Privacy Policy

Last Updated: January 5, 2026

1. Introduction

Zhanna ROMM Inc ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketing content generation platform (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

• Email address (required for account creation and authentication)
• Password (encrypted and never stored in plain text)
• Account preferences and settings

Brand Information:

• Company name, mission statement, and business description
• Industry, niche/category, and target audience details
• Business strengths, values, and unique selling proposition
• Key messages and brand voice preferences
• Writing samples (up to 10 per brand, max 2,000 characters each)
• Logo and brand images
• Product/service offerings with pricing information

Payment Information:

• Payment card details (processed securely by Stripe; we do not store full card numbers)
• Billing address
• Transaction history

Communications:

• Messages you send to our support team
• Feedback and survey responses

Audio Recordings:

• Voice recordings you upload for transcription (max 25MB)
• Supported formats: MP4, M4A, CAF, MP3, WAV, WebM, OGG
• Transcribed text generated from your audio
• Audio file metadata (file name, format, upload date)

Reference Materials:

• Documents you upload for AI context (max 10MB per file, 50MB total, up to 5 files)
• Supported formats: PDF, DOC, DOCX, TXT, MD, CSV, JSON
• File metadata (names, sizes, upload dates)

Strategy Information:

• Content strategy type (Visibility or Launch campaigns)
• Ideal client descriptions and demographics
• Customer pain points and daily challenges
• Desired outcomes and transformations
• Core messaging and campaign goals
• Posting frequency preferences
• Product/offer selections for campaigns

2.2 Information Collected Automatically

Usage Data:

• Log data (IP address, browser type, device information, operating system)
• Pages visited, features used, time spent on the Service
• Content generation requests and results
• Error logs and performance data
• API usage patterns

Usage Metrics:

• Content generation counts per month
• Feature usage patterns (topics created, strategies, brands, etc.)
• Export activity (limited to 2 per year)

Cookies and Tracking Technologies:

• Session cookies for authentication and maintaining login state
• Analytics cookies to understand how you use the Service
• Preference cookies to remember your settings

You can control cookie preferences through your browser settings, but disabling certain cookies may limit Service functionality.

2.3 Information from Third Parties

Authentication Services:

• If you use AWS Cognito for authentication, we receive your email address and authentication tokens

Payment Processor:

• Stripe provides us with payment confirmation and transaction details (but not full card numbers)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

• Creating and managing your account
• Processing your subscription payments
• Generating AI-powered marketing content based on your brand information
• Storing and retrieving your generated content (for up to 1 year in history, permanently in saved library)
• Enforcing usage limits based on your subscription plan
• Providing customer support and responding to your inquiries

3.2 Service Improvement

• Analyzing usage patterns to improve features and user experience
• Identifying and fixing technical issues
• Developing new features and functionality
• Training and improving our AI models (using anonymized data only)

3.3 Communication

• Sending transactional emails (account creation, password resets, payment confirmations)
• Sending service announcements and updates
• Responding to your support requests
• Sending marketing communications (with your consent; you may opt out at any time)

3.4 Legal and Security

• Enforcing our Terms of Service
• Detecting and preventing fraud, abuse, and security threats
• Complying with legal obligations and responding to legal requests
• Protecting our rights, property, and safety

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

4.1 Service Providers

We share information with third-party vendors who help us operate the Service:

Amazon Web Services (AWS):

• Purpose: Cloud infrastructure, data storage, authentication, AI processing, and audio transcription
• Data Shared: All data necessary to provide the Service (account info, brand profiles, generated content, audio files, reference documents)
• Services Used:
  • AWS Cognito (authentication)
  • DynamoDB (database)
  • S3 (file storage - reference files auto-deleted after 30 days)
  • Bedrock with Claude AI (content generation)
  • CloudWatch (logging - 14-30 day retention)
  • CloudTrail (security audit logs - 365+ day retention)
• Note: Voice recordings uploaded for transcription may be considered biometric data in some jurisdictions. Audio files are automatically deleted within 24 hours after transcription.
• Privacy Policy: https://aws.amazon.com/privacy/

Stripe:

• Purpose: Payment processing
• Data Shared: Payment card information, billing address, transaction details
• Privacy Policy: https://stripe.com/privacy

Anthropic (Claude AI via AWS Bedrock):

• Purpose: AI-powered content generation and voice matching
• Data Shared:
  • Brand information (company, mission, industry, audience, strengths, values)
  • Up to 3 active writing samples per brand for voice matching
  • Strategy details (ideal client, pain points, goals)
  • Content generation requests and custom instructions
  • Reference documents you upload
• Data Retention: AWS Bedrock logs typically retained for 30 days
• Privacy Policy: https://www.anthropic.com/privacy

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal requests from government authorities
• Court orders, subpoenas, or legal process
• Protection of our rights, property, or safety
• Enforcement of our Terms of Service
• Prevention of fraud or security threats

4.3 Business Transfers

If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

4.4 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5. Data Retention

5.1 Account Data

We retain your account information for as long as your account is active.

5.2 Brand and Strategy Data

Brand profiles, strategies, topics, and insights (writing samples) are retained indefinitely while your account is active. They are permanently deleted within 30 days of account deletion.

5.3 Generated Content

• Content History: Automatically deleted after 1 year (365 days) from generation date
• Saved Content: Permanently retained in your library until you delete it

5.4 Audio Recordings and Transcriptions

• Audio files: Automatically deleted within 24 hours after transcription
• Transcribed text: Follows the same retention as generated content (1 year)

5.5 Reference Files

Reference documents uploaded to S3 are automatically deleted after 30 days. Incomplete uploads are removed after 7 days.

5.6 Usage Records

• Rate limiting data: 2 minutes to 60 days depending on time window
• Export counters: Reset annually on January 1st

5.7 Payment Records

Payment transaction records retained as required by financial regulations (typically 7 years).

5.8 System Logs

• API Gateway logs: 14 days
• Application logs: 30 days
• Security audit logs (CloudTrail): 365+ days

5.9 After Account Deletion

When you delete your account:

• Your brand profiles, strategies, and generated content are permanently deleted within 30 days
• We may retain certain information for legal or regulatory compliance purposes
• Some data may be retained in system logs for up to 365 days for security purposes
• Anonymized usage data may be retained for analytics and service improvement

6. Data Security

We implement industry-standard security measures to protect your information:

6.1 Technical Safeguards

• Encryption in Transit: All data transmitted between your browser and our servers uses TLS/SSL encryption
• Encryption at Rest: Sensitive data is encrypted when stored in our databases
• Access Controls: Strict role-based access controls limit who can access your data
• API Key Security: API keys are hashed with cryptographic salts and never stored in plain text
• Infrastructure Security: AWS infrastructure with built-in DDoS protection, firewalls, and intrusion detection

6.2 Organizational Safeguards

• Regular security audits and vulnerability assessments
• Employee training on data privacy and security
• Incident response procedures for data breaches
• Logging and monitoring of system access

6.3 No Guarantee

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

7.1 Access and Portability

• Right to Access: You can request a copy of the personal information we hold about you
• Right to Data Portability: You can request your data in a machine-readable format

7.2 Correction and Deletion

• Right to Correct: You can update your account information at any time through your account settings
• Right to Delete: You can request deletion of your account and associated data

7.3 Opt-Out Rights

• Marketing Communications: Unsubscribe from marketing emails via the link in each email
• Cookies: Control cookie preferences through your browser settings

7.4 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected, used, and shared
• Right to delete personal information (with certain exceptions)
• Right to opt-out of sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights
• Right to limit use of sensitive personal information (including voice recordings)

Categories of Personal Information Collected:

• Identifiers (email address, IP address)
• Commercial information (subscription history, payment records)
• Internet activity (usage patterns, feature interactions)
• Audio information (voice recordings for transcription)
• Professional information (business details in brand profiles)
• Inferences (AI-generated content based on your inputs)

To exercise these rights, contact us at: info@zhannaromm.com

7.5 European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

Legal Basis for Processing:

• Contract Performance: Processing necessary to provide the Service
• Legitimate Interest: Service improvement, security, and analytics
• Consent: Marketing communications and optional features
• Legal Obligation: Compliance with applicable laws

Data Controller: Zhanna ROMM Inc

To exercise these rights, contact us at: info@zhannaromm.com

8. International Data Transfers and Geographic Restrictions

The Service is hosted in the United States (AWS us-east-1 region). All data processing occurs in the United States.

Geographic Restrictions: The Service is currently available only to users in the United States. Access from other countries may be blocked.

If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. The United States may have data protection laws that differ from those in your country. By using the Service, you consent to the transfer of your information to the United States.

For EEA Users: We rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection of your data.

9. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at info@zhannaromm.com. We will promptly delete such information from our systems.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with any information.

11. Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) signal. We do not currently respond to DNT signals because there is no industry-wide standard for how to interpret them.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes:

• We will notify you by email or through a prominent notice on the Service
• The "Last Updated" date at the top of this policy will be revised
• Your continued use of the Service after the effective date constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Zhanna ROMM Inc
Privacy Inquiries: info@zhannaromm.com
Response Time: We will respond to your inquiry within 30 days (or as required by applicable law).