Effective Date: June 28, 2026
This Privacy Policy describes how Stonecraft Media ("Interact," "we," "us," or "our") collects, uses, and shares information when you use the Interact Video Platform (the "Service"). It covers two distinct groups: Publishers (businesses that create and embed interactive videos using our platform) and Viewers (end-users who watch those videos).
Geographic Restriction: The Service is available exclusively to businesses incorporated or operating in the United States. If you are not a US-based business, you are not authorized to access or use the Service.
Account Information
Name, email address, company name, and role
HighLevel account credentials (location ID, company ID, user ID) when accessing via HighLevel
Authentication tokens and session data
Profile information and preferences
Content and Media
Media files you upload (videos and associated images, such as thumbnails)
Interactive video projects and their content, which you create and configure within the platform editor (including interactive elements such as buttons, forms, polls, quizzes, hotspots, and any other interactive elements we may release in the future)
Custom branding and theme settings
Project metadata and descriptions
Legal and Compliance Information
Policy-acceptance records — the version of the Terms, Privacy Policy, and Data Processing Addendum you accepted, with timestamp and IP address
Consent policy URLs and banner configuration
Contact Sync basis selections and legitimate-interest attestations
Communications
Support requests and correspondence
Feedback and survey responses
Email communications with our team
Usage Information
Pages visited and features used within the platform
Time spent on the platform
Actions taken (creating projects, uploading media, configuring elements, etc.)
Error logs and performance data
Device and Browser Information (Publisher sessions)
IP address
Browser type and version
Operating system and device type
Referrer URLs
When end-users (Viewers) watch interactive videos published through Interact, we collect data on behalf of the Publisher. What we collect depends on whether the Viewer has consented to identified tracking.
Always collected — all Viewers (anonymous, no consent required):
Ephemeral session identifier
Video playback events (play, pause, seek, complete)
Node navigation paths through branching videos
Watch time and engagement metrics
Interactive element interactions (button clicks, poll votes, quiz answers, form submissions)
Coarse device type (mobile/tablet/desktop)
Country and region (state/province level)
Collected at the identified layer (activated automatically on deliberate play under the opt-out model, unless the Viewer opts out, GPC is present, or the Publisher has enabled affirmative-consent mode — see Section 4.2):
Persistent viewer identifier (cookie + localStorage, tied to a stable viewer record)
IP address
User-Agent string (browser type, version, OS)
Precise browser, OS, and device detail
Collected only with Viewer specific-consent (VPPA opt-in):
Video viewing activity forwarded to Publisher-configured third-party analytics providers (Google Analytics 4, Google Tag Manager, Facebook Pixel, Segment)
Precise geolocation (where Publisher has enabled this feature)
The verbatim disclosure text the Viewer accepted
Viewer-submitted contact information:
Name, email address, phone number, and any other fields included in Publisher's interactive forms, quizzes, or polls
This data is collected on behalf of the Publisher (Controller) and may be transmitted to Publisher's CRM via Contact Sync
What we do NOT collect from anonymous Viewers:
Raw User-Agent strings on anonymous sessions
Exact screen resolution or viewport dimensions
Any persistent browser identifier (no cookie, no localStorage write) until consent is granted
HighLevel Integration
User profile data from the HighLevel user who installs the app (name and email of the installing account administrator)
Location and company information
OAuth tokens for API access
Account-lifecycle webhook events delivered by HighLevel (app install, uninstall, app update, and external-auth connection), used to keep your account state synchronized. These events carry account, subscription, and installer-administrator information only — they do not transmit your HighLevel contacts or end-customer records to us
Payment Processors
Transaction information (when applicable)
Billing details and payment history (processed by Stripe; we do not store raw card data)
We use Publisher information to:
Create and manage your account
Process and store your media files
Render and deliver interactive videos to Viewers
Provide analytics and reporting dashboards
Record your acceptance of our Data Processing Addendum and other policies
Troubleshoot technical issues and monitor platform health
Maintain security and audit logs — we record authentication events (including successful logins, with the IP address and device/browser information associated with the login) to secure your account, investigate suspicious activity, and meet our security and accountability obligations
Send service-related notifications and product updates
Respond to support requests
Send marketing communications (with your consent; opt-out available at any time)
Detect and prevent fraud and abuse
Enforce our Terms of Service
Comply with legal obligations
We do not sell Publisher personal information to third parties.
Viewer Data is processed on behalf of and under the instructions of the Publisher (who is the data Controller for Viewer Data). Interact acts as a data Processor. We use Viewer Data to:
Deliver interactive video playback and interactive elements
Record and report analytics to the Publisher
Transmit Viewer contact information to Publisher's CRM (Contact Sync, when enabled and lawfully authorized)
Forward events to Publisher-configured third-party analytics pixels (specific-consent tier only)
Record Viewer consent decisions for regulatory compliance
Enable Publisher to fulfill Viewer data subject requests (access, deletion, opt-out)
When acting as Processor, we do not use Viewer Data for our own advertising, cross-context behavioral profiling, or for the benefit of any party other than the Publisher whose embed delivered the video.
Stonecraft Media also uses the Interact Video Platform as a Publisher to create and embed its own content (for example, product demonstrations and marketing videos on Stonecraft's own websites). In that capacity, Stonecraft Media is the Controller of the Viewer Data collected from its own published content — not a Processor — because it determines the purposes and means of that processing for its own benefit. That Controller-side processing is governed by the Stonecraft Media Privacy Policy, not by the Processor framework in this Privacy Policy. This Privacy Policy continues to govern the operation of the Interact platform itself, including when Stonecraft Media is the Publisher using it.
Interact operates a multi-layer consent system within the embed player to ensure Viewers have meaningful control over how their data is used.
All Viewers receive anonymous analytics — watch time, engagement, playback events — regardless of consent status. This layer uses only ephemeral session identifiers with no persistent browser storage and no fingerprinting data.
Opt-out model (default): Consistent with the prevailing US state-privacy opt-out model, the identified layer activates automatically when the Viewer deliberately begins playback. Viewers may opt out at any time via the persistent Privacy shield.
Affirmative-consent mode (Publisher-elected): Publishers may configure a project to display a consent banner and require the Viewer's affirmative acceptance before the identified layer activates. Interact provides this as a geo-aware tool: when a Publisher supplies a privacy-policy URL, the banner can be shown to Viewers in the EU, EEA, and UK, or to all Viewers, at the Publisher's election. A Publisher that targets or serves Viewers in the EU, EEA, or UK is solely responsible, as Controller, for electing and configuring this tool and for establishing any lawful basis or cross-border transfer mechanism those Viewers' laws (such as the GDPR or UK GDPR) require. Interact provides the banner and Global Privacy Control support as tools only; Interact does not itself assume controller obligations under the GDPR or UK GDPR. If a Publisher does not enable affirmative-consent mode, Viewers receive the opt-out model described above and the identified layer activates on deliberate play. Where the banner is enabled, Viewers may decline and playback continues anonymously. (See the Data Processing Addendum, EU/UK Addendum, which applies only to Publishers who indicate EU/UK targeting.)
GPC (Global Privacy Control): If the Viewer's browser sends a Sec-GPC: 1 signal, Interact honors it as a standing opt-out. Both the identified and specific-consent layers are suppressed. The shield displays "Opt-Out Preference Signal Honored" per Cal. Civ. Code §7025(c)(6).
Third-party pixel integrations (GA4, GTM, Facebook Pixel, Segment) and precise geolocation are gated on a distinct, unchecked, affirmative opt-in checkbox — separate from the standard consent banner. This checkbox is never pre-ticked. The Viewer sees the exact names of configured providers before opting in. The verbatim disclosure text is stored as a VPPA receipt.
A "Privacy" control is always visible on the player (in all regions, regardless of whether a banner was shown). Viewers can:
Toggle the standard identified layer on or off
Opt into or withdraw the specific-consent tier
Exercise "Do Not Sell or Share My Personal Information" (CCPA opt-out)
View the Publisher's privacy policy
Withdrawing consent is prospective — it stops future processing but does not automatically delete data already collected. Viewers may request deletion by contacting the Publisher.
Publishers may signal Viewer consent into the embed player via the _iaq publisher-push API (e.g., when their own CMP has already obtained consent). When a Publisher signals analytics: true, the identified layer activates without showing a banner. Interact relies on the Publisher's representation that valid consent was obtained; Publisher is responsible for the validity of that representation under the Data Processing Addendum.
We share information with the following categories of service providers who process data on our behalf:
Provider Purpose Data Processed Supabase Database storage and authentication All platform data at rest Cloudflare Edge network, CDN, Workers runtime Data in transit; session processing Cloudflare R2 Media file storage Video files and thumbnails Sentry Error tracking and monitoring Error and diagnostic data, with automated PII-scrubbing applied; limited personal data may incidentally appear in error traces Stripe Payment processing Publisher billing data only
These providers are contractually obligated to protect information and use it only for the purposes we specify. See our Data Processing Addendum (Schedule C) for the full sub-processor list applicable to Viewer Data.
Viewer Data is made available to the Publisher whose embed delivered the video, through analytics dashboards and reports. Contact Sync transmits Viewer-submitted contact information to Publisher's connected CRM (e.g., HighLevel) when enabled and lawfully authorized.
When a Viewer grants specific-consent, video viewing events are forwarded to third-party analytics providers configured by the Publisher (GA4, GTM, Facebook Pixel, Segment). These providers receive data under their own terms and privacy policies. Interact does not control how these providers use the data after receipt. Publishers are responsible for their own DPAs with these providers.
If Stonecraft Media is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will notify affected parties of any such change and any choices available.
We may disclose information if required to do so by law or in response to valid legal processes (subpoenas, court orders), government or law enforcement requests, or to protect our rights, property, or safety or the safety of others.
We may share aggregate or de-identified information, including industry benchmarks, platform usage trends, and performance metrics. Where we maintain de-identified information, we keep it in de-identified form, take reasonable measures to ensure it cannot be re-associated with a particular individual, and do not attempt to re-identify it.
We do not sell personal information. We do not use personal information for cross-context behavioral advertising.
This section summarizes our use of cookies and similar technologies. For the full, itemized list of cookies and browser-storage keys, their durations, and purposes, see our Cookie Policy.
We use essential session cookies for authentication and platform functionality. We do not use advertising cookies or third-party tracking pixels on the publisher-facing platform.
No persistent identifier before the identified layer activates: The embed player does not write the persistent viewer identifier until the identified layer activates — that is, on the Viewer's first deliberate playback under the opt-out model, or, where the Publisher has enabled affirmative-consent mode, only after the Viewer affirmatively accepts. No persistent identifier is written if the Viewer opts out or GPC is present.
Persistent viewer identifier: When the identified layer is active, a interact_viewer_id cookie and localStorage entry are written to recognize returning Viewers across sessions. The cookie has a 12-month (365-day) expiry.
Consent preference storage: The Viewer's consent decision (accept/decline/opt-out) is stored in localStorage under the key interact_consent_<projectId>. This entry is strictly necessary to honor the Viewer's own privacy choice; it stores only the consent decision itself and is not used for tracking, advertising, or analytics.
GPC honored: If the browser sends Sec-GPC: 1, no persistent identifier is written.
All data is stored and processed on secure servers located in the United States. Interact does not operate infrastructure outside the United States.
International Viewers and cross-border transfer. Although the Service is available only to US-based Publishers, the interactive videos those Publishers embed may be watched by Viewers located outside the United States. If you are a Viewer located outside the United States, any data collected when you watch an embedded video will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those of your country. By watching an embedded video — and, where a consent banner is presented, by accepting it — you understand and consent to the transfer and processing of your data in the United States. Interact provides Publishers with consent tools (a geo-aware consent banner, a persistent Privacy shield, and Global Privacy Control support) to obtain any consent and provide any notice required for their non-US Viewers; the Publisher (as Controller) is solely responsible for enabling and configuring those tools, for establishing any lawful basis or cross-border data-transfer mechanism required by laws applicable to its Viewers' locations (such as the GDPR or UK GDPR), and for its own compliance with those laws. Interact does not itself assume controller obligations under any non-US privacy law. See Section 4.2 and the Data Processing Addendum (EU/UK Addendum).
We implement technical and organizational security measures including:
TLS 1.2+ encryption for all data in transit
AES-256 encryption at rest (managed by Supabase/PostgreSQL)
Row-Level Security (RLS) policies enforcing per-account data isolation
Account-scoped API queries preventing cross-tenant data access
Service-role database access restricted to internal worker operations
No method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Publisher account data: Retained for the duration of your account and a reasonable period thereafter.
Security and login audit logs: Authentication and login audit records (including the IP address, device/browser information, and timestamp of each login) are retained for 12 months for account-security, fraud-prevention, and accountability purposes, after which they are deleted or anonymized.
Viewer analytics data: Retained for the duration of the Publisher's account. Publishers may delete individual Viewer records at any time using the Viewer Data Deletion tool in Settings.
Consent records (decline/opt-out): Decline and opt-out records are maintained as anonymized records that carry no viewer identifier, and are retained for regulatory compliance. Because they carry no identifier by which to locate a particular individual, they cannot be individually deleted, and we do not attempt to re-associate them with any individual.
Backups: Data may be retained in backup systems for a limited rolling period after deletion requests are processed.
You have the right to:
Access your personal information
Correct inaccurate information in your account settings
Request deletion of your account and associated data
Export your content and data
Opt out of marketing communications at any time (click "unsubscribe" in any marketing email or contact [email protected])
Viewers exercise their rights primarily through the Publisher (who is the data Controller for Viewer Data). Publishers can fulfill deletion requests using the Viewer Data Deletion tool in Settings. Viewers may also contact us directly at [email protected] and we will assist in routing requests to the appropriate Publisher.
The rights in this section apply to personal information for which Interact is the business — principally Publisher account information. For Viewer Data, Interact acts as a service provider (processor) on the Publisher's behalf, and CCPA rights run against the Publisher as the business. Viewers should exercise their CCPA rights through the relevant Publisher, as described in Section 8.2; Interact will provide reasonable assistance to the Publisher in fulfilling those requests but does not independently respond to Viewer CCPA requests except to route them to the appropriate Publisher.
Subject to that distinction, California residents have the following rights:
Right to Know: You may request information about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction or comply with a legal obligation).
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. Viewers may exercise the "Do Not Sell or Share" opt-out via the Privacy shield in the embed player. Publishers may contact us at [email protected].
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond the purposes for which it was collected.
Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Authorized Agents: You may use an authorized agent to submit a request to know, delete, correct, or opt out on your behalf. The agent must be a natural person or a business entity registered with the California Secretary of State. We may require the agent to provide proof of your written permission, may require you to verify your own identity directly with us, and may require you to confirm directly that you authorized the agent to act for you.
To exercise your rights, contact us at [email protected] with subject line "CCPA Request." We will confirm receipt of your request within 10 business days and describe how we will process it, including our verification process. We will respond substantively within 45 calendar days of receipt; if reasonably necessary, we may extend by an additional 45 days (90 days total) and will notify you of the extension and the reason.
We honor the Global Privacy Control signal (Sec-GPC: 1) for Viewers. When detected at the network edge, it is treated as a standing "Do Not Sell or Share" opt-out for that Viewer session. The embed player's Privacy shield displays "Opt-Out Preference Signal Honored" per Cal. Civ. Code §7025(c)(6).
We do not currently honor the legacy "Do Not Track" (DNT) browser header, as it has no standardized meaning. GPC is the standardized successor signal and is fully honored.
Interact's platform delivers video content. To the extent the VPPA (18 U.S.C. §2710) applies to video viewing records collected through the Service:
Anonymous viewing data (watch time, playback events with no persistent viewer identifier) is not "personally identifiable information" under the VPPA.
Identified viewing data is processed by Interact on the Publisher's behalf, incident to the ordinary course of Interact's business as a service provider, under a written Data Processing Addendum with the Publisher, consistent with 18 U.S.C. §2710(b)(2)(E).
Disclosure to third-party analytics providers (pixels) requires a distinct, affirmative, viewer-specific opt-in (the specific-consent tier). This opt-in cannot be bundled with general terms acceptance and is never pre-ticked.
Publishers who use the publisher-push consent API (_iaq) to signal Viewer consent represent to Interact that valid VPPA consent was obtained. Publisher bears sole responsibility for the validity of any such attestation.
The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at [email protected]. Publishers are responsible for ensuring their interactive video content is appropriate for their audience and for obtaining any parental consent required by the Children's Online Privacy Protection Act (COPPA) if their content targets children.
The Service may contain links to third-party websites or integrate with third-party services (e.g., HighLevel, Google Analytics, Facebook). We are not responsible for the privacy practices of these third parties. When you enable third-party pixel integrations, those providers' own privacy policies govern their use of Viewer data. We encourage you to review those policies.
Publishers who use Contact Sync, pixel integrations, the publisher-push consent API (_iaq), or outbound webhooks are subject to our Data Processing Addendum ("DPA"), which is incorporated into the Terms of Service by reference and governs those features. It establishes Interact's role as data Processor, Publisher's role as Controller, and the obligations of each party with respect to Viewer Data.
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated via email notification to registered Publishers and prominent in-app notice. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or our privacy practices:
Stonecraft Media
Email: [email protected]
Legal inquiries: [email protected]
For data subject requests (access, deletion, correction, opt-out), please include:
Your full name and email address
Whether you are a Publisher or a Viewer
Description of your request
Verification information (account details if a Publisher)
We will respond to verified requests within 45 days, with a possible 45-day extension where permitted by applicable law.
By using the Interact Video Platform, you acknowledge that you have read and understood this Privacy Policy.
A software service by Stonecraft Media.
Proudly developed with ❤️ in Topeka, Kansas.
Copyright © 2026 Stonecraft Media. All Rights Reserved.