Privacy Policy

Last updated: 26 January 2026

This Privacy Policy explains how Avenelle OÜ, a company incorporated under the laws of the Republic of Estonia (the "Company", "we", "us", "our"), collects, uses, stores, and protects personal data when you access or use our website and services (the "Service").

This Privacy Policy forms an integral part of the Terms of Service.

We value transparency and data protection. This Policy is intended to clearly explain what personal data is processed, for what purposes, on what legal basis, how long it is retained, and what rights you have under applicable data protection laws.

This Policy is drafted in accordance with:

● Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR);
● the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus);
● Directive 2002/58/EC (ePrivacy Directive), where applicable;
● other applicable EU and Estonian civil and consumer protection laws.


1. Data Controller

The data controller responsible for processing your personal data is:

Avenelle OÜ
Registration number: 17420427
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Pärnu mnt 105, 11312, Republic of Estonia
Email: privacy@roomora.space

Data Protection Officer (DPO). The Company has not appointed a Data Protection Officer, as it does not carry out large-scale systematic monitoring or processing of special categories of personal data within the meaning of Article 37 GDPR.


2. Categories of Personal Data We Process

We process only personal data that is necessary for providing the Service.

2.1 Identification & Contact Data

● email address;
● name or business name (if provided);
● account credentials.

2.2 Account & Order Data

● selected services and order details;
● payment status and transaction references;
● invoices and billing information.

The Company does not store full payment card details.

2.3 Communication Data

● messages submitted via contact forms;
● emails exchanged with customer support or legal teams.

2.4 Technical & Usage Data

● IP address (anonymized or truncated where possible);
● browser type, device type, operating system;
● access logs, timestamps, and interaction data (aggregated).

2.5 Content Data (Input / Output)

● Input Content (images uploaded by the user), which may incidentally include personal data;
● Output Content (AI-generated images) associated with the user account;
● generation metadata (timestamps, settings selected).

User instruction / sensitive data notice. Users are instructed not to upload personal data of third parties or special categories of personal data within the meaning of Article 9 GDPR. The Company does not intentionally process such data. If such data is uploaded, it may be processed incidentally to provide the Service and may be restricted, removed, or deleted where feasible.


3. Purposes of Processing

Personal data is processed strictly for the following purposes:

● providing and performing ordered Services;
● managing user accounts and order history;
● processing payments and refunds;
● responding to inquiries and support requests;
● ensuring platform security, integrity, and fraud prevention;
● complying with legal, accounting, and regulatory obligations.

The Company does not use personal data for advertising profiling, behavioral targeting, or resale. The Company does not use Input Content to train or improve AI models.


4. Privacy-by-Design & Data Minimization

The Company applies the principles of privacy-by-design and privacy-by-default in accordance with Article 25 GDPR. Personal data is:

● collected only where strictly necessary;
● processed only for clearly defined and legitimate purposes;
● limited in scope, access, and retention period.

Where technically feasible, data is anonymized, aggregated, or pseudonymized to reduce privacy risks.


5. Legal Bases for Processing (GDPR)

Personal data is processed on the following legal bases:

● Article 6(1)(b) GDPR – performance of a contract;
● Article 6(1)(c) GDPR – compliance with legal obligations;
● Article 6(1)(f) GDPR – legitimate interests (security, fraud prevention, service stability);
● Article 6(1)(a) GDPR – consent, where required (e.g. analytics cookies).


6. Payments

Payments are processed via certified third-party payment service providers (PSPs). The Company:

● does not store or process full payment card data;
● receives only limited transaction metadata necessary for accounting and support.

Payment providers process personal data in accordance with their own privacy policies and applicable financial regulations.


7. Data Sharing & Disclosure

Personal data may be shared only with:

● payment service providers;
● IT, hosting, infrastructure, and security providers;
● professional advisors (legal, accounting), where required;
● public authorities, where legally required.

All third parties are bound by confidentiality and data protection obligations. The Company does not sell, rent, or trade personal data.

7.1 Sub-processors

The Company maintains a rigorous selection and assessment process for all sub-processors. Each sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures so that processing meets the requirements of the GDPR.


8. International Data Transfers

Personal data is primarily processed within the European Economic Area (EEA). Where personal data is transferred outside the EEA, the Company ensures an adequate level of protection by relying on:

● the EU–U.S. Data Privacy Framework, where applicable; or
● Standard Contractual Clauses (SCCs) approved by the European Commission.


9. Data Retention

Personal data is retained only for as long as necessary:

● Input Content — typically deleted or anonymized within 30 days;
● Output Content — stored until deleted by the user or up to 24 months if inactive;
● account and order data — for the contractual duration and statutory periods;
● billing and tax data — as required by Estonian law;
● communications — as necessary to resolve inquiries or disputes;
● technical and security logs — in accordance with operational requirements.


10. Data Security

The Company implements appropriate technical and organizational measures under Article 32 GDPR, including:

● encrypted connections and secure transmission protocols;
● access controls and role-based permissions;
● internal data minimization and segregation;
● monitoring for unauthorized access and misuse.

10.1 Security Transparency

All data transmissions are protected using TLS encryption. Access to personal data is limited to authorized personnel on a need-to-know basis.


11. Automated Decision-Making & Profiling

The Service uses automated processing to generate AI-based Output Content. The Company does not make automated decisions that produce legal or similarly significant effects within the meaning of Article 22 GDPR.


12. Personal Data Breach Handling

In the event of a personal data breach, the Company will notify supervisory authorities and affected users as required by Articles 33 and 34 GDPR.


13. User Rights (GDPR)

You have the right to:

● access your personal data;
● request rectification or erasure;
● restrict or object to processing;
● request data portability;
● withdraw consent;
● lodge a complaint with a supervisory authority.

Requests may be submitted to: privacy@roomora.space


14. Cookies & Tracking

Cookies are used strictly in accordance with the Cookies Policy. Non-essential cookies are used only after obtaining your consent.


15. Third-Party Links

The Website may contain links to third-party websites. The Company is not responsible for their privacy practices.


16. Children’s Privacy

The Service is intended for individuals aged 18+. We do not knowingly process personal data of minors.


17. Changes to This Privacy Policy

The Company may update this Privacy Policy from time to time. The latest version becomes effective upon publication.


18. Supervisory Authority

In Estonia, the competent supervisory authority is:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Address: Tatari 39, 10134 Tallinn, Estonia
Website: https://www.aki.ee


19. Contact

For privacy-related questions or requests, please contact: privacy@roomora.space