Privacy Policy

Data Protection Information pursuant to Art. 13 and 14 GDPR

Controller: Stratum1 GmbH, Schubertstrasse 6a, 8010 Graz, Austria
Email: office@stratum1.io
Last updated: May 2026

If you have any questions regarding this Privacy Policy or wish to exercise your data protection rights, you may contact us at office@stratum1.io.

1. General information

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use and protect personal data when you visit our website, use Arrival.Space, interact with spaces, create an account, use our services, communicate with us or otherwise interact with us.

“Personal data” means any information relating to an identified or identifiable natural person (e.g. name, email address, IP address.)

“Processing” means any operation performed on personal data, such as collection, storage, use, or disclosure.

This Privacy Policy should be read together with our Terms and Conditions and, where applicable, our Cookie Settings or consent management tool.

Our services are not intended for individuals under the age of 14. We do not knowingly collect personal data from children under this age. If we become aware that such data has been collected, we will take steps to delete it without undue delay.

2. Roles and scope

Stratum1 generally acts as controller for personal data processed for the operation of Arrival.Space, including account management, billing, platform security, product operation, support, website analytics, marketing and legal compliance.

In certain B2B or enterprise contexts, where a customer determines the purposes and means of processing personal data contained in its spaces, uploaded content, visitor interactions or managed workspaces, Stratum1 may act as processor for that customer. In such cases, the Data Processing Agreement applies to the relevant processor activity.

Unless expressly agreed otherwise in writing, Stratum1 and customers, partners, resellers, creators or external service providers do not act as joint controllers. Each party is responsible for its own processing activities and legal compliance.

3. Sources of personal data

We may collect personal data:

• directly from you, for example when you create an account, subscribe, contact us, request support, use a feature, upload content, submit a report or configure a space;
• automatically when you use the website or Platform, for example through server logs, cookies, local storage, telemetry, device information or interaction data;
•  from other users, customers, partners or third-party integrations, for example where a customer invites you, a partner publishes content to Arrival.Space, or your public data appears in user-generated content (e.g. you allow users to remix your space);
•  from service providers, payment providers, authentication providers or external platforms, where required for the relevant feature.

Certain features may be used without registration. In such cases, data is processed to provide the requested functionality, ensure security and stability, and, where required, based on consent.

Where the same feature involves multiple processing purposes, different legal bases may apply to different parts of the processing.

4. Purposes and legal bases for processing

We process personal data only where permitted by law. The main purposes and legal bases are set out below.

4.1 Account and platform administration

Purpose: account creation, registration, onboarding, authentication, verification and account administration.
Data: name, email address, company, password or login credentials, account identifiers and phone number where provided.
Legal basis: performance of a contract; legal obligation where applicable.

4.2 Avatars

Purpose: avatar creation and customisation.
Data: avatar settings, selected features, profile and customisation data.
Legal basis: performance of a contract.

4.3 Subscriptions, billing and service emails

Purpose: subscriptions, purchases, billing, account-related service communications, verification emails, security notices, space notifications, visitor alerts, usage insights, space statistics and engagement updates.
Data: name, email address, billing data, payment metadata, transaction data, discount code information, account and space metadata, notification settings, statistics and alert data.
Legal basis: performance of a contract; legal obligation where applicable; legitimate interest in service communication and platform operation.

4.4 Newsletter and marketing

Purpose: newsletters and marketing emails.
Data: name, email address, consent records and email interaction data where tracking is enabled.
Legal basis: consent.

4.5 Contact and support

Purpose: contact requests, support, troubleshooting and customer communication.
Data: name, email address, request, support history, files or content shared for support and phone number where provided.
Legal basis: performance of a contract or pre-contractual steps; legitimate interest in handling general enquiries; consent where required.

4.6 Payments

Purpose: payment processing, fraud prevention, accounting and tax documentation.
Data: name, email address, billing address, payment details, IP address and transaction metadata.
Legal basis: performance of a contract; legal obligation.

4.7 Notice-and-action, reports and illegal content

Purpose: notice-and-action procedures, reports, illegal content handling, suspected criminal offences, rights complaints and platform integrity.
Data: name, email address, report details, content location, related content, logs and communications.
Legal basis: legal obligation; legitimate interest in compliance and platform integrity.

4.8 Security, operation and abuse prevention

Purpose: operation, functionality, availability, security, abuse prevention, fraud prevention, troubleshooting and optimisation.
Data: IP address, browser and device data, server logs, approximate location derived from IP address, language settings, request metadata and connection data.
Legal basis: legitimate interest.

4.9 Use of the Platform

Purpose: use of the Platform, including spaces, avatar presence, collaboration, communication, uploads and settings.
Data: identity and account data, avatar and user settings, interaction data, communication data, uploaded content, space data, technical and telemetry data.
Legal basis: performance of a contract.

4.10 Real-time communication

Purpose: real-time voice, audio, chat, presence and communication features.
Data: voice/audio streams, chat messages, presence, movement, session data, device and connection data.
Legal basis: performance of a contract or requested feature; consent where required by law or feature design.

4.11 Internal operational analytics

Purpose: internal operational analytics and service improvement in a privacy-preserving manner.
Data: usage data, feature interaction data, performance metrics, telemetry, pseudonymised identifiers and aggregated statistics.
Legal basis: legitimate interest, where necessary and proportionate and not based on optional cookies or similar technologies requiring consent.

4.12 Optional analytics and marketing technologies

Purpose: optional analytics, marketing, performance measurement and comparable technologies.
Data: IP address, usage data, device/browser data, cookie or identifier data.
Legal basis: consent.

4.13 Business dashboards and partner management

Purpose: analytics dashboards for business users, partner or reseller dashboards and account management.
Data: aggregated and anonymised or pseudonymised usage data, visitor numbers, engagement metrics, account data, workspace data, space data, content and management metadata.
Legal basis: performance of a contract; legitimate interest where applicable.

4.14 APIs, MCP, plugins, vibes and integrations

Purpose: APIs, MCP access, integrations, plugins, vibes and automated workflows.
Data: account data, API tokens, access scopes, space data, content, metadata, logs, interaction data and outputs.
Legal basis: performance of a contract; legitimate interest in security, interoperability and abuse prevention; consent where required.

4.15 AI-powered features

Purpose: AI-powered features, prompts, agents, vibe-coding and generated outputs.
Data: prompts, commands, uploaded content, audio, screenshots, space data, metadata, context, outputs and technical metadata.
Legal basis: performance of a contract; legitimate interest for security, debugging and abuse prevention; consent where required.

4.16 Legal compliance

Purpose: compliance with retention, accounting, tax, documentation and statutory obligations.
Data: various categories depending on the applicable legal obligation.
Legal basis: legal obligation.

We may send service-related communications, including notifications, updates, usage insights, visitor numbers, engagement statistics and alerts related to your spaces. These communications are necessary for the provision of the Services and do not require separate marketing consent. Users may be able to configure notification preferences within account settings.

5. Business users, dashboards, partners and resellers

We may provide analytics dashboards to business users showing aggregated or anonymised information about interactions within their spaces, such as visitor numbers, engagement metrics and performance indicators.

We may provide selected partners, resellers, agencies, consultants or other authorised service providers with access to administrative or business dashboard functionalities to create accounts, configure workspaces, set up spaces, manage content, purchase or manage licences, provide support, or perform related services for their own customers or clients.

In this context, such partners, resellers or service providers may access account and workspace information, spaces and associated content, licence information, customer support information, aggregated analytics and management-related metadata necessary for the relevant service.

A partner, reseller or service provider may create or manage an account, workspace, licence or space before it is transferred to an end client. After such transfer, the end client is responsible for managing access rights and permissions, including whether the partner, reseller or service provider may continue to access, edit, configure, publish, support or otherwise manage the relevant spaces, content, dashboards, integrations or settings.

Depending on the specific relationship and processing activity, partners, resellers or service providers may act as independent controllers, as processors acting on behalf of their own customer or client, or, where separately engaged by Stratum1, as processors or subprocessors of Stratum1. 

They are responsible for ensuring that they have the necessary authority, rights, permissions, consents and legal bases to access, manage, upload, edit, publish, transfer or otherwise process personal data and content on behalf of their customers or clients.

Stratum1 is responsible for the processing it carries out as platform provider. Partners, resellers, agencies or other service providers are responsible for their own processing activities where they act independently or on behalf of their own customer or client. Where Stratum1 separately engages such third parties to process personal data on Stratum1’s behalf, they are subject to appropriate contractual obligations.

We avoid joint control unless it is expressly agreed in a separate written arrangement that identifies the relevant processing activity and allocates responsibilities under Art. 26 GDPR.

6. Platform visibility, collaboration and user-generated content

When using the Platform, particularly within interactive 3D environments, certain personal data may be visible to other users by design. This may include:

• username, nickname or profile information;
• avatar representation;
• real-time interactions such as movement, presence and communication by audio, video, voice or text chat;
• user-generated content created or uploaded within the Platform;
• content uploaded, embedded or integrated by users, including assets, media, external files, links and websites;
• social graph data such as followers or followed users;
• other social media profiles or contact information provided by the user;
• public interactions such as likes, bookmarks, comments, notifications or visible engagement actions;
• visible space settings, including community listing, public visibility and remixability.

The visibility of such data depends on the privacy settings of the relevant space, for example public, limited via link, password-protected, private, community-listed or remixable.

Users may grant other users access to their spaces for collaboration, editing, administration or management. Receiving users may access content, data and functions within the relevant space according to the permissions granted. The user or customer managing the space is responsible for assigning access only to authorised persons.

7. External content and Gates

Users can embed and link external content within spaces through Gates or similar features. External content may include websites, videos, social media posts, external media, documents, iframes, viewers, tools or other third-party services.

We do not control or review all third-party content provided by creators. 

Such content is only loaded after the user actively interacts with a Gate or has accepted the relevant external media setting. Once activated, data may be transmitted to the respective external platform, which is solely responsible for its own data processing practices unless expressly stated otherwise.

If external services are accepted in the cookie or privacy settings, manual consent may no longer be required for each subsequent access to such content, subject to the selected settings.

Creators who embed external content are responsible for ensuring that such content and related data processing are lawful and do not violate third-party rights or data protection laws.

8. Artificial intelligence features

We provide AI-powered features such as content generation, interactive functionality, AI agents, in-app prompts, vibe-coding and similar tools.

For these features, we currently use OpenAI services and may use other comparable AI service providers, including Anthropic, in the future or for specific features. When users interact with AI features, inputs such as prompts, commands, uploaded content, audio, screenshots, space data, metadata and relevant context, as well as generated outputs and technical metadata, may be processed to provide the requested functionality.

AI service providers process such data under their applicable service terms, data processing terms, privacy commitments and technical configurations. Depending on the provider, feature and configuration, data may be retained for limited periods for purposes such as security, abuse prevention, debugging or service operation. We aim to minimise the data shared with AI providers and may use privacy-preserving configurations, such as reduced retention or zero-data-retention configurations, where technically available and enabled.

Users should avoid including unnecessary personal, sensitive or confidential data in prompts, commands, uploads or other inputs. Information included in inputs may be reflected in generated outputs. AI outputs may be visible to other users where content is shared, published or made public.

AI outputs may be generated automatically and may be inaccurate, incomplete or unsuitable for a particular purpose. Users are responsible for reviewing AI-generated outputs before relying on them or publishing them.

Some AI service providers may process data outside the EU/EEA, including in the United States. Where required, such transfers are protected by appropriate safeguards, such as standard contractual clauses, adequacy mechanisms or equivalent safeguards.

9. APIs, developer integrations, plugins, vibes and MCP access

We may provide APIs, developer tools, partner interfaces, plugin systems, vibes, prompt-based features and integration interfaces, including MCP or similar protocols, that allow users, developers, partners, resellers or automated systems to build, connect or operate additional functionality on top of the Platform.

Different technical features may involve different data flows. These may include account-level API and MCP access, partner or third-party integrations, sandboxed plugins or vibes inside the Platform, user prompts and AI-assisted features inside the app.

In the context of such features, we act as controller for the operation, security and provision of the core Platform. In specific customer, partner or enterprise contexts, we may act as a processor where we process personal data strictly on behalf of a customer under a separate agreement.

9.1 API and developer access

We may allow access to our platform via APIs or developer interfaces. API access allows authenticated users or authorised applications to interact with the user’s account and content. Depending on available API functionality, this may include creating or updating spaces, uploading assets, managing entities or content inside spaces, changing space settings and accessing related metadata.

API keys or access tokens allow access to the spaces and assets that the authenticated user is permitted to access in the platform. This includes all spaces owned by the user and spaces where the user has been granted sufficient ownership or management permissions.

Developers, partners, resellers and API users are responsible for ensuring that any personal data processed through their applications complies with applicable data protection laws.

API access is subject to authentication, authorisation checks, access controls, rate limits, logging and monitoring for security, integrity, debugging and abuse prevention purposes. 

Unless revoked earlier, API access tokens may expire after a defined period, for example 30 days, depending on technical configuration. Users may revoke or regenerate API access via available account or system settings.

9.2 MCP, AI assistant and programmatic access

We may support MCP or similar protocols that allow users to connect external AI assistants, developer tools, or automated clients to their account.

When a user enables MCP access, the connected tool may perform actions on behalf of the user within the permissions of that user account. 

This may include, depending on the available tools, creating or updating spaces, uploading files or assets, managing entities, reading space information, updating privacy settings, or performing similar account-level actions.

MCP access does not grant broader rights than the user has in the platform. A connected MCP client can only access spaces, assets, and functions that the authenticated user is allowed to access.

Users are responsible for deciding which external tools they connect via MCP and for reviewing the privacy terms of those external tools. Where an external MCP client or AI assistant receives personal data, that provider may process such data as an independent controller or as a processor, depending on its relationship with the user or customer.

MCP tokens expire after 30 days unless revoked earlier. Users may revoke MCP access via available account or system settings. Revocation prevents future access but does not automatically delete data that may already have been transmitted to an external tool.

9.3 Plugins and vibes

Users may create or use custom logic, plugins, or “vibes” inside the platform.

Plugins and vibes are designed for lightweight in-platform functionality. They are technically restricted and do not have general access to external websites, external domains, browser cookies, or local storage. They are not intended to be used for cross-site tracking or external user profiling.

Depending on how a plugin or vibe is configured, it may interact with the content, entities, or state of the space in which it runs. It does not grant access to unrelated spaces or account data unless such access is provided through platform functionality and user permissions.

Users who create, publish or share plugins or vibes are responsible for ensuring that their logic and content comply with applicable laws and do not unlawfully process personal data.

These restrictions do not prevent us from processing ordinary platform logs, security logs, usage data, or diagnostics as described in this Privacy Policy.

9.4 Third-Party Integrations and Connected Services

Where users activate or use third-party integrations, connected services, partner tools, plugins, MCP clients, or external applications, personal data may be shared with or accessed by the respective third-party provider.

Such access may include, depending on the integration and permissions granted, account-related data, space data, uploaded content, asset metadata, interaction data, technical metadata, or other information required for the integration to function.

Third-party providers may process personal data:

• as independent controllers, where they determine the purposes and means of processing; or
• as processors, where they act strictly on behalf of a customer, user, or partner.

Users are responsible for reviewing the privacy policies and terms of such third-party providers before enabling integrations. We are responsible for the data processing we carry out on our own platform. Third-party providers are responsible for their own processing activities where they act independently.

Access to personal data through integrations is limited to the permissions granted by the user, customer, or applicable configuration, and may be revoked or modified where available through account or system settings.

9.5 Partner Integrations with Data Transfer

In certain cases, we may integrate with partners or third-party platforms that enable the transfer of data to Arrival.Space, for example to publish content, synchronise assets, import media, or create a new space.

Unless otherwise agreed in a specific contractual arrangement, the partner and Stratum1 typically act as independent controllers. The partner is responsible for ensuring that the initial collection and transfer of personal data to Arrival.Space is lawful, for providing appropriate information to its users, and for obtaining any necessary consents or legal permissions.

Upon receipt of such data, we process personal data in accordance with this Privacy Policy and for the purposes described herein. The data transferred may include content, assets, metadata, account-related data, interaction-related information, or other data required to provide the relevant integration.

Where integrations allow automatic or default publishing or synchronisation, users or customers are responsible for configuring and controlling such features in accordance with applicable data protection requirements.

9.6 Data Visibility and Flow

Depending on the feature, integration, and configuration, personal data may be:

• accessed through APIs or MCP tools;
• transmitted to third-party systems;
• processed by external AI or integration providers;
• processed within external environments;
• accessed by automated systems or agents;
• combined with other data sources by a user, partner, developer, or external provider;
• logged for security, debugging, integrity, and abuse prevention.

The extent and nature of such processing depend on the specific feature used, the permissions granted, the user’s configuration, and the technical capabilities of the relevant integration.

9.7 Responsibility of Users, Developers and Partners

Users who enable integrations, MCP access, API-based functionality, plugins, vibes, or prompt-based automation are responsible for:

• ensuring that they have a valid legal basis for any personal data they process through such features;
• configuring access rights and permissions appropriately;
• ensuring that only authorised persons, systems, or tools are granted access;
• reviewing third-party terms where external tools or providers are used.

Developers, partners, and resellers must ensure that their integrations comply with applicable data protection laws and must not use our platform to collect, process, or transfer personal data unlawfully.

Users may revoke or modify access to integrations, APIs, MCP clients, or plugins via available account or system settings, subject to technical limitations. Revocation prevents future access but may not delete data already exported, transferred, logged, or processed by third parties.

10. Recipients of personal data

We do not sell personal data. We will keep your personal data confidential.

Within Stratum1, personal data is accessible only to employees, founders, contractors or departments that require access for the purposes described in this Privacy Policy.

We may share personal data with:

• courts, public authorities and regulators where required by law;
• attorneys, tax advisers, auditors, banks and insurance companies;
• IT service providers and other processors; 
• authorised partners or resellers as described above;
• other users where visibility is part of the Platform functionality or configured by the relevant user/customer;
• third-party providers activated by the user, such as Gates, AI, integrations, plugins, APIs, external media or authentication providers.

Personal data may be transferred outside the EU/EEA, including to the United States, Canada, Japan, or other countries depending on provider infrastructure, user location, customer configuration, or feature use. Where required, such transfers are protected by adequacy decisions, EU Standard Contractual Clauses, supplementary measures, or other lawful transfer mechanisms. Transfers to countries covered by an adequacy decision, such as Japan where applicable, may take place on the basis of that adequacy decision.

11. Technical infrastructure and service providers

We use technical infrastructure and service providers to operate, secure and improve the Platform. Depending on the service and processing activity, personal data is processed on the basis of performance of a contract, legal obligation, consent or legitimate interest.

Not all listed services are active for every user or every feature. Some services are used only when a user chooses the relevant feature.

Some service providers, users, customers, partners, or infrastructure locations may be located outside the EU/EEA, including in countries such as the United States, Canada, Japan, or other countries. Where required, we use adequacy decisions, EU Standard Contractual Clauses, supplementary measures, or other lawful transfer mechanisms.

11.1 AWS / Amazon Web Services

Purpose: hosting, compute, storage, load balancing, security, platform infrastructure and backups.
Typical data: IP address, request data, log data, content, account data and technical metadata.
Typical legal basis: performance of a contract; legitimate interest; legal obligation where applicable. 

Link: https://aws.amazon.com/privacy

11.2 Hetzner Online GmbH

Purpose: infrastructure, hosting or EU-based technical services where used.
Typical data: technical data, hosted data, logs, analytics or operational data.
Typical legal basis: performance of a contract; legitimate interest.

Link: https://www.hetzner.com/legal/privacy-policy/ 

11.3 Cloudflare

Purpose: security, content delivery, DDoS protection, traffic management and bot protection.
Typical data: IP address, traffic data, security data and request metadata.
Typical legal basis: legitimate interest.

Link: https://www.cloudflare.com/privacypolicy 

11.4 Hyperbeam

Purpose: user-activated browser streaming and interactive embedded experiences.
Typical data: IP address, session data, connection data and interaction metadata.
Typical legal basis: performance of a contract or requested feature; legitimate interest for security.

Link: https://watch.hyperbeam.com/privacy

11.5 LiveKit

Purpose: WebRTC-based, encrypted real-time communication such as voice and audio.
Typical data: IP address, media data, connection data and device data (encrypted or pseudonymized)
Typical legal basis: performance of a contract or requested feature; consent where required. 

Link: https://livekit.com/legal/cookie-policy

11.6 atmoky

Purpose: spatial audio and voice functionality where enabled.
Typical data: audio data, technical metadata and device/connection data.
Typical legal basis: performance of a contract or requested feature; consent where required.

Link: https://atmoky.com/privacy-policy/

11.7 SendGrid / Twilio

Purpose: transactional emails, verification emails, account communications and marketing emails where consented.
Typical data: email address, email content, delivery data and interaction data where tracking is enabled.
Typical legal basis: performance of a contract; legitimate interest; consent for marketing.

Link: https://www.twilio.com/en-us/legal/privacy

11.8 Stripe

Purpose: payment processing.
Typical data: payment data, transaction data, billing data and IP address.
Typical legal basis: performance of a contract; legal obligation.

Link: https://stripe.com/en-at/privacy

11.9 Google Login

Purpose: optional authentication via Google account.
Typical data: name, email address, profile data and unique identifier.
Typical legal basis: performance of a contract or requested feature.

Link: https://policies.google.com/privacy 

11.10 Apple Login

Purpose: optional authentication via Apple ID.
Typical data: name, email address or relay address and unique identifier.
Typical legal basis: performance of a contract or requested feature.

Link: https://www.apple.com/legal/privacy/en-ww

11.11 Google Analytics

Purpose: optional analytics where enabled.
Typical data: IP address, usage data, device information, interaction data and cookies/identifiers.
Typical legal basis: consent.

Link: Google Privacy Policy

11.12 OpenAI

Purpose: AI-powered features, prompts, coding assistance, agents and content generation.
Typical data: user inputs, prompts, uploaded/contextual data, outputs and technical metadata.
Typical legal basis: performance of a contract; legitimate interest; consent where required.

Link: https://openai.com/policies/row-privacy-policy/

11.13 Anthropic

Purpose: AI-powered assistance and content generation where used.
Typical data: user inputs, contextual data, outputs and technical metadata.
Typical legal basis: performance of a contract; legitimate interest; consent where required.

Link:  https://www.anthropic.com/legal/privacy

11.14 Appzi

Purpose: content reports, user-initiated feedback, bug reports or surveys where enabled.
Typical data: user input, interaction data and technical data.
Typical legal basis: consent or legitimate interest depending on deployment.

Link: https://www.appzi.com/privacy/

11.15 Screenshot Machine

Purpose: server-side generation of static preview images of external websites where used.
Typical data: URL requested for preview and server-side request metadata.
Typical legal basis: legitimate interest.

Link: https://www.screenshotmachine.com/privacy-policy.php

11.16 Text Chat 

Purpose: chat, messaging or communication features where used.
Typical data: account identifiers, messages, metadata and device/connection data.
Typical legal basis: performance of a contract or requested feature.

12. Email communications and SendGrid tracking

We may send transactional and service-related emails such as verification emails, account notices, security alerts, subscription notices, space notifications, visitor alerts, space statistics and engagement updates. These emails are part of the Services and are not marketing emails.

We may also send newsletters or marketing emails where you have consented.

Emails sent via SendGrid may include tracking technologies such as tracking pixels and link tracking to measure delivery, open rates and interactions with emails, where enabled. In this context, data such as email address, IP address, device information, time of access and interaction data may be processed.

For marketing and newsletter emails, such tracking is based on consent. For transactional and service emails, limited delivery and security analytics may be based on legitimate interest where necessary to ensure deliverability, security and performance. You can object to tracking where applicable or use available unsubscribe or preference settings for marketing communications.

13. Cookies and similar technologies

Cookies are small text files stored on your device. They may be session-based (deleted after closing your browser) or persistent (stored until deleted or expired).

Our website and platform uses cookies and similar technologies (e.g. local storage), which helps us to provide you with a good experience when you use our website and platform and also allows us to improve our websites and platform.

Some technologies are strictly necessary to provide a service requested by the user or to ensure security and integrity. Other technologies are optional and are used only with consent, in particular for analytics, marketing, performance measurement, external media or comparable purposes.

Temporary status of optional cookies and consent settings

Our cookie and consent management interface is currently being implemented. Until it is available, we will only use technologies that are strictly necessary to provide the website or platform, ensure security, enable login, process payments, provide requested features, or maintain technical stability. Optional analytics, marketing technologies, email marketing tracking, and external media integrations that require consent will not be activated unless and until a valid consent mechanism is available or the user actively enables the relevant third-party content. If optional technologies are activated in the future, users will be able to grant, refuse, or withdraw consent through the cookie or privacy settings.

You may manage cookies through your browser settings. Once our cookie and privacy settings interface is available, you will also be able to manage optional consents directly through the platform.

13.1 Strictly necessary technologies

Strictly necessary technologies may be used for login, authentication, session management, security, fraud prevention, load balancing, service stability, payment processing, storage of privacy settings, language/interface settings, real-time communication, user-requested AI features, user-requested interactions and other requested Platform functionality.

Depending on the feature used, this may include services such as AWS, Cloudflare, Stripe, Google Login, Apple Login, Hyperbeam, In-House analytics to ensure stability, LiveKit, atmoky, SendGrid for transactional emails, Screenshot Machine for server-side previews, OpenAI or Anthropic for user-requested AI features, and Appzi where a user actively submits a report or feedback.

Where a service is activated only at the user’s request, the related technically necessary storage, access or processing may occur only after the user initiates that feature.

13.2 Optional analytics, marketing and measurement

Optional technologies are used only if you consent. These may include Google Analytics, SendGrid email marketing measurement, optional Appzi surveys or feedback widgets, marketing technologies, and other performance or analytics tools.

Google Analytics may use cookies or similar identifiers to analyse website and Platform use. IP anonymisation is enabled where supported and configured. Data may be transferred outside the EU/EEA subject to appropriate safeguards.

SendGrid marketing emails may use web beacons, tracking pixels and tracked links to measure opens and clicks. Email tracking usually does not require browser cookies, but it is still personal data processing and is disclosed here. Data may be transferred outside the EU/EEA subject to appropriate safeguards.

13.3 External Media, Social Media and Gates

Our website and platform may include links to our official social media presences or community channels, such as LinkedIn, YouTube, Instagram, TikTok, X, Discord, and similar services. If you click such links or visit our social media presences, the respective provider may process personal data, including your IP address, usage data, profile data if you are logged in with that provider, cookies, local storage, and interaction data, in accordance with its own privacy notice.

Our website and platform may also integrate external media or third-party content selected by us, such as embedded videos, social media posts, interactive viewers, widgets, or similar content. External media may include services such as YouTube, LinkedIn, Instagram, TikTok, X, Discord, SuperSplat/PlayCanvas, embedded websites, iframes, or similar third-party services. Where required, such content is blocked by default and only loaded after you actively activate it or accept the relevant category in the privacy settings.

Users may also embed or link external content within spaces through “Gates” or similar features. Such user-added content may include external websites, media, iframes, social media content, files, tools, or other third-party resources. We do not control, pre-screen, or review all third-party content added by users. The user who adds or makes such content available is responsible for ensuring that the embedded or linked content is lawful and that any required rights, notices, and consents are in place.

If you activate a Gate, iframe, embedded website, external media item, or similar third-party content, your browser or device may connect directly to the respective external provider. Such providers may process personal data, including IP address, device data, interaction data, account or profile data if you are logged in with that provider, cookies, local storage, or similar identifiers. The scope and purpose of such processing are determined by the respective third-party provider.If external services are accepted in the privacy settings, manual consent may no longer be required each time you access such content, subject to your selected settings and applicable law. You can change your privacy or cookie settings at any time where such settings are available.

13.4 Managing consent

You can grant, refuse or withdraw consent to optional cookies and similar technologies at any time with effect for the future via our cookie banner, cookie settings or in-app privacy settings. Refusing optional technologies may limit certain functionality, analytics, marketing personalisation or external media access.

Registered users may have consent settings stored at account level in addition to browser-level settings.

14. Data retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy and to comply with legal obligations.

In particular:

• account data is generally retained for the duration of the account and for a limited period thereafter where necessary for contractual follow-up, dispute resolution, security or legal compliance;
• billing, tax and accounting data is retained for the period required by applicable commercial and tax laws;
• User Content is generally retained until deleted by the user/customer or until the account or relevant service is terminated, subject to backups and legal retention;
• raw files used for conversion or processing workflows, such as source video used to generate 3D Gaussian splats, are retained only for the technical processing window and normally deleted within a short period, such as up to 5 hours, unless longer retention is required for troubleshooting, security, user request or legal reasons;
• server logs and security event data are retained for a limited period necessary for security, troubleshooting, abuse prevention and incident investigation;
• support requests and related correspondence may be retained for an appropriate period after closure to handle follow-up requests, defend legal claims and improve support quality;
• consent records are retained for as long as necessary to manage and demonstrate consent choices;
• applicant data is retained as described in Section 18.

Where possible and appropriate, we may anonymise data instead of deleting it.

If you withdraw consent or object to processing, we will delete or stop processing the relevant personal data unless continued processing is required by law, necessary for legal claims, or otherwise permitted by applicable law.

15. Data security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.

Measures may include access controls, authentication, least-privilege access, encryption in transit, encryption at rest where appropriate, logging, monitoring, backups, secure development practices, vendor management, incident response procedures and confidentiality obligations.

Access to personal data is restricted to persons who need access for the purposes described in this Privacy Policy. Where you use a password, API key or access token, you are responsible for keeping it confidential.

No transmission over the internet or electronic storage system can be guaranteed to be completely secure. However, we take reasonable and appropriate steps to protect personal data.

16. Server log files and encryption

Our website and Platform automatically collect and store information in server log files, including IP address, browser and language settings, operating system, referrer URL, internet service provider, date and time of access, and request and connection metadata.

This data is processed on the basis of our legitimate interest in system stability, security, troubleshooting, abuse prevention and technical optimisation. Server logs are retained for a limited period unless longer storage is required for security, incident investigation, legal compliance or legal claims.

For security reasons, our website and Platform use SSL/TLS encryption. You can recognise an encrypted connection by “https://” and the lock icon in your browser.

17. Your rights

Under applicable data protection law, you may have the right to:

• access your personal data;
• rectify inaccurate or incomplete personal data;
• erase personal data;
• restrict processing;
• object to processing based on legitimate interests;
• receive personal data in a portable format where applicable;
• withdraw consent at any time with effect for the future where processing is based on consent;
• lodge a complaint with a supervisory authority.

To exercise your rights, contact us at office@stratum1.io.

You may lodge a complaint with the Austrian Data Protection Authority: Barichgasse 40-42, 1030 Vienna, Austria, Tel: +43 1 52 152-0, email: dsb@dsb.gv.at.

18. Applicants

If you send us application documents, we process the personal data contained therein, including CVs, references and related correspondence, for the purpose of personnel selection and recruitment.

In the event of rejection, we will delete your application documents 7 months after notification of rejection, unless longer retention is required for the establishment, exercise or defence of legal claims.

If we wish to retain your application for future opportunities, we will request separate consent. If you provide such consent, we will store your applicant data for up to one year from the date of consent, unless a shorter period is appropriate.

19. Automated decision-making

We do not carry out automated decision-making, including profiling, within the meaning of Art. 22 GDPR, unless expressly stated otherwise for a specific feature and permitted by law.

AI-assisted outputs and automated technical features may support user-facing functionality, but they do not constitute automated legal or similarly significant decisions about users unless expressly stated otherwise.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical or business developments. The current version will be made available on our website and within the Platform.