This policy explains what information Epitome collects when you use our website and platform, what we do with it, and the controls you have. It applies to producers, coordinators, and crew who interact with anything we publish at withepitome.com or run at app.withepitome.com.
Epitome is operated by Epitome Technologies, Inc. ("Epitome," "we," "us," or "our"), a company based in the United States. We build software that helps physical-production teams in film, television, and advertising plan a shoot — from call sheet to crew grid to schedule — by combining producer prompts, uploaded crew lists, and AI-generated production documents.
Our website is www.withepitome.com. The product itself runs at app.withepitome.com.
This policy is a starting point and may be updated as the product evolves. The version and effective date at the top of this page tell you which revision is in force.
We collect different categories of information depending on whether you're an account holder (a producer, coordinator, or other team member who signs in to the app) or a crew member whose information has been added by someone else for a production.
When you add crew to a project — typically by uploading a crew list or pasting one in — we process the personal information needed for that crew member to do their job. That can include:
When we receive crew information from you, we treat that crew member as a third-party data subject. You are responsible for making sure you have the right to share their information with us — see "Your rights" and our Terms of Service.
producers@epitome.film or any other support address.We use the information described above to:
We do not sell personal information, and we do not use your or your crew's data to train third-party AI models for anyone else's benefit. Production content you upload is used to generate output for your own production, not as training data for general-purpose models.
If you are in the European Economic Area, the United Kingdom, or another jurisdiction that requires us to identify a legal basis, we rely on:
For your own account information — your name, email, sign-in events, support tickets — Epitome acts as a controller. We decide what to collect and why.
For the crew personal information you upload in order to staff a production, Epitome acts as a processor on your behalf. You are the controller; we handle the data on your instructions, the way our software is designed to. If a crew member contacts us directly to exercise a right (access, deletion, correction), we will help, but we may need to coordinate with the producer who originally added them.
We rely on the following companies to run Epitome. The list is current as of the effective date above and may change; material changes will be reflected in this page.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Authentication, Postgres database, row-level security | United States |
| Railway | Backend application hosting | United States |
| Vercel | Frontend and marketing-site hosting, edge CDN | United States |
| Resend | Transactional email delivery | United States |
| Google Cloud (Gemini API) | Crew-list extraction and natural-language production assistance | United States |
| Google Maps Platform | Geocoding, location search, weather lookup | United States |
| logo.dev | Brand and client logo enrichment | United States |
We require each sub-processor to handle the data we send them only for the purposes described above and to maintain commercially reasonable security.
Epitome is operated from the United States, and most of our sub-processors store data there. If you access the service from another country, your information will be transferred to and processed in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses or equivalent mechanisms to legitimize the transfer.
We keep account and production data for as long as your account is active. When you ask us to delete an account, or when an account has been inactive for an extended period, we delete or anonymize the associated data within a reasonable window — typically within 90 days — except where we are required to retain it for legal, tax, or accounting reasons.
Backups are rotated continuously and are typically purged within 30 days, after which deleted data is no longer recoverable.
Aggregate analytics that contain no personal information may be retained indefinitely.
Depending on where you live, you may have the right to:
To exercise any of these, email privacy@withepitome.com. We respond to verified requests within 30 days, or sooner if the law in your jurisdiction requires it.
If you live in California, you have the right to know what categories of personal information we collect and disclose, the right to request deletion of your personal information, the right to correct inaccurate information, and the right to opt out of "sale" or "sharing" of personal information.
We do not sell personal information for money, and we do not share it for cross-context behavioral advertising. We do disclose personal information to the sub-processors listed above in order to provide the service.
To submit a verifiable consumer request, email privacy@withepitome.com with "California Privacy Request" in the subject line. You may also designate an authorized agent to make a request on your behalf.
We will not discriminate against you for exercising any of your CCPA rights.
If you live in the EEA, the UK, or Switzerland, the legal bases described in Section 04 apply, and you have the additional rights described in Articles 15–22 of the GDPR.
Epitome currently does not maintain an EU representative, as required activity is below the threshold; this will be revisited as our European customer base grows. In the meantime, you can contact us at privacy@withepitome.com for any GDPR matter.
We design Epitome with defense in depth. Data is encrypted in transit using TLS, encrypted at rest by our database provider, and protected at the row level inside Postgres so that organizations can only see their own records. Our authentication uses ES256 signed JSON Web Tokens validated against the Supabase JWKS on every request.
Access to production systems is limited to a small number of engineers, controlled by single sign-on and audited.
No system is perfectly secure. If you suspect your account has been compromised, email security@withepitome.com and we will investigate.
Epitome is a workplace tool, not directed to children, and we do not knowingly collect personal information from anyone under the age of 16. If a production includes minor talent or crew, the producer is responsible for handling that information in accordance with the laws applicable to their jurisdiction and union rules; Epitome is not the controller of that information.
If you believe a child's information has been provided to us, contact privacy@withepitome.com and we will delete it.
We will update this policy when our practices change. The version and effective date at the top of the page indicate the current revision. For material changes, we'll post a notice on the marketing site and, when appropriate, email account holders before the change takes effect.
For privacy questions or to exercise any right described above:
If you're unsatisfied with our response, you have the right to complain to a supervisory authority in your country of residence.