Personal data in the rendering pipeline

Understanding where PII can enter the rendering pipeline and how to minimize exposure

Written by Derk Zomer
Updated over a week ago

This article supplements the Terms of Service and Privacy Policy. For definitions of Customer Data, Personal Data, and Sensitive Data, and for details on Shotstack's role as a data processor, refer to those documents.

Shotstack operates under a shared responsibility model when it comes to personal data in the rendering pipeline. Render payloads are not anonymized. The JSON you submit is processed as-is to produce your output. It is your responsibility to ensure that PII is not included in render payloads unless you have appropriate controls in place.

Note that our Privacy Policy prohibits the submission of Sensitive Data (as defined in the policy) to the Service. This article addresses the broader category of personal data that may legitimately be included in render payloads, such as names or contact details used in personalised videos.
Where personal data can enter

Personal data can be introduced into the rendering pipeline through several vectors:

  • Merge field values: Dynamic data injected into templates at render time (names, addresses, etc.)

  • Text and caption content: Text or captions hardcoded into the JSON payload

  • Auto-generated captions: Speech-to-text transcription captures everything spoken in source audio, which may include names, phone numbers, or other personal information

  • Source media: Images, videos, and audio files referenced by URL may themselves contain personal data

  • Webhook callback URL query parameters: Query strings appended to your callback URL are stored alongside the render record

Data retention and deletion

The following retention practices apply specifically to data processed through the rendering pipeline. For retention of account and personal data, see our Privacy Policy.

  • Source media: Purged immediately after rendering. Source files are processed on a dedicated compute instance provisioned for each render and do not persist beyond the render lifecycle.

  • Render payloads (JSON): Retained as part of your render history and accessible via the dashboard and API. Payload data can be deleted on request and is deleted automatically for inactive accounts.

  • Output files: Stored for 24 hours via temporary hosting and deleted automatically thereafter. If you have opted into the Serve API (CDN hosting), output files are retained until you delete them via the dashboard or API. You can opt out of CDN hosting at any time.

  • Inactive accounts: As per our Terms of Service, accounts inactive for three months will be deleted along with all associated data.

You are responsible for managing the retention of your render history and CDN-hosted output files in accordance with your own data protection obligations. Shotstack provides the tools to delete this data on your schedule.

Recommendations

  • Use merge fields to keep PII out of stored templates. Define templates with placeholder merge fields and inject personal data only at render time. This avoids persisting PII in saved templates.

  • Use opaque reference IDs in webhook callbacks. Pass an internal reference ID in your callback URL query string rather than PII such as email addresses or names.

  • Review source audio before auto-captioning. Speech-to-text transcription captures everything spoken in the audio track. Preview transcriptions to ensure no unintended personal data is rendered into a video.

  • Delete ingested source files after renders complete. If source media contains sensitive content, remove the files from your hosting or storage once rendering is finished.

  • Route output to your own S3 bucket or opt out of CDN hosting. For renders containing personal data, self-host the output rather than relying on Shotstack's CDN.

  • Treat output files as containing PII. Rendered text and captions are permanently embedded in output video and image files. Handle, store, and distribute output files in accordance with your data handling policies.
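The first two recommendations above, worked through as a small added example (my own code, not Shotstack's client library): the stored template carries only a {{ FIRST_NAME }} placeholder, the customer's name enters through the merge array at render time, and the callback URL carries an unguessable opaque reference that is resolved against a mapping kept on your own side. The {{ NAME }} placeholder syntax and the merge/callback request fields are assumed to match the Shotstack Edit API; the query-string checks are a heuristic guard, not an exhaustive PII detector.

```python
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Stored template: carries only a placeholder, never an actual customer value.
# The {{ NAME }} syntax and the merge/callback request fields are assumed to
# match the Shotstack Edit API; check them against the current API reference.
TEMPLATE = {
    "timeline": {"tracks": [{"clips": [{
        "asset": {"type": "title", "text": "Hello {{ FIRST_NAME }}"},
        "start": 0, "length": 5}]}]},
    "output": {"format": "mp4", "resolution": "sd"},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")  # nine or more phone-like chars
PII_KEYS = {"email", "name", "phone", "address"}

def callback_query_problems(url):
    """Return the query keys whose name or value looks like PII; [] means clean."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return [key for key, values in query.items()
            if key.lower() in PII_KEYS
            or any(EMAIL_RE.search(v) or PHONE_RE.search(v) for v in values)]

def template_is_clean(template, render_values):
    """A saved template must hold placeholders, not any per-render value."""
    text = json.dumps(template)
    return "{{" in text and not any(v in text for v in render_values)

def build_render_request(first_name, callback_base, ref_store):
    """Assemble the render request. The name enters only via the merge array;
    the callback carries an unguessable opaque reference whose mapping to the
    customer record lives in ref_store on our side, not in the render record."""
    ref = secrets.token_urlsafe(16)
    ref_store[ref] = {"first_name": first_name}
    parts = urlparse(callback_base)
    callback = urlunparse(parts._replace(query=urlencode({"ref": ref})))
    if callback_query_problems(callback):
        raise ValueError("PII-looking callback query parameters: " + callback)
    return {**TEMPLATE,
            "merge": [{"find": "FIRST_NAME", "replace": first_name}],
            "callback": callback}

def customer_for_callback(url, ref_store):
    """On webhook receipt, resolve the opaque reference locally; None if unknown."""
    ref = parse_qs(urlparse(url).query).get("ref", [None])[0]
    return ref_store.get(ref)
```

Because the reference is random rather than a sequential record ID, a webhook receiver that looks it up in ref_store also rejects callbacks carrying guessed references.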

Further information

For questions about data processing, deletion requests, or to request a Data Processing Agreement for your organization, contact [email protected].