Last Revised on 23rd March 2026.
At Roominate (operated by Interior Intelligence Oy), we understand that our clients entrust us with valuable intellectual property. This page outlines our technical security measures, data processing standards, and compliance infrastructure. By using the Roominate Services, you agree to the data practices described below, which form an integral part of our Terms of Service.
1. Data Processing & Compliance
To ensure compliance with the GDPR (EU), UK GDPR, and CCPA (USA), we act as a Data Processor (or Service Provider) for all business clients.
Scope of Data: We process only the data required to generate interior design imagery (“Input” and “Output”). We explicitly prohibit the uploading of Sensitive Personal Data (e.g., health, financial, or biometric data).
Your Ownership: As defined in our Terms, you remain the Data Controller. You own your Input, and we process it solely on your instructions to provide the Services.
Liability: We accept liability for the performance of our subprocessors in accordance with Article 28 of the GDPR. Notwithstanding any other provision of these Terms, our liability for any breach of this Data Protection Section or any data protection laws (including the GDPR) shall be limited to the total amount of fees paid by you to the Company in the twelve (12) months preceding the event giving rise to the claim.
Relationship of the Parties: To the extent that your use of the Services involves the processing of “Personal Data” (as defined under the GDPR, UK GDPR, or CCPA) or “Proprietary Business Data,” you acknowledge that you are the Data Controller (or “Business”) and Interior Intelligence Oy is the Data Processor (or “Service Provider”).
Authorization to Transfer Data: You explicitly acknowledge and agree that providing the Services (specifically, high-fidelity AI image generation) requires significant computational resources that may be located outside of your country of residence. You hereby grant Interior Intelligence specific authorization to transfer, process, and store your Input and Output in facilities located in the European Union and the United States, provided such transfers comply with applicable laws. Where Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (“UK”), or any jurisdiction requiring appropriate safeguards is transferred to a country that has not been deemed to provide an adequate level of data protection, the parties agree that such transfers shall be governed by the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor), as supplemented by the UK Addendum where applicable. The Data Processing Addendum (“DPA”) incorporating such safeguards is hereby incorporated by reference into this Agreement.
For US clients: Where applicable under U.S. state privacy laws, including the California Consumer Privacy Act (“CCPA”), the Company shall act as a “Service Provider” and shall not sell or share Personal Data except as permitted under applicable law.
2. International Data Transfers
To deliver high-fidelity AI generation, Roominate utilizes enterprise-grade GPU clusters located in the United States and the European Union.
Legal Mechanism: For data transfers from the EEA/UK to the USA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor).
Authorization: By using the Services, you explicitly authorize the transfer of Input data to our US-based subprocessors for the sole purpose of image generation and model inference.
3. Subprocessors & Infrastructure
Security Measures: We implement commercially reasonable technical and organizational measures designed to protect your data against unauthorized access, loss, or alteration. However, you acknowledge that no internet transmission is 100% secure. You agree that Interior Intelligence’s liability for any data breach shall be limited to the Liability Cap set forth in Section 1, except where such limitation is prohibited by mandatory law.
Subprocessors: You agree that we may engage third-party subprocessors (e.g., cloud hosting providers like AWS, Google Cloud, or specialized AI compute providers) to deliver the Services.
4. Technical Security Measures
Encryption at Rest: All user data (images and prompts) stored in our databases is encrypted using AES-256 standards.
Encryption in Transit: All data transmitted between your browser and our servers is secured via TLS 1.2+ (HTTPS).
Access Control: Access to customer data is strictly restricted to Roominate employees with a specific business need (e.g., engineering support). We enforce Multi-Factor Authentication (MFA) on all internal administrative accounts.
Data Isolation: Customer data is logically separated in our database to prevent unauthorized cross-tenant access.
5. Data Retention & Deletion
Users may request deletion of their account and associated Personal Data by contacting us at team@interiorintelligence.co. We will process verified deletion requests in accordance with applicable data protection laws. We retain Personal Data for as long as necessary to provide the Services and to fulfill the purposes described in this Agreement. Upon account termination or verified deletion request, Personal Data will be deleted within a reasonable period, unless retention is required or permitted by applicable law (e.g., for accounting, legal, or compliance purposes).
6. Contact Our Security Team
If you have questions about our security posture or need to report a vulnerability, please contact:
Interior Intelligence Oy
Email: team@interiorintelligence.co