Privacy Policy

Last updated: 17 April 2026

1. Data Controller

YALMAI LTD (ЯЛМАИ ЕООД), UIC 208775443, registered office: 3 Akad. Yordan Trifonov St., Sofia, Bulgaria. Contact: [email protected]

2. Data We Collect

Username (required) — account identifier and login.
Email address (required) — communication and password recovery.
Name (optional) — personalisation.
IP address and login timestamps (automatic) — account security.
Text prompts and generation parameters (automatic) — service delivery.
Business details: company name, tax ID, responsible person (optional, for B2B invoicing).

Payment card data is not collected by us — it is processed directly by payment providers.

3. Purposes and Legal Basis

Performance of a contract (Art. 6(1)(b) GDPR): account creation and management, service delivery, service-related communication.
Legal obligation (Art. 6(1)(c) GDPR): accounting and tax requirements.
Legitimate interest (Art. 6(1)(f) GDPR): IP address and login history for account security and fraud prevention.

4. Retention Period

Account data: until account deletion + 90 days.
Generated images: automatically deleted from cloud storage after 7 days.
Login history: last 10 records retained per account.
Generation logs (prompts, parameters): retained for service delivery and support, deleted upon account deletion.
Accounting records: as required by Bulgarian law (5 or 10 years).

5. Processors and Recipients

Microsoft Azure (EU regions) — hosting and infrastructure, email delivery. Governed by the Microsoft Online Services Data Protection Addendum.
Cloudflare, Inc. — CDN and security. Governed by the Cloudflare Data Processing Addendum.
Third-party AI service providers (USA/EU) — image generation and prompt processing. Your text prompts and uploaded reference images are sent to these providers solely for generating your requested images. These providers process data under their respective data processing agreements and do not use your data for training their AI models.

Payment providers (independent data controllers for payment data): Stripe, Inc. — online payments via redirect to Stripe's hosted payment page. UniCredit Bulbank AD / Borica AD — card payments via redirect to a certified payment page.

Your data is never sold or shared for marketing purposes.

6. International Transfers

Data is stored in Microsoft Azure EU regions. Transfers to Cloudflare, Stripe, and AI service providers (USA) are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Your Rights

Access, rectification, erasure, restriction of processing, data portability, objection. Submit requests to: [email protected]. We respond within 30 days. You have the right to lodge a complaint with the Commission for Personal Data Protection (www.cpdp.bg).

8. Cookies

We do not use HTTP cookies for tracking. Session data (authentication token, language preference) is stored in your browser's local storage and is cleared when you log out or your session expires. No analytics or marketing tracking is used.

9. Changes to This Policy

We will notify you of material changes by email or via an in-platform notice.

10. Uploaded Content

Images uploaded for AI generation are processed solely for that purpose. They are not used for training AI models. Generated images are stored in your account for 7 days, after which they are automatically deleted from our servers. You may download your images at any time during this period.