Effective date: 15 July 2026
Version: 2.0
Supersedes: all previous versions

This Privacy Policy explains what personal data we collect, why, who we share it with, how long we keep it, and the rights you have. It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state privacy laws.

It should be read together with our Terms of Service and our Cookie Policy.

1. Who we are

Venca, s.r.o., provider of the product AuraHomeAI (“AuraHomeAI“, “we“, “us“, “our“), is the controller of the personal data described in this Policy.

Muškátová 35, Hviezdoslavov, 930 41, Slovak Republic
Company ID (IČO): 55647677
VAT ID (IČ DPH): SK2122046487
Email: [email protected]
Website: www.aurahomeai.com

For questions about this Policy or to exercise your rights, contact [email protected].

2. Controller and processor roles

Our roles under the GDPR depend on the data:

  • For account data, billing data, website usage, and communications, we act as a controller — we decide why and how the data is processed. This Policy governs that processing.
  • For the photographs, floor plans and other content you upload for AI processing (“User Content“), where you use the Service in the course of a business, we act as a processor and you are the controller. That processing is governed by our Data Processing Agreement (see Section 12), not primarily by this Policy.

3. What data we collect

3.1 Data you provide

  • Account data: name, email address, company name, and password (stored only in hashed form).
  • Billing data: billing address, VAT ID where applicable, and payment-confirmation data. We do not store full payment-card numbers — card payments are handled by Stripe (see Section 5).
  • User Content: photographs, floor plans, property addresses, text inputs and prompts you upload for AI processing.
  • Communications: messages you send us by email, in-app chat or support requests.

3.2 Data we collect automatically

  • Device and connection data: IP address, browser type, operating system, device type and language preference.
  • Usage data: dates, times and interactions with the Service, such as features used and pages viewed.
  • Cookies and similar technologies: as described in our Cookie Policy. Non-essential cookies are set only with your consent.

3.3 Data from third parties

  • Payment processor: confirmation that a payment succeeded or failed, and limited fraud-prevention signals, from Stripe.

3.4 Special category and biometric data

The Service is not designed to collect, capture or store biometric identifiers, including facial-geometry scans, and does not knowingly do so. Our Terms require you not to upload images containing identifiable people. Please do not upload special category data (Article 9 GDPR).

4. Why we process your data, and the legal basis

We rely on the following legal bases under Article 6(1) GDPR:

Purpose Data used Legal basis (Art. 6(1) GDPR)
Create and manage your account; provide the Service; process your User Content into Outputs Account data, User Content (b) performance of a contract
Process payments and issue invoices Billing data (b) contract; (c) legal obligation (accounting law)
Respond to support requests Communications, account data (b) contract; (f) legitimate interests
Secure the Service, prevent fraud and abuse Device/connection data, usage data (f) legitimate interests (keeping the Service secure)
Fraud prevention on payments Signals from Stripe (f) legitimate interests; (c) legal obligation
Maintain and improve the Service using aggregated, non-identifiable technical data (error rates, processing times, feature usage) Aggregated/de-identified data (f) legitimate interests
Send service and account notifications Account data (b) contract
Send marketing messages Account data, email (a) consent, or (f) legitimate interests for existing customers where permitted; you can opt out at any time
Set non-essential cookies See Cookie Policy (a) consent
Comply with legal requests and defend legal claims As required (c) legal obligation; (f) legitimate interests

Where we rely on legitimate interests, we have balanced those interests against your rights. You can object to that processing — see Section 9.

We do not train AI models on your content

We do not use your User Content or Outputs to train or improve AI models, and our configuration with our AI infrastructure provider is set to prevent providers from using your content for training. The only data we use to improve the Service is aggregated and de-identified technical data, which cannot identify you.

5. Who we share data with

We share personal data only with the following categories of recipients, and only as needed:

  • AI infrastructure provider. To generate Outputs, your User Content is transmitted to our AI infrastructure provider (OpenRouter) and the model providers it routes to, which may process it outside the EEA. Our account is configured so that providers are not permitted to retain your content for training. See Section 7 on international transfers.
  • Hosting and storage. DigitalOcean, in the EU (Frankfurt region), hosts the Service and stores your data.
  • Payment processing. Stripe processes card payments and performs fraud prevention. Stripe acts as an independent controller for payment data under its own privacy policy.
  • Video delivery. Bunny.net delivers generated video content.
  • Product analytics and support. Tools such as PostHog, Mixpanel and Intercom help us understand usage and provide support. Analytics tools are loaded in line with your cookie choices.
  • Email and marketing automation. ActiveCampaign sends transactional and (where you have opted in) marketing email.
  • Network and security. Cloudflare provides content delivery and security.
  • Authorities and advisers. Law enforcement, regulators, or our professional advisers, where required by law or to establish or defend legal claims.
  • Business transfers. A successor entity, if we are involved in a merger, acquisition or asset sale. You will be notified if control of your data changes.

These providers act as our processors (except Stripe for payment data and the model providers, as noted) and are bound to use your data only on our instructions. We do not sell your personal data. An up-to-date list of our sub-processors is available on request at [email protected].

6. How long we keep your data

We keep personal data only for as long as the purpose requires:

Data Retention
User Content, Outputs and intermediate processing files Kept for as long as your account is active, so that you retain access to your content, and until you delete the content or close your account. Deleted within 30 days after you delete it or close your account.
Account data For the life of your account, then deleted within 30 days of closure.
Billing records and invoices 10 years, as required by Slovak accounting law. This overrides deletion requests for those specific records.
Access logs (including IP addresses) Up to 12 months, for security purposes.
Support communications Up to 24 months after the matter is resolved.

After these periods, data is deleted or irreversibly anonymized, subject to routine backup cycles and any legal hold.

7. International data transfers

Your data is hosted and primarily processed in the European Union (Frankfurt). A transfer outside the European Economic Area occurs when your User Content is processed by our AI infrastructure provider and the model providers it routes to, which may be located in the United States or elsewhere.

For those transfers, we rely on the European Commission’s Standard Contractual Clauses (or an equivalent safeguard) to ensure an adequate level of protection. You can request more information about these safeguards at [email protected].

8. Cookies and tracking

We use essential cookies to run the Service, and — only with your consent — analytics and marketing cookies. On our marketing website this includes advertising and retargeting technologies from third parties such as Meta (Facebook) and LinkedIn. You can manage your choices at any time through the cookie banner. Full details, including the specific cookies and their purposes, are in our Cookie Policy.

9. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access — confirmation of whether we process your data, and a copy of it.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure — deletion of your data, subject to legal retention (e.g. billing records).
  • Restriction — to limit how we process your data.
  • Objection — to object to processing based on legitimate interests, and to object to direct marketing at any time.
  • Portability — to receive your data in a machine-readable format.
  • Withdraw consent — at any time, without affecting processing already carried out.

To exercise any right, email [email protected]. We may need to verify your identity. We respond within the time limits set by applicable law (one month under the GDPR, extendable where permitted).

If you are in the EU or EEA, you have the right to lodge a complaint with your local supervisory authority. In Slovakia this is the Úrad na ochranu osobných údajov Slovenskej republiky (dataprotection.gov.sk). If you are in the UK, you may contact the Information Commissioner’s Office (ico.org.uk).

10. US state privacy rights

If you are a resident of California or another US state with a privacy law, you may have the right to know what personal information we collect, to access or delete it, to correct it, and to opt out of its “sale” or “sharing”.

We do not sell your personal information for money. However, the advertising and retargeting technologies on our marketing website (for example, from Meta and LinkedIn) may constitute “sharing” for cross-context behavioral advertising under the California Consumer Privacy Act (CCPA/CPRA).

You can opt out of this sharing by rejecting marketing cookies in our cookie banner. We also honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sharing. To make any other US privacy request, email [email protected]. We will not discriminate against you for exercising these rights.

11. Data security

We use appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, secure EU hosting and periodic review. No system is completely secure, and we cannot guarantee absolute security. If you believe your account has been compromised, or you suspect a data breach, contact us immediately at [email protected].

12. Data Processing Agreement

Where we process User Content on your behalf as a processor, our Data Processing Agreement (DPA) applies. It sets out the subject matter of the processing, our obligations, the safeguards for international transfers, and the list of sub-processors. The DPA is available on request at [email protected].

13. Children’s privacy

The Service is intended for professional and adult users and is not directed to anyone under 18. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected such data, we will delete it promptly.

14. Changes to this Policy

We may update this Policy to reflect legal, technical or business changes. We will post the updated version with a new effective date and, for material changes, notify you by email or in-app notice. Continued use of the Service after the changes take effect constitutes acceptance.

15. Contact

Venca, s.r.o.
Muškátová 35, Hviezdoslavov, 930 41, Slovak Republic
IČO: 55647677 · IČ DPH: SK2122046487
Email: [email protected]
Website: www.aurahomeai.com

This Privacy Policy applies worldwide and is designed to comply with the EU GDPR, the UK GDPR, and other applicable privacy frameworks.