Get Started Free
Legal information

Privacy Policy

Privacy Policy for NetRoom. How we collect, store, and protect your data.

Updated: 13.06.2026 Currently in force
Terms of Service Privacy Policy Refund Policy

1. What this document is about

We treat your data with respect and want you to understand what happens "under the hood". This Privacy Policy (the "Policy") explains, in plain language, what data the NetRoom platform (the "Service", "we") collects, why we need it, with whom we may share it and how long we keep it. It also describes your rights and how to exercise them.

The document is drafted in accordance with applicable personal-data protection law.

By creating an account and using the Service you agree to this Policy. If something does not work for you — message support: we will figure it out together or help delete your account.

Full legal details of the operator (name, registration number, tax ID, registered address) are provided on request — see "Operator contact".

2. Legal bases for processing

We process personal data on the following legal bases:

  • Consent of the data subject — given upon registration and acceptance of this Policy.
  • Necessity for the performance of a contract to which the User is a party, or to take steps at the User's request prior to concluding such a contract.
  • Legitimate interests of the operator or third parties — in particular, fraud prevention, protecting the Service from abuse, internal accounting and anonymised analytics.
  • Compliance with statutory obligations — for example, tax and accounting requirements relating to payments.

3. Data collection and processing

NetRoom collects the minimum set of data required for the service to operate:

  • Account data — Telegram ID or email. Optionally, profile name and Google/Yandex OAuth identifier.
  • Conversation data — text prompts are stored for 14 days.
  • Payment data — processed through certified providers.

Below is the full list of categories of data we process:

3.1. Identifiers and account credentials

  • Email address, profile name;
  • Telegram ID, Telegram username, interface language (when signing in via Telegram WebApp);
  • Google identifier (google_id) and verified email when using Google OAuth;
  • Yandex identifier (yandex_id) and verified email when using Yandex OAuth;
  • Password hash (for email/password sign-in — the clear-text password is not stored and cannot be recovered);
  • Session access tokens (JWT) and related service flags.

3.2. Financial and tariff data

  • Internal balance in roubles, individual discounts and bonus coefficients, referral earnings;
  • Transaction history: operation type (debit, credit, refund, adjustment), category (text-model usage, image generation, top-up, referral, bonus, subscription, other), amount, tokens used, markups/discounts applied, model identifier, date and metadata;
  • Payment-system identifiers (YooKassa, Telegram Stars) — without bank-card details.

3.3. Signup attribution

For abuse prevention and acquisition analytics we record a set of anonymised parameters at first registration:

  • landing page, referrer, UTM tags (utm_source, utm_medium, utm_campaign, utm_term, utm_content);
  • platform (web/telegram), device type, operating system, browser;
  • IP address and User-Agent at the moment of registration, exact timestamp.

3.4. Current session data

  • Time of last activity; platform, device type, OS, browser, IP, User-Agent of the latest successful authentication;
  • Free-tier usage counters and the time of their last reset;
  • Technical log entries of requests (timestamp, endpoint, status code).

3.5. User content

  • Messages, prompts, files and images uploaded by the User to chats;
  • Model responses, including hidden reasoning chains where returned by the model;
  • Message pinning state (is_pinned), user prompt presets;
  • Metadata of generated images and videos: prompt, model, resolution, duration, status, media link, cost and related technical parameters (provider_data);
  • Metadata of uploaded files: name, MIME type, byte size, SHA-256 hash, RAG indexing state and number of billed tokens.

3.6. Referral relationships

  • Inviter identifier (invited_by);
  • Counters of level-1 and level-2 invited users (ref1_count, ref2_count);
  • Used referral/bonus codes and redemption history.

3.7. Settings and flags

  • Features enabled by the User (e.g. reasoning, search, image-generation modes);
  • Interface theme and language, other user preferences;
  • Status and parameters of active subscriptions.

4. Purposes of processing

We process the listed data solely for the following purposes:

  • creating and maintaining the account, authentication and session management;
  • providing the core and additional features of the Service (access to models, chats, assistants, presets, RAG search);
  • calculating request costs, maintaining the balance and transaction history, crediting and debiting bonuses;
  • providing support and handling user enquiries;
  • Service security: detection and prevention of fraud, abuse of bonus and referral systems, attacks on infrastructure;
  • compliance with tax, accounting, anti-fraud and other statutory requirements;
  • analytics, statistics and quality improvements — in anonymised or aggregated form;
  • delivery of important service notifications (e.g. changes to tariffs, policies, incident notifications) and, where you consent, marketing communications.

We do not use your data for automated legally significant decision-making and do not perform profiling with material legal effects on the User.

5. Sharing with third parties

To operate the Service we work with trusted partners. We interact with each of them only to the extent required to deliver the service:

  • AI model developers — leading companies in the industry (in particular, OpenAI, Anthropic, Google, Mistral, Stability AI and similar). When you select a model and submit a request, we share with the relevant developer only the request itself and its parameters (model, image dimensions, duration, etc.). We do not share your email, phone number or other contact details unless you place them in the prompt yourself.
  • Payment services — YooKassa and Telegram Stars. They receive the payment amount, currency and technical order identifier, and a service email when a fiscal receipt is issued. Your card details are processed directly by the payment system and do not reach the Service.
  • Telegram — the messenger is used for Telegram WebApp sign-in and for delivering service messages (for example, top-up notifications).
  • Cloud storage — to store your generated images, videos and uploaded files we use cloud infrastructure from trusted providers.
  • OAuth services — Google and Yandex, when you choose to sign in via these services.
  • Competent authorities — only in cases expressly required by law (for example, a duly substantiated request from a court or tax authority).

We do not sell your data, do not share it with ad networks and do not use it to build advertising profiles with third parties.

6. International data transfer

Some of the leading models we offer (for example, those developed by OpenAI, Anthropic, Google, Mistral and others) run on servers in various countries around the world. This is an inherent feature of the global AI market: to give you access to the best models, your request needs to reach their infrastructure.

The data transfer is limited to what is necessary to process the request: the prompt text, attached files and generation parameters. By accepting this Policy and selecting such a model, you agree that your request will be sent to the corresponding developer. You can at any time stop using particular models and select others from the catalogue.

7. Retention periods

Retention by data category:

  • Messages and generated outputs in chats14 days from creation, after which they are automatically removed from the Service's servers. This does not affect copies transferred to Model Providers, which are governed by their own policies.
  • Generated images and videos in cloud storage — until deleted by the User or upon account deletion.
  • User-uploaded files and their RAG indexes — until deleted by the User or upon account deletion.
  • Account and related identifiers, transaction history and referral relationships — until you request account deletion.
  • Financial and tax records — for the periods required by applicable accounting, tax and payment law (typically at least 5 years from the date of the transaction). After account deletion such data is anonymised to the maximum extent possible.
  • Technical log entries (IP, User-Agent, session markers) — no longer than 90 days.

8. How media storage and sharing work

We store your generated images and videos in cloud storage. Access is organised through an individual long identifier link known only to you and us. That said, if such a link becomes known to a third party — for example, you share it yourself or post it publicly — they will be able to open the content.

The same applies to the "share chat or preset" feature: a link with a share token is available to anyone you send it to. This is convenient for collaboration, but we recommend that you do not share links to materials you do not want to make public.

You can delete your media and revoke share links at any time. The Service may also disable any public link upon detecting violations of these Terms.

9. Data protection measures

The Service applies organisational and technical safeguards, including:

  • TLS encryption of data in transit, verification of domain certificates;
  • storage of passwords as cryptographic hashes (PBKDF2-SHA256), so they cannot be recovered in clear text;
  • authentication via JWT, session control, login attempt limits;
  • verification of Telegram WebApp authenticity via HMAC signature of initData;
  • segmented access to the database and logging systems; access limited to a narrow circle of staff acting in their official capacity;
  • regular backups and integrity checks;
  • logging of administrative actions and incident response.

Despite these measures, no system is absolutely secure. The Service promptly responds to identified vulnerabilities and incidents and, where required, notifies affected Users in the manner provided by law.

10. Cookies and analytics

The Service uses cookies and similar technologies:

  • Strictly necessary cookies — for User authentication, session maintenance, CSRF protection, storage of UI preferences (theme, language). These cookies cannot be disabled without loss of Service functionality.
  • Analytical cookies and anonymised counters — to understand traffic distribution, identify bottlenecks and improve Service quality. Data is processed in anonymised or aggregated form.
  • Browser local storage (localStorage/sessionStorage) — to save user preferences and the fact of consent to the legal documents.

Cookies can be managed through the User's browser. Disabling strictly necessary cookies will make the Service unusable.

11. Minors

The Service is not intended for persons under 18. We do not request from Users, and do not knowingly process in full, personal data of minors. If we learn that an account belongs to a minor acting without the consent of a legal guardian, we may restrict access to 18+ models or, in appropriate cases, delete the account.

12. Your rights

You have the right to request deletion of all of your data via Telegram support. In addition, in line with applicable law and accepted data-protection practice, you have the following rights:

  • Right of access — obtain a copy of all data NetRoom processes about you (account, transaction history, open chats) in a machine-readable format (JSON or CSV) within 10 business days of your request.
  • Right to rectification — request correction or update of inaccurate data (e.g. email, profile name).
  • Right to erasure ("right to be forgotten") — request full deletion of the account and all related data. After deletion the account cannot be restored. Records required by tax and accounting law are anonymised to the maximum extent and retained for the periods set by law.
  • Right to restrict processing — pause processing of specific data categories while keeping the account itself (for example, disable storage of conversation history).
  • Right to withdraw consent — withdraw previously given consent. Withdrawal results in account deletion, as providing the service is technically impossible without data processing.
  • Right to portability — receive an export of your data in a format suitable for transfer to other services.
  • Right to object to certain forms of processing — in particular, to the use of data for marketing communications.
  • Right to lodge a complaint — file a complaint with the competent data-protection authority if you believe your rights have been violated.

How to exercise: message Telegram support @netroom_ai with your account email or Telegram ID and the nature of the request. Response time — up to 10 business days. The platform may not refuse a deletion request in cases provided by law and does not charge for honouring your rights.

The Service may request additional information to verify your identity and prevent fraudulent access to other people's data.

13. Operator contact

For all data-processing matters and the exercise of your rights, contact our Telegram support: @netroom_ai. Support operates daily 09:00–23:00 (UTC+3). Full legal details of the operator (name, registration number, tax ID, registered address) are provided upon reasonable request.

14. Changes to the Policy

The Service may update this Policy. The current version is always published at /privacy/ with the date of the latest update. We notify Users of material changes affecting your rights as a data subject upon next sign-in and, where applicable, also via email or Telegram. If you disagree with the new version, you may withdraw your consent and request deletion of the account under the "Your rights" section.

Ready to start

Less legalese,
more making.

Sign-up is free. A starter balance is waiting for you.