inc. is the controller of your personal data, and the GDPR and UK GDPR apply.

Legal bases. We rely on:

Voiceprints are special-category data and we process them only with your explicit, opt-in consent, which you can withdraw at any time (Section 4).

Your rights. Access, rectification, erasure, restriction, objection (including to legitimate-interests processing and marketing), portability, and withdrawing consent. You also have the right to complain to your local supervisory authority — in the UK, the Information Commissioner’s Office (ico.org.uk); in the EU, your national authority.

Automated decisions. We don’t make decisions with legal or similarly significant effects about you based solely on automated processing; our AI runs under your direction.

International transfers. Your data is processed in the United States and other countries. Where we transfer EEA, UK, or Swiss data, we use appropriate safeguards — the European Commission’s Standard Contractual Clauses (with the UK Addendum), and, where we are certified, the EU-US Data Privacy Framework and its UK and Swiss extensions. You can ask us for a copy of these safeguards.

EU/UK representatives. If and when we offer the Services in the EEA or UK and Article 27 requires it, we will appoint a representative in the EEA and in the UK — and a Data Protection Officer if the law requires one — and publish their contact details here.

15. Children and minors

The Services are for adults. You must be 18 or older to use them (13–17 only with a parent or guardian who agrees and supervises — see our Terms). The Services aren’t directed to children under 13, and we don’t knowingly collect their personal information; if we learn we have, we’ll delete it — including any audio containing a child’s voice. We don’t knowingly sell or share, or use for targeted advertising, the personal information of anyone under 16. New York residents under 18 have additional protections under the New York Child Data Protection Act, which we follow. If you believe a child has given us personal information, email support@ferment.run.

16. Where your data lives

We’re a U.S. company, and your information is processed in the United States and in other countries where we or our service providers operate. Laws there may differ from your own. By using the Services, you understand your information will be transferred and processed in these locations, with the safeguards in Section 14 where they apply.

17. Changes to this policy

We may update this policy to reflect new practices or legal requirements, and we review it at least once a year. If a change is significant, we’ll update the date above and let you know by email or in the app. Using the Services after a change takes effect means you accept the updated policy. For material changes to how we use your voice or biometric data, we’ll ask for fresh opt-in consent rather than relying on your continued use.

18. Contact

Questions, requests, or concerns about your privacy?

4x10 Inc. 228 Park Avenue S, PMB 85451 New York, NY 10003, USA support@ferment.run