Privacy Policy

Last revised: 18.08.2024

  1. Who are we, the data controller?

This Website as well as our Services are operated/ provided by Extend Studio S.R.L., a Romanian company, headquartered in P-ţa Presei Libere, no. 1, first floor, Casa Presei Libere, Corp A3, Bucharest, District 1, Romania, VAT RO17752490, registered at the Trade Register under no. J40/11781/2005, e-mail [email protected], (hereinafter referred to as ”Extend Studio”, “us”, “we”, or “our”).  

  1. The purpose of this policy

This Privacy Policy applies to your use of our tool, Espresso AI, an AI website builder which allows people to generate a website based on a short description provided by them (our “Services”) and, together with our Cookie Policy, it informs you, as a data subject, on how we process Personal Data we collect from or about you when you use our Services. 

  1. Definitions

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

GDPR Regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  1. Personal Data and information we Process

When you use our Services, we process several types of Personal Data and information, such as:

  • Personal Data you provide
  1. Account Data

When you create an Account and use our Services, we collect information and data associated with your Account, including personal identification data (name, e-mail, phone number, country of origin, company you work for as well your role and position within the company), account credentials, payment and purchase data (billing data, purchase and payment history) or any other data you include in your communication with us. If you want to create an Account and use our Services as a Client, then providing this Data is necessary. 

  1. Communication Data and any other Data you provide

If you communicate with us, we collect your name, contact information, and the contents of any messages you send to us through requests, complaints, reviews, suggestions, feedback, opinions etc. 

  1. User Content (Input and Output)

When you (as a Client or User) use our Services, we process Personal Data that is included in the content you provide (”Input”) and in the content you receive (“Output”). Input and Output are collectively “User Content.” The User Content may contain Personal Data belonging to our Clients (or their employees/ representatives), their Users or third parties (collectively ”data subjects”). 

We will process the User Content and all Personal Data associated with it and also the e-mail address of the User only for as long is necessary to generate the website; after that, the User Content and all Personal Data associated with it will be automatically transferred on your servers. After the website is generated, any information associated with Users or User Content that will remain stored in logs on our servers will be anonymized. 

In those situations in which a demo website is launched, the User Content and all Personal Data associated with it and the e-mail address of the User will be processed for a period of 24 hours. After this period, the website that was generated (including its associated User Content) will either be permanently deleted or will be migrated to a server chosen by you. After this period, any information associated with Users/ User Content that will remain stored in logs on our servers will be anonymized.

In all cases in which our Services are accessed by Users as part of a hosting plan (subscription concluded with our Clients) the generated website including its associated User Content and all the information regarding Users will be processed by our Clients according to their own Privacy Policies and Data Privacy Agreements. Our Clients are responsible for complying with all laws and regulations that may apply to the collection and processing of such data regardless of their quality, Data Controllers or Processors. 

  • Personal data we collect from third parties

We may receive Personal Data about you, as a data subject, from our Clients or their Users, when they submit Input in order to launch a website with our Services. Such Personal Data depends on the Input that is submitted to us and may consist of: identification data, company roles, photos, videos etc. Any such Personal Data will be processed by us for as long as it is necessary to generate the website or, in case of demo websites, for 24 hours. After that, any information associated with the Input we received or the Output that was generated that will remain stored in logs on our servers will be anonymized.

  • Personal data/ information we collect automatically 

When you visit, use, or interact with our Services, we receive the following information (“Technical Information”):

  1. Log Data. Information that your browser or device automatically sends when you use our Services. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our Services.
  2. Usage Data. We may automatically collect information about your use of the Services, such as the types of content that you view or engage with, the features you use and the actions you take, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and your computer connection.
  3. Device Information: Includes name of the device, operating system, device identifiers, and browser you are using. Information collected may depend on the type of device you use and its settings.
  4. Cookies and Similar Technologies. Please read our Cookie Policy for more information.
  1. How we use Personal Data

We use the collected Personal Data for various legitimate purposes, such as:

  • to provide and personalize our Services, to allow you to create and manage your Account, to provide customer assistance and technical support, to communicate with you about the Service, 
  • to conclude and perform contracts with our Clients, 
  • to detect, understand, diagnose, fix and prevent issues with our Services, appreciating that we have a legitimate interest to do so, 
  • to detect and prevent fraud, illegal activity, misuses of our Services including fraudulent payments or fraudulent use of our Services, appreciating that we have a legitimate interest to do so,
  • to comply with legal obligations and law enforcement requests,
  • to fulfil contractual obligations with third parties, appreciating that we have a legitimate interest to do so,
  • to establish, exercise, or defend legal claims, appreciating that we have a legitimate interest to do so,
  • to protect our or third parties’ rights and legitimate interests, for safety reasons such as analyzing log data to identify fraud and abuse in our Services,
  • to communicate with you and respond to your requests, complaints, questions, reviews, comments or suggestions, including to provide you with information regarding our Services at your request and to notify and inform you of any changes to our Policies;
  • depending on specific circumstances, we may have a legitimate interest in processing your Personal Data as part of extraordinary business operations (mergers, acquisitions, etc.).
  • in statistical purposes, to gather analysis or valuable information about how you use our Services so that we can improve it, to analyze the effectiveness of our Services, to improve and add features to our Services, appreciating that we have a legitimate interest to do so. 

We may also use your Personal Data and Technical Information for the purposes provided in our Cookie Policy. 

  1. Legal basis for Processing Personal Data under GDPR Regulation

The legal basis for processing the Personal Data described in this Privacy policy depends on the Personal Data we collect and the specific context in which we process it. We may process your Personal Data because:

  1. we need to perform a contract signed with you [article 6, letter b) of GDPR Regulation]
  2. we need to comply with a legal obligation [article 6, letter c) of GDPR Regulation]
  3. the processing is in our legitimate interests or in the legitimate interests of third parties as stated in our Policies and it is not overridden by your rights [article 6, letter f) of GDPR Regulation]; 
  4. you gave us permission to do so [article 6, letter a) of GDPR Regulation]; we will rely on consent for the processing of data by means of Cookies and other similar technologies (other than necessary) or in other specific cases stated in this Policy (if any). 
  1. Retention of Data

We will retain your Personal Data only for as long as necessary to achieve the purposes stated in this Policy. 

As a Client, your Personal Data will be stored for as long as you have an active Account or for the entire duration of the contract between us (as long as you use our Services). However, we may also store your Personal Data after this moment when we are required to do so by law or when we have a legitimate interest in doing so. For example, financial accounting documents will be kept for 5 or 10 years, according to the applicable law. Also, in order to manage contract-related operations, to fulfill our legal obligations, including the archiving of documents as well as for the purpose of achieving our legitimate interests (keeping a record of your relationship with us so that we can defend our rights in the event of any legal or extrajudicial proceedings), we may keep the Personal Data related to your contract with us for 5 years after the termination of the contract, deletion of your Account or, as the case may be, from your last interaction with us (whichever comes last), unless we have good reason to keep them for a longer period of time.

User Content and all Personal Data associated with it will be processed by us for a short period of time – for as long as it is necessary to generate the website or, in case of demo websites, for 24-hours; after that, the User Content with it will be either deleted or transferred to servers indicated by our Clients or their Users. Any information that still remains stored in logs on our servers will be anonymized. 

For the personal data / information collected automatically, please see our Cookie Policy. 

When the processing of your Personal Data is based on our legitimate interests or those of third parties, you have the right to object to the processing at any time and free of charge. 

When the processing of your Personal Data is based on your consent, you have the right to withdraw your consent at any time and free of charge without affecting the lawfulness of the processing carried out on the basis of your consent before its withdrawal. 

  1. Transfer of Data outside EU/ EEA

In certain situations, we may transfer your Personal Data to third countries, outside the European Union or the European Economic Area, which do not offer a level of data protection comparable to that of the European Union. For such cases, the data transfer will be carried out:

  1. In accordance with Art. 45 of the GDPR Regulation, only to those third countries that have been recognized by the European Commission as ensuring an adequate level of protection of personal data. The list of these countries can be found here or, failing that,
  2. Only on the basis of appropriate safeguards, such as standard data protection clauses (SCC) approved by the European Commission (many details can be found here) or other appropriate safeguards, as provided by art. 46 of the GDPR Regulation or, failing that,
  3. According to art. 49 para. 1 letter a) of the GDPR Regulation, only on the basis of your explicit consent, or, failing that,
  4. In accordance with art. 49 para. 1 letter b) – f) of the GDPR Regulation, only if the transfer is necessary for the performance of a contract concluded between us and you or between us and a third party, but in your interest, if the transfer is necessary for the implementation of pre-contractual measures taken at your request, if the transfer is necessary for important reasons of public interest, if the transfer is necessary for the establishment, exercise or defense of legal claims, or if the transfer is necessary in order to protect a vital interest, 
  5. According to art. 49 para. 1 final sentence of the GDPR Regulation, only if the transfer is necessary for the purposes of compelling legitimate interests pursued by Extend Studio which are not overridden by your interests or rights and freedoms, is not repetitive and made based on suitable safeguards with regard to the protection of Personal Data and only after informing you of the transfer and of the legitimate interests pursued.

You should also know that we have integrated OpenAI tools and products into our Services. Therefore, by using our Services, you understand and acknowledge that your Personal Data may be processed and stored by OpenAI company in other jurisdictions including United States which do not offer the same level of data protection as EU countries. Some of the OpenAI privacy policies may be found here:  https://openai.com/policies/eu-privacy-policy/

  1. Disclosure of Data

Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency). We may also disclose your Personal Data in the good faith belief that such action is necessary or upon your request. A transfer of your Personal Data also occurs when we use the services of third parties to provide our Services or to Process Data. 

Your Personal data may be disclosed to the following categories of recipients, including third parties, as appropriate:

  • OpenAI. As part of our Services, we use AI tools, software or products provided by OpenAI, which is an AI research and deployment company (OpenAI). Therefore, while using our Services your Personal Data will be transferred to OpenAI and will be processed according to their Policies. Some of their policies may be found here: Terms of use | OpenAI, Privacy policy | OpenAI, Terms & policies | OpenAI).
  • Other service providers. To assist us in meeting business operations needs and to perform certain services and functions, we may disclose Personal Data to service providers, including providers of hosting services, cloud services, support and safety monitoring services, web analytics services, legal services, accounting and financial services, payment and transaction providers, and other information technology services providers.
  • Hosting services providers indicated by you. 
  • Business Transfers. If we are involved in strategic transactions, reorganization, bankruptcy, merger and acquisition or transition of service to another provider (collectively, a “Transaction”), your Personal Data and other information may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.
  • Our employees, in order to exercise their duties.
  • Our shareholders, for administrative and control purposes.
  • Public authorities and institutions, including financing authorities and institutions.
  • Judicial bodies, if we are required to transfer Personal Data based on a legal request or in compliance with applicable laws.
  1. Security of Data

The security of your Personal Data is important to us but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

  1. Your Data Protection rights under GDPR Regulation 

In certain circumstances, you, as a Data subject, have the following data protection rights:

(a) The right to receive information about how we process your Personal Data.

(b) The right of access to your Personal Data, which allows you to obtain confirmation that your Personal Data are being processed by us, and, where that is the case, access to the Personal Data. It is important to know that we will not be able to process your request in all cases, such as situations where the exercise of your right could affect the rights of others, situations in which we cannot identify you or situations in which your request is manifestly unfounded or excessive.

(c) The right to rectification of inaccurate Personal Data concerning you.

(d) The right to erasure (right to be forgotten), which allows you to obtain from us the erasure of your Personal Data where one of the following grounds applies: (i) your Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw your consent on which the processing is based and we have no other legal grounds for the processing; (iii) you object to the processing and there are no overriding legitimate grounds for the processing or you object to the processing of your Personal Data for direct marketing purposes; (iv) your Personal Data have been unlawfully processed; (v) your Personal Data have to be erased for compliance with a legal obligation incumbent on us or (vi)  your Personal Data have been collected in relation to the offer of information society services directly to a child. 

It is important to know that we will not be able to process your request in all cases, such as situations where the law requires us to keep the Personal Data for a certain period, your Personal Data is necessary for exercising the right of freedom of expression and information, for the establishment, exercise or defense of legal claims or for reasons of public interest in the area of public health, etc.

(e) The right to restriction of the processing of your Personal Data, which allows you to request us not to use your Personal Data, but only to store them, in the following cases: (i) you have contested the accuracy of your Personal Data, for a period that allows us to verify the accuracy of your Personal Data; (ii) the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of their use instead; (iii) we no longer need your Personal Data for the purposes of the processing, but you require us your data for the establishment, exercise or defence of legal claims; (iv) you have objected to the processing of your Personal Data, for the period of time in which we verify whether our legitimate rights prevail over your rights.

(f) The right to Personal Data portability, which allows you to receive your Personal Data that you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller. Such a right is granted to you only when the processing of your Personal Data is based on your consent or on a contract concluded between us and you and only if the processing is carried out by automated means.

(g) The right to object to the processing of your Personal Data, under the conditions and within the limits provided by law. It is important to know that, when you exercise the right to object, the law obliges us to stop the processing only if it is carried out for direct marketing purposes. In other cases, we have the right to balance our interests and your particular situation in order to make a final decision. That is why it is important to explain to us why you object to the processing when making such a request.

(h) The right to withdraw your consent, at any time and free of charge, when data processing is done on the basis of your consent. 

(i) The right to lodge a complaint with a supervisory authority if you consider that the processing of your Personal Data is illegal. For more information, please contact your local data protection authority in the European Economic Area (EEA). The details of the Romanian supervisory authority may be found here https://www.dataprotection.ro/.

(j) The right not to be subject to a decision based solely on automatic processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. It is important to know that this right does not apply in certain cases, such as where the decision based solely on automatic processing is necessary for entering into or performance of a contract between us and you, is authorized by law or is based on your explicit consent.

(k) The right to a judicial remedy.

The main supervisory authority within the meaning of art. 56 of the GDPR Regulation:

The National Supervisory Authority for the Processing of Personal Data 

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, cod postal 010336, Bucharest, Romania

Phone: +40.318.059.211

Email: [email protected]

www.dataprotection.ro 

  1. Requests and exercise of your rights

As a Data subject, if you have any questions or concerns about how we process your Personal Data or if you wish to exercise your legal rights, you may contact us at our headquarters in P-ţa Presei Libere, no. 1, first floor, Casa Presei Libere, Corp A3, Bucharest, District 1, Romania, or by e-mail at [email protected]. Also, whenever made possible, you can access, update or request deletion of your Personal Data directly within your Account settings section. If you are unable to perform these actions yourself, please contact us to assist you. 

We will not refuse to comply with your request, unless it is not lawful or we are unable to identify you. We will make every effort to respond to you within one month of receiving your request. However, the law allows us to extend the response period by two months when necessary, in which case we will inform you of the reasons leading to this extension.

We will respond to requests by which you exercise your rights free of charge but if your requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may: (a) either charge a reasonable fee taking into account administrative costs to provide the information or communication or to take the requested action; (b) either refuse to comply with the request.

  1. Updating your Personal Data

You are required to provide us with true, complete and accurate data. If the Personal Data you have provided to us changes or if you become aware that we have any incorrect Personal Data about you, please contact us by email at [email protected]. We will not be liable for any loss arising from incorrect, inauthentic, insufficient or incomplete Personal Data that you provide to us.

  1. Links to other sites

Our Website may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

  1. Children’s Privacy

Our Services do not address anyone under the age of 18 (“Children”). We do not knowingly collect personally identifiable information from anyone under the age of 18. 

  1. Changes to this Privacy Policy

This Privacy Policy is subject to change at any time. Any changes that are made to our Privacy Policy will not apply retroactively and will not apply to disputes or events occurring before the change is published. The new version of the Policy will be published on the Website and you will be notified by a pop-up or by e-mail before the change becomes effective. 

  1. Contact us

If you have any questions about this Privacy Policy, please contact us:

Extend Studio S.R.L.

Headquarters: P-ţa Presei Libere, no. 1, first floor, Casa Presei Libere, Corp A3, Bucharest, District 1, Romania

E-mail [email protected]