PRIVACY & COOKIE POLICY
Last updated: February 18, 2026
1. Introduction
Orbitum Tech OÜ ("we," "our," or "us"), a company registered in Estonia (Registration Number: 17390885), operates sec30.com ("the Service"). We are committed to protecting your privacy and being transparent about how we handle your personal information. This Privacy & Cookie Policy explains our data practices when you use our AI-powered creative platform.
Company Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Võru tn 11, 13612, Estonia
1A. Our Data Protection Roles
Under Regulation (EU) 2016/679 (GDPR), Orbitum Tech OÜ acts in a dual capacity depending on the category of personal data involved:
Data Controller
We are the data controller for personal data we collect and process for our own purposes, including:
- Account registration data (name, email, password hash)
- Billing and payment information (billing address, transaction records, invoices)
- Security and authentication data (access logs, session tokens, IP addresses)
- Service analytics and compliance records
For these categories we determine the purposes and means of processing and are responsible for compliance with all applicable GDPR controller obligations.
Data Processor
We act as a data processor when you use the Service to create, upload, or process content (including text prompts, images, and other creative materials). In this capacity:
- We process your content solely on your behalf and according to your instructions
- We do not determine the purposes or means of processing your content
- We do not use your content for any purpose of our own, including training, analytics, marketing, or profiling
- We implement appropriate technical and organisational measures to ensure the security of processing
Processing is carried out only on the basis of your documented instructions - i.e., the actions you take within the Service (sending prompts, generating images, uploading files). We do not independently analyse, mine, or repurpose your content. Upon account deletion, content is removed in accordance with the retention schedule described in Section 7.
1B. You as Data Controller (User-Provided Personal Data)
If you choose to include personal data of third parties in your prompts, uploads, or generated content, you act as the data controller for that data. As a data controller, you are responsible for:
- Ensuring you have a valid lawful basis (e.g., consent, legitimate interest) for processing such personal data
- Informing the relevant data subjects about how their data is processed
- Responding to data subject requests relating to personal data you have provided
- Complying with all applicable data protection laws in your jurisdiction
Orbitum Tech OÜ accepts no responsibility or liability for the lawfulness, accuracy, or appropriateness of any personal data you submit to the Service. You must ensure that your use of third-party personal data complies with applicable law before submitting it.
2. Information We Collect
Account Information
When you register for an account, we collect:
- Email address (required for account creation and communication)
- Display name (optional, for personalization)
- Password (stored using industry-standard hashing)
- Profile preferences you choose to configure
Usage Data
We automatically collect certain information when you interact with our Service:
- Chat conversations and AI-generated responses
- Images you create and associated metadata
- Feature usage patterns and preferences
- Device type, browser information, and operating system
- IP address and approximate geographic location
- Session duration and interaction timestamps
Payment Information
All payment transactions are processed through PCI DSS-compliant third-party payment providers. We do not store complete credit card numbers or CVV codes on our servers. We retain only transaction records necessary for billing, support, and compliance purposes.
3. How We Use Your Information
We process your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve our AI features
- Transaction Processing: To handle token purchases and maintain billing records
- Communication: To send account notifications, updates, and support responses
- Security: To detect, prevent, and respond to fraud or unauthorized access
- Analytics: To understand usage patterns and enhance the user experience
- Legal Compliance: To fulfill our obligations under applicable laws
4. AI Training Policy
We do NOT use your content to train AI models. Your conversations, generated images, prompts, and other creative content remain private. We do not share your content with AI model providers for training or fine-tuning purposes. Your creative work belongs to you.
5. Data Sharing
We share your information with the following categories of third-party service providers, strictly for the purposes described below:
| Recipient Category | Data Shared | Purpose |
|---|---|---|
| AI Service Providers (OpenRouter, fal.ai) | Text prompts, image generation parameters, conversation context | Generating AI text and image responses on your behalf |
| Payment Processor (Sigmex) | Name, email, billing address, phone number, transaction amount | Processing token purchases and payment verification. Sigmex acts as payment processor; Orbitum Tech OÜ remains the merchant of record for all transactions. |
| Application Hosting (Railway) | All Service data (encrypted at rest and in transit) | Application hosting and infrastructure |
| CDN & Security (Cloudflare) | Requests routed through edge network | Content delivery, DDoS protection, and SSL termination |
| Object Storage (Cloudflare R2) | Generated images, uploaded media files | Persistent storage and delivery of media content |
AI Provider Data Handling
When you use AI features, your prompts and inputs are transmitted to third-party AI providers (OpenRouter, fal.ai) solely for the purpose of generating the requested output. We do not permit these providers to use your data for model training. Where the provider offers a mechanism to disable training on inputs (e.g., API-only access, zero-data-retention agreements), we enable those settings. AI providers may retain inputs transiently for abuse monitoring as required by their terms of service, but do not use them for model improvement.
We may also disclose your data when required by law, court order, or to protect our legal rights.
All third-party service providers are contractually bound to protect your data, process it only for the purposes we specify, and comply with applicable data protection legislation.
6. Data Security
We implement robust security measures to protect your information, including:
- TLS/HTTPS encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Regular security audits and vulnerability assessments
- Access controls limiting data access to authorized personnel only
- Secure, geographically distributed data storage
While we employ industry-standard protections, no system is completely secure. We encourage you to use strong passwords and protect your account credentials.
7. Data Retention
We retain your personal data for the periods described below. When a retention period expires, data is either permanently deleted or irreversibly anonymised.
| Data Category | Retention Period | After Deletion |
|---|---|---|
| Account Data (email, name, password hash, profile info) | Duration of active account | Deleted within 30 days of account closure |
| Payment & Transaction Records (invoices, billing address, transaction history) | 7 years from transaction date | Retained as required by Estonian tax and accounting law (Accounting Act § 12) |
| User Content (chats, prompts, generated images, projects) | Duration of active account | Deleted within 30 days of account closure |
| Server & Security Logs (IP addresses, access logs, error logs) | 90 days | Automatically purged after 90 days |
| Cookie Consent Records | 12 months | Consent re-requested upon expiry |
Grace period: After you request account deletion, there is a 30-day grace period during which your account can be reactivated by contacting support. After this period, all personal data and content are permanently deleted, except for records we are legally required to retain (e.g., transaction records for tax compliance).
8. Your Rights (Data Subject Rights)
Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, you have the following rights with respect to your personal data:
- Access (Art. 15 GDPR): Request a copy of your personal data we hold
- Rectification (Art. 16 GDPR): Correct inaccurate or incomplete information
- Erasure (Art. 17 GDPR): Request deletion of your account and personal data, subject to legal retention obligations
- Portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format
- Objection (Art. 21 GDPR): Object to processing based on legitimate interests
- Restriction (Art. 18 GDPR): Request limitation of processing in certain circumstances
- Withdraw Consent (Art. 7(3) GDPR): Revoke consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of receiving your request.
Right to Lodge a Complaint with a Supervisory Authority
If you believe that our processing of your personal data infringes your rights under the GDPR, you have the right to lodge a complaint with a data protection supervisory authority. As Orbitum Tech OÜ is registered in Estonia, the lead supervisory authority is:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: [email protected]
Website: www.aki.ee
You may also lodge a complaint with the supervisory authority in your country of residence or place of work if you are located in the EU/EEA.
9. Cookies & Tracking Technologies
We use cookies and similar technologies to enhance your experience. Non-essential cookies are only placed after you have given your explicit consent via our cookie consent banner.
Types of Cookies
- Strictly Necessary Cookies: Required for authentication, security, and core platform functionality. These cookies do not require consent and cannot be disabled.
- Analytics Cookies: Help us understand usage patterns and improve the Service. Placed only with your consent.
- Preference Cookies: Remember your settings, language, and interface choices. Placed only with your consent.
Cookie Consent & Management
When you first visit the Service, a cookie consent banner is displayed allowing you to accept or reject non-essential cookies. Your consent preferences are stored and honoured across sessions.
- You may withdraw or modify your consent at any time by clicking the cookie settings icon on the website, accessible from the footer of every page.
- Disabling strictly necessary cookies via your browser may affect Service functionality.
- Consent records are retained for 12 months, after which consent is re-requested.
10. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such data, please contact us immediately for removal.
11. International Data Transfers
Your data may be processed in countries outside the European Economic Area (EEA). The following table describes the specific transfers we make:
| Data | Recipient | Country | Safeguard |
|---|---|---|---|
| Text prompts, conversation context | OpenRouter (LLM providers) | United States | Standard Contractual Clauses (SCCs) |
| Image generation parameters | fal.ai | United States | Standard Contractual Clauses (SCCs) |
| Application data (encrypted) | Railway (hosting) | United States / EU | Standard Contractual Clauses (SCCs) |
| Generated images, media files | Cloudflare R2 (storage) | EU (primary), global edge | EU Adequacy / SCCs |
| Payment data (name, email, billing address) | Sigmex (payment processor) | EU | GDPR-compliant processor |
Where data is transferred to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the Commission (Decision 2021/914) to ensure an adequate level of data protection.
12. Policy Updates
We may update this Privacy & Cookie Policy periodically to reflect changes in our practices or legal requirements. Material changes will be communicated via email or prominent notice on the Service. Continued use after updates constitutes acceptance of the revised policy.
13. Contact Us
For privacy-related inquiries or to exercise your data rights, please contact:
Orbitum Tech OÜ
Registration Number: 17390885
Harju maakond, Tallinn, Lasnamäe linnaosa, Võru tn 11, 13612, Estonia
Email: [email protected]
Data Protection Contact: [email protected]
Hours: Monday–Friday, 09:00–18:00 CET