[ Legal · Privacy ]
Privacy Policy
Last updated May 10, 2026
This Privacy Policy describes how North Model Labs, Inc. (“NORTH”, “we”, “us”) collects, uses, and shares information when you visit northmodellabs.com, use the public demos on our marketing site, contact us through the partnerships form, or use the NORTH Realtime Avatar API and Dashboard.
This page covers the public marketing site and demos. Use of the NORTH API by authenticated developers is governed additionally by the data-processing terms in your customer agreement.
1. What we collect
1.1 Marketing site visitors
The marketing site does not run third-party analytics, advertising pixels, or session-replay tools. Server logs at our hosting provider (Vercel) record the IP address, user agent, and URL of every request for operational and security purposes. These logs are rotated by Vercel and we do not aggregate them into a profile.
1.2 Public demos (no signup required)
When you use the realtime or offline demo on the homepage, we process:
- The face image you upload. The image is uploaded to our API for the duration of the demo session and is not retained for training, advertising, or any other purpose. Realtime demo sessions are terminated and deleted automatically within 60 seconds. Offline-generated clips are stored briefly so you can play them back, then expire.
- The text script (offline demo only), used to generate the lip-synced clip.
- Your IP address, used to enforce per-visitor and global rate limits on the demo. The IP is not stored in any persistent database and is not associated with the uploaded image.
Biometric note. Some jurisdictions, including Illinois (BIPA), Texas (CUBI), and the European Union (GDPR Article 9), treat face-image data as biometric or specially-protected personal data. We process face images only as ephemeral inputs to render the demo and do not derive, store, or sell biometric identifiers from them. If you do not consent to this processing, please do not upload a face image.
1.3 Partnership / contact form
When you submit the partnership form on /partnerships, we collect the fields you provide (name, email, company domain, message). These are sent by our transactional-email provider (Resend) to the NORTH team and stored in our email inbox.
1.4 Dashboard, API, and SDK users
If you sign up for the NORTH Dashboard, you also enter into our authentication provider's flow (Clerk). Clerk handles account creation, login, password reset, and session management. We receive your email address, name, and account identifier from Clerk. API and SDK usage generates per-key usage records (count of requests, GPU-seconds consumed, error rates) used for billing and operational metrics.
2. How we use it
- To operate and secure the marketing site and demos.
- To respond to contact form messages and partnership inquiries.
- To authenticate Dashboard users and provision API keys.
- To bill for API usage and enforce rate limits and quotas.
- To debug, monitor, and improve the service.
We do not sell personal data. We do not use face images or text scripts uploaded through the public demos to train, fine-tune, or evaluate any model.
3. Sub-processors
We use a small number of vendors to operate the service. Each is bound by contractual confidentiality and security terms.
- Vercel — Web hosting and serverless functions (United States).
- Clerk — Authentication for the Dashboard (United States).
- Tigris Data — Object storage for sample avatar media (United States).
- Resend — Transactional email for the contact form (United States).
- ElevenLabs — Text-to-speech for the homepage demo audio (United States).
- NORTH Atlas inference infrastructure — Hosted GPU inference for the avatar model (United States and partner regions for enterprise customers).
4. Retention
- Demo face uploads: ephemeral. Realtime sessions are torn down within ~60 seconds. Offline-generated clips expire automatically.
- Contact form submissions: retained in our email inbox indefinitely unless you ask us to delete them.
- Dashboard account data: retained while your account is active; deleted on request (see Section 7).
- API usage records: retained for at least 12 months for billing, audit, and security purposes.
- Server logs:retained per Vercel's default log-retention policy.
5. Security
All traffic to and from the site is encrypted in transit over HTTPS. We enforce a strict Content Security Policy, deny framing, restrict referrer information, and rate-limit state-changing endpoints. Demo uploads are validated for file type and size before being forwarded to inference. We do not store payment information; billing is handled by our processor.
6. International users
Our servers are located in the United States. By using the site from outside the United States, you consent to the transfer and processing of your data in the United States and other countries where our sub-processors operate. For EU/UK visitors: we rely on Standard Contractual Clauses with sub-processors that operate outside the EU/UK where required.
7. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete personal data we hold about you, to object to certain processing, or to lodge a complaint with a data protection authority. To exercise any of these rights, email eric@northmodellabs.com. We will respond within 30 days.
8. Children
The service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
9. Changes
We may update this Privacy Policy from time to time. Material changes will be reflected in the “Last updated” date at the top of this page and announced through the Dashboard where appropriate.
10. Contact
Questions about this policy or about how we handle your data? Email eric@northmodellabs.com.