Proom LTD – Privacy Policy
Effective date: 21 Aug 2025
This Privacy Policy explains how PROOM LTD ("Proom", "we", "us", "our") collects, uses, shares, and protects personal data when you visit proom.ai, use our applications, and connect your social accounts to auto‑publish AI‑generated content (the "Service").
1) Who we are & how to contact us
Controller: PROOM LTD, a private company limited by shares incorporated in England and Wales (Company No. 16358924), registered office: 51 Balmore Street, London, N19 5DA, United Kingdom. This information appears on our Certificate of Incorporation (see page 1).
- Email (privacy): privacy@proom.ai
- Email (support): support@proom.ai
- Postal: PROOM LTD, 51 Balmore Street, London, N19 5DA, United Kingdom
If you are a business customer using Proom on behalf of your organisation, your organisation is the controller for end‑user data it supplies to us; in that case we act as processor and will provide a Data Processing Addendum on request.
2) Scope
This policy covers personal data we process when you:
- visit our sites and apps,
- create an account or subscribe,
- upload assets (text, images, audio, video, prompts),
- generate outputs (videos, audio, images, scripts),
- connect social accounts (e.g., Instagram, TikTok, YouTube, Pinterest, Threads, Facebook, Bluesky) to auto‑publish,
- interact with support, billing, or marketing.
3) What we collect
- Account & identity data: name, display name, handle, email, password hash, profile photo, organisation, role.
- Auth data: session identifiers, security tokens, multi‑factor data (via Clerk).
- Billing data: subscription plan, invoices, partial payment card info and billing address (processed by Stripe; we do not store full card numbers).
- Technical data: device and browser info, IP address, time zone, app version, crash logs, diagnostic data, cookies and similar technologies.
- Usage data: actions taken in the product (e.g., prompt runs, renders, settings), timestamps, feature adoption, referral/UTM data.
- Customer Content: assets you upload or provide (scripts, images, audio/voice samples, video, brand assets), including any personal data contained in those assets.
- Outputs: content generated or assembled by/through the Service at your direction (e.g., videos with voice‑over and lip‑sync).
- Social‑connection data (optional): social platform account IDs/handles, OAuth tokens or app tokens, granted scopes/permissions, scheduling metadata, and post/engagement metadata returned by platforms.
- Communications: support messages, email correspondence, feedback, survey responses, and abuse reports.
- Recruitment (if you apply): CV, contact details, interview notes.
- Special categories & biometric data. We do not intentionally collect special category data (e.g., health, religion) and we do not create or use biometric identifiers for the purpose of uniquely identifying a person. Features like lip‑sync or voice generation process audio/visual characteristics to render outputs, not to identify you. Please avoid uploading sensitive data unless necessary and permitted.
4) Where we get your data
- Directly from you (account set‑up, uploads, prompts, support).
- Automatically (cookies, SDKs, logs, device/app telemetry).
- From connected platforms when you enable auto‑posting or analytics retrieval.
- From vendors who process on our behalf (e.g., fraud prevention, payments).
- From publicly available sources where you make information public (e.g., social handles you choose to connect).
5) How we use data & legal bases
We rely on the following UK GDPR legal bases:
Contract – to provide and support the Service you request:
- create/manage your account and workspace;
- generate content (story, actors/avatars, music, SFX/VFX, voice‑over with lip‑sync);
- auto‑publish to connected social accounts;
- provide support, troubleshooting, and service notifications;
- billing and subscription management via Stripe.
Legitimate interests – to operate, secure, and improve our Service:
- product analytics and feature improvement;
- abuse, spam, and safety monitoring (including content and account integrity checks);
- logging, debugging, and service protection;
- limited use of de‑identified or aggregated data for performance and quality;
- business administration (e.g., accounting, audits).
Consent – where required:
- marketing emails and in‑product marketing;
- cookies/SDKs that are non‑essential;
- optional model‑improvement programmes (we do not use your Customer Content to train our own models without your opt‑in).
Legal obligation – to meet tax, accounting, regulatory, and law‑enforcement requirements.
6) AI/ML processing – how your data flows
To provide the Service, we route your prompts, assets, and metadata to AI/ML providers you choose or that power the feature, such as OpenAI, Google Cloud Vertex AI, AWS, ElevenLabs, Hume, Fal.ai, and Replicate. We also rely on Clerk (authentication), Stripe (payments), Upstash (Redis) and Railway (hosting/infrastructure). Some providers may process data for safety and abuse prevention and publish their own privacy terms. We contractually restrict providers from using Customer Content for their own training where those options exist, but some may collect service metadata (e.g., API logs) as described in their policies.
Model training. Proom does not use your Customer Content to train our models unless you opt in. You can opt out at any time; this will not affect processing needed to deliver the Service (e.g., rendering your video).
7) Auto‑posting & connected accounts
If you connect social accounts, we store encrypted OAuth tokens and the scopes you grant. We use them only to perform actions you enable (e.g., posting, scheduling, fetching stats). You can revoke access at any time in Proom or in the social platform's own settings. Content you publish to social platforms is governed by those platforms' privacy policies; they become independent controllers for that data.
8) Sharing your information
We share personal data with:
- Service providers / sub‑processors that help us run the Service (listed in Appendix A below).
- Connected platforms you authorise (for auto‑posting, analytics retrieval).
- Professional advisers and insurers (legal, compliance, accounting).
- Law enforcement or regulators where required by law.
- Corporate transactions (merger, acquisition, restructuring), subject to appropriate safeguards.
We do not sell personal data.
9) International transfers
We host and process data primarily in the United States and may transfer data to other countries where we or our providers operate. Where required, we use appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses (SCCs) or other valid transfer mechanisms, plus technical and organisational measures (encryption in transit/at rest, access controls).
10) Data retention
We retain personal data for the shortest time necessary for the purposes described above:
- Account & workspace data: for the life of the account and up to 24 months after closure (for reactivation, dispute handling, backups).
- Customer Content & Outputs: for the life of the project/account and your configured archives; you can delete items at any time; backups may persist for up to 90 days.
- Auth/session tokens: active session duration and short grace periods; revoked tokens are purged promptly.
- Logs & telemetry: typically 30–180 days, depending on system and security needs.
- Billing records: at least 6 years to satisfy UK tax and accounting obligations.
- Abuse/fraud records: as long as reasonably necessary to protect the Service and users.
11) Security
We use administrative, technical, and physical safeguards, including encryption in transit and at rest, role‑based access control, secrets management, network isolation, and logging/alerting. No system is 100% secure; we maintain an incident‑response process and will notify you and/or regulators of a data breach where legally required.
12) Your rights (UK/EEA)
You may have the right to access, rectify, erase, restrict, port, or object to certain processing, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). To exercise rights, contact privacy@proom.ai. We may need to verify your identity and your relationship to any account or organisation.
13) Marketing & communications
- Transactional emails (service, billing, security) are mandatory for account operation.
- Marketing is sent only with your consent (or, for B2B, where permitted under PECR on a legitimate‑interest basis). You can unsubscribe at any time via footer links or in settings.
14) Cookies & similar technologies
We use cookies/SDKs to run our site (essential), remember preferences, analyse usage, and—if you allow—support marketing. Where required, we request your consent via a cookie banner. You can change preferences in our cookie manager and in your browser settings. See our Cookie Policy for details (categories, purposes, retention).
15) Children
The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided data, contact privacy@proom.ai so we can delete it.
16) Automated decision‑making & profiling
We use automated systems for content safety checks, spam/abuse prevention, and to prioritise support or quality control. These do not produce legal or similarly significant effects on individuals. You can contact us to request human review of automated decisions that materially affect you.
17) Changes to this policy
We may update this policy from time to time. Material changes will be notified via the Service or email at least 30 days before they take effect (unless a change is required sooner by law or for security). Your continued use after the effective date constitutes acceptance.
18) Contact & complaints
Questions about privacy or data requests: privacy@proom.ai
Postal: PROOM LTD, 51 Balmore Street, London, N19 5DA, United Kingdom.
You can lodge a complaint with the Information Commissioner's Office (ICO). We welcome the chance to address your concerns first.
Appendix A — Sub‑processors & key integrations
We use the following providers to deliver the Service. They process personal data strictly under our instructions and subject to confidentiality and security obligations.
AI/ML & media generation:
- OpenAI (model inference)
- Google Cloud Vertex AI (AI/ML platform)
- Amazon Web Services (AWS) (compute/storage)
- ElevenLabs (voice synthesis)
- Hume (voice synthesis)
- Fal.ai (model hosting)
- Replicate (model hosting)
Authentication & user management:
- Clerk
Payments & subscriptions:
- Stripe
Infrastructure & storage:
- Upstash (Redis)
- Railway (hosting)
Auto‑posting targets (enabled only if you connect them):
- Instagram, TikTok, YouTube, Pinterest, Threads, Facebook, Bluesky
We may add or replace providers to improve reliability or security; we will update this Appendix and, where legally required, notify you before material changes take effect.