Privacy Policy


Effective Date: June 28, 2026

This Privacy Policy describes how Stonecraft Media ("Interact," "we," "us," or "our") collects, uses, and shares information when you use the Interact Video Platform (the "Service"). It covers two distinct groups: Publishers (businesses that create and embed interactive videos using our platform) and Viewers (end-users who watch those videos).

Geographic Restriction: The Service is available exclusively to businesses incorporated or operating in the United States. If you are not a US-based business, you are not authorized to access or use the Service.


1. Information We Collect

1.1 Information Publishers Provide

Account Information

  • Name, email address, company name, and role

  • HighLevel account credentials (location ID, company ID, user ID) when accessing via HighLevel

  • Authentication tokens and session data

  • Profile information and preferences

Content and Media

  • Media files you upload (videos and associated images, such as thumbnails)

  • Interactive video projects and their content, which you create and configure within the platform editor (including interactive elements such as buttons, forms, polls, quizzes, hotspots, and any other interactive elements we may release in the future)

  • Custom branding and theme settings

  • Project metadata and descriptions

Legal and Compliance Information

  • Policy-acceptance records — the version of the Terms, Privacy Policy, and Data Processing Addendum you accepted, with timestamp and IP address

  • Consent policy URLs and banner configuration

  • Contact Sync basis selections and legitimate-interest attestations

Communications

  • Support requests and correspondence

  • Feedback and survey responses

  • Email communications with our team

1.2 Information We Collect Automatically from Publishers

Usage Information

  • Pages visited and features used within the platform

  • Time spent on the platform

  • Actions taken (creating projects, uploading media, configuring elements, etc.)

  • Error logs and performance data

Device and Browser Information (Publisher sessions)

  • IP address

  • Browser type and version

  • Operating system and device type

  • Referrer URLs

1.3 Viewer Analytics Data

When end-users (Viewers) watch interactive videos published through Interact, we collect data on behalf of the Publisher. What we collect depends on whether the Viewer has consented to identified tracking.

Always collected — all Viewers (anonymous, no consent required):

  • Ephemeral session identifier

  • Video playback events (play, pause, seek, complete)

  • Node navigation paths through branching videos

  • Watch time and engagement metrics

  • Interactive element interactions (button clicks, poll votes, quiz answers, form submissions)

  • Coarse device type (mobile/tablet/desktop)

  • Country and region (state/province level)

Collected at the identified layer (activated automatically on deliberate play under the opt-out model, unless the Viewer opts out, GPC is present, or the Publisher has enabled affirmative-consent mode — see Section 4.2):

  • Persistent viewer identifier (cookie + localStorage, tied to a stable viewer record)

  • IP address

  • User-Agent string (browser type, version, OS)

  • Precise browser, OS, and device detail

Collected only with Viewer specific-consent (VPPA opt-in):

  • Video viewing activity forwarded to Publisher-configured third-party analytics providers (Google Analytics 4, Google Tag Manager, Facebook Pixel, Segment)

  • Precise geolocation (where Publisher has enabled this feature)

  • The verbatim disclosure text the Viewer accepted

Viewer-submitted contact information:

  • Name, email address, phone number, and any other fields included in Publisher's interactive forms, quizzes, or polls

  • This data is collected on behalf of the Publisher (Controller) and may be transmitted to Publisher's CRM via Contact Sync

What we do NOT collect from anonymous Viewers:

  • Raw User-Agent strings on anonymous sessions

  • Exact screen resolution or viewport dimensions

  • Any persistent browser identifier (no cookie, no localStorage write) until consent is granted

1.4 Information from Third Parties

HighLevel Integration

  • User profile data from the HighLevel user who installs the app (name and email of the installing account administrator)

  • Location and company information

  • OAuth tokens for API access

  • Account-lifecycle webhook events delivered by HighLevel (app install, uninstall, app update, and external-auth connection), used to keep your account state synchronized. These events carry account, subscription, and installer-administrator information only — they do not transmit your HighLevel contacts or end-customer records to us

Payment Processors

  • Transaction information (when applicable)

  • Billing details and payment history (processed by Stripe; we do not store raw card data)


2. How We Use Publisher Information

We use Publisher information to:

  • Create and manage your account

  • Process and store your media files

  • Render and deliver interactive videos to Viewers

  • Provide analytics and reporting dashboards

  • Record your acceptance of our Data Processing Addendum and other policies

  • Troubleshoot technical issues and monitor platform health

  • Maintain security and audit logs — we record authentication events (including successful logins, with the IP address and device/browser information associated with the login) to secure your account, investigate suspicious activity, and meet our security and accountability obligations

  • Send service-related notifications and product updates

  • Respond to support requests

  • Send marketing communications (with your consent; opt-out available at any time)

  • Detect and prevent fraud and abuse

  • Enforce our Terms of Service

  • Comply with legal obligations

We do not sell Publisher personal information to third parties.


3. How We Use Viewer Data

Viewer Data is processed on behalf of and under the instructions of the Publisher (who is the data Controller for Viewer Data). Interact acts as a data Processor. We use Viewer Data to:

  • Deliver interactive video playback and interactive elements

  • Record and report analytics to the Publisher

  • Transmit Viewer contact information to Publisher's CRM (Contact Sync, when enabled and lawfully authorized)

  • Forward events to Publisher-configured third-party analytics pixels (specific-consent tier only)

  • Record Viewer consent decisions for regulatory compliance

  • Enable Publisher to fulfill Viewer data subject requests (access, deletion, opt-out)

When acting as Processor, we do not use Viewer Data for our own advertising, cross-context behavioral profiling, or for the benefit of any party other than the Publisher whose embed delivered the video.

3.1 When Stonecraft Media Is Itself a Publisher

Stonecraft Media also uses the Interact Video Platform as a Publisher to create and embed its own content (for example, product demonstrations and marketing videos on Stonecraft's own websites). In that capacity, Stonecraft Media is the Controller of the Viewer Data collected from its own published content — not a Processor — because it determines the purposes and means of that processing for its own benefit. That Controller-side processing is governed by the Stonecraft Media Privacy Policy, not by the Processor framework in this Privacy Policy. This Privacy Policy continues to govern the operation of the Interact platform itself, including when Stonecraft Media is the Publisher using it.


4. Viewer Consent and Privacy Controls

Interact operates a multi-layer consent system within the embed player to ensure Viewers have meaningful control over how their data is used.

4.1 Anonymous Layer (No Consent Required)

All Viewers receive anonymous analytics — watch time, engagement, playback events — regardless of consent status. This layer uses only ephemeral session identifiers with no persistent browser storage and no fingerprinting data.

4.2 Standard Identified Layer (Consent or Opt-Out Model)

  • Opt-out model (default): Consistent with the prevailing US state-privacy opt-out model, the identified layer activates automatically when the Viewer deliberately begins playback. Viewers may opt out at any time via the persistent Privacy shield.

  • Affirmative-consent mode (Publisher-elected): Publishers may configure a project to display a consent banner and require the Viewer's affirmative acceptance before the identified layer activates. Interact provides this as a geo-aware tool: when a Publisher supplies a privacy-policy URL, the banner can be shown to Viewers in the EU, EEA, and UK, or to all Viewers, at the Publisher's election. A Publisher that targets or serves Viewers in the EU, EEA, or UK is solely responsible, as Controller, for electing and configuring this tool and for establishing any lawful basis or cross-border transfer mechanism those Viewers' laws (such as the GDPR or UK GDPR) require. Interact provides the banner and Global Privacy Control support as tools only; Interact does not itself assume controller obligations under the GDPR or UK GDPR. If a Publisher does not enable affirmative-consent mode, Viewers receive the opt-out model described above and the identified layer activates on deliberate play. Where the banner is enabled, Viewers may decline and playback continues anonymously. (See the Data Processing Addendum, EU/UK Addendum, which applies only to Publishers who indicate EU/UK targeting.)

  • GPC (Global Privacy Control): If the Viewer's browser sends a Sec-GPC: 1 signal, Interact honors it as a standing opt-out. Both the identified and specific-consent layers are suppressed. The shield displays "Opt-Out Preference Signal Honored" per Cal. Civ. Code §7025(c)(6).

4.3 Specific-Consent Tier (VPPA Opt-In)

Third-party pixel integrations (GA4, GTM, Facebook Pixel, Segment) and precise geolocation are gated on a distinct, unchecked, affirmative opt-in checkbox — separate from the standard consent banner. This checkbox is never pre-ticked. The Viewer sees the exact names of configured providers before opting in. The verbatim disclosure text is stored as a VPPA receipt.

4.4 Persistent Privacy Shield

A "Privacy" control is always visible on the player (in all regions, regardless of whether a banner was shown). Viewers can:

  • Toggle the standard identified layer on or off

  • Opt into or withdraw the specific-consent tier

  • Exercise "Do Not Sell or Share My Personal Information" (CCPA opt-out)

  • View the Publisher's privacy policy

Withdrawing consent is prospective — it stops future processing but does not automatically delete data already collected. Viewers may request deletion by contacting the Publisher.

4.5 Publisher-Push Consent

Publishers may signal Viewer consent into the embed player via the _iaq publisher-push API (e.g., when their own CMP has already obtained consent). When a Publisher signals analytics: true, the identified layer activates without showing a banner. Interact relies on the Publisher's representation that valid consent was obtained; Publisher is responsible for the validity of that representation under the Data Processing Addendum.


5. How We Share Information

5.1 Sub-Processors (Service Providers)

We share information with the following categories of service providers who process data on our behalf:

Provider Purpose Data Processed Supabase Database storage and authentication All platform data at rest Cloudflare Edge network, CDN, Workers runtime Data in transit; session processing Cloudflare R2 Media file storage Video files and thumbnails Sentry Error tracking and monitoring Error and diagnostic data, with automated PII-scrubbing applied; limited personal data may incidentally appear in error traces Stripe Payment processing Publisher billing data only

These providers are contractually obligated to protect information and use it only for the purposes we specify. See our Data Processing Addendum (Schedule C) for the full sub-processor list applicable to Viewer Data.

5.2 Publishers (for Viewer Data)

Viewer Data is made available to the Publisher whose embed delivered the video, through analytics dashboards and reports. Contact Sync transmits Viewer-submitted contact information to Publisher's connected CRM (e.g., HighLevel) when enabled and lawfully authorized.

5.3 Third-Party Pixels (Publisher-Configured)

When a Viewer grants specific-consent, video viewing events are forwarded to third-party analytics providers configured by the Publisher (GA4, GTM, Facebook Pixel, Segment). These providers receive data under their own terms and privacy policies. Interact does not control how these providers use the data after receipt. Publishers are responsible for their own DPAs with these providers.

5.4 Business Transfers

If Stonecraft Media is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will notify affected parties of any such change and any choices available.

5.5 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal processes (subpoenas, court orders), government or law enforcement requests, or to protect our rights, property, or safety or the safety of others.

5.6 Aggregate and De-Identified Data

We may share aggregate or de-identified information, including industry benchmarks, platform usage trends, and performance metrics. Where we maintain de-identified information, we keep it in de-identified form, take reasonable measures to ensure it cannot be re-associated with a particular individual, and do not attempt to re-identify it.

We do not sell personal information. We do not use personal information for cross-context behavioral advertising.


6. Cookies and Tracking Technologies

This section summarizes our use of cookies and similar technologies. For the full, itemized list of cookies and browser-storage keys, their durations, and purposes, see our Cookie Policy.

6.1 Publisher Platform (app.interactvideo.com)

We use essential session cookies for authentication and platform functionality. We do not use advertising cookies or third-party tracking pixels on the publisher-facing platform.

6.2 Viewer Embed Player

  • No persistent identifier before the identified layer activates: The embed player does not write the persistent viewer identifier until the identified layer activates — that is, on the Viewer's first deliberate playback under the opt-out model, or, where the Publisher has enabled affirmative-consent mode, only after the Viewer affirmatively accepts. No persistent identifier is written if the Viewer opts out or GPC is present.

  • Persistent viewer identifier: When the identified layer is active, a interact_viewer_id cookie and localStorage entry are written to recognize returning Viewers across sessions. The cookie has a 12-month (365-day) expiry.

  • Consent preference storage: The Viewer's consent decision (accept/decline/opt-out) is stored in localStorage under the key interact_consent_<projectId>. This entry is strictly necessary to honor the Viewer's own privacy choice; it stores only the consent decision itself and is not used for tracking, advertising, or analytics.

  • GPC honored: If the browser sends Sec-GPC: 1, no persistent identifier is written.


7. Data Storage and Security

7.1 Data Storage

All data is stored and processed on secure servers located in the United States. Interact does not operate infrastructure outside the United States.

International Viewers and cross-border transfer. Although the Service is available only to US-based Publishers, the interactive videos those Publishers embed may be watched by Viewers located outside the United States. If you are a Viewer located outside the United States, any data collected when you watch an embedded video will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those of your country. By watching an embedded video — and, where a consent banner is presented, by accepting it — you understand and consent to the transfer and processing of your data in the United States. Interact provides Publishers with consent tools (a geo-aware consent banner, a persistent Privacy shield, and Global Privacy Control support) to obtain any consent and provide any notice required for their non-US Viewers; the Publisher (as Controller) is solely responsible for enabling and configuring those tools, for establishing any lawful basis or cross-border data-transfer mechanism required by laws applicable to its Viewers' locations (such as the GDPR or UK GDPR), and for its own compliance with those laws. Interact does not itself assume controller obligations under any non-US privacy law. See Section 4.2 and the Data Processing Addendum (EU/UK Addendum).

7.2 Security Measures

We implement technical and organizational security measures including:

  • TLS 1.2+ encryption for all data in transit

  • AES-256 encryption at rest (managed by Supabase/PostgreSQL)

  • Row-Level Security (RLS) policies enforcing per-account data isolation

  • Account-scoped API queries preventing cross-tenant data access

  • Service-role database access restricted to internal worker operations

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7.3 Data Retention

Publisher account data: Retained for the duration of your account and a reasonable period thereafter.

Security and login audit logs: Authentication and login audit records (including the IP address, device/browser information, and timestamp of each login) are retained for 12 months for account-security, fraud-prevention, and accountability purposes, after which they are deleted or anonymized.

Viewer analytics data: Retained for the duration of the Publisher's account. Publishers may delete individual Viewer records at any time using the Viewer Data Deletion tool in Settings.

Consent records (decline/opt-out): Decline and opt-out records are maintained as anonymized records that carry no viewer identifier, and are retained for regulatory compliance. Because they carry no identifier by which to locate a particular individual, they cannot be individually deleted, and we do not attempt to re-associate them with any individual.

Backups: Data may be retained in backup systems for a limited rolling period after deletion requests are processed.


8. Your Rights and Choices

8.1 Publisher Rights

You have the right to:

  • Access your personal information

  • Correct inaccurate information in your account settings

  • Request deletion of your account and associated data

  • Export your content and data

  • Opt out of marketing communications at any time (click "unsubscribe" in any marketing email or contact [email protected])

8.2 Viewer Rights

Viewers exercise their rights primarily through the Publisher (who is the data Controller for Viewer Data). Publishers can fulfill deletion requests using the Viewer Data Deletion tool in Settings. Viewers may also contact us directly at [email protected] and we will assist in routing requests to the appropriate Publisher.

8.3 California Privacy Rights (CCPA/CPRA)

The rights in this section apply to personal information for which Interact is the business — principally Publisher account information. For Viewer Data, Interact acts as a service provider (processor) on the Publisher's behalf, and CCPA rights run against the Publisher as the business. Viewers should exercise their CCPA rights through the relevant Publisher, as described in Section 8.2; Interact will provide reasonable assistance to the Publisher in fulfilling those requests but does not independently respond to Viewer CCPA requests except to route them to the appropriate Publisher.

Subject to that distinction, California residents have the following rights:

Right to Know: You may request information about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.

Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction or comply with a legal obligation).

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. Viewers may exercise the "Do Not Sell or Share" opt-out via the Privacy shield in the embed player. Publishers may contact us at [email protected].

Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond the purposes for which it was collected.

Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Authorized Agents: You may use an authorized agent to submit a request to know, delete, correct, or opt out on your behalf. The agent must be a natural person or a business entity registered with the California Secretary of State. We may require the agent to provide proof of your written permission, may require you to verify your own identity directly with us, and may require you to confirm directly that you authorized the agent to act for you.

To exercise your rights, contact us at [email protected] with subject line "CCPA Request." We will confirm receipt of your request within 10 business days and describe how we will process it, including our verification process. We will respond substantively within 45 calendar days of receipt; if reasonably necessary, we may extend by an additional 45 days (90 days total) and will notify you of the extension and the reason.

8.4 Global Privacy Control (GPC)

We honor the Global Privacy Control signal (Sec-GPC: 1) for Viewers. When detected at the network edge, it is treated as a standing "Do Not Sell or Share" opt-out for that Viewer session. The embed player's Privacy shield displays "Opt-Out Preference Signal Honored" per Cal. Civ. Code §7025(c)(6).

We do not currently honor the legacy "Do Not Track" (DNT) browser header, as it has no standardized meaning. GPC is the standardized successor signal and is fully honored.


9. Video Privacy Protection Act (VPPA)

Interact's platform delivers video content. To the extent the VPPA (18 U.S.C. §2710) applies to video viewing records collected through the Service:

  • Anonymous viewing data (watch time, playback events with no persistent viewer identifier) is not "personally identifiable information" under the VPPA.

  • Identified viewing data is processed by Interact on the Publisher's behalf, incident to the ordinary course of Interact's business as a service provider, under a written Data Processing Addendum with the Publisher, consistent with 18 U.S.C. §2710(b)(2)(E).

  • Disclosure to third-party analytics providers (pixels) requires a distinct, affirmative, viewer-specific opt-in (the specific-consent tier). This opt-in cannot be bundled with general terms acceptance and is never pre-ticked.

  • Publishers who use the publisher-push consent API (_iaq) to signal Viewer consent represent to Interact that valid VPPA consent was obtained. Publisher bears sole responsibility for the validity of any such attestation.


10. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at [email protected]. Publishers are responsible for ensuring their interactive video content is appropriate for their audience and for obtaining any parental consent required by the Children's Online Privacy Protection Act (COPPA) if their content targets children.


11. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services (e.g., HighLevel, Google Analytics, Facebook). We are not responsible for the privacy practices of these third parties. When you enable third-party pixel integrations, those providers' own privacy policies govern their use of Viewer data. We encourage you to review those policies.


12. Data Processing Addendum

Publishers who use Contact Sync, pixel integrations, the publisher-push consent API (_iaq), or outbound webhooks are subject to our Data Processing Addendum ("DPA"), which is incorporated into the Terms of Service by reference and governs those features. It establishes Interact's role as data Processor, Publisher's role as Controller, and the obligations of each party with respect to Viewer Data.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated via email notification to registered Publishers and prominent in-app notice. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.


14. Contact Us

If you have questions about this Privacy Policy or our privacy practices:

Stonecraft Media
Email: [email protected]
Legal inquiries: [email protected]

For data subject requests (access, deletion, correction, opt-out), please include:

  • Your full name and email address

  • Whether you are a Publisher or a Viewer

  • Description of your request

  • Verification information (account details if a Publisher)

We will respond to verified requests within 45 days, with a possible 45-day extension where permitted by applicable law.


By using the Interact Video Platform, you acknowledge that you have read and understood this Privacy Policy.

A software service by Stonecraft Media.

Support

Help Docs

Support Ticket

Proudly developed with ❤️ in Topeka, Kansas.

Copyright © 2026 Stonecraft Media. All Rights Reserved.