Privacy Policy

Type: Privacy Policy · Version: 2026-04-17 · Published: 2026-04-17 11:23 UTC
════════════════════════════════════════════════════════════════
MAKRR — PRIVACY POLICY
Version 1.0 · Effective 2026-04-17
Trashify Tech OÜ · Registry code 16495334
════════════════════════════════════════════════════════════════

AT A GLANCE

— We are the controller of the personal data we collect about YOU: account, billing, support, site usage and cookies. This Policy explains that.
— For personal data YOU upload to the Service about third parties (people visible in images, video, device telemetry), you are the controller and we are your processor. That is governed by the Data Processing Agreement, not this Policy.
— We do NOT sell or share your data with third parties for their marketing or advertising.
— We use Derived Signals and a narrow subset of User Content to improve the Service, on a legitimate-interest basis. You can opt out at any time in your account settings or by email.
— Primary storage is in the European Union (AWS Frankfurt). Some training runs on our infrastructure in India, under EU Standard Contractual Clauses and a Transfer Impact Assessment.
— You have GDPR rights: access, rectification, deletion, portability, objection, complaint. Contact privacy@makrr.ai.

────────────────────────────────────────────────────────────────
SECTION 1. CONTROLLER AND CONTACT
────────────────────────────────────────────────────────────────

Controller: Trashify Tech OÜ
Registry code 16495334
Registered office: Gonsiori tn 29-3, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia
VAT: EE102538959
Privacy contact: privacy@makrr.ai
Postal: FAO Privacy Contact, Trashify Tech OÜ, Gonsiori tn 29-3, 10147 Tallinn, Estonia

Formal Data Protection Officer: a formal DPO will be appointed before the Service reaches the activity thresholds that make appointment mandatory under Article 37 GDPR. Until then, the Privacy Contact address above is the single intake point for all data-protection matters.

Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), info@aki.ee, www.aki.ee, Tatari 39, 10134 Tallinn.

────────────────────────────────────────────────────────────────
SECTION 2. SCOPE OF THIS POLICY
────────────────────────────────────────────────────────────────

2.1 This Policy applies when we act as CONTROLLER, i.e. when we decide the purposes and means of processing. That covers:
(a) visitors to makrr.ai and trashify.tech and any associated pages;
(b) users who register, sign in, configure, pay for or get support for the Service;
(c) individuals who contact our sales or support teams;
(d) technical data needed to operate and secure the Service.

2.2 For personal data you upload or capture through the Service about third parties (for example, faces or vehicle registration marks in uploaded content, people recorded by device cameras you install, or telemetry from your installed hardware), YOU are the controller and we act as PROCESSOR on your instructions. Those processing activities are governed by our Data Processing Agreement at /legal/dpa, not by this Policy. The roles are summarised again in Section 12.

────────────────────────────────────────────────────────────────
SECTION 3. THE DATA WE COLLECT
────────────────────────────────────────────────────────────────

3.1 Account data.
First name, last name, business email, hashed password, company affiliation, role, email-verification status, onboarding status, language/locale, UI preferences, session version, and legal-acceptance records (document type, version, timestamp, IP address and user agent — kept as Article 7(1) GDPR evidence of consent).

3.2 Billing and order data.
Company name, VAT number, billing and shipping address, payment-method identifier, payment brand and last-four digits (we do not store full card numbers — those remain with Stripe), invoice history, subscription history, credit-purchase history, hardware orders, order fulfilment status.

3.3 Support and communications data.
Content of support tickets, emails and chat transcripts with our team; metadata (time, channel, agent); marketing-email engagement (open, click) where marketing consent is given.

3.4 Product telemetry.
IP address, user agent, device and browser metadata, pages viewed, features used, timestamps, error logs, performance metrics, session identifiers, rate-limit and abuse signals (including reCAPTCHA scores), Sentry error events (with personally-identifying fields scrubbed where feasible).

3.5 Cookies and similar technologies.
Strictly-necessary cookies (session, CSRF, preferences, legal acceptance) without consent; optional cookies (analytics, reCAPTCHA) only with prior consent obtained via our banner. Our cookie consent log records your consent version, the categories you selected or refused, timestamps, and any withdrawal. See the Cookie Policy at /legal/cookies.

3.6 Team-invite data.
Name and business email of colleagues you invite. If a colleague does not accept the invitation within sixty (60) days, we delete the invitation record.

3.7 Content we process on your behalf.
We do not describe the content of User Content here because you are the controller of any personal data within it. See the Data Processing Agreement.

────────────────────────────────────────────────────────────────
SECTION 4. SOURCES
────────────────────────────────────────────────────────────────

We collect data:
(a) directly from you (registration, settings, payments, support interactions, uploads);
(b) automatically (cookies, telemetry, logs);
(c) from third parties (payment confirmations from Stripe, anti-fraud signals, email-delivery receipts, public business registers where we need to verify your company).

────────────────────────────────────────────────────────────────
SECTION 5. PURPOSES AND LEGAL BASES
────────────────────────────────────────────────────────────────

We process personal data for the following purposes on the following legal bases.

(1) Creating and operating your account, providing the Service, customer support.
    Data: account, telemetry, support.
    Basis: Art. 6(1)(b) GDPR — performance of contract.

(2) Billing, tax, accounting, debt collection.
    Data: billing, order, shipping.
    Basis: Art. 6(1)(b) contract + Art. 6(1)(c) legal obligation under the Accounting Act and Taxation Act of Estonia.

(3) Security, fraud prevention, rate limiting, abuse detection, protection of other users.
    Data: telemetry, reCAPTCHA signals, IP.
    Basis: Art. 6(1)(f) — legitimate interest in keeping the Service safe.

(4) Recording legal acceptance and maintaining an audit trail.
    Data: acceptance log.
    Basis: Art. 6(1)(c) legal obligation + Art. 7(1) evidentiary duty.

(5) Processing cookie-consent records.
    Data: consent log.
    Basis: Art. 6(1)(c) + Art. 7 GDPR.

(6) Service improvement, debugging, capacity planning, product analytics (aggregated level).
    Data: aggregated telemetry, error reports.
    Basis: Art. 6(1)(f) — legitimate interest.

(7) Platform improvement through training on Derived Signals and a narrow subset of User Content.
    Data: derived signals, de-identified extracts of User Content from users who have not opted out.
    Basis: Art. 6(1)(f) — legitimate interest, subject to the safeguards and opt-out in Section 7 and clause 6.4 of the Terms of Service.

(8) Marketing communications about the Service and related offerings.
    Data: name, email.
    Basis: Art. 6(1)(a) consent, or where permitted the "soft opt-in" for similar goods/services to existing customers, in either case withdrawable at any time.

(9) Legal claims, compliance with lawful requests, cooperation with authorities.
    Data: whatever is relevant.
    Basis: Art. 6(1)(c) legal obligation + Art. 6(1)(f) legitimate interest in establishing, exercising or defending legal claims.

(10) Business transactions (M&A, financing due diligence).
    Data: the minimum necessary, under NDA.
    Basis: Art. 6(1)(f) — legitimate interest.

We do not carry out automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.

────────────────────────────────────────────────────────────────
SECTION 6. USE OF YOUR DATA TO TRAIN AI MODELS
────────────────────────────────────────────────────────────────

6.1 What we do.
To continuously improve detection and annotation quality for all Customers, we process aggregated Derived Signals and a narrow subset of User Content to evaluate, retrain and fine-tune platform models. This is described in clause 6.4 of the Terms of Service.

6.2 What we do NOT do.
(a) we do not train any identifying model of natural persons, vehicles or property;
(b) we do not train on content that is, or contains, special categories of personal data under Article 9 GDPR (health, biometrics used for identification, ethnicity, political opinions, religious beliefs, sexual orientation, sex life, trade-union membership);
(c) we do not share one Customer's Content or Customer Models with another Customer;
(d) we do not sell, rent or licence User Content or Customer Models to any third party;
(e) we do not use User Content to train or improve foundation models offered for commercial release to the public or to third parties.

6.3 Legal basis: legitimate interest, balanced.
We rely on Article 6(1)(f) GDPR. We have conducted a legitimate-interest balancing test which we can share on request (contact privacy@makrr.ai). Key conclusions:
— purpose: platform-wide improvement of accuracy and safety;
— necessity: improvement that is not possible from synthetic data alone; narrow subset used; maximum de-identification applied;
— impact on rights: low — aggregated Derived Signals do not identify data subjects; identifying features are excluded or hashed/blurred; no impact on decisions about individuals;
— safeguards: opt-out at any time; transparency on this Policy; data-subject access and objection rights honoured.

6.4 Opt-out and objection.
You can opt out at any time without giving reasons and without any adverse effect on your Service:
(a) toggle "Do not use my data for platform improvement" in your account settings;
(b) email privacy@makrr.ai requesting opt-out.
Opt-out applies prospectively. Data already processed before opt-out, and any training artefact already produced, will remain — we cannot remove a single data point from a trained model — but no further processing of your data will occur.

6.5 Data subjects' rights.
If you are a data subject shown in someone else's User Content (for example, your image was uploaded by a customer of ours), contact the customer in the first instance — they are the controller. If you do not know who uploaded the content, contact us at privacy@makrr.ai and we will assist the controller to respond.

────────────────────────────────────────────────────────────────
SECTION 7. SHARING AND SUB-PROCESSORS
────────────────────────────────────────────────────────────────

We share personal data only with the categories of recipient described below and only as necessary for the purposes above.

7.1 Sub-processors running the Service.

(1) Amazon Web Services EMEA SARL
    Service: object storage (S3), IoT Core (MQTT), compute, ancillary cloud services
    Location: Frankfurt, Germany (AWS eu-central-1) as primary region; US for support personnel access
    Transfer: No cross-border transfer for primary storage. SCCs for US-resident personnel access via the AWS Data Processing Addendum.

(2) Heroku (Salesforce Tower Dublin Limited)
    Service: application hosting (PaaS)
    Location: [HEROKU_REGION — confirm: EU Common Runtime (Dublin) or US]
    Transfer: SCCs where US; intra-EU otherwise.

(3) Stripe Payments Europe Ltd
    Service: payment processing, invoicing, Checkout
    Location: Ireland (EU) + US
    Transfer: SCCs + Stripe DPA; EU–US Data Privacy Framework where the importer is certified.

(4) Google Ireland Limited (Workspace / Gmail API)
    Service: transactional email, internal admin email
    Location: EU + US
    Transfer: SCCs + Google Cloud DPA; DPF.

(5) Google LLC (reCAPTCHA v3)
    Service: bot and abuse prevention on public forms
    Location: US
    Transfer: SCCs; DPF.

(6) Redis Ltd (Redis Cloud)
    Service: cache, session store, job queue
    Location: [REDIS_REGION — confirm EU]
    Transfer: SCCs if transfer.

(7) Hugging Face, Inc.
    Service: distribution of open-source pretrained model weights (download only)
    Location: France + US
    Transfer: No Customer Personal Data transferred. Weights-download only.

(8) Functional Software, Inc. dba Sentry
    Service: error monitoring and performance tracing
    Location: US (primary)
    Transfer: SCCs + Sentry DPA. PII scrubbing applied at send-time.

(9) Nvidia Corporation
    Service: firmware/SDK components embedded on devices
    Location: US (firmware-embedded)
    Transfer: device-embedded only; limited telemetry handled under SCCs where applicable.

(10) Trashify Tech OÜ (India training infrastructure)
    Service: AI training workloads executed on GPU hardware under our control located in India (RTX 3090 class workstation)
    Location: India (Gurugram / Haryana region)
    Transfer: SCCs Module Two (controller to processor), plus a documented Transfer Impact Assessment. Encryption at rest and in transit; de-identification applied to any training data leaving the EU; access restricted to authorised engineers.

(11) [SMTP_PROVIDER — confirm]
    Service: transactional email fallback
    Location: [REGION — confirm]
    Transfer: SCCs if transfer.

Our current sub-processor list is published at /legal/subprocessors and is updated before we add or replace a sub-processor. Customers who have accepted our Data Processing Agreement receive prior notice of material changes and a period to object as set out in the DPA.

7.2 Professional advisers.
Lawyers, accountants, auditors, insurers and DPO-as-a-service providers — under confidentiality.

7.3 Authorities.
Where we are legally compelled to disclose (court order, lawful authority request) we disclose the minimum necessary. Where law allows, we notify you first.

7.4 Corporate transactions.
In the event of a merger, acquisition, financing round or sale, data may be disclosed to counterparties under confidentiality and may be transferred to a successor entity, subject to data-protection safeguards and appropriate notice.

7.5 No sale of personal data.
We do not sell personal data. We do not share personal data with third parties for their own marketing or advertising.

────────────────────────────────────────────────────────────────
SECTION 8. INTERNATIONAL TRANSFERS
────────────────────────────────────────────────────────────────

8.1 Primary region.
Production storage (including images, videos, models and annotations) is in the European Union at AWS Frankfurt (eu-central-1). No routine transfer of content occurs outside the EEA for storage.

8.2 Training in India.
To make economic use of existing GPU infrastructure, certain training workloads may be executed on our equipment in India (the "India Training Site"). Before such transfers, we apply:
(a) EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two, between Trashify Tech OÜ as data exporter (controller) and Trashify Tech OÜ (India Training Site) as data importer (processor);
(b) a Transfer Impact Assessment considering the Indian legal environment (including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000 and lawful-access regimes), supplementary measures (encryption at rest and in transit, access control, de-identification where possible), and the absence of bulk government access to commercial cloud in the relevant region;
(c) training-specific de-identification: we strip or blur identifying features in User Content before transfer, and we exclude content that you have opted out from under Section 6.

8.3 US sub-processors.
Certain sub-processors (notably Stripe, Google, Sentry, Hugging Face, Nvidia) process data in the US. These transfers rely on the EU–US Data Privacy Framework where the importer is certified, SCCs where not, and derogations under Article 49 GDPR only where strictly necessary.

8.4 Copies of transfer tools.
A redacted copy of the SCCs with a particular sub-processor can be requested at privacy@makrr.ai.

────────────────────────────────────────────────────────────────
SECTION 9. RETENTION
────────────────────────────────────────────────────────────────

We keep personal data only as long as necessary for the purposes for which it was collected and as required by law. The periods below are the maximum periods we apply; data may be deleted earlier on request or where no longer needed.

Account profile ...................................... Duration of subscription, plus 30 days after closure
User Content and Customer Models ..................... Duration of subscription, plus 30 days grace period for export, then irreversible deletion subject to backup rotation
Billing, invoicing, accounting ....................... 7 years after end of the financial year (Accounting Act of Estonia §12)
Tax records .......................................... 7 years (Taxation Act §§57, 58)
Legal-acceptance log ................................. 10 years (contractual limitation period in Estonia)
Cookie-consent log ................................... 3 years from withdrawal
Security and access logs ............................. 12 months
Error monitoring (Sentry) ............................ 90 days rolling
Support tickets ...................................... 3 years from resolution
Marketing records (opt-in, opt-out, suppression) ..... until withdrawn plus 3 years (suppression-list purpose)
Unaccepted team invitations .......................... 60 days
Backups .............................................. Rolling, up to 35 days; deletions are not re-extracted from backup media but become irretrievable on rotation.
Aggregated, anonymous statistical data ............... indefinite (no longer personal data)

Where you request deletion, we will delete or anonymise within thirty (30) days, subject only to the retention obligations above and backup rotation.

────────────────────────────────────────────────────────────────
SECTION 10. YOUR RIGHTS
────────────────────────────────────────────────────────────────

Under the GDPR (and corresponding rights under the UK GDPR and other applicable laws) you have the right to:
— Access (Art. 15) — obtain a copy of the personal data we hold about you.
— Rectification (Art. 16) — correct inaccurate data.
— Erasure (Art. 17) — deletion in the circumstances set out.
— Restriction (Art. 18) — limit processing while a dispute is resolved.
— Portability (Art. 20) — receive your data in a structured, commonly-used, machine-readable format.
— Objection (Art. 21) — object to processing based on legitimate interest, including the platform-improvement training in Section 6.
— Withdraw consent (Art. 7(3)) — at any time, for any processing based on consent, without affecting the lawfulness of earlier processing.
— Lodge a complaint with a supervisory authority — in particular the Estonian Data Protection Inspectorate (info@aki.ee), or the supervisory authority in your habitual residence or place of work.

How to exercise.
Contact privacy@makrr.ai. We will verify your identity before acting, and respond within one month. We may extend the response period by up to two further months for complex or numerous requests, on notice.

Requests from third-party data subjects.
If your request concerns data we hold as processor on behalf of a customer (for example, a person shown in their uploaded content), we will forward it to the customer (the controller) and assist as required by Article 28(3)(e) GDPR.

────────────────────────────────────────────────────────────────
SECTION 11. SECURITY
────────────────────────────────────────────────────────────────

We maintain appropriate technical and organisational measures, including:
— TLS 1.2+ encryption in transit; AES-256 encryption at rest for object storage;
— secure-coded, CSRF-protected application with strong session protection, HTTP-only / secure / SameSite cookies, session-version invalidation on password change;
— password hashing using a current industry-standard algorithm (Werkzeug default);
— mutual-TLS + HMAC API key authentication for device-to-cloud traffic;
— role-based access control with least-privilege principles;
— rate limiting and bot prevention (reCAPTCHA);
— centralised logging and monitoring; audited admin access;
— documented incident-response and breach-notification workflow;
— hosting in ISO 27001–certified data centres (AWS);
— annual review of technical and organisational measures.

No system is perfectly secure. If we experience a personal-data breach likely to result in a risk to data subjects, we will notify the Estonian Data Protection Inspectorate within 72 hours and, where required by Article 34 GDPR, the affected data subjects without undue delay.

────────────────────────────────────────────────────────────────
SECTION 12. CONTROLLER vs PROCESSOR RE-STATED
────────────────────────────────────────────────────────────────

Because MAKRR is a platform on which Customers process personal data about third parties, the roles split as follows.

We are CONTROLLER for: account data, billing data, visitors to our site, support interactions, cookies, our own telemetry, and our platform-improvement processing described in Section 6.

You are CONTROLLER, we are PROCESSOR, for: personal data you upload in User Content or capture through devices you install, annotations you create, and telemetry captured by those devices. See the Data Processing Agreement.

────────────────────────────────────────────────────────────────
SECTION 13. EDGE DEVICES AND CHILDREN
────────────────────────────────────────────────────────────────

Edge cameras may capture images of children where your deployment environment makes this foreseeable. If such environments are within your deployment scope (schools, playgrounds, child-care facilities, paediatric clinics) you must complete a DPIA under Article 35 GDPR, identify an Article 6 (and, if applicable, Article 8 or 9) lawful basis, and put in place appropriate safeguards.

The Service itself is not directed at, or intended for use by, children. We do not knowingly collect personal data from children in a controller capacity.

────────────────────────────────────────────────────────────────
SECTION 14. AUTOMATED DECISION-MAKING AND AI ACT
────────────────────────────────────────────────────────────────

We do not make automated decisions producing legal or similarly significant effects on you. Where the Service generates AI outputs (detections, classifications, tracks, counts), those outputs are probabilistic and must be reviewed by you.

Where YOU use the Service to make automated decisions about natural persons, you are responsible for compliance with Article 22 GDPR and Regulation (EU) 2024/1689 (the AI Act), including obligations that attach to "deployers" of high-risk AI systems.

────────────────────────────────────────────────────────────────
SECTION 15. CHANGES
────────────────────────────────────────────────────────────────

We may update this Policy. The current version is always available at /legal/privacy. Material changes will be notified by email or in-product banner at least 30 days before they take effect, and re-acceptance of the Terms may be required.

────────────────────────────────────────────────────────────────
SECTION 16. CONTACT
────────────────────────────────────────────────────────────────

Trashify Tech OÜ
Registry code: 16495334
Registered office: Gonsiori tn 29-3, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia

Privacy: privacy@makrr.ai
Legal: legal@makrr.ai
Support: support@makrr.ai
Abuse: support@makrr.ai (subject: ABUSE REPORT)

Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — info@aki.ee — www.aki.ee

════════════════════════════════════════════════════════════════
Version 1.0 · Effective 2026-04-17
════════════════════════════════════════════════════════════════