Privacy Policy
Last updated: March 30, 2026
Festivawl Nexus SRL (“we”, “us”, “our”) operates BrandRoom (www.brandroom.pro), an AI-powered service that generates professional branded video-call backgrounds. This Privacy Policy explains what personal data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable laws.
By using BrandRoom you agree to the practices described below. If you do not agree, please do not use the service.
1. Data Controller
Festivawl Nexus SRL
Email: privacy@brandroom.pro
2. Data We Collect
2.1 Account Data
When you create an account we collect your email addressand, if you sign up with a password, a securely hashed version of that password. If you sign in with Google, we receive the email address and basic profile info provided by Google’s OAuth service. We do not store your Google password.
BrandRoom does not request access to your Gmail messages, Google Drive files, Google Contacts, or Google Calendar data.
2.2 Uploaded Content
To generate a branded background you upload a logo image. The logo is stored in a private, user-scoped storage bucket and is only accessible by you through signed, time-limited URLs.
2.3 Webcam & Camera Captures
If you choose to use the lighting-analysis feature, a webcam photois captured and sent to our configured AI provider, such as Google’s or OpenAI’s image service, for analysis. The photo is used solely to determine your ambient lighting conditions so the generated background matches your environment.
We do not store webcam captures on our servers after processing is complete. The webcam image is used only as a temporary lighting reference for the generation request.
2.4 Generated Images
Each generated background image is stored in a private bucket tied to your account and accessible via signed URLs that expire within 30 days.
2.5 Payment Data
Payments are processed entirely by Stripe. We never receive or store your full credit-card number. We retain only the Stripe session identifier, the credit pack purchased, and the amount paid for our internal records.
2.6 Guest Checkout
If you purchase credits without an existing account, we automatically create an account using the email address you provide at checkout. You will receive an invitation email to set a password and access your credits. This is necessary to deliver the purchased service.
2.7 Usage Data
We record generation metadata (room style chosen, logo position, lighting preset, resolution, watermark status) to track credit usage and improve the service. We do not use any third-party analytics, advertising, or tracking technologies.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide and operate the service (account, generation, history) | Performance of contract |
| Process payments and manage credits | Performance of contract |
| Send transactional emails (confirmation, password reset, guest-checkout invitation) via Supabase | Performance of contract |
| Improve image-generation quality and service reliability | Legitimate interest |
| Comply with legal obligations (e.g. tax records) | Legal obligation |
4. Third-Party Processors
We share personal data only with the following processors, each bound by data-processing agreements:
| Processor | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, database, file storage, transactional email | Email, hashed password, uploaded logos, generated images, generation metadata. Also sends confirmation, password-reset, and guest-invitation emails on our behalf. |
| AI generation provider (for example Google or OpenAI) | AI image generation and lighting analysis | Logo images, room templates, webcam photos (for lighting analysis) |
| Stripe | Payment processing | Email address, payment amount, pack type |
Additionally, the following services load assets into your browser but do not receive personal data:
| Service | Purpose | What Loads |
|---|---|---|
| Unicorn Studio (via jsDelivr CDN) | Decorative animated background on the homepage and dashboard | A JavaScript file and scene data. No personal data is transmitted. |
| @imgly/background-removal | Client-side logo background cleanup for JPG uploads | An AI model that runs entirely in your browser to clean logo backgrounds before upload. No image data leaves your device for this step. |
We do not sell, rent, or trade your personal data with any other third parties.
5. Cookies & Local Storage
BrandRoom uses only essential cookies required for authentication (Supabase session tokens). We do not use advertising, analytics, or marketing cookies.
We also use your browser’s localStorage and sessionStorage to temporarily save draft generation state so you can resume after sign-in. This data is automatically cleared after 24 hours and never sent to third parties.
6. Data Retention
- Account data: retained as long as your account is active. Deleted upon account deletion.
- Logos & generated images: stored in private buckets. Signed URLs expire within 30 days. Files are deleted when you delete your account.
- Payment records: retained for 7 years to comply with Romanian tax and accounting regulations.
- Webcam captures: processed in memory during the API call and not persisted on our servers.
7. International Data Transfers
Our processors may process data outside the European Economic Area (EEA). Where this occurs, transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognised under GDPR Chapter V.
8. Data Security
We apply industry-standard security measures including: HTTPS for all traffic, Row-Level Security on every database table (users can only access their own data), time-limited signed URLs for stored files, and server-side validation of all inputs. While we take reasonable precautions, no system is 100% secure, and we cannot guarantee absolute security.
9. Your Rights (GDPR)
As a data subject in the EU/EEA you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure (“right to be forgotten”) — request deletion of your personal data.
- Restriction — ask us to limit processing in certain circumstances.
- Data portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email us at privacy@brandroom.pro. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian data-protection authority (ANSPDCP) or your local supervisory authority.
10. Account Deletion
You can delete your account at any time from your Account Settings page. Upon deletion:
- Your profile, logos, and generated images are permanently removed.
- Purchase records are retained for the legally required period (see Section 6).
11. Children’s Privacy
BrandRoom is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you by email or by posting a notice on the service. The “Last updated” date at the top reflects the most recent revision.
13. Contact
For any privacy-related questions or requests, reach us at:
privacy@brandroom.pro