Controlling language
The English version of this document is the only legally valid and legally binding version. Any non-English version is an AI-generated translation provided for convenience only. If any translated version differs from the English version, the English version prevails.
This Privacy Policy describes how Erphitea OÜ (trading as Katalo), a private limited company registered in Estonia (reg. 17272613, VAT EE102940097), Ahtri tn 12, 15551 Tallinn, Estonia ("Katalo", "we", "our", or "us") collects, uses, stores, and discloses your personal information when you use:
- the Katalo website at katalo.ai (the "Site")
- the Katalo web application (the "App")
- the Katalo AI virtual staging Manual Service (the "Manual Service")
- the Katalo API (the "API")
(collectively, the "Service")
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein where consent is the applicable legal basis. If you do not agree, please do not use the Service.
This Privacy Policy should be read alongside our Terms of Service and Cookie Policy.
1. Who We Are (Data Controller)
For the purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, Erphitea OÜ (trading as Katalo) is the data controller of personal information collected through the Service.
Contact: Email: info@katalo.ai Phone: +420 776 309 578 Address: Ahtri tn 12, 15551 Tallinn, Estonia
For privacy-specific inquiries, please email info@katalo.ai with the subject line "Privacy Request".
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples | When Collected |
|---|---|---|
| Identity data | First name, last name | Early-access waitlist form; account registration |
| Contact data | Email address; phone number (optional) | Early-access waitlist form; account registration; support |
| Account credentials | Password (stored in hashed form) | Account registration |
| Payment data | Billing name, billing address, partial card details | Purchase / subscription sign-up |
| User content | Real estate photos and images you upload | When using the App, Manual Service, or API |
| Communications | Messages, feedback, support requests | When you contact us |
| Professional data | Company name, role (if provided) | Account registration or API sign-up |
Early-access waitlist: The form at katalo.ai collects your full name, email address, and optionally your phone number in order to notify you when access is granted and to communicate about the Service. Providing your phone number is voluntary.
Important note on payment data: Full payment card details (card numbers, CVV) are collected and processed exclusively by Lemon Squeezy (our payment processor / merchant of record). We do not store full card details on our systems.
2.2 Information Collected Automatically
When you visit the Site or use the App, we and our service providers may automatically collect:
| Category | Examples |
|---|---|
| Usage data | Pages visited, features used, time spent, click patterns |
| Device data | Browser type, operating system, screen resolution, device type |
| Network data | IP address, approximate location derived from IP |
| Session data | Login/logout times, session duration |
| Image interaction data | Room type selections, style selections, mode selections, output quality ratings |
| Advertising data | Ad click identifiers (such as GCLID), conversion identifiers, audience segments — only if we later activate consented advertising tools |
For more detail on cookies and similar tracking technologies, see our Cookie Policy.
2.3 Technical / System Log Data
We and our infrastructure providers (Vercel, Convex, UploadThing) automatically collect server logs for the purposes of security monitoring, error diagnosis, and infrastructure maintenance. This includes IP addresses, timestamps, HTTP request types, error codes, and referrer URLs. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). This data is not used for profiling or marketing.
2.4 Information from Third Parties
We may receive information about you from:
- Lemon Squeezy — confirmation of payment status, transaction IDs
- Authentication providers — if you register via a third-party single sign-on (SSO) service, we receive basic profile information (name, email) from that provider
3. How We Use Your Information and Our Legal Basis (GDPR)
The table below sets out each purpose for which we process personal data, together with the legal basis under Article 6 GDPR (and, where applicable, Article 9 for special category data).
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing early-access waitlist submissions | Identity data (name), contact data (email, optional phone) | Consent — you submit the form voluntarily to request early access; you may withdraw by emailing info@katalo.ai (Art. 6(1)(a)) |
| Creating and managing your account | Identity, contact, credentials | Contract — necessary to provide the Service (Art. 6(1)(b)) |
| Delivering the Service (App, Manual Service, API) | Identity, contact, user content (images) | Contract — necessary to provide the Service (Art. 6(1)(b)) |
| Processing and managing payments and subscriptions | Identity, contact, payment data | Contract — necessary to perform the payment transaction (Art. 6(1)(b)) |
| AI processing of uploaded images to generate staging outputs | User content (images) | Contract — processing your images is the core purpose of the Service (Art. 6(1)(b)) |
| Improving our AI generation workflows using aggregated analytics and feedback derived from usage | Image interaction data, usage data, aggregated/anonymized image metadata | Legitimate interests — improving product quality benefits all users; we do not use your identifiable images to train new AI models (Art. 6(1)(f)) |
| Customer support and handling complaints | Identity, contact, communications | Contract / Legitimate interests (Art. 6(1)(b)/(f)) |
| Sending transactional and service-related emails | Contact data | Contract — necessary to communicate service updates (Art. 6(1)(b)) |
| Sending marketing and promotional communications | Contact data | Consent — only with your explicit opt-in; you may withdraw at any time (Art. 6(1)(a)) |
| Targeted advertising (if activated) | Contact data, usage data, cookie data | Consent — only with your explicit opt-in via our consent manager (Art. 6(1)(a)) |
| Website and product analytics (PostHog) | Usage data, device data, network data | Consent — via the cookie consent banner (Art. 6(1)(a)) |
| Advertising measurement & conversion tracking (future advertising tools, if activated) | Advertising data, usage data, cookie data | Consent — only if such tools are activated later and you opt in via our consent manager (Art. 6(1)(a)) |
| Personalized advertising / remarketing (future advertising tools, if activated) | Usage data, cookie data, audience segments | Consent — only if such tools are activated later and you opt in via our consent manager (Art. 6(1)(a)) |
| Behavioral analytics and session replay (future replay tools, if activated) | Usage data, device data, mouse movements, heatmaps | Consent — only if such tools are activated later and you opt in via our consent manager (Art. 6(1)(a)) |
| Fraud prevention and security | Identity, network, session data | Legitimate interests — protecting users and the Service (Art. 6(1)(f)) |
| Compliance with legal obligations (tax records, regulatory requests) | Identity, payment, transaction data | Legal obligation (Art. 6(1)(c)) |
| Enforcing our Terms of Service | All relevant data | Legitimate interests (Art. 6(1)(f)) |
Legitimate interests balancing test: Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may request a copy of our legitimate interests assessment by contacting info@katalo.ai.
No automated decision-making: We do not carry out solely automated decision-making or profiling that produces legal or similarly significant effects on you, as described in GDPR Article 22. The AI processing of your images generates visual outputs at your explicit request; it does not make decisions about you as a person.
4. AI Processing of Your Images
When you upload images to the Service, those images are transmitted to Google's AI services (via Google Cloud / Vertex AI) solely to generate the staged output images you have requested. The specific Gemini models used include image generation and text models operated by Google LLC. We do not own or train these AI models — we use existing Google models via their APIs.
Specifically:
- Your images are processed by Google LLC on our behalf as a data processor under GDPR. Google processes image data in accordance with its Cloud Data Processing Addendum and applicable SCCs.
- Your images are not used by Google to train its general AI models under our API usage terms (Google Cloud / Vertex AI API terms prohibit use of API inputs for model training without consent).
- We use aggregated analytics and feedback (e.g., which outputs you rated positively, which styles performed well) to improve our own orchestration layer. This processing uses metadata and interaction signals, not your raw images in an identifiable form.
- Output images generated by Google's models are returned to you and stored on our backend (Uploadthing by T3 Tools, Inc.) until you download them or your account is closed.
5. How We Share Your Information
We do not sell your personal information. We share it only in the following circumstances:
5.1 Service Providers (Data Processors)
We share data with trusted third-party vendors who process it on our behalf and under our instructions:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Lemon Squeezy (LS Tech Inc.) | Payment processing / merchant of record | USA | SCCs |
| Google LLC (Google Cloud / Vertex AI) | AI image processing and staging generation (Gemini models) | USA | SCCs via Cloud DPA |
| Vercel Inc. | Website and domain hosting, edge network | USA | SCCs |
| Convex Inc. | Backend infrastructure, database, serverless functions | USA | SCCs |
| T3 Tools, Inc. (UploadThing) | Image file storage and delivery | USA | SCCs |
| Google LLC (Google Workspace / Gmail) | Transactional and operational email | USA | SCCs |
| PostHog, Inc. | Website and product usage analytics, when enabled by consent | USA / EU depending on account setup | Consent + SCCs / equivalent safeguards |
| Future Google Analytics 4 / Google Ads / Microsoft Clarity tools | Analytics, advertising measurement, or session replay if later activated | USA | Consent + SCCs |
5.2 Legal Requirements
We may disclose your information to comply with applicable law, regulation, court order, or other legal process, or where we believe it is necessary to protect the rights, property, or safety of Katalo, our users, or the public.
5.3 Enforcement
We may share information to enforce our Terms of Service, investigate suspected violations, or respond to claims that your use of the Service violates third-party rights.
5.4 Business Transfer
If Erphitea OÜ or Katalo (once incorporated) is involved in a merger, acquisition, asset sale, or restructuring, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your information becomes subject to a different privacy policy.
6. International Data Transfers
Erphitea OÜ is based in Estonia (EU). Where we transfer your personal data to recipients outside the European Economic Area (EEA) — for example, to US-based service providers such as Lemon Squeezy — we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, or
- Adequacy decisions where the destination country has been recognized by the EU as providing an adequate level of data protection
You can request information about the specific transfer mechanisms we use by contacting info@katalo.ai.
7. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes described in this Privacy Policy, including to comply with legal obligations, resolve disputes, and enforce our agreements.
| Data Type | Retention Period |
|---|---|
| Account data (identity, contact) | Duration of account + 2 years after closure |
| Payment records | 7 years (Estonian accounting law requirement) |
| Uploaded images (user content) | Duration of account + 30 days after closure; earlier deletion available on request |
| AI output images | Duration of account + 30 days, or until downloaded and deleted by user |
| Usage / analytics data | Up to 24 months |
| Support communications | 3 years from resolution |
| Consent records | 3 years from withdrawal or account closure |
When we no longer need your data, we securely delete or anonymize it. Aggregated, non-identifiable data may be retained indefinitely.
8. Your Rights
8.1 Rights Under GDPR (EEA and Estonia)
If you are in the EEA, you have the following rights under the GDPR:
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data |
| Erasure / "Right to be forgotten" (Art. 17) | Ask us to delete your data, subject to legal retention requirements |
| Restriction of processing (Art. 18) | Ask us to pause processing your data in certain circumstances |
| Data portability (Art. 20) | Receive your data in a machine-readable format or have it transferred to another controller |
| Object to processing (Art. 21) | Object to processing based on legitimate interests or for direct marketing |
| Withdraw consent (Art. 7(3)) | Withdraw any consent you have given at any time, without affecting lawfulness of prior processing |
| Lodge a complaint (Art. 77) | Complain to your local supervisory authority |
To exercise any of these rights, contact us at: info@katalo.ai (subject: "Data Rights Request"). We will respond within 30 days, or within 3 months for complex requests (we will inform you if an extension applies).
Estonian Supervisory Authority: Data Protection Inspectorate (Andmekaitse Inspektsioon — AKI) Website: aki.ee | Email: info@aki.ee | Phone: +372 627 4135
8.2 Rights Under UK GDPR (United Kingdom)
If you are in the United Kingdom, you have equivalent rights under the UK GDPR. The competent supervisory authority is:
Information Commissioner's Office (ICO) Website: ico.org.uk | Phone: 0303 123 1113
8.3 Rights Under CCPA / CPRA (California, USA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete your personal information, subject to exceptions
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of your personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your CCPA rights
We do not sell personal information. We do not share it for cross-context behavioral advertising without consent.
To exercise your CCPA rights, contact us at info@katalo.ai. We will respond within 45 days (extendable by a further 45 days with notice).
8.4 Opt-Out of Direct Marketing
You may opt out of marketing emails at any time by clicking the unsubscribe link in any marketing email or by writing to info@katalo.ai. Transactional/service emails related to your account or active subscription are not affected by marketing opt-out.
9. Cookies and Tracking Technologies
We use cookies and similar technologies on the Site and App. For full details — including the categories of cookies used, third-party cookies, and how to manage your preferences — please see our Cookie Policy.
Under GDPR and the ePrivacy Directive, non-essential cookies are set only with your prior consent. You may grant consent through our cookie consent banner, and you may revisit your choice later by clearing your browser cookies and revisiting the site so the banner is shown again.
Tracking Tools We Use
We currently use the following consented analytics tool:
PostHog — We use PostHog for first-party website and product analytics, including page views, feature usage, and product-improvement insights. PostHog is only enabled after you consent to analytics cookies, and we use it to understand how the Service is used rather than to make automated decisions about you.
If we later activate additional analytics or advertising tools such as Google Analytics 4, Google Ads, or Microsoft Clarity, we will do so only after updating this Privacy Policy and Cookie Policy and only with the consent required under applicable law. References to such tools in this document describe possible future implementations and should not be read as a statement that those tools are currently active in production.
10. Security
We implement technical and organizational measures appropriate to the risk to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include encrypted data transmission (HTTPS/TLS), hashed password storage, access controls, and vendor security assessments.