Privacy Policy
Effective Date: February 4, 2026 — Last Updated: February 4, 2026
1. Identity and Data Roles
This Privacy Policy describes how EuroRaven, s.r.o. (operating as Xroad Studio, hereinafter "we", "us", or "our"), a company organized under the laws of the Czech Republic, IČO: 17874904, with its registered office at Korunní 2569/108, Vinohrady, 101 00 Praha, processes personal data.
We act as:
- Data Controller: For Account Data and Financial Metadata under the EU GDPR and applicable United States State Privacy Laws.
- Data Processor: For the Creative Inputs (prompts, images, videos) you upload; we process this data solely on your behalf to facilitate AI generation.
Contact: [email protected]
2. Categories of Data Collected
We collect information you knowingly provide and technical data collected automatically:
- Account Data: Email address and authentication tokens.
- Creative Inputs (Content): Text prompts, images, or video files you upload for AI processing.
- Biometric and Likeness Data: If you upload content containing human faces, we process facial geometry to map features. By uploading such content, you explicitly consent to the processing of this data for the sole purpose of content generation. You may withdraw this consent at any time by deleting your account or contacting support; however, this will prevent the use of features requiring facial mapping.
- Support Data: Information shared during communication with our support team.
3. Technical Data and Safety
- Connection Data: IP address, browser type, and operating system.
- Safety Telemetry: Data processed to comply with our legal obligations under the EU AI Act and other applicable safety regulations to prevent the generation of harmful, illegal, or non-consensual content.
- API Logs: Success/failure responses from AI providers to manage credit consumption and troubleshoot technical errors.
- Developer API Request Logs: For Creator and Business subscribers using our public posting API, we record the timestamp and originating IP address of each request against the API key used. These logs are retained for 90 days and used solely for abuse prevention and account security.
4. Financial and Payment Data
Xroad Studio utilizes an Authorized Reseller and Merchant of Record (MoR) model.
- No Direct Collection: We do not collect or store credit card numbers or full billing addresses.
- Reseller Role: All payment data is handled exclusively by our MoRs. They act as separate Data Controllers for your payment details. We receive only a confirmation of successful payment and the country of origin for tax compliance.
5. Storage and Cookies
We use browser-based storage (cookies/localStorage) for essential functionality:
- Authentication: Necessary cookies to maintain your login status (Supabase).
- Job Persistence: We store Job IDs and generation status locally and in our database for up to one year to ensure your history remains available throughout your subscription.
Managing Preferences: You can accept or reject analytics cookies via our cookie banner when you first visit. To change your preferences later, clear your browser storage and refresh the page to see the banner again, or adjust cookie settings in your browser.
6. Analytics Monitoring
With your consent via our cookie banner, we use PostHog to track anonymous interactions to optimize the user interface and platform performance.
7. Purposes of Processing
We process data under the following legal grounds (GDPR Article 6):
- Contract: Delivering the AI assets you generate.
- Legitimate Interest: Platform security, fraud prevention, and safety monitoring.
- Consent: Non-essential analytics and biometric feature mapping.
- Legal Obligation: Tax, accounting, and safety compliance.
8. AI Data Governance & No-Training Promise
- No Training: Your private Inputs and generated Outputs are not used to train, retrain, or improve foundational AI models.
- Provider Contracts: We utilize enterprise-tier APIs that are contractually prohibited from using your data for their own model development.
- No Public Gallery: Xroad Studio is a private creative environment. We do not feature user-created content in public galleries or marketing materials without explicit, separate written consent.
9. Data Sharing & Sub-Processors
We share data only with strictly necessary recipients to provide the Services. We may update our sub-processors as our technology evolves:
- Generative AI Engines: Specialized third-party APIs for media generation. Processing by these engines is also subject to their respective privacy and safety policies.
- Cloud Infrastructure: Supabase (Database), Hetzner (Asset Storage), and Vercel/Render (Hosting).
- Compliance: Our Authorized MoR for global payments.
10. International Data Transfers
Our primary infrastructure is located in the European Union. However, specific AI models and sub-processors may process data on secure servers in the United States. We ensure protection by relying on the EU-US Data Privacy Framework (DPF) for certified providers and Standard Contractual Clauses (SCCs) for providers not covered by the DPF.
11. Data Retention and Purging
- History Storage: Assets are stored for up to one year (based on your specific plan).
- Account Deletion: Upon account termination or a valid deletion request, all personal data and creative assets will be permanently purged within 30 days.
- Financials: Transaction confirmation metadata is kept for 5 years for tax audit purposes.
12. Data Security
We implement industry-standard security controls, including TLS 1.3 encryption. In the event of a security breach, we will notify you and the Czech Office for Personal Data Protection (UOOU) in accordance with GDPR Article 33.
13. Your Rights (GDPR & US Regional)
Users in the EEA, UK, and applicable US states have the following rights:
- Access & Portability: Request a copy of your personal data.
- Rectification & Erasure: Request correction or permanent deletion of your account.
- Withdraw Consent: Withdraw consent for biometric processing at any time.
- No Sale or Sharing: Xroad Studio does not sell your personal data or creative inputs to third parties for monetary or other valuable consideration.
To Exercise Rights: Contact us at [email protected] from the email associated with your account. We will respond to all valid requests within 30 days.
Right to Lodge a Complaint (GDPR Art. 77): If you are located in the EEA and believe we have processed your personal data unlawfully, you have the right to lodge a complaint with the supervisory authority in your country of residence. Our lead supervisory authority is the Office for Personal Data Protection of the Czech Republic (UOOU) — uoou.gov.cz.
14. Age Limitations
Our services are strictly intended for individuals 18 years of age or older. We do not knowingly collect personal data from minors. If we become aware of an account belonging to a minor, we will terminate it and remove all associated data immediately.
15. Policy Updates
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website, updating the "Last Updated" date, and, where appropriate, notifying you via email. We encourage you to review this policy periodically.
16. Contact
EuroRaven, s.r.o.
Korunní 2569/108, Vinohrady
101 00 Praha, Czech Republic
IČO: 17874904
Email: [email protected]