Legal

Data Usage Policy

Last updated: March 28, 2026

Purpose

To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.

Scope

All Aspect Ratio, Inc. data, information and information systems.

General Requirements

Aspect Ratio, Inc. classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements. Information systems and applications shall be classified according to the highest classification of data that they store or process. Aspect Ratio, Inc. does not use customer data to train artificial intelligence or machine learning models. Customer data processed by AI features (transcription, object detection, facial recognition, metadata generation) is used solely to provide the requested service and is not retained for model training purposes.

1. Data Classification

To help Aspect Ratio, Inc. and its employees easily understand requirements associated with different kinds of information, the company has created three classes of data.

Data Ownership

Customer-uploaded content (media files, images, videos, audio, documents) remains the property of the customer. Aspect Ratio, Inc. owns all system-generated metadata, including but not limited to: AI-generated transcripts, auto-tags, object detection labels, and analytics data. Comments and annotations are owned by the user who created them but are licensed to the workspace for the purpose of collaboration; they are managed as part of the associated asset's lifecycle.

Biometric Data

Facial recognition features process biometric data, which is classified as Confidential and subject to additional protections. Users must explicitly opt-in to facial recognition features through workspace enrollment, which includes acknowledgment of biometric data processing in the applicable privacy policy, data usage agreement, and AI agreement. Biometric data (facial embeddings and reference images) is processed solely to identify individuals across customer assets and is never used for model training or shared with third parties except as required to provide the service.

Confidential

Highly sensitive data requiring the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner, or a company executive. Examples include:
  • Customer Data
  • Customer-uploaded media files and assets
  • Biometric data (facial recognition embeddings and reference images)
  • AI-generated transcripts and metadata
  • Personally identifiable information (PII)
  • Company financial and banking data
  • Salary, compensation and payroll information
  • Strategic plans
  • Incident reports
  • Risk assessment reports
  • Technical vulnerability reports
  • Authentication credentials
  • Secrets and private keys
  • Source code
  • Litigation data

Restricted

Aspect Ratio, Inc. proprietary information requiring thorough protection; access is restricted to personnel with a "need-to-know" based on business requirements. This data can only be distributed outside the company with approval. This is default for all company information unless stated otherwise. Examples include:
  • Internal policies
  • Legal documents
  • Meeting minutes and internal presentations
  • Contracts
  • Internal reports
  • Slack messages
  • Email
  • Audit logs and activity tracking data

Public

Documents intended for public consumption which can be freely distributed outside Aspect Ratio, Inc. Examples include:
  • Marketing materials
  • Product descriptions
  • Release notes
  • External facing policies

2. Data Handling

Confidential Data Handling

Confidential data is subject to the following protection and handling requirements:
  • Access for non-preapproved roles requires documented approval from the data owner
  • Access is restricted to specific employees, roles and/or departments
  • Confidential systems shall not allow unauthenticated or anonymous access
  • Confidential Customer Data shall not be used or stored in non-production systems/environments
  • Confidential data shall be encrypted at rest and in transit over public networks in accordance with the Cryptography Policy
  • Mobile device hard drives containing confidential data, including laptops, shall be encrypted
  • Mobile devices storing or accessing confidential data shall be protected by a log-on password (or equivalent, such as biometric) or passcode and shall be configured to lock the screen after five (5) minutes of non-use
  • Backups shall be encrypted
  • Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CDs, or DVDs
  • Paper records shall be labeled "confidential" and securely stored and disposed of in a secure, approved manner in accordance with data handling and destruction policies and procedures
  • Hardcopy paper records shall only be created based on a business need and shall be avoided whenever possible
  • Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
  • Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner

Customer Media and AI Data Handling

  • Customer data is never used to train AI or machine learning models operated by Aspect Ratio, Inc. or its subprocessors
  • Data transmitted to AI subprocessors (including transcription and object detection services) is encrypted in transit and processed solely to deliver the requested feature
  • AI subprocessors are contractually prohibited from using customer data for model training

Local Cache and Mount Handling

  • When customers use the desktop mount feature, media data is streamed to a local cache on the customer's device
  • Cached data is stored in a customer-specified location with configurable size limits
  • Locally cached data is subject to the same access controls as cloud-stored data
  • Customers may pin files for offline access; pinned files are stored outside the cache and persist until unpinned
  • Aspect Ratio, Inc. does not have access to or control over data stored in customer local caches
  • Shared links inherit the permission level specified by the creator (view, download, comment, edit, full access)
  • Access to shared links by authenticated users is logged and auditable
  • Access to completely public (unauthenticated) shared links is not tracked at the individual level
  • Shared link data is retained according to the same policies as the source asset

Data Residency and Storage Tiers

  • Primary storage (Cloudflare R2): Customers may select their preferred geographic region for data storage
  • Cold storage (Wasabi S3): Available as a customer-selected option for archival purposes; region is determined by Aspect Ratio, Inc.
  • Data in both storage tiers is subject to identical security controls, encryption standards, and retention policies

Enterprise Snapshots

  • Enterprise snapshots provide point-in-time recovery of workspace data
  • Snapshots are accessible only to workspace owners and administrators
  • Snapshots are retained until explicitly deleted by the customer
  • Deleted snapshots are recoverable for sixty (60) days

Subprocessor Data Handling

  • All data transmitted to subprocessors is encrypted in transit using TLS 1.2 or higher
  • Subprocessors are selected and managed in accordance with the Third-Party Management Policy
  • Subprocessors processing customer data are contractually bound to equivalent data protection standards

Restricted Data Handling

Restricted data is subject to the following protection and handling requirements:
  • Access is restricted to users with a need-to-know based on business requirements
  • Restricted systems shall not allow unauthenticated or anonymous access
  • Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner
  • Paper records shall be securely stored and disposed of in a secure, approved manner in accordance with data handling and destruction policies and procedures
  • Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed

Public Data Handling

No special protection or handling controls are required for public data. Public data may be freely distributed.

3. Data Retention

Aspect Ratio, Inc. shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.

Customer Asset Retention

  • Deleted assets are moved to a workspace trash folder, where they remain until the workspace owner permanently deletes them or empties the trash
  • All previous versions of assets are retained for the lifetime of the asset
  • Upon permanent deletion (trash folder emptied or individual file permanently deleted), assets are recoverable by contacting Aspect Ratio, Inc. support within sixty (60) days
  • After sixty (60) days, permanently deleted assets are irrecoverable

AI-Generated Data Retention

  • AI-generated metadata (transcripts, auto-tags, object labels, facial recognition embeddings) is retained for the lifetime of the associated asset
  • Upon permanent deletion of the source asset, AI-generated metadata is retained for sixty (60) days and then permanently deleted
  • Facial recognition reference images and embeddings follow the same retention schedule

Audit Log Retention

  • Audit logs are retained indefinitely while the associated workspace is active
  • Upon workspace deletion, audit logs are retained for sixty (60) days and then permanently deleted

Comments and Annotations Retention

  • Comments and annotations are retained for the lifetime of the associated asset
  • Upon permanent deletion of the source asset, comments and annotations follow the same sixty (60) day recovery window
  • Comments and annotations deleted independently of their source asset are immediately removed and not recoverable

4. Data and Device Disposal

Data classified as restricted or confidential shall be securely deleted when no longer needed. Aspect Ratio, Inc. shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet Aspect Ratio, Inc. requirements for secure data disposal shall be used for storage and processing of restricted or confidential data. Aspect Ratio, Inc. shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of, disposal. Confidential and Restricted hardcopy materials shall be shredded or otherwise disposed of using a secure method. Personally identifiable information (PII) shall be collected, used and retained only for as long as the company has a legitimate business purpose. PII shall be securely deleted and disposed of following contract termination in accordance with company policy, contractual commitments and all relevant laws and regulations. PII shall also be deleted in response to a verified request from a consumer or data subject, where the company does not have a legitimate business interest or other legal obligation to retain the data.

Customer Churn and Workspace Deletion

  • Upon contract termination or customer-initiated workspace deletion, all customer data (media files, metadata, comments, AI-generated data, and associated records) is scheduled for deletion
  • Deleted workspace data is recoverable within sixty (60) days if the customer chooses to reactivate their account
  • After sixty (60) days, all data is permanently and irrecoverably deleted from all storage systems

Distributed Storage and Cache Purging

  • Upon permanent deletion, data removal requests are propagated to all storage tiers (primary, cold storage, and CDN edge caches)
  • CDN edge caches expire according to configured TTL values; cached data is not accessible after the source is deleted due to authentication requirements
  • Storage providers (Cloudflare R2, Wasabi S3, AWS) handle physical media disposal in accordance with their respective security certifications and Aspect Ratio, Inc. contractual requirements

AI Model Input Disposal

  • Custom object training samples and facial recognition reference images are deleted according to the same schedule as customer assets
  • Upon permanent deletion, these inputs are removed from processing queues and any temporary storage within sixty (60) days
  • AI subprocessors do not retain customer inputs beyond the time required to process the request

5. Data Retention Matrix

Here is the retention matrix to render as a table:
System or ApplicationData DescriptionRetention Period
Aspect Platform (AWS)File metadata (database records, asset metadata, workspace configuration)Lifetime of asset + 60 days after permanent deletion
Cloudflare R2Primary distributed media storageLifetime of asset + 60 days after permanent deletion
Wasabi S3Cold storage / archival mediaLifetime of asset + 60 days after permanent deletion
Aspect PlatformWorkspace trash folderUntil customer empties trash
Aspect PlatformEnterprise snapshotsUntil customer deletes + 60 days
Aspect PlatformAI-generated metadata (transcripts, tags, labels)Lifetime of source asset + 60 days
Aspect PlatformFacial recognition data (embeddings, reference images)Lifetime of source asset + 60 days
Aspect PlatformComments and annotationsLifetime of source asset + 60 days
Aspect PlatformAudit logsLifetime of workspace + 60 days
DeepgramTranscription processingNo retention (processed and discarded)
OpenAIAI feature processingNo retention (processed and discarded)
WorkOSAuthentication and SSO logsPer WorkOS data retention policy
VercelApplication and error logs30 days
StripeBilling and payment records7 years (legal/tax requirement)
GitHubDeployment and CI/CD logs90 days
Aspect PlatformTemporary files / ephemeral storageAutomatically deleted when process completes

6. Policy Compliance

Aspect Ratio, Inc. will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.

Exceptions

Requests for an exception to this Policy must be submitted to the CISO for approval.

Violations and Enforcement

Any known violations of this policy should be reported to the CISO. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Contact Us

If you have any questions about this Data Usage Policy, please contact us: Email: security@aspect.inc

Get started

For every aspect of the creative workflow.