Last Updated: March 27, 2026 · Version 1.6
Welcome to Avatarooms, a social network dedicated exclusively to AI-generated synthetic media. Because our platform relies on advanced Artificial Intelligence to help you create avatars and videos, we believe in radical transparency.
This Privacy Policy is written in plain English to clearly explain exactly what personal data we collect, how our AI systems process it, who we share it with, and the rights you have under the General Data Protection Regulation (GDPR) and other applicable privacy laws.
The company responsible for deciding how and why your personal data is processed (known as the “Data Controller”) is:
Novum universum, UAB
Company Code: 304773257
Address: Piromonto g. 7-61, Vilnius, Lithuania
If you have any questions about this policy or want to exercise your privacy rights, you can contact our privacy team at any time at privacy@avatarooms.com.
We have carefully assessed our privacy obligations and determined that we are not currently required by law to appoint a formal Data Protection Officer (DPO). However, we take your privacy seriously. All privacy inquiries, complaints, and data rights requests are handled directly by our dedicated privacy team, who can be reached at privacy@avatarooms.com.
Because Novum universum, UAB is established in Lithuania, the lead supervisory authority is the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI). If you believe your data protection rights have been infringed, you have the right to lodge a formal complaint with the VDAI:
You may also contact the supervisory authority in the EU Member State where you live or work.
You must be at least 16 years old to create an account and use Avatarooms.
This threshold is derived from GDPR Article 8, which sets the default age of digital consent for information society services at 16 – a standard that the Republic of Lithuania has maintained without lowering. Additionally, the Digital Services Act (DSA) Article 28 requires platforms to implement appropriate measures to ensure a high level of privacy, safety, and security for minors.
We do not knowingly collect personal data from anyone under the age of 16. If we become aware that an account has been created by someone under this age threshold, we will immediately and permanently delete the account and all associated data.
We only collect the data necessary to provide you with a seamless and secure experience. Under the GDPR, we must have a valid “legal basis” – a legally justified reason – to process your data. Here is a granular breakdown of our processing activities.
What we collect: Your email address and a securely hashed password, or your Google Sign-In details (display name, email address, profile photo, Google ID, and phone number, if provided by Google). We also record a boolean flag confirming you declared yourself to be 16 or older, and a timestamped record of the Terms of Service version you accepted.
Why we need it: To verify your identity, create your account, and send you mandatory service and security notifications. The age declaration ensures compliance with child data protection laws before granting access.
Legal Basis: Contract (Art. 6(1)(b)) – processing is necessary to provide you with the Service under our Terms. For the age declaration, we also rely on Legal Obligation (Art. 6(1)(c)) to comply with GDPR Art. 8 and DSA Art. 28.
What we collect: Optional profile information you choose to provide, such as a display name, date of birth, country of residence, biographical text, and custom avatar images. We also record a last-seen timestamp and session tokens.
Why we need it: To allow you to personalize your public social profile. The last-seen timestamp is used for session security and to prevent unauthorized account access.
Legal Basis: Consent (Art. 6(1)(a)) for optional fields – you choose exactly what to share and can remove it at any time. Legitimate Interest (Art. 6(1)(f)) for session state and last-seen timestamps – we have a legitimate interest in ensuring network and information security, which overrides the minimal privacy impact.
If you supply a date of birth, we use it solely for age verification and do not share it with third parties or use it for any other purpose.
What we collect: The text prompts you type, personality descriptions, style preferences, aspect ratio, duration, generation parameters, and any source images you upload. We also store the AI-generated outputs – avatar images, video files, stream URLs, thumbnails, and generation metadata.
Why we need it: To instruct our AI models to generate the specific synthetic media you requested.
Legal Basis: Contract (Art. 6(1)(b)) – processing is strictly necessary to deliver the core generative service.
When you upload a source image to create an avatar, our AI systems analyze facial geometry and features. Depending on your jurisdiction, this may be classified as biometric data.
Important notice about prompts and uploads: Please do not include sensitive personal information in your prompts – such as information revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation – about yourself or others. We do not intentionally process special-category data (GDPR Art. 9), but free-text prompts may incidentally contain it. Similarly, please do not upload images of other people unless you have their explicit consent to do so.
What we collect: Your published posts (media files in MP4 H.264+AAC format), captions (up to 1,000 characters), visibility settings (public/private/unlisted), comments, likes, follows, saves, block lists, interaction timestamps, and your social graph. We also process your per-post privacy preferences – “Allow Comments” and “Allow Sharing” toggles.
Why we need it: To host your content, display it to your followers, enable community interaction, and enforce your privacy-by-design settings.
Legal Basis: Contract (Art. 6(1)(b)) – necessary to deliver the social networking functionality.
What we collect: Engagement metrics – what content you interact with, view duration, and algorithmic ranking signals.
Why we need it: To power our recommendation algorithms and personalize your “For You” and “Trending” feeds.
Legal Basis: Legitimate Interest (Art. 6(1)(f)) – we have a legitimate business interest in improving content discovery and user experience. You can opt out of personalised feed recommendations through your account settings, in which case you will see a chronological or default feed instead.
What we collect: IP addresses, login attempt logs, API request headers, endpoint access history, rate-limit counters, failed authentication attempts, device fingerprint proxies, active authentication tokens, AI safety flags, content moderation signals, and moderation decision audit logs.
Why we need it: To detect hackers, prevent bot attacks (including brute-force, credential stuffing, and DDoS), keep the platform stable, and to detect, review, and remove illegal content or material violating our Community Guidelines.
Legal Basis: Legitimate Interest (Art. 6(1)(f)) for protecting platform integrity and infrastructure security. Legal Obligation (Art. 6(1)(c)) for content moderation activities required under the Digital Services Act (DSA Arts. 14-16).
What we collect: App usage data (event names, screen views, feature usage, crash logs, device context) and device-linked identifiers used for marketing attribution (campaign parameters, deep-link routing data, install source attribution, web banner interactions).
Why we need it: To fix software bugs, understand how our app is used, and measure the success of our marketing campaigns.
Legal Basis: Consent (Art. 6(1)(a)). We only collect this data if you explicitly click “Accept” on our consent banner. These analytics and attribution tools access information on your device and are activated only after you grant consent through our Consent Management Platform (CMP). You can withdraw your consent at any time through the same interface.
If we introduce paid features, we will collect subscription status and plan type. Payment processing will be handled by a third-party payment processor, which will be named in an update to this policy before any paid features are launched. We will not store your full payment card details.
Legal Basis: Contract (Art. 6(1)(b)).
Avatarooms is an AI-first platform. Whenever you generate an avatar or video, you are interacting with an artificial intelligence system.
To continuously improve the generative capabilities of Avatarooms, we use your creative text prompts, uploaded source images, and generated synthetic media to train and fine-tune our own proprietary artificial intelligence models.
Legal Basis: Legitimate Interest (Art. 6(1)(f)). We have a legitimate interest in improving the quality and safety of our AI systems. This interest has been assessed against user privacy expectations through a Legitimate Interest Assessment (LIA).
Your Opt-Out Right: You can opt out of having your data used for AI model training at any time through the privacy settings inside the Avatarooms app. If you opt out, your existing and future content will not be used for model training. Content already incorporated into trained models before your opt-out cannot be individually extracted.
We transmit your prompts and source images to external AI service providers to generate content on your behalf. These providers currently include:
Each provider acts as a Data Processor under a formal Data Processing Agreement. We do not permit these providers to use your data for their own training purposes unless explicitly disclosed.
We use AI-based safety filters to automatically detect and block content that violates our Community Guidelines or applicable law (e.g., CSAM, violence, hate speech). These filters operate at the point of generation and publication.
Legal Basis: Legal Obligation (Art. 6(1)(c)) for DSA compliance. Legitimate Interest (Art. 6(1)(f)) for platform safety.
If your content is restricted or your account is affected by an automated moderation decision, you have the right to request a human review. You can do this through the in-app appeals process or by contacting legal@avatarooms.com.
We share your data only with the categories of recipients described below, and only for the specified purposes.
As listed in Section 5.2. Your prompts and images are transmitted to these providers to generate content.
These providers only receive data if you have granted consent via the CMP.
We may disclose your information if required by law, court order, or regulatory authority, or if necessary to protect our legal rights, enforce our Terms, or ensure the safety of our users.
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy.
| Data Category | Retention Period |
|---|---|
| Account data (email, credentials, profile) | Active account lifetime + 30-day grace period, then hard deletion |
| AI-generated content (avatars, videos, thumbnails) | Until you delete the content or your account, then 30-day grace period + hard deletion |
| Social interaction data (posts, comments, likes, follows) | Until you delete the content or your account, then 30-day grace period + hard deletion |
| Log data (IP addresses, access logs) | Automatically destroyed after 12 months |
| Analytics data (Firebase Analytics) | Up to 14 months per vendor settings |
| Attribution data (AppsFlyer) | Up to 24 months per vendor settings |
| Content moderation records | Minimum 6 months following moderation decision (DSA Art. 20) |
| Inactive accounts | After 2 years of inactivity, warning email sent; hard deletion 30 days later if no response |

The deployment of tracking technologies on your device is governed by our Consent Management Platform (CMP), ensuring compliance with the ePrivacy Directive and the Digital Markets Act (DMA).
These are the fundamental scripts necessary for the platform to function – maintaining secure login sessions, enforcing rate-limiting, and remembering your privacy preferences. These cannot be disabled and do not require consent under the strict necessity exemption of the ePrivacy Directive.
The SDKs provided by Firebase Analytics and AppsFlyer are strictly disabled by default. They will not initialise and will not read or write data on your device unless you affirmatively grant consent via the CMP.
To comply with the anti-dark-pattern mandates of DSA Article 25, our consent interface is designed neutrally. If you decline consent, we register your refusal and will not subject you to repeated consent prompts on subsequent visits. Refusing analytics consent will in no way degrade your ability to access the core generative and social networking features of the platform.
You can manage your consent preferences at any time through the privacy settings inside the Avatarooms app.
The protection of your data requires uncompromising technical and organisational measures (GDPR Art. 32):
While we take these precautions seriously, no system is completely secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform you directly.
Under the GDPR, you maintain complete control over your personal data. You have the right to:
You can use the self-service privacy tools inside the Avatarooms app settings, or email your request directly to privacy@avatarooms.com with the subject line “Data Subject Rights Request.”
To protect your privacy from fraudulent requests, we may need to verify your identity before acting. We will respond to your request within 30 days. If your request is complex, we may extend this period by an additional 60 days with notice.
You can delete your account at any time through the app settings (Settings > Account > Delete Account). After you request deletion:
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing them with any personal data.
As we introduce new generative features or as privacy laws evolve, we may update this policy. If we make material changes, we will notify you by sending an email or displaying a prominent alert within the Avatarooms application before the changes take effect.
Your continued use of the Service after the effective date of any update constitutes your acknowledgment of the revised policy. If you do not agree with the changes, you may delete your account as described in Section 10.
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Account registration and authentication | Contract | Art. 6(1)(b) |
| Age verification | Contract + Legal Obligation | Art. 6(1)(b) + Art. 6(1)(c) |
| Optional profile customization | Consent | Art. 6(1)(a) |
| Session state and last-seen timestamps | Legitimate Interest | Art. 6(1)(f) |
| Avatar and video generation | Contract | Art. 6(1)(b) |
| AI model training and fine-tuning | Legitimate Interest | Art. 6(1)(f) |
| Social features (posts, comments, likes) | Contract | Art. 6(1)(b) |
| Algorithmic feed curation | Legitimate Interest | Art. 6(1)(f) |
| IT security and abuse prevention | Legitimate Interest | Art. 6(1)(f) |
| Content moderation (DSA compliance) | Legal Obligation | Art. 6(1)(c) |
| Product analytics (Firebase, GTM) | Consent | Art. 6(1)(a) |
| Marketing attribution (AppsFlyer) | Consent | Art. 6(1)(a) |
| Billing and subscription (future) | Contract | Art. 6(1)(b) |

| Provider | Country / HQ | Transfer Mechanism |
|---|---|---|
| Google Cloud / Firebase | United States | EU-US DPF + SCCs |
| Cloudflare | United States | EU-US DPF + SCCs |
| Google Cloud AI (Vertex AI) | United States | EU-US DPF + SCCs |
| Kling AI (LOHAS GAMES PTE. LTD.) | Singapore / China | SCCs |
| OpenAI | United States | SCCs (via Business DPA) |
| Replicate | United States | SCCs (via Processor Terms) |
| Nano Banana | Google Cloud (US) | Google Cloud DPA + SCCs |
| AppsFlyer | Israel | EU Adequacy Decision + SCCs |
| Firebase Analytics | United States | EU-US DPF + SCCs |
| Google Tag Manager | United States | EU-US DPF + SCCs |

Categories of Personal Information Collected: Identifiers, Commercial Information (subscription status), Biometric Information (source images for AI), and Sensitive Personal Information (if voluntarily provided in prompts).
Your Rights: You have the right to: (1) Know what data is collected; (2) Delete your data; (3) Correct inaccurate data; and (4) Opt-out of the ‘Sale’ or ‘Sharing’ of Personal Information.
Notice of Right to Limit: We do not use or disclose Sensitive Personal Information for purposes other than those permitted by the CCPA.
This Privacy Policy is governed by the laws of the Republic of Lithuania and the applicable regulations of the European Union.