Privacy Policy

• Performance of a contract (Article 6(1)(b) GDPR) — to register your Account, deliver the Services you request, generate AI content from your prompts, process payments, and provide customer support. Data is retained while your Account is active.
• Legal obligations (Article 6(1)(c) GDPR) — to keep accounting, tax, and anti-money-laundering records as required by Polish law, including:
  • the Accounting Act of 29 September 1994;
  • the Tax Ordinance of 29 August 1997;
  • the Counteracting Money Laundering and Terrorist Financing Act of 1 March 2018.
• Legitimate interests (Article 6(1)(f) GDPR) — to secure the Services, prevent fraud and abuse, monitor and improve product performance, defend legal claims, and conduct limited direct marketing of our own similar services to existing Customers. You may object to processing on this basis at any time.
• Consent (Article 6(1)(a) GDPR) — for non-essential cookies, marketing and advertising analytics, newsletter sign-ups, and similar activities. You may withdraw consent at any time without affecting processing carried out before withdrawal.

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Website owners use cookies to make their websites operate, improve functionality and user experience, as well as to provide reporting information.

We may set our own cookies and use third parties cookies (e.g. for advertising, interactive content and analytics).

We use different types of cookies, including:

• Essential website cookies: these are important cookies as they are necessary to provide you with services available through our Website, such as access to secure areas.
• Performance and functionality cookies: these cookies are necessary to enhance the performance and functionality of our Website but are non-essential to their use. However, without these cookies, certain functionality may become unavailable.
• Analytics and customization cookies: these cookies collect information that is used either in aggregate form to help us understand how our Website is being used or how effective our marketing campaigns are, or to help us customize our Website for you in order to enhance your experience.
• Advertising cookies: these cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed, and in some cases selecting advertisements that are based on your interests.

You may opt out from cookies at any time by customizing your cookie preferences. However, in some cases we will not be able to provide you with all services.

By browsing and using our Website and Services, you agree to the use of cookies and similar technologies as stated in this Privacy Policy.

We may receive some information about you, such as name, email address, demographic information, IP address, location from third parties.

We collect information about your activity on our Website to enable us to:

• measure and analyze traffic and browsing activity on our Website;
• show advertisements for our products and/or services to you on third-party sites;
• measure and analyze the performance of our advertising campaigns.

You may decline to have your personal data collected via third party tracking technologies by navigating to the settings feature in your browser and declining all third party cookies or declining third party cookies from specific sites, or, for mobile, limiting ad tracking or resetting the advertising identifier via the privacy settings on your mobile device.

You can use the following third party tools to decline the collection and use of information for the purpose of serving you interest based advertising:

• The NAI's opt-out platform
• The EDAA's opt-out platform
• The DAA's opt-out platform

We do not share personal data you have provided to us without your consent, unless:

• Doing so is appropriate to carry out your own request;
• We believe it is needed to enforce our Terms, or if it is legally required;
• We believe it is needed to detect, prevent or address fraud, security or technical issues;
• Otherwise protect our property, legal rights, or that of others.

As per above, we may need to share personal data with our service providers that perform certain tasks on our behalf and who are under our control (our "Service Providers") in order to provide products or services to you. Unless we tell you differently, our Service Providers do not have any right to use personal data or other information we share with them beyond what is necessary to assist us. You hereby consent to our sharing of personal data with our Service Providers, namely:

We may also share data with social-platform APIs (YouTube, Instagram, Pinterest) when you explicitly connect those accounts to publish content created in the Services. The list above represents the subprocessors active as of the "Last updated" date. We will update this Privacy Policy when we add or remove subprocessors. To request the current list at any time, email info@shortodella.com.

Several of our subprocessors are located outside the European Economic Area (EEA), in particular in the United States, the United Kingdom, Switzerland, the United Arab Emirates, Singapore, and China. When we transfer personal data to such countries, we rely on the following safeguards under Chapter V GDPR:

• Adequacy decisions of the European Commission (e.g. UK, Switzerland, and the EU-U.S. Data Privacy Framework where the recipient is certified);
• Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by additional technical and organizational measures (e.g. encryption in transit and at rest);
• Your explicit consent for the specific transfer, where applicable.

You can request copies of the safeguards in place for transfers to a specific subprocessor by emailing info@shortodella.com.

We perform limited profiling for product analytics and advertising. Specifically:

• We use Google Analytics 4 and PostHog to understand aggregated usage patterns (which features are used, conversion funnels, retention).
• We use the Pinterest Conversions API and the Meta (Facebook / Instagram) Pixel and Conversions API, together with similar tools listed in the subprocessor table below, to measure the performance of our advertising campaigns and to show our ads to people similar to existing Customers ("look-alike" audiences). These activities are based on your consent (Article 6(1)(a) GDPR), which you can withdraw via our cookie banner or by using the opt-out tools listed in the "Opting-Out" section.
• We do not make decisions that produce legal or similarly significant effects about you solely by automated means within the meaning of Article 22 GDPR. Account suspensions, content removals, and similar enforcement actions are reviewed by humans before taking effect.
• Generative AI features process your prompts and Customer Content to produce Generated Output. This is performance of the contract you entered into by using the Services and is not "profiling" of your personal traits — see the next section for details.

The Services let you generate images, videos, voiceovers, and other media using third-party AI models. To do this, we transmit your prompts, uploaded reference materials, and other inputs ("Customer Content") to the AI providers listed in the subprocessor table. These providers process the data only to return the requested generation.

No training of foundation models on your data. We do not use your Customer Content, prompts, or Generated Output to train our own AI models. We require contractual or product-level commitments from third-party AI providers that data submitted via API is not used to train their public foundation models, and we use providers' "no-training" data settings where available. We cannot guarantee third-party behaviour beyond their published policies.

Storage. Customer Content and Generated Output are stored in our Cloudflare R2 buckets under our control. Generated Output is associated with your Account so you can re-access it. You may delete individual assets or your entire Account at any time; deletions propagate to backups within a reasonable period.

Sensitive data. Please do not upload special-category personal data (Article 9 GDPR — e.g. health, biometric, racial/ethnic, religious, sexual orientation data) or government-issued IDs to the Services. The Services are not designed to process such data.

We only use your personal data for the following purposes:

• to provide you with the Services that you requested;
• to promote the use of our Services to you;
• to analyze and improve our Services;
• to send you informational and promotional content that you may subscribe to or unsubscribe;
• to bill and collect payment for Services ordered;
• to send you notifications, including notifications on change of our Services;
• to communicate with our Customers about our Website and Services and provide customer support in response to their inquiries;
• to enforce compliance with our Terms and applicable law;
• to protect our rights and safety as well as the rights and safety of our customers and third parties;
• to meet legal requirements;
• to provide information to representatives and Service Providers;
• to prosecute and defend a court, arbitration, or similar legal proceeding;
• to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;
• to provide suggestions about products or services that you may be interested in and which you may opt out;
• to transfer your information in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition.

• Right of access to personal data processed by us (Article 15 of the GDPR).
• Right to rectify entrusted personal data, including their correction (Article 16 of the GDPR).
• Right to delete personal data from our systems, the so-called "right to be forgotten", if in your opinion there are no grounds for us to process your data, you can request that we delete it (Article 17 of the GDPR).
• Right to restrict the processing of personal data. You may request that we restrict the processing of personal data only to their storage or to the performance of activities agreed with you, if we have incorrect data about you or process them unjustifiably; or you do not want us to delete them because they are necessary for you to establish, pursue or defend claims; or for the duration of the objection to data processing (Article 18 of the GDPR).
• Right to data portability. You have the right to receive from us, in a structured, commonly used, and machine-readable format (e.g. ".csv" format), personal data relating to you held by us on the basis of a contract or consent. This right will be granted when we have data in electronic format. If data is only in paper form, you will not be able to use this right. You can commission us to transfer this data directly to another entity (Article 20 of the GDPR).
• The right to withdraw consent to the processing of personal data. At any time you have the right to withdraw consent to the processing of personal data that we process on the basis of consent in accordance with Article 7(3) GDPR. The withdrawal of consent shall not affect the lawfulness of any processing performed on the basis of your consent prior to its withdrawal. Withdrawal of consent occurs by sending an e-mail to info@shortodella.com.
• Right to object. You may object to the processing of your data if the basis for the use of data is our legitimate interest in accordance with Article 21 GDPR. In such a situation, after examining your request, we will no longer be able to process the personal data subject to the objection on this basis, unless we demonstrate the existence of legitimate grounds for the processing that are considered to override your interests, rights, and freedoms.
• Right to lodge a complaint with a supervisory authority. If you believe that our processing violates the GDPR, you may lodge a complaint with the supervisory authority of the EU member state of your habitual residence, place of work, or place of the alleged infringement. For Polish residents this is the President of the Personal Data Protection Office (Prezes UODO, https://uodo.gov.pl/).

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Indicative retention periods:

• Account data and Customer Content — for the lifetime of your Account, plus a short grace period (typically up to 30 days) after deletion to allow recovery from accidental deletions; backups are purged within a reasonable additional period.
• Generated Output — stored under your Account until you delete it or your Account.
• Billing and tax records — retained for the period required by Polish accounting and tax law (currently 5 years from the end of the relevant fiscal year).
• Application logs (wooLog) — rolling window of approximately 60–90 days.
• Marketing-consent records — until you withdraw consent, plus a short audit trail proving the legal basis.

Our primary databases are located in the European Union. Some subprocessors process data in other regions as described above; in those cases the safeguards listed in the "International transfers" section apply.