Privacy & Compliance

Privacy-by-Design Video API Patterns

Privacy-by-design means building privacy protection into the API itself — not bolting it on after. This guide covers the architectural patterns that make video APIs inherently private.

The Seven Privacy Principles Applied to APIs

Privacy-by-design originated with Ann Cavoukian's seven foundational principles. Here's how they apply to video API design:

  1. Proactive not reactive: Don't wait for breaches — prevent them architecturally
  2. Privacy as default: Maximum privacy with zero configuration
  3. Privacy embedded in design: Not a feature, an architecture
  4. Full functionality: Privacy AND utility, not privacy OR utility
  5. End-to-end security: From upload to deletion
  6. Visibility and transparency: Users know exactly what happens
  7. Respect for user privacy: User interests come first

Minimal Collection Patterns

Accept Only What You Need

Don't require metadata you won't use:

# Good - minimal required fields
POST /v1/enhance
{
  "video_url": "https://...",
  "output_format": "mp4"
}

# Bad - collecting unnecessary data
POST /v1/enhance
{
  "video_url": "https://...",
  "user_name": "...",      // Why?
  "user_email": "...",     // Why?
  "device_info": "...",    // Why?
}

Anonymous Processing

Allow processing without identifying the user:

  • API key identifies the account, not the end user
  • No user metadata required in requests
  • Correlation IDs are ephemeral, not persistent identifiers

No Telemetry on Content

Analytics should track usage patterns, not video content:

  • ✓ Track: request count, processing time, error rates
  • ✗ Don't track: video content, faces detected, objects in frame

Purpose Limitation Patterns

Single-Purpose Endpoints

Each endpoint does one thing:

  • /v1/enhance — enhances video, nothing else
  • /v1/transcode — transcodes, doesn't analyze
  • No "also analyze while you're at it"

No Secondary Use

Processed video is never:

  • Used for training
  • Aggregated for analytics
  • Shared with third parties
  • Retained beyond delivery

Explicit Processing Scope

The API response shows exactly what was done:

{
  "job_id": "job_abc123",
  "processing": {
    "operations": ["upscale_2x", "sharpen", "denoise"],
    "model_version": "real-esrgan-x2plus-v1.4",
    "no_face_restoration": true
  }
}

Storage Limitation Patterns

Automatic Expiration

All stored data has a built-in expiration:

  • Output URLs: 24 hours default
  • Job metadata: 30 days
  • Audit logs: 90 days

On-Demand Deletion

Users can delete immediately:

DELETE /v1/jobs/{job_id}

Response:
{
  "deleted": true,
  "deleted_at": "2026-07-11T14:30:00Z",
  "certificate_url": "https://..."  // Secure tier
}

No Retention Upgrade Path

There's no way to "keep it longer" after the fact. Retention must be specified at upload time.

Security by Default Patterns

Encryption Required

  • HTTPS-only — no HTTP endpoints
  • TLS 1.3 minimum
  • Certificate pinning for SDKs

Authentication Always

  • No anonymous endpoints
  • API key required on every request
  • Key rotation support

Rate Limiting and Abuse Prevention

  • Per-key rate limits
  • Abuse detection (unusual patterns)
  • Automatic throttling

Fail Secure

When something goes wrong, fail toward privacy:

  • Processing error → delete input and output
  • Network timeout → container destroyed
  • Authentication failure → no access, full stop

Frequently Asked Questions

Privacy-by-policy is a promise: 'we won't share your data.' Privacy-by-design is an architecture: 'we can't share your data.' One requires trust, one requires verification.

Yes — your API key identifies your account for billing, but you don't need to provide any end-user identifying information in your requests.

Every job response includes the exact operations performed, model versions used, and parameters applied.

Ready to get started?

Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.