Privacy Policy

The document detailing our privacy policy

By using our services you agree to these terms - Please read them carefully

Last updated: 21st of May, 2023

1. Introduction

RenderAI OÜ ("we", "us", "our") provides the app Retrato, a service which transforms user-uploaded selfies into professional photographs using artificial intelligence. This Privacy Policy outlines our practices for gathering, using, maintaining, protecting, and disclosing personal data collected from users of our service.

Our registered office is at Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415, Estonia with registration number 16169244.

Our appointed Data Protection Officer is Joel Hernández, who can be contacted at [email protected].

Please read this Privacy Policy carefully to understand our practices regarding your data and how we will treat it.

2. Definitions

It will be helpful for you if we explain the terms that you may encounter reading this document.

  1. 'Content' is information, materials and other content, including, but not limited to, images, video, sounds, text, and designs.

  2. 'Visitor' refers to any individual Internet browser that may view any portion of the Site, particularly public portions of the site that do not require registration.

  3. 'User' refers to any Visitor or registered user of Retrato, namely a person that seeks to create, use, view, and engage with Retrato Content.

  4. 'Personal Information' is information that can identify a natural person alone or in combination with other information, e.g. name, email address, online identifiers, photos, trained models, etc.

  5. 'Non-Personal Information' refers to information that is not considered 'Personal' under applicable law, such as anonymous session management cookies or information about your device.

  6. 'Data Subject' refers to any User whose information is being processed. 'Processed' means stored, used, shared, etc.

  7. 'Profile' is the section of our App where you can edit the Personal Information that is displayed publicly.

  8. 'Cookie' is a small text file that a website saves on your computer or mobile device when you visit the site. This small text file enables a site to remember your actions and preferences for a specified period of time so you don’t have to re-enter your login or settings information each time you visit a new page on our site.

  9. ‘Training Photo’ is a photo uploaded by the user in order to create artificial intelligence models with our app.

  10. ‘Facial Attributes’ is data derived from the uploaded ‘Training Photos’ consisting of the attributes eye color, hair color and skin tone.

  11. ‘Artificial intelligence facial model’ is a file created with generative diffusion-based probabilistic artificial intelligence technology, stored securely on our servers, able to generate portraits of a single user after being trained with 15-30 ‘Training Photos’ from that user. While the file contains the ability to reproduce facial attributes of the user beyond the ones described in `Facial Attributes`, these are indecipherable to any person or machine, as they are stored as intricate neural networks consisting of billions of nodes, each with its set of inputs, weights and bias value.

  12. ‘Facial Data’ refers to the combination of an `Artificial Intelligence Facial Model` and `Facial Attributes` required to deliver a photorealistic representation of the user.

  13. `Artificial Intelligence Photos` are media files generated by the app Retrato, derived from the `Facial Attributes` and `Artificial Intelligence Facial Model`.

  14. `APIs`, short for Application Programming Interfaces, are sets of rules and protocols that determine how different software applications or components should interact with each other. They define methods and data formats that a program can use to perform tasks, interact with operating systems, software libraries, or other software applications.

  15. `Instance of Retrato` is the product offered by the Retrato app, which consists of `Facial Data` and `Artificial Intelligence Photos`. 

3. Information we collect

To deliver our service, Retrato needs to collect specific information from you, including personal information and non-identifiable metadata. The collection process happens in various ways. During the registration process, we collect your email address, which allows us to manage your account, communicate with you, and provide necessary support.

We require you to upload 15-30 photos to the Retrato app. These images are used solely to create Facial Data, required in order to create `Artificial Intelligence Photos` of the user. Following the completion of the training, we promptly delete the uploaded `Training Photos` from our systems.

In addition to personal information, we also gather non-identifiable information, including session storage properties, metadata, basic information about your device, and IP address. This is typically collected through your Internet browser or the device on which you use our app.

As part of our service improvement efforts, we may collect data about your usage of the app and use the photos you generate using Retrato to improve our services. 

These photos serve service enhancement purposes, but rest assured, we will not share them with third parties without your explicit consent.

3.1. Usage Information

Retrato will collect some usage information automatically when you visit and/or use the Service and store it in log files. This information refers mainly to the technical information about your use of the Service through your internet browser or mobile device and is necessary for the correct technical functioning of the Service. We use this information to administer the Service and improve the Site and our Services to our users' needs.

This information may include, but is not limited to:

  • Usage information – refers to the information that is uploaded to the Service and stored in log files. It relates to how you use the Service. When you use a mobile device to access our Service, we may access, collect, and/or monitor one or more "device identifiers". These are small data files stored on or associated with your mobile device, which uniquely identify your mobile device. However, we only collect and store those identifiers for session management. After a User finishes a session, the device identifiers are deleted from our logs.

  • Services Metadata – Metadata is usually technical information that is associated with your use of the Service or any Content you post. For example, metadata can describe how, when and by whom a piece of user Content was uploaded. Retrato processes metadata for the least amount of time possible and only enough for the App to function properly. The content you upload is stripped of metadata during the initial stage of processing.

  • Session management cookies – we use this mechanism to store session information for a particular user. When a User logs into the Service, his/her session ID will be stored on the server until he or she logs out. A session is initiated when a User logs onto the Service and is terminated when he or she logs out. The User's Session ID is a random string of numbers and is non-identifiable on its own. The User's Session ID is 'assigned' to the User and each time the User logs into the service, he/she retrieves that assigned key.

3.2. Communications Information

We advise you not to disclose any personal information, and especially any sensitive personal information such as health/genetic information, racial/religious/ethnic background, etc., anywhere on the Service.

3.3. Information that you should not provide to us

We do not require any kind of sensitive information, such as health/genetic information, racial/religious or ethnic backgrounds, etc.

4. How we collect information

SUMMARY: We obtain information about you when you voluntarily give it to us.

We use different methods to collect Personal Information from and about you, for example:

  • Direct disclosure – occurs when you register to the Service or fill in additional information while using the Service. It also happens when you disclose Personal Information through post/phone/email correspondence.

  • Automated technologies and derivatives – As you interact with our Service, we may automatically collect certain technical Information about your device, information about your behavior on the Service, etc. This is explained in more detail in part 3.1. of this Policy. We also create and collect personal information by derivation. When the user uploads their ‘Training Photos’ and chooses to generate `Artificial Intelligence Photos`, we derive two types of personal information: Artificial Intelligence Facial Models and Facial Attributes (see definitions 2.10 and 2.11). These derived data types form part of the personal information we collect and are essential for delivering the `Artificial Intelligence Photos` offered by Retrato.

By processing the `Training Photos` you provide, we create an `Artificial Intelligence Facial Model` tailored to you and derive `Facial Attributes` needed for image generation.

Once the AI training is complete, and the `Artificial Intelligence Photos` are generated, these two derived forms of personal information remain stored in our systems for 1 month, adhering to the same privacy guidelines as any other personal data you provide directly. The `Training Photos` are deleted immediately.

5. How we use the Personal Information collected

SUMMARY: We use the information collected to ensure the proper functioning of our Service, maintain security, and/or comply with our legal obligations.

Retrato will use your Personal Information only when it is allowed to by applicable law and in a manner that is consistent with this Policy.

We do not use any of the `Training Photos` uploaded by our users for any purpose other than to deliver the functionality of the App. Once the Artificial Intelligence Model of the user is created, the photos are deleted permanently and irreversibly from our servers.

We use your email, IP address and the photos generated with the service for the following purposes:

5.1. Providing and maintaining the best version of the Service

Enabling the Service to function most effectively lies in our legitimate interest. Retrato uses the Personal and non-Personal Information to:

  • Create and update your account.

  • Create artificial intelligence models & facial attributes (Facial Data) in order to deliver the user `Artificial Intelligence Photos`.

  • Further improve our machine learning models by using the generated `Artificial Intelligence Photos` to fine-tune our technology.

  • Enable you to contact us and for us to respond to you.

  • Contact you with administrative communication when it is necessary, for example when we update our policies.

We do not use any of the derived Facial Attributes (2.10) or the Artificial Intelligence Facial Model (2.11) for anything other than delivering the user professional-grade photographs.

5.2. Maintaining the appropriate level of safety and security

Retrato is committed to keeping the Service safe and secure. We may use your non-identifiable information to:

  • Perform internal operations necessary to provide our services, including to troubleshoot software bugs and operational problems;

  • Conduct basic data analysis, testing, and research.

5.3. Communicating relevant information to you

In the future, Retrato may use Personal Information it collects to inform you about services, studies, surveys and news. Users have the right to object to this type of use of their Personal Information; see section 8.1. of this Policy for more information. Before we introduce this type of processing, every User will be informed about it and will have the choice to opt in to such processing.

5.4. Complying with our legal obligations

We may process your information in a way that is necessary for compliance with a legal obligation we may encounter. Apart from the domestic/international regulations, this may include the need to comply with applicable court orders, legal requirements, legal proceedings, document requests, and industry standards and our policies.

6. How we share your information

SUMMARY: Part of the Personal Information that you share with us is also shared with third parties to ensure the proper functioning of our Service.

6.1. We share information with Retrato's service providers

Retrato needs to provide certain information to service providers in order to ensure the proper functioning of the Service.

Every time we share any Personal Information with a third party, we make sure that it's done lawfully and in compliance with all the applicable regulations, such as the GDPR. We also make sure that the entities we share your information with adhere to the applicable law and offer appropriate safeguards to the information we disclose.

Retrato shares only the information that is relevant for the purpose we are sharing it. We regulate our relationships with third parties with appropriate contracts and we take all commercially reasonable steps to ensure full information security.

Currently, Retrato shares Users' Personal Information with Digital Ocean, a platform provider that hosts the App `APIs` on the Internet in their Amsterdam & Frankfurt data centers; shares created artificial intelligence photos with Cloudinary, for the sole purpose of media optimization and resilient delivery; and shares `Artificial Intelligence Face Models` with Amazon Web Services, in their Frankfurt data centers.

6.2. We disclose the information if legally required to do so

Retrato must share information with government agencies as required by law in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

7. Information retention and deletion

SUMMARY: We hold your email for as long as you are a registered user. Your `Facial Data` is deleted one month after creation, and your `Artificial Intelligence Photos` can be deleted either individually by deleting a Retrato or in batch by deleting the account. Your entire Personal Information is then purged from our databases.

As a necessary requirement for the adequate delivery of our service, Retrato retains your email throughout the period when you are a registered user.

Due to safety and privacy precautions, we delete your `Facial Data` one month after creation, in which case you will need to create another `Instance of Retrato` to generate more `Artificial Intelligence Photos`. We make this clear on our user interface.

You have the option to delete your account and all of its associated `Personal Data` at any time by navigating to App Settings -> Delete account.

Additionally, if you wish to erase individual `Facial Data`, you can do so by visiting the app home, selecting the desired `Instance of Retrato`, and tapping on the More Icon button at the top right of the screen, followed by Delete Retrato.

Please note, all deletion actions are irreversible. Once you confirm your desire to delete your account or specific models, all associated information will be permanently purged from our system, ensuring your complete data removal.

8. Users and the GDPR

SUMMARY: As a User of Retrato, the GDPR grants you a number of rights concerning the use, storage and processing of your Personal Information.

The General Data Protection Regulation (the 'GDPR') is a piece of EU legislation that grants certain rights to Data Subjects.

Those rights apply to all the Users of Retrato worldwide – the fact that we are a company registered in the EU and we process your information in the EU (Estonia) makes all Retrato Users Data Subjects under the GDPR.

8.1. Your rights under the GDPR

For as long as we are in possession of your information, you have the following rights:

  • Right of access – you may ask us whether we are processing your information and you have the right to request a copy of the information we hold about you.

  • Right of rectification – you have the right to correct inaccurate or incomplete information about you; you also have the ability to do so yourself in the 'Settings' section of your Profile.

  • Right to be forgotten – in most circumstances, you can ask for the information that we hold about you to be erased from our system.

  • Right to restriction of processing – where certain conditions apply, you can ask us to 'block' the processing of your information.

  • Right to data portability – you have the right to have the data we hold about you transferred to another organisation and to receive the information in a structured, commonly used format. This functionality is under development – in the meantime you can contact us at [email protected] to request your data.

  • Right to object – the GDPR gives you the right to object to certain types of processing, such as direct marketing. Currently, we are not using your Personal Information for any marketing purposes and we do not foresee such use in the future.

  • Right to object to automated processing (including profiling) – This right provides the data subject with the ability to object to a decision based on purely automated processing. As with the right to object, we are not processing your Personal Data for this type of automated decision-making and we are not anticipating such use in the future.

If you wish to exercise any of those rights, contact us at [email protected].

If you have any concerns about how Retrato processes your Personal Information, you have the right to lodge a complaint with a suitable data protection authority. Here you can find a list of data protection authorities in Europe.

8.2. Grounds for processing

The GDPR requires every organization that processes information about EU users to do so on the basis of specific legal grounds. Retrato processes information on the basis of the following grounds:

  • Legitimate interest - It is necessary to provide the Service's features. Our main ground for processing is our interest in delivering you the best Service possible. Retrato collects and uses certain information in order for the Service to fulfill its functions. Certain information about the user is necessary to create and maintain your account.

  • Contract - processing is necessary to fulfill our contractual obligations towards you. By signing up to the Service, you enter into a legally binding contract with Retrato, established in the Terms of Use. Although it might sound very business-like, entering into a contract by signing up to a website is extremely common on the Internet and necessary for you to use the Service.

Through creating an account and accepting the Terms of Use, you provide certain Personal Information for us to process.

9. International Data Transfers

SUMMARY: Retrato is a company registered in Estonia but outsources its hosting services to Digital Ocean and Amazon Web Services, who provide data centers across Europe.

We use Digital Ocean & Amazon Web Services for the purposes of hosting our `APIs` and `Artificial Intelligence Face Models`. We transfer the data to servers across Amsterdam and Frankfurt. We take appropriate safeguards for international data transfers: all the data is encrypted and sent through a secure TLS connection.

10. Security

SUMMARY: We utilize a variety of industry-standard safeguards to keep your Information safe, such as secure coding, privacy by design/default, two-step authentication, encryption, TLS connections, and 3-layer access.

Retrato takes information security very seriously. Sustainability, privacy and security are paramount values in our organization. We work hard to protect the Personal Information you give us from loss, misuse, or unauthorized access. We utilize a variety of safeguards to protect the Personal Information submitted to us, both during transmission and once it is received.

Retrato implements a number of safeguards to ensure that our systems are secure. Retrato performs code reviews and security and privacy testing on every new feature. Retrato utilizes automated package vulnerability scanners, which scan the system for known vulnerabilities and automatically prepare and implement a patch which will fix the vulnerability.

Retrato also implements security monitoring, which monitors strange activities and detects suspicious traffic.

Retrato enforces a multi-layer approach to the service's security. Accessing the managerial part of the service requires complex authentication. Every layer has access to different data and privileges. From the mid-layer downwards, there's IP domain restriction, self-signed certificates and IP whitelisting/restriction. On top of the aforementioned safeguards, Retrato also uses multi-factor authentication for development and management systems.

11. Children's Privacy

We do not intentionally gather Personal Information from persons under the age of 16.

If you are under the age of 16, please do not submit any Personal Information through the Service. Retrato does not collect or process Personal Information pertaining to a child, where a child under the GDPR is defined as an individual below 16 years of age.

12. Contact Us

You can direct any questions regarding this Privacy Policy to Retrato by sending an email to [email protected], or by post to:

RenderAI OÜ,

Harju maakond,


Lasnamäe linnaosa,

Lõõtsa tn 5, 11415

Please include your name and email address in email requests, and your name and postal address in mail requests.

These policies are part of Retrato’s Terms of Service. For more information, contact Retrato at [email protected].