Privacy Policy

Controller: Endless Circuit Technologies OÜ Registered address: Pärnu mnt 139b, Kesklinna, Tallinn, 11317, Harju County, Estonia Registry code: 17343218 Legal form: Private Limited Company (OÜ) Email for privacy inquiries: privacy@ollala.ai General enquiries: info@ollala.ai Support: support@ollala.ai Data Subject Access Requests (DSAR): data@ollala.ai Data Protection Officer: dpo@ollala.ai

We collect account details, usage data, and content you submit. If you provide sensitive information (e.g., sexual preferences), we process it only with your explicit consent. Data are used to operate, secure, and improve our Services; process payments; provide support; prevent fraud; comply with legal obligations; and communicate service updates. We share data only with trusted service providers (e.g., payments, hosting, security, AI model providers). We do not sell your personal data. You have rights under applicable laws (EEA/UK, U.S. states, Canada, etc.), including access, deletion, correction, restriction, portability, objection, and the right to withdraw consent at any time. The Services are intended only for adults (18+). We do not knowingly process data from children. When you delete your account, we delete your personal data within 24 hours, except where longer retention is required by law (e.g., billing records retained up to 7 years). Analytics cookies load by default; you can manage them any time through the on-site cookie settings tool or via your browser/device controls.

This policy applies to all data processing activities related to ollala.ai and associated services. "Personal Data" means any information relating to an identified or identifiable natural person. "Special Categories" or "Sensitive Data" refers to information such as sexual preferences or health details that receive heightened protection under data-protection law.

5.1 Data You Provide Directly Account and profile: email address, username/display name, optional avatar, communication preferences. Content and interactions: story prompts, generated outputs, comments, ratings, feedback, and other content you submit. Billing and transactions: limited payment information (e.g., last 4 digits of card, card brand, transaction IDs), invoices, and refund records processed through our payment provider. 5.2 Data Collected Automatically Log and device data: IP address, device type, operating system, browser, language, approximate location (derived from IP), timestamps, referring/exit URLs, error logs, and diagnostic data. Usage data: feature usage, session metadata, performance metrics, reliability metrics, and crash reports. 5.3 Cookies and Local Storage We use first‑party cookies and local storage for session management, security, preferences, and analytics. Analytics cookies load by default so we can understand performance and protect the Service. You can disable analytics at any time using the on-site cookie settings tool or block cookies through your browser or device settings (which may affect functionality). Refer to our Cookie Policy for details. 5.4 Optional Marketing Data If you opt in to receive marketing communications, we collect your preferences for email or in‑product messages.

Processing sensitive data: We process sensitive personal data (e.g., sexual preferences) only with your explicit consent and solely to provide requested features such as personalized story generation. You can withdraw consent at any time via your settings or by contacting data@ollala.ai. Withdrawal does not affect processing already performed. Age restriction: The Services are intended exclusively for adults (18+). We do not knowingly collect personal data from anyone under 18. If you believe that a minor has provided personal data, please contact us immediately; we will promptly delete the data and close the account.

We do not use your private stories, prompts, or outputs to train our foundation models. If we integrate third‑party AI providers, we contractually instruct them not to train on your private content. Only de‑identified, aggregated data may be used for statistical learning if the provider's terms require it, and we apply strict safeguards. Public content you intentionally publish may be used to improve our Services (e.g., quality and discovery).

We process personal data to: Provide and operate the Services (e.g., account creation, authentication, content generation, moderation, customer support). Process payments, manage subscriptions, handle chargebacks/refunds, and prevent fraud. Maintain the safety and integrity of the platform, enforce our Terms of Service, and detect or respond to abuse. Communicate service‑related messages, security alerts, billing notices, and policy updates. Develop, improve, and test features through de‑identified analytics and A/B testing. Comply with legal and regulatory requirements (e.g., tax obligations, lawful requests). Protect vital interests in emergency situations.

We process personal data under one or more of the following bases: Consent: For optional marketing and for processing sensitive data. Contract: To provide the Services you request and administer subscriptions. Legitimate interests: To secure, maintain, and improve the Services; understand aggregated usage patterns; prevent fraud; and send essential communications, provided these interests do not override your rights and freedoms. Legal obligation: To meet record‑keeping, tax, and regulatory requirements, and to respond to lawful requests. Vital interests: To protect the life and safety of users in emergencies.

We use essential cookies for core functionality and security. Analytics cookies also run by default so we can understand performance and reliability. You can opt out of analytics at any time through the cookie settings tool or your browser/device controls. Disabling essential cookies may affect the platform's functionality.

If you sign up or log in using a third‑party provider (e.g., Google), we receive limited personal data such as your name, email address, and profile picture to create and authenticate your account. We do not control or assume responsibility for how the provider processes your personal data outside our Services. Review their privacy policy for more details.

We do not engage in automated decision‑making that produces legal or similarly significant effects without human intervention. We may use automated tools (including machine learning) to generate or recommend content and to detect abuse, but human oversight remains part of our safety and support processes.

Account data: Retained while your account is active and deleted within 24 hours of your account deletion request, subject to legal holds. Content: Private content is deleted with your account. You can delete specific content at any time. Public content you intentionally publish may remain visible until you remove it; residual copies may persist where necessary for legal reasons or backups. Billing and compliance records: Retained for up to 7 years (or longer if required by law). Logs and security telemetry: Typically retained up to 180 days for security and incident investigations. We delete or irreversibly anonymize data when retention periods expire.

We are based in the EU. When personal data are transferred outside your jurisdiction (e.g., to processors in the United States), we use safeguards such as Standard Contractual Clauses and, where applicable, the UK Addendum. We conduct transfer risk assessments and implement supplementary measures as needed to protect your data.

We do not sell personal data. We share personal data only with: Payments: Payment processors (e.g., Stripe) to handle subscriptions, billing, and refunds. Hosting and infrastructure: Service providers (e.g., Supabase, cloud hosting) for storage, backups, and content delivery; security providers (e.g., Cloudflare). Diagnostics and reliability: Providers for error monitoring, performance analysis, and incident resolution. Communications: Services for sending transactional emails. AI model providers: Third‑party providers (e.g., OpenAI, Google) to generate content based on your inputs. They do not train on your private content unless permitted by you and the provider processes only aggregated or de‑identified data. Professional advisors: Auditors, accountants, and legal counsel under confidentiality obligations. Business transfers: In connection with mergers, acquisitions, or financing; your data will remain protected. Legal and safety disclosures: Authorities or law enforcement as required to comply with laws, protect rights, or respond to emergencies. We maintain an up‑to‑date list of sub‑processors and require them to follow our instructions and implement appropriate safeguards.

We implement technical and organizational measures to protect your data, including: Encryption: TLS 1.3 for data in transit and AES‑256 for data at rest, where applicable. Access controls: Role‑based access control, multi‑factor authentication for privileged accounts, and regular access reviews. Secret management: Secure vault storage and periodic key rotation. Secure development: Code reviews, dependency scanning, static/dynamic analysis, and supply‑chain hygiene. Testing and monitoring: Continuous vulnerability scanning, logging, and security assessments. Business continuity: Backups, disaster recovery, and incident‑response procedures. Compliance alignment: Controls aligned with frameworks such as SOC 2 and ISO 27001 (even where certification is not yet held). No system is completely secure. You should use strong, unique passwords and keep them confidential.

Depending on your jurisdiction, you may have rights to: Access your personal data and obtain a copy. Request correction of inaccurate data. Request deletion of your data. Restrict or object to processing. Obtain data portability. Not be subject to automated decisions that produce legal or similarly significant effects. Withdraw consent where consent is the basis of processing. Lodge a complaint with a supervisory authority. To exercise any of these rights, email data@ollala.ai or use available in‑product tools. We aim to respond within 30 days or within the timeframe required by law.

Residents of certain U.S. states (e.g., California, Virginia, Colorado, Connecticut, Utah) may have additional rights, including the right to opt out of targeted advertising and data sales or sharing. Please refer to our dedicated U.S. state rights section (available at ollala.ai/privacy/us) for more details and instructions.

Requests: Submit via data@ollala.ai or our in‑product request tools. Verification: We may need to verify your identity (e.g., via email confirmation or transaction metadata). Appeals: If we deny your request in a state with an appeal right, you may appeal by replying to our response. If unresolved, contact your state's attorney general. Authorized agents (California): You may designate an agent to act on your behalf. We may require proof of authorization and your verification. Marketing opt‑out: Unsubscribe using the link in marketing emails or adjust preferences in your account settings.

There is no industry consensus on Do‑Not‑Track (DNT) signals; therefore, we do not respond to DNT at this time. Where legally required, we process Global Privacy Control signals as a valid opt‑out of certain data processing (e.g., targeted advertising).

If Endless Circuit Technologies OÜ is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We may also share data with our affiliates under common control, provided they follow this policy. We will ensure the confidentiality of personal data and provide notice before personal data become subject to a materially different privacy policy.

We may disclose personal data to comply with applicable laws, respond to lawful requests, protect rights, privacy, safety, or property, enforce our terms, or investigate suspected violations and security incidents. Where permitted by law, we will notify affected users before making such disclosures.

We may update this policy from time to time to reflect changes in law or our practices. Material changes will be communicated through prominent notices in the Services or via email. The date at the top of the policy indicates when it was last updated.

For questions or concerns about this policy or our privacy practices: Privacy inquiries: privacy@ollala.ai Data subject requests: data@ollala.ai General inquiries: info@ollala.ai Support: support@ollala.ai Postal address: Endless Circuit Technologies OÜ Registry code: 17343218 Pärnu mnt 139b, Kesklinna Tallinn, 11317, Harju County Estonia We take your privacy seriously and are committed to handling your personal data transparently and responsibly. If you have any questions, please contact us using the details above.