iTomas AI — Privacy Policy

CHANGES TO THIS PRIVACY POLICY

We may modify this Privacy Policy from time to time, in which case we will update the effective date at the top. If we make material changes to the way in which we use or disclose information we collect, we will notify you by email at the last email address you provided us. If you do not agree to any updates, please stop using the Services.

1. WHO WE ARE

SC OUTLETICO SRL is an EU-based company registered in Romania, operating the iTomas AI personal assistant platform at itomas.ai. For any privacy-related questions, contact us at [email protected].

2. INFORMATION WE COLLECT

Information you provide directly:

• Account details: name, email address, password (stored as a one-way cryptographic hash — we never store your actual password)
• Payment information: processed entirely by our third-party payment provider. We store only your subscription status and billing email, never your card details
• Platform identifiers: your Telegram or Discord user ID if you connect those platforms
• Google account data: only if you voluntarily connect your Google account (see Section 6)

Information collected automatically:

• Your messages and conversations with the iTomas AI assistant
• Usage data: features used, token consumption, subscription status
• Technical data: IP address, device type, browser type, log data, date and time stamps

Information your assistant learns about you:

• Facts and preferences that iTomas AI stores to personalise your experience over time ("memory data"). This data is built from your interactions with the assistant and is used solely to provide you with a personalised service.

3. HOW WE USE YOUR INFORMATION

We use your information to:

• Provide and operate the iTomas AI assistant service — legal basis: performance of contract
• Personalise your experience through persistent memory — legal basis: performance of contract
• Process your subscription and send billing-related emails — legal basis: performance of contract
• Maintain platform security and prevent abuse — legal basis: legitimate interest
• Comply with legal obligations — legal basis: legal obligation
• Analyse and improve our Services — legal basis: legitimate interest

We do not sell your data. We do not use your data for advertising. We do not use your conversation data to train AI models.

4. DISCLOSURE OF YOUR INFORMATION

We share your information with the following categories of third parties:

Service Providers: Vendors who help us provide the service, including cloud infrastructure and database hosting, generative AI and content processing, payment processing, email delivery, security and DDoS protection, and caching services. These providers act as data processors under our instruction and are contractually bound to process your data only as directed by us.

Business Transactions: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

Legal Requirements: We may disclose your information to comply with applicable law, court orders, or regulatory requests, or to protect the rights, property, and safety of our users, platform, and the public.

We do not name individual vendors in this public policy. In accordance with your rights under applicable data protection law, you may request the identity of specific data processors by contacting [email protected].

5. INTERNATIONAL DATA TRANSFERS

Some of our service providers operate outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission. Standard Contractual Clauses are legally binding contract terms approved by the European Commission that impose data protection obligations on parties who transfer personal data outside the EEA. You may request a copy of the applicable safeguards by contacting [email protected].

6. GOOGLE INTEGRATION

If you choose to connect your Google account, we access Google Calendar, Google Drive, and Gmail only to fulfil your explicit requests. We do not store, analyse, share, or use your Google data to train AI models. We do not use Google data for any purpose other than providing the requested feature to you. We only use and disclose information from your Google account in accordance with the Google API Services User Data Policy, including the Limited Use requirements. You can disconnect your Google account at any time from your account dashboard.

7. EU AI ACT TRANSPARENCY

iTomas AI is an AI-powered assistant. You are interacting with an artificial intelligence system, not a human. In compliance with Article 50 of the EU AI Act, which becomes fully applicable on 2 August 2026, we clearly disclose the AI nature of our service at all points of interaction. Our AI assistant is designed to be helpful, accurate, and transparent about its nature. It will not claim to be human if sincerely asked.

8. DATA RETENTION

• Conversation memory: automatically deleted on a rolling 90-day basis
• On cancellation: all personal memory and conversation data permanently deleted within 7 days of subscription ending. If you resubscribe within 7 days, your data is preserved.
• Account and billing records: retained as required by EU and Romanian law
• Messages and usage logs: retained while your account is active
• Right to erasure: contact [email protected] at any time to request immediate deletion of all your personal data

9. CHILDREN'S PRIVACY

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. By creating an account, you represent that you are at least 18 years of age. If we become aware that we have collected personal information from a person under 18, we will take immediate steps to delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected].

10. DATA SECURITY

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include AES-256-GCM encryption for stored credentials and OAuth tokens, HTTPS/TLS encryption for all data in transit, strict access controls and authentication requirements, regular security assessments, and infrastructure-level DDoS protection. We do not store payment card details on our servers. Despite our reasonable efforts, no security measures are completely impenetrable and we cannot guarantee the absolute security of your information. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

11. YOUR RIGHTS

EU/EEA residents (GDPR):

You have the following rights regarding your personal data:

• Right to access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data
• Right to restriction: request that we restrict processing of your data
• Right to object: object to processing based on legitimate interests
• Right to data portability: receive your data in a structured, machine-readable format
• Right to lodge a complaint: with the Romanian data protection authority (ANSPDCP) at www.dataprotection.ro

To exercise any of these rights, contact [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.

US Residents (CCPA and similar state privacy laws):

If you are a resident of California or another US state with applicable privacy legislation, you have the following rights:

• Right to know: request information about the categories and specific pieces of personal information we have collected about you
• Right to delete: request deletion of personal information we have collected from you
• Right to correct: request correction of inaccurate personal information
• Right to opt-out: opt out of the sale of personal information. We do not sell personal information.
• Right to non-discrimination: we will not discriminate against you for exercising any of your privacy rights

To exercise any of these rights, contact [email protected]. We will respond within 45 days as required by applicable law.

12. DATA TRANSFERS — EU AND UK USERS

For transfers of personal data outside the EEA, we rely on Standard Contractual Clauses issued by the European Commission. These clauses provide appropriate safeguards for your personal data when transferred to countries outside the EEA. Please contact [email protected] if you wish to examine a copy of the applicable clauses or obtain further information about the safeguards we have in place.

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will update the effective date at the top of this page and notify you by email of any material changes. We encourage you to review this Privacy Policy periodically.

14. HOW TO CONTACT US

SC OUTLETICO SRL
Romania, European Union
[email protected]

Last updated: May 2026