Privacy Policy

Last Updated: July 4, 2026

1. Who We Are

This Privacy Policy describes how [Company Legal Name] ("Roomlio", "we", "us", or "our") collects, uses, and discloses personal information when you use the Roomlio website and services (the "Service"). For the purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, [Company Legal Name] is the data controller for the personal information described in this Policy.

If you have any questions about this Policy or wish to exercise your rights, contact us at team@roomlio.space.

2. Personal Information We Collect

We collect the following categories of personal information:

  • Account information: Name, email address, password (stored hashed), and authentication provider identifiers (e.g., Google account ID if you sign in with Google).
  • Subscription and billing information: Plan, billing interval, subscription status, billing period dates, and the Stripe customer/subscription identifiers. Payment card details are processed and stored solely by Stripe — we never see or store your card number.
  • Generation content: Images and prompts you upload or submit, and the AI-generated output produced from them.
  • Usage data: Logs of features used, credits consumed, request timestamps, and error events.
  • Device and technical data: IP address, browser type and version, operating system, referring URL, and pages visited.
  • Communications: The contents of messages you send us (e.g., support requests).
  • Cookies and similar technologies: See our Cookie Policy.

3. How We Use Personal Information

We process personal information for the following purposes:

  • To create and maintain your account and provide the Service.
  • To process payments, manage subscriptions, and prevent payment fraud.
  • To generate images and videos from the prompts and images you submit.
  • To communicate with you about your account, security alerts, billing, and product updates.
  • To monitor, debug, and improve the Service.
  • To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
  • To comply with legal obligations.

4. Legal Basis for Processing (EU/UK Users)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): to provide the Service and process payments.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, debug, and improve the product. You may object to this processing at any time.
  • Consent (Art. 6(1)(a)): for non-essential cookies and direct marketing. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)): to retain billing and tax records as required by law.

5. Sub-Processors and Service Providers

We share personal information with the following third parties who process it on our behalf, under contracts that include appropriate confidentiality and data-protection obligations:

  • Supabase — authentication, database, and storage hosting (United States).
  • Stripe, Inc. — payment processing, subscription management, fraud prevention (United States). See Stripe's Privacy Policy.
  • Google LLC — Google Analytics and (optionally) Google sign-in (United States). See Google's Privacy Policy.
  • Resend — Email delivery provider, transactional emails (e.g., password resets, billing notifications).

We do not sell personal information, and we do not share it for cross-context behavioural advertising. We may disclose information when required by law, court order, or to protect our rights, our users, or the public.

6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA) or the United Kingdom, including in the United States. Where personal information is transferred outside the EEA/UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the EU-U.S. Data Privacy Framework (where applicable), and the UK International Data Transfer Addendum. Copies of these safeguards are available on request at team@roomlio.space.

7. Data Retention

We retain personal information only as long as necessary for the purposes set out above:

  • Account data: for the lifetime of your account. When you delete your account, account data is removed from our active systems within 30 days, except where retention is required by law.
  • Billing records: retained for the period required by applicable tax and accounting law (typically 6–10 years).
  • Generation content: retained while your account is active, deleted within 30 days of account deletion.
  • Usage logs and analytics: retained for up to 26 months in identifiable form.
  • Backups: deleted data may persist in encrypted backups for up to 90 days before being overwritten.

8. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your personal information (right to erasure).
  • Restrict or object to processing carried out under legitimate interests.
  • Receive a copy of your personal information in a portable format (data portability).
  • Withdraw consent, where processing is based on consent.
  • Lodge a complaint with a supervisory authority. EU residents can find their local authority at edpb.europa.eu; UK residents can contact the Information Commissioner's Office at ico.org.uk.

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect, to request deletion, to correct inaccurate information, and to opt out of sale/sharing for cross-context behavioural advertising (we do not sell or share for this purpose).

To exercise any of these rights, email team@roomlio.space from the email address associated with your account. We will respond within the timeframes required by applicable law (generally one month under GDPR; 45 days under CCPA). You can also delete your account directly from Account Settings, which will cancel any active Stripe subscription and delete your personal information.

9. Children's Privacy

The Service is not directed to children under the age of 16 (or the higher age set by your country's data-protection law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

10. Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), encryption at rest, role-based access controls, secret management, and regular security reviews. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.

11. Automated Decision-Making

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. AI generation features process your inputs to produce output but do not result in legal decisions about you.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on this page and updating the "Last Updated" date above, and, where required by law, by sending you an email. Continued use of the Service after a change takes effect constitutes acceptance of the updated Policy.

13. Contact Us

If you have any questions about this Privacy Policy, or to exercise your rights, contact us at:

[Company Legal Name]
[Registered Address]
Email: team@roomlio.space

© 2026 Roomlio. All rights reserved.