Privacy Policy
Effective date: 2026-06-28
Guillotine is an on-device, non-linear video editor for Android, tablets, and Chromebooks. In short: Guillotine has no servers of its own, no account system, and no first-party analytics. Your media and projects stay on your device unless you choose to use a third-party AI service. The app does show ads via Google AdMob (see “Advertising” below) and uses your device’s advertising identifier for that purpose.
The short version
- We (the developer) do not collect, store, or receive your data on any server we control.
- We do show ads through Google AdMob, which collects your device’s advertising ID and related data to serve and measure ads — the one third-party SDK in the app.
- Editing, playback, thumbnails, waveforms, all frame/audio analysis (ML Kit + MediaPipe vision and the local silence heuristic), an optional on-device LLM, and on-device speech recognition (Vosk) all run locally on your device. Your video is never uploaded for analysis — cloud AIs only ever act as text controllers (see below).
- The app only sends data over the network when you trigger an action that uses a third-party service you configured (a cloud AI controller, image generation, or crash reporting).
- API keys you enter are encrypted on your device and are sent only to the matching provider, only in requests you initiate.
Information stored on your device
The app stores the following locally (in app-private storage), not on any server we run:
- Projects — your timeline, edits, keyframes, text, and settings, auto-saved so work is not lost and restored on next launch.
- Media references — links (URIs) to the video/audio/image files you import. The app keeps read access to those files; it does not copy or upload them.
- Settings — including AI provider choice, selected models, prompt history, and a crash-relay URL (if you set one).
- API keys — encrypted at rest using Android’s Jetpack Security (
EncryptedSharedPreferences, backed by the Android Keystore).
Uninstalling the app removes this local data.
Third-party AI services (only when you use them)
Guillotine lets you use external AI services by bringing your own API key. When, and only when, you run one of these actions, the relevant content is sent directly from your device to the provider you selected — it does not pass through any server we operate:
- AI assistant / editing control — when you use a cloud AI (Google Gemini, OpenAI, Anthropic, OpenRouter, Groq, xAI, or Mistral) as the assistant, only text is exchanged: your instructions and the project/timeline state go to the provider, and it replies with tool calls that drive the editor. The provider does not receive your media or frames — the actual keep/remove analysis and any background removal run on your device (ML Kit + MediaPipe). The free on-device LLM brain keeps even that text local.
- Generative object removal — the object is detected and masked on-device; only the individual masked frame(s) + mask are sent to Leonardo.ai (with your key) to be repainted.
- Image generation — your text prompt is sent to Leonardo.ai (with your key) or, for the free no-key option, to Pollinations.ai.
- Transcription / captions — handled on-device with Vosk if you configure a local speech model; otherwise audio is sent to OpenAI Whisper using your key.
Your use of these services is governed by their privacy policies and terms. Free, no-key on-device options (ML Kit vision, Vosk speech, the local heuristic analyzer) never transmit your media off the device. Representative provider policies: Google Gemini, OpenAI, Anthropic, OpenRouter, Groq, xAI, Mistral, Leonardo.ai, Pollinations.ai.
Crash reporting (optional, off by default)
Crash reporting is disabled unless you enter a crash-relay URL in Settings. If you enable it, then after a crash the app captures a report and sends it — on the next launch — to the relay endpoint you configured (which you host), which files it as an issue in your project’s issue tracker. A report contains:
- the exception type and stack trace,
- device model, Android version, and app version,
- a short slice of the app’s own recent log output (logcat).
These technical logs could incidentally include text relevant to the crash. Reports go only to the endpoint you set up; if you never set a relay URL, nothing is sent. The credential used to file issues lives in your relay’s server-side secret and is never included in the app.
Automation interface (MCP) and optional cloud relay
For power users and AI tooling, Guillotine runs a small local automation server (the Model Context Protocol, MCP) while the editor is open. It lets an external AI tool read and edit the current project — list clips, set prompts, run analysis, apply edits. It carries your project/editing data, not your media files, and:
- access requires a bearer token shown in Settings — a request without it is rejected;
- it does not send anything on its own — it only responds to a tool you connect.
Optionally, you can enable an encrypted cloud relay so a tool can reach the editor without being on the same network. When enabled, the app opens an outbound, encrypted connection to a Cloudflare Worker that you deploy and configure. Messages are end-to-end encrypted with a key derived from your MCP token, so the relay only ever passes ciphertext between your tool and the app and cannot read your editing traffic. This relay is off by default; if you never enable it, the app makes no such connection.
Advertising (Google AdMob)
Guillotine displays ads served by Google AdMob — an app-open ad on launch, a bottom banner, and an interstitial shown when you start an export. To serve and measure these ads, the Google Mobile Ads SDK collects your device’s advertising identifier (AD_ID) and related technical/usage data. This data is processed by Google, not by us, and is governed by how Google uses information from apps that use its services and Google AdMob privacy. Where required by law (e.g., the EEA/UK), a consent prompt governs whether personalized ads are shown; you can also reset or limit ad personalization in Settings → Google → Ads.
Permissions
- Internet — to call the AI providers, the ad service, the crash relay you configure, and (if you enable it) the MCP cloud relay you configure.
- Advertising ID (
com.google.android.gms.permission.AD_ID) — used by Google AdMob to serve ads. - Storage access (Storage Access Framework) — only the specific media files you pick are accessible to the app; it does not scan your library.
- Media output (MediaStore) — to save exported videos to your Movies folder.
- Notifications + foreground service (
POST_NOTIFICATIONS,FOREGROUND_SERVICE,FOREGROUND_SERVICE_MEDIA_PROCESSING,WAKE_LOCK) — to keep a long operation (analysis, generative removal, or export) running with a progress notification while the app is in the background. Purely local; nothing is transmitted.
The app does not request location, contacts, the microphone, or the camera; it only works with media you explicitly import.
Analytics and tracking
Children’s privacy
Guillotine is a general-purpose creative tool and is not directed at children under 13. It does not knowingly collect personal information from children.
Data retention and deletion
- Local data persists until you delete a project, clear the app’s storage, or uninstall.
- To stop using a third-party provider, remove its API key in Settings.
- To stop crash reporting, clear the crash-relay URL in Settings.
- Content already sent to a third-party provider is subject to that provider’s retention policy.
Changes to this policy
If this policy changes, the “Effective date” above will be updated and the revised version will be published in the app’s repository.
Contact
Questions about this policy: open an issue at github.com/HereLiesAz/Guillotine/issues or email hereliesaz@gmail.com.