1. What Information We Collect

Below, we explain what types of data we collect when you use our Services.

User Content

We may collect and use your personal information when you register online or use our Services, such as personal identification information (name, email address, phone number), your biometric information, including any input, file or image uploads, or feedback you provide. We may also collect information about how you use our Services. This includes the types of content you view or engage with, the features you use, and the actions you take.

The collection and processing of your personal information is lawful as it is obtained with your consent and is necessary to provide customized Services and ensure security of your data.

Technical Information

We may collect certain types of personal information automatically when you use our Services. This includes the following types of information:

Log Data: This refers to information that is automatically sent by your browser whenever you visit our website. It includes your Internet Protocol (IP) address, browser type and settings, the date and time of your request, and details of how you interacted with our website.

Usage Data: Additionally, we may collect details such as your time zone, country, user agent and version, type of computer or mobile device, computer connection, and similar information.Such data processing is carried out solely to make the use of our Services possible—for example, by establishing a connection or managing the session technically.

The collection of technical information is required to offer innovative Services, to improve our Services, and to enhance customer experience and satisfaction.

Communication Information

Additionally, if you communicate with us, we may collect your name, company name, job title, role, contact information, and the content of your messages. Processing of your personal communication is necessary to respond to the user queries, provide the highest quality of Services and to improve our business.

Social Media Information

When you interact with our social media pages on platforms like Instagram, Facebook, Medium, Twitter, YouTube, and LinkedIn, we may process personal information from you, such as your contact details and your profile information. We process information solely for the improvement and innovation of new technologies, and engagement with our users and consumers. Below, we provide you with an overview of the personal data processing activities that occur when you visit our profile pages.

Remember, you are not obliged to provide us with personal data on your social media in this context. However, certain functionalities of our profile pages may require processing of personal data. These functionalities will not be available or will be limited if certain data is not shared or processed.

Be mindful that when you visit our social media profiles, your personal data may be processed not only by us but often also by the operators of the respective social network. This may also happen even if you do not have a profile on the respective social network. The individual data processing operations and their scope vary depending on the operator of the respective social network. Therefore, for details on the collection and storage of your personal data as well as the nature, scope, and purpose of its use by the operator of the respective social network, you should refer additionally to the privacy policies of the respective social network operators. We strongly encourage you to review the privacy policies of any third‑party platforms you access from our services, as we are not responsible for their data practices, and while we take reasonable measures to safeguard your personal data and require our service providers to process it in accordance with applicable data protection laws (including GDPR), your interactions with those third‑party platforms are governed solely by their own terms and policies.

• The privacy policy for Instagram, operated by Meta Platforms Ireland Limited:: https://privacycenter.instagram.com/policy
• The privacy policy for X (Twitter): https://privacy.x.com/en
• The privacy policy for Youtube: https://policies.google.com/privacy?hl=en-US

We process your personal data in connection with our profile pages primarily to promote our Services and to communicate with interested parties or customers.

In some cases, regarding certain processing activities related to fan pages, we act jointly with the respective social network operator. For example, with regard to Instagram, we may be jointly responsible with Meta to a certain extent for the processing of so-called “Insights Data,” insofar as the processed data is used for the creation of “Page Insights.” In such cases, you may also exercise your personal data rights (e.g., access requests) directly against Meta. Apart from the aforementioned processing concerning Insights Data, we are solely responsible for any other processing related to Instagram by us (for example, if you contact us via Instagram and we process your data such as your name, login information and communication outside of Instagram to respond to your inquiry).

We are not required to notify you of the processing of your personal data in such circumstances to the extent allowed by law.

Cookies, and Analytics: We may collect the following information

When you use our Services, we use cookies and similar technologies to enhance your experience, remember your preferences, and analyze usage patterns. Non-essential cookies, such as those used for analytics or advertising, will only be set with your consent, which you can manage or withdraw at any time through our cookie settings. However, refusing a cookie may prevent you from using certain features or negatively impact the display and functionality of a website. We may use third-party analytics services that process information in accordance with data protection laws and appropriate safeguards.

What Are Cookies? Cookies are small text files that are stored on your device (computer, tablet, or mobile) when you visit a website. They help websites function properly, remember your preferences, and provide information to website owners about how users interact with the site.

Types of Cookies We Use:

• Essential Cookies: These cookies are necessary for the functionality of our Services and cannot be switched off in our systems. They are usually set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms.
• Analytics and Performance Cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Services.
• Functional Cookies: These cookies enhance functionality and personalization, such as remembering your preferences or settings.
• Advertising/Targeting Cookies: These cookies may be set by us or by third-party providers to build a profile of your interests and show you relevant advertisements on other sites.

2. How We Use Your Information

Improving our Services

We may use personal information and primary account data for specific purposes, including but not limited to providing, analyzing, and improving our Services, communicating with individuals, developing new programs and Services, preventing fraud and ensuring the security of our IT systems, complying with legal obligations, and protecting our rights, privacy, safety, or property, as well as those of our affiliates, users, or other third parties. We utilize the Content provided by users to enhance our Services, particularly in training the models that power Aiuta.

Our company prioritizes the aggregation and de-identification of personal information, for example, statistical data on geographic location of our users, age, gender, and trends. The main reasons for this are to analyze the effectiveness of our Services, enhance existing features, introduce new ones, and facilitate research. We also study the overall behavior and characteristics of our users. This aggregated information is shared with third parties. The collection of this aggregated information is carried out through our Services, using cookies, and other methods as outlined in this Privacy Policy. We take stringent measures to ensure that de-identified information remains anonymous and cannot be reidentified.

Use of Content

We utilize the Content provided by users to enhance our Services, particularly in training the models that power Aiuta. As part of our Privacy policy, your personal data may only be used for training our AI models with your express consent and opt-in function. You may withdraw your consent at any time by using our form for withdrawal of consent (Annex B). Once you withdraw your consent, your personal data will be removed as provided in Annex A. For detailed instructions on how users can choose not to have their Content used for training our models please contact us at legal@aiuta.com.

Cookies

We use cookies to:

• Ensure the proper functioning and security of our website and Services
• Remember your preferences and settings
• Analyze usage of our website to improve our Services
• Deliver relevant advertising (if applicable)

Managing your Cookie Preferences: When you first visit our website, you will see a cookie banner allowing you to accept or reject non-essential cookies. You can change your cookie preferences or withdraw your consent at any time by accessing the cookie settings on our Website or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of our Services. See Annex C for more information.

3. How We Share Your Information

Personal data collected in the context of using our Services will not be disclosed or otherwise transferred to third parties without your express consent, unless explicitly stated otherwise in this Privacy Policy.

An exception applies in cases where personal data must be disclosed due to a legal obligation (e.g., to public authorities or government bodies), insofar as we are legally required to do so. In such cases, the legal basis for the processing of your personal data is to comply with a legal obligation.

For the operation of the Services (such as website hosting), we may engage external service providers who process personal data on our behalf. These service providers process the data exclusively in accordance with our instructions.

We retain your access history and use details of the specific services you used, products or services you have used, chosen, or purchased to make suggestions to you for other products which we believe you will be interested in.

We retain and evaluate information on your recent visits to our website/platform and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive.

More information about retention policy for our Service users in EU, EEA, United Kingdom and Switzerland, please refer to Annex A (Data Retention Notice).

4. Data Security

We employ reasonable technical, administrative, and organizational measures to safeguard personal information from loss, misuse, unauthorized access, disclosure, alteration, or destruction, both online and offline. However, it's important to note that no Internet or email transmission is entirely secure or error-free. Specifically, emails sent to or from us may not be secure. Consequently, you should exercise caution when deciding what information you send to us via the Service or email. We also want to clarify that we are not responsible for any bypass of privacy settings or security measures on the Service or on third-party websites.

5. Data Retention

Unless a different storage period results from the other provisions of this Privacy Policy, we generally retain your personal data obtained in connection with the use of the Services only for the duration of consent or as long as necessary to fulfill the respective processing purpose. Thereafter, the data will only be retained to the extent and for as long as we are legally required to do so by applicable retention obligations.
If we no longer require your data for the purposes described above, it will be stored solely for the duration of the applicable legal retention period and will not be processed for any other purpose during that time.

Data retention notice for EU/EEA, United Kingdom and Switzerland are available here (See Annex A)

Anonymization of Data

We may anonymize or de-identify your personal information (so it can no longer be associated with you) for research or statistical purposes that we may share with third parties. In such cases, we may use this information indefinitely without further notice to you. If you are a user in the EEA, United Kingdom, and Switzerland, you will have the opportunity to opt-in for the use of your information for research or statistics as specified here.

6. Children's Privacy

With respect to children using our Services, we process certain personal data to identify children. We take reasonable steps to process personal data that is adequate, relevant, and limited to their identification with proper consent, and only as specified in the children’s data retention notice (Annex A).

Our Services are not designed for children under the age of 13. Aiuta does not intentionally gather personal information from children under the age of 13. If you suspect that a child under the age of 13 has provided personal information to Aiuta through our Services, please reach out to us at legal@aiuta.com. We will thoroughly investigate any such notifications and, if necessary, remove the Personal Information from our databases. If you are aged 13 or older but under 18, you must obtain consent from your parent or guardian to utilize our Services.

7. Your Rights

Depending on where you are located, whether it be the EEA, the UK, or anywhere else in the world, you may have certain legal rights regarding your personal information. These rights include the ability to:

• Access your personal information.
• Delete your personal information.
• Correct or update your personal information.
• Transfer your personal information elsewhere.
• Withdraw your consent to the processing of your personal information where we rely on consent as the legal basis for processing.
• Object to or restrict the processing of your personal information where we rely on legitimate interests as the legal basis for processing.
• Right to have your personal information erased. Your data may be automatically removed if you delete your account and request removal of all your personal data from our Services, including any identifiable data used in the training of AI models for which you expressly consented to. The data will be removed within 30 days from lodging the request for data removal. Your account registration and related data will then be automatically be removed.

If you believe that the processing of your personal data by us violates applicable data protection law, you have the right to lodge a complaint with the competent data protection supervisory authority.

We endeavor to protect your personal data through our organizational governance resources and comply with applicable laws and regulations. These include periodic data processing impact analyses, compliance reviews and audits under applicable data protection regulations.

If you have an Aiuta account, you can exercise these rights through your account. However, if you are unable to do so, please send your request to legal@aiuta.com.

8. International Data Transfers

Aiuta shares encrypted information internally across its offices and data centers, and externally with our partners/third parties to the extent such transfers are lawful, necessary, and based on legitimate purposes.

When you use our Service, you acknowledge and understand that your personal information will be transferred from your current location to our facilities and servers located in the United States and Canada, so data flows from the EU, EEA, United Kingdom, Switzerland to the US and Canada, and back. Aiuta will always use a lawful transfer mechanism to transfer your data outside of the designated countries including transfers based on an adequacy decision by an approved authority, standard contractual clauses or, where appropriate, derogations permitted by law. For example, we may transfer your data to operate and provide the services described in the Terms of Service, and to fix, analyze, and improve our Services.

Legal Basis for Processing (EEA, UK, or Swiss users)

• We process your personal information based on the following legal grounds:Fulfilling a contract with you when we provide and maintain our Services. This applies when we process account information, content, and technical information solely to provide our Services to you. If you do not provide this information, we might not be able to provide our Services to you.
• Our legitimate interests in protecting our Services from abuse, fraud, or security risks, as well as in developing, improving, or promoting our Services. This includes processing account information, content, social information, and technical information. Instructions on how you can opt out of our use of your information to train our models are available.
• Your consent when we ask for it to process your personal information for a specific purpose that we communicate to you. You have the right to withdraw your consent at any time.
• Compliance with our legal obligations when we use your personal information to comply with applicable law or when we protect our or our affiliates', users', or third parties' rights, safety, and property.

Data Controller

The data controller, in accordance with data protection law regarding our Services if you are in the EU, EEA, United Kingdom and Switzerland, is Aiuta Inc.

If you have any questions, concerns, or complaints regarding your data protection, you can contact us, in particular, via the following contact details:
Aiuta Inc., 850 New Burton Road, Suite 201, Dover, DE, United States
Email: legal@aiuta.com.

Legal Basis for Processing (Canadian users)

If you are located in Canada, the processing of your personal information is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. We collect, use, and disclose your personal information only with your knowledge and consent, except where otherwise permitted or required by law. By using our Services, you consent to the collection, use, and transfer of your personal information as described in this Privacy Policy. You may withdraw your consent at any time, subject to legal or contractual restrictions, by contacting us at legal@aiuta.com. We will inform you of the implications of withdrawing consent.

Transfers of your personal information from Canada to the United States are made in accordance with applicable Canadian privacy law. We take contractual and other measures to protect your information during such transfers. You may direct any inquiries or complaints regarding cross-border transfers to our privacy contact listed above.

9. California Privacy Rights

In accordance with the law and with certain exceptions, California residents have specific privacy rights concerning their personal information. These rights include the right to be informed about how we process your personal information, including the specific pieces of information we have collected from you. Additionally, you have the right to request the deletion of your personal information, to correct any inaccuracies, and to be free from discrimination when exercising your privacy rights. It is important to note that we do not sell or share personal information as defined by the California Consumer Privacy Act, as amended by the California Privacy Rights Act. Furthermore, we do not process sensitive personal information to make inferences about consumers. If you are a California resident and wish to exercise your CCPA privacy rights, please send your request to legal@aiuta.com.

Disclosure Of Personal Information

We provide a comprehensive and detailed explanation of how we disclose Personal Information. For more information on the personal information we collect, please refer to the section “What Information We Collect” above. To understand how we use personal information, please see the section “How We Use Your Information” above. Additionally, details on how we retain personal information can be found in the section “Data Security” above.

We disclose Identifiers, such as contact details, to our affiliates, vendors, service providers, law enforcement, and parties involved in transactions. This includes sharing Commercial Information, such as transaction history, network activity information, such as Content and how you interact with our Services, and geolocation data. Furthermore, we also share personal information, specifically your account login credentials, with our affiliates, vendors, service providers, law enforcement, and parties involved in transactions.

Verification

Verification is an essential step to safeguard your personal information from unauthorized access, alteration, or removal. Prior to allowing you to submit a request to know, correct, or delete your personal information, we may request you to verify your credentials. If you do not possess an account with us or if we suspect any fraudulent or malicious activity, we may require you to furnish supplementary personal information and proof of residency for the purpose of verification. If we are unable to verify your identity, we will be unable to fulfill your request to provide, correct, or delete your personal information.

Authorized Agents

You have the option to submit a rights request through an authorized agent. In such cases, the agent must present signed written permission to act on your behalf. Additionally, you may be required to independently verify your identity and submit proof of your residency with us. Authorized agent requests can be submitted to legal@aiuta.com.

10. Links To Other Websites

Our Aiuta Service may include links to websites that are not operated or controlled by Aiuta, such as social media platforms (referred to as “Third Party Sites”). Any information you share with these Third Party Sites will be governed by their specific privacy policies and terms of service, not this Privacy Policy. The inclusion of these links does not imply that Aiuta endorses or has reviewed these sites. To learn about the privacy practices and policies of these Third Party Sites, please contact them directly.

11. Changes To The Privacy Policy

We reserve the right to modify this Privacy Policy at any given time. When such changes occur, we will update the policy on this page, unless a different form of notice is mandated by applicable law.

Annex A — Data Retention Notice

Data Retention Notice for users in EU/EEA, United Kingdom and Switzerland

1. Data Retention

1.1 Active Accounts

Personal data processed for provision of the Services shall be retained for the duration of the contractual relationship.

1.2 Post-Termination

Following termination of the contractual relationship, consumer content shall be deleted or returned to the customer within 30-90 days.

Backup systems shall be overwritten according to standard backup cycles not exceeding 90–180 days.

1.3 Litigation

Your personal data may be retained beyond standard deletion periods where necessary for the establishment, exercise, or defense of legal claims (standard 3 years under civil law, and 6 years under UK contract/tort). Such data retention shall be restricted from active processing and retained only for legal and compliance purposes.

2. AI Training and Model Improvement Data

2.1 Lawful Basis

Your personal data is used for AI model training based on your explicit consent or legitimate interest, subject to document balancing test and the right to object. The legitimate interest is for example improvement of model accuracy, reduction of bias, enhancing security, and prevention of fraud.

2.2 Retention of Raw Training Data

Raw identifiable personal data that is used for AI model training shall be managed in accordance with strict retention procedures to ensure compliance with applicable data protection requirements.

• Such data will be retained only for the minimum period necessary to complete essential tasks including training validation, debugging processes, and quality assurance activities.
• The retention period for raw identifiable training data shall not exceed 12–24 months unless an extended period is justified by a clearly documented necessity.
• All retained raw training data will be subject to periodic review and deletion cycles to ensure that no data is kept longer than necessary.

2.3 Anonymization

Where feasible, personal data used for training AI models shall be handled with a focus on privacy protection.

Specifically:

• Personal data will be irreversibly anonymized whenever possible, ensuring that individuals can no longer be identified from the data.
• Alternatively, if anonymization is not feasible, data will be pseudonymized, with robust key management practices ensuring that only authorized personnel can re-identify individuals if absolutely necessary.

These practices support compliance with applicable data protection regulations and contribute to the safeguarding of individual privacy throughout the AI training lifecycle.

Once data is anonymized in accordance with GDPR standards, it is no longer classified as Personal Data.

2.4 Model Weights

Trained model parameters that do not permit re-identification of data subjects shall not be considered Personal Data and may be retained indefinitely.

If personal data can reasonably be reconstructed or inferred, retention shall follow applicable GDPR principles.

3. Retention of Log Files and Security Data

Server and access logs are maintained for a period of 14 days. This retention period may be extended if necessary to investigate an ongoing security incident. Extending retention is limited strictly to the needs of such investigations and only for as long as required to address the security concern. Security incident data will be retained for the entire duration of any investigation, and for any additional time required by applicable limitation periods. This ensures that all information relevant to the security incident is available for examination and compliance with legal or regulatory requirements.

4. Marketing and Analytics Data

This section outlines the retention policies for marketing and analytics data, ensuring that personal information related to marketing activities is managed in accordance with consent and inactivity guidelines.

4.1 Retention of Marketing Consent Records

Marketing consent records are retained for the duration of the individual’s consent and, following withdrawal, for a period of up to three (3) years solely for the purpose of demonstrating compliance with Article 7(1) GDPR and defending potential legal claims. During this post-withdrawal period, such records shall be restricted from further marketing use and retained only to the extent necessary to evidence consent history.

4.2 Deletion of Inactive Marketing Profiles

Marketing profiles that remain inactive for a duration of 24 months are subject to deletion. This practice ensures that outdated or unused personal data is not retained longer than necessary and supports the principle of data minimization.

5. Special Categories of Data

Special category data as defined in Article 9 Section 1 of the GDPR is afforded enhanced protection due to its sensitive nature.

5.1 Restrictions on Use for AI Training

Special category data shall not be utilized for AI training purposes unless explicit consent has been obtained, or another lawful basis is established. Any use of this data must be supported by appropriate legal grounds to ensure that individuals’ rights are protected.

5.2 Stricter Retention Limits

The retention of special category data is subject to more stringent limits compared to other types of personal information. Such data must only be kept for the shortest period necessary to fulfill the specific purpose for which it was collected, thereby minimizing risks associated with prolonged storage.

5.3 Deletion Upon Withdrawal of Consent

If an individual withdraws consent for the processing of special category data, such data must be deleted without undue delay. Any exceptions to immediate deletion are limited to cases where legal retention obligations require continued storage.

6. Special Categories of Data

Special category data is subject to enhanced protection due to its sensitive nature. The following requirements apply to the processing and retention of such data:

6.1 Restrictions on Use for AI Training

Special category data shall not be utilized for AI training models without explicit consent or the lawful basis permitting under applicable data protection law.

6.2 Stricter Retention Limits

This category of data is subject to stricter retention periods than other types of personal information. Retention must be limited to the shortest period necessary for the specific processing purpose.

6.3 Deletion After Withdrawal of Consent

If the user/consumer withdraws consent for the processing of special category data, such data will be deleted without undue delay unless there are overriding legal obligations that require continued retention.

7. Processor Deletion Obligations

Where the third party provider acts as a processor on behalf of the controller, the following obligations apply regarding the deletion and return of personal data.

7.1 Actions Upon Termination

Upon termination of the processing services, the provider must:

• Delete or return all personal data to the controller, in accordance with the controller’s instructions and choice.
• Delete any existing copies of the personal data, unless retention is required under applicable law.
• Provide written certification of the deletion of personal data upon request from the controller.

Retention of Children’s Data

1. General Principle

Children’s data, including biometric data, as well as images and photographs, shall be retained only for the minimum period strictly necessary to fulfill the specific purpose for which they were collected.

Such data must be kept in a form that permits their identification no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods only if the data are processed solely for archiving or statistical purposes and based on AIUTA’s technical and organizational safekeeping policies.

2. Ephemeral Processing

Where children’s images are processed solely for real-time service functionality (e.g., virtual try-on):

• Express parental consent must be obtained
• Images shall not be stored beyond the duration of the session
• Temporary technical copies shall be automatically deleted immediately after session termination
• No persistent storage shall occur unless expressly authorized under this Section.

3. Retention Where Storage Is Necessary

Where storage of children’s data is necessary, strict retention rules must be applied to ensure data is not held longer than required.

• Any biometric templates processed shall be deleted immediately once identification is completed.
• Upon account deletion or termination of the Service, the automatic deletion process will be completed within 30 days, unless otherwise mandated by law.
• For backup systems, stored data, including any images, will be overwritten as part of regular backup cycles not exceeding 30 days to ensure that data, including images, is not retained longer than necessary.

4. AI Training Restrictions

Children’s data, including images and photographs, shall not be retained for AI model training purposes unless all of the following safeguards are met:

• Explicit parental consent has been obtained, authorizing the use of the images for AI training purposes.
• A Data Protection Impact Assessment (DPIA) and/or Legitimate Interest Assessment has been documented and completed prior to any processing.
• The retention period for the raw data is specifically defined and strictly limited to what is necessary for the training purpose. Generally, raw, identifiable images and photographs used in AI training must not be retained beyond 12 months unless a different retention period is necessary and proportionate for the purpose for which they were collected.

Wherever possible, data/images shall be anonymized or irreversibly transformed before they are included in AI training datasets to minimize the risk to children’s privacy.

5. Withdrawal of Consent and Erasure

Where processing of children’s data, including images, is based on parental or child consent, specific procedures must be followed upon withdrawal of that consent.

• All data, including any images, must be deleted without undue delay once consent has been withdrawn. The automatic deletion process shall be completed within 30 days, unless otherwise mandated by law. Erasure will be carried out across all active systems handling the data, including images, and, where technically feasible, must also include archived systems.

6. Documentation and Review

AIUTA periodically reviews and updates the retention periods for children’s data processing.

Annex C — Processing Purposes & Legal Bases

The following table provides a detailed explanation of the processing purposes, the types of data processed, and the legal bases for the processing