GDPR by architecture

GDPR-Compliant Video Editor with no data transfer

No uploadNo EU-to-third-country transferNo DPA needed

Most GDPR worries about online video editors come from one architectural fact: when you upload a video to a cloud editor, you are transferring personal data (the people in the video, the audio of their voices, the metadata of where and when it was recorded) to a third-party processor. That transfer triggers most of the heavy GDPR machinery: a Data Processing Agreement, lawful basis review, cross-border transfer mechanisms, breach notification procedures, the right to erasure across replicas.

Honest scope

This page describes how VidStudio satisfies the practical GDPR concern around video content. We are not a Data Protection Officer service, and this page is not legal advice. The architectural fact (your video stays on your device) is what makes most GDPR concerns inapplicable in the first place.

Try it now

The architecture above runs every tool below. Pick one to start.

Open the Video Editor

or jump directly to a tool

Auto Caption Compress Resize Trim Watermark Thumbnails

How this fits GDPR-Compliant Video Editor

VidStudio does not have any of that machinery because it does not have the transfer it would manage. The file you drop on the page is read by your browser tab. Speech recognition runs locally against a Whisper model that downloads once and caches in your browser. Video processing runs through FFmpeg compiled to WebAssembly, also locally. The captioned or compressed or trimmed output is written back to your disk. None of that involves a server-side processor that handles your video.

What we do collect, separately from your video, is standard product telemetry: page views, error reports (Sentry), and Core Web Vitals (Vercel Analytics). That telemetry is GDPR-relevant in its own right, and we follow the usual playbook for it: cookie consent, opt-out, the standard subprocessor list. The point is that the video itself is not on that list, because the video does not go anywhere.

The architectural points that do the work

No controller-to-processor transfer of video content

GDPR Article 28 requires a Data Processing Agreement between a data controller and any processor that handles personal data on the controller's behalf. Because VidStudio never receives your video, there is no processor relationship to formalise for that content.

No cross-border data flow

Cross-border transfers (especially EU-to-US) trigger Standard Contractual Clauses and Transfer Impact Assessments under Schrems II. None of that applies to a video that stays on your laptop in the country where you opened the browser.

Right to erasure is trivial

Closing the tab clears the working data. There is no backup, no log entry, no replica in three regions. The right-to-erasure obligation, which is operationally painful for cloud services, is satisfied by the architecture itself.

Cookie banner honesty

We do use product analytics (Vercel) and error tracking (Sentry). Those use cookies and are subject to consent. Our cookie banner reflects that. Neither system receives video content.

How to verify the GDPR-relevant claims yourself

01 Open DevTools

On any VidStudio tool page, open browser DevTools and switch to the Network panel.

02 Filter to fetch and XHR

Apply the Network panel's filter to fetch and XHR requests so you only see the application traffic.

03 Drop a video and run the tool

Drop any video file in and let the tool process it. Compress, resize, or generate captions, whichever flow you want to inspect.

04 Read the requests

You will see the application bundle, the WASM binary, and the Whisper model (first visit only). You will not see any request containing your video. That is the architectural claim, observed directly.

Frequently asked questions

Does GDPR apply to using VidStudio?

GDPR applies to anyone processing personal data of people in the EU and UK. If your video contains identifiable people, you are processing personal data when you edit it. The good news: VidStudio is not the processor; you are. The video stays on your device, so the cross-border processor question does not apply.

Do you sign a Data Processing Agreement?

For video content, no, because we do not act as a processor of that content. We do not see, store, or transmit it. For the small amount of telemetry we do collect (page views, error logs), the standard subprocessor terms apply through Vercel and Sentry.

Where is my video stored?

In your browser tab's memory while you are working with it. The browser may temporarily write to local OPFS storage for memory-efficient processing of large files; that storage is origin-bound and clears on cache purge or tab close. Nothing about your video is stored on our infrastructure.

What about the Whisper model download? Is that a transfer?

The Whisper model weights are bundled into our static build. When your browser fetches the model, it is fetching a static file the same way it fetches an image. The model is the same for every user; nothing about your video influences which model file is fetched.

Can I use VidStudio under a UK GDPR / EU GDPR / Swiss FADP regime?

Yes. The architectural fact is the same regardless of jurisdiction. The video does not leave your device, so the rules about transferring personal data to a processor do not apply to the video itself. Local telemetry rules (cookies, opt-out) still apply.

Is this legal advice?

No. This page describes our architecture. A privacy lawyer who knows your specific use case and jurisdiction should sign off on the actual compliance position. The point of this page is that the architecture removes most of the questions you would normally have to answer.