Privacy Policy
Last updated: 26 May 2026
This is an English translation provided for convenience. In case of any discrepancy or conflict, the Romanian version of this document, available at https://trovare.ro/privacy-policy, shall prevail.
NETBEARS TEAM SRL (hereinafter "Trovare", "we" or "the company") is committed to protecting the privacy of your personal data. This policy explains what data we collect, how we use it, and what your rights are under the General Data Protection Regulation (GDPR) and applicable Romanian law.
1. Data controller
The controller of your personal data is:
- Name: NETBEARS TEAM SRL
- VAT ID: RO37261366
- Address: Corneliu Baba 8, Iași, Romania
- Email: contact@trovare.ro
2. What personal data we collect
Depending on how you interact with Trovare, we may collect the following categories of data:
Data you provide directly
- Account information: first name, last name, email address, password (stored encrypted, as a hash)
- Profile information: company, profile photo, professional role
- Preferences: preferred shops, sorting options and other usage settings
Data generated through your use of Trovare
- Search queries you run and your recent-search history
- Products saved to favourites
- Collections and boards, including the email addresses of recipients with whom you share a collection, together with the votes and comments associated with approvals
- Moodboards generated and their associated preferences
- Images uploaded to Reflexii (image-based product search)
- Personal photos uploaded to Vernissage (the Instagram framing atelier) — photos of real interiors/spaces that you upload in order to frame, optionally process with AI, and export. Location metadata (EXIF/GPS) is automatically stripped on upload.
- Client CRM data (the Clienți module)
- Feedback you provide on the quality of searches, moodboards and the platform
- Price alerts you configure
Technical data
- IP address, User-Agent, browser type and operating system
- Cookies and similar session data (see the Cookie Policy)
3. Purposes of processing
We process your personal data for the following purposes:
- Providing and improving the furniture search service
- Creating and managing your user account
- Saving favourites, collections, boards and preferences
- Generating personalised moodboards
- Service-related communications (notifications, updates, transactional emails)
- Analysing and improving Trovare
- Fraud prevention, security, rate-limiting/WAF and error monitoring
4. Legal basis for processing
We process your personal data on the following legal bases set out in the GDPR:
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Trovare service on the basis of the accepted terms and conditions: managing your account, saving favourites, collections and preferences, generating moodboards and sending service-related communications
- Legitimate interest (Art. 6(1)(f) GDPR) — to analyse and improve Trovare, ensure security, monitor errors and apply rate-limiting/WAF
- Consent (Art. 6(1)(a) GDPR) — for non-essential (preference) cookies, marketing communications and the email notifications associated with sharing collections, as well as for the transfer of your personal photos outside the EEA (the United States) in the case of the Vernissage AI fallback (Art. 49(1)(a) GDPR — explicit consent for the international transfer). Storing and framing photos within the EEA is carried out on the basis of contract performance; the AI processing and the associated transfer to the USA take place only with your explicit consent, which you can withdraw at any time by not using the AI actions (the rest of Vernissage's functionality remains available)
5. Data sharing
We do not sell your personal data to third parties, and we do not use any third-party web-analytics or advertising trackers (we do not use Google Analytics or Microsoft Clarity). Product data comes from indexing retailers' websites and does not contain personal data. We may share data with the following service providers (processors / sub-processors):
Within the European Economic Area (EEA)
- AWS Cognito (eu-central-1, Frankfurt, Germany) — authentication and user account management
- Amazon DynamoDB (eu-central-1, Frankfurt, Germany) — primary data store (profile, favourites, collections, boards, cache)
- Amazon S3 (eu-central-1, Frankfurt, Germany) — file storage (avatars, moodboard images, brand kits, images uploaded to Reflexii, data-export ZIP archives)
- AWS Bedrock — Claude Sonnet 4 (eu-central-1, Frankfurt, Germany) — analysing products to generate moodboards
- AWS Bedrock — Claude Haiku 4.5 (eu-central-1, Frankfurt, Germany) — the Stil style classifier and search query rewriting
- AWS Bedrock — Titan (multimodal embeddings) (eu-central-1, Frankfurt, Germany) — generating embeddings from product images
- AWS Bedrock — Nova Canvas (eu-west-1, Dublin, Ireland) — the PRIMARY generator of moodboard scenes and backgrounds, and the PRIMARY AI processor of photos in Vernissage (background removal and frame extension)
- Amazon SES (eu-central-1, Frankfurt, Germany) — delivery of transactional emails (account verification, password reset, collection-share and vote invitations, the weekly price-alert digest, GDPR data-export delivery)
- Bunny Fonts (BunnyWay d.o.o., Slovenia — EU — privacy-focused CDN) — delivery of the web fonts used across the entire platform (the application and the marketing/legal pages). Your IP address is passed to the CDN in order to serve the fonts, as with any CDN, but it is not used for tracking; processing takes place within the EU.
Identity providers (optional sign-in)
- Google OAuth (Google LLC, USA — EU-US DPF certified) — only when you choose "Sign in with Google". Transmitted: email address, name, profile photo and Google sub. Legal basis: performance of the contract.
- Facebook OAuth (Meta Platforms Inc., USA — EU-US DPF certified) — only when you choose "Sign in with Facebook". Transmitted: email address, name, profile photo and Facebook id. Legal basis: performance of the contract.
Outside the European Economic Area (EEA)
- AWS Bedrock — Stability "Stable Image Ultra" (us-west-2, Oregon, USA) — used SOLELY as a fallback, when Nova Canvas is unavailable, to generate moodboard backgrounds. No personal data is transmitted, only aggregated characteristics of the selected products.
- AWS Bedrock — Stability (remove-background / outpaint) (us-west-2, Oregon, USA) — used SOLELY as a fallback for the AI processing of photos in Vernissage, when Nova Canvas (eu-west-1) is unavailable. Unlike the moodboard fallback, in this case your personal photo is transmitted to and processed in the USA. This transfer takes place only after you have explicitly acknowledged the AI-processing notice, and solely for the AI actions you initiate yourself (background removal, frame extension).
- Sentry (Functional Software Inc., USA) — error and performance monitoring, run as essential telemetry. Personal data is scrubbed (authorization headers, cookies, tokens, email address and username are removed, and send_default_pii is disabled); events are retained for a maximum of 90 days.
- Microsoft Teams (webhook) — internal error and feedback alerts. May contain technical context and exception text/stack frames, possibly including a pseudonymised user id. No marketing purposes.
In addition, we may disclose data to authorities where we are required to by law.
All service providers are contractually obliged to protect your data and to process it only for the specified purposes, under data-processing agreements concluded in accordance with Art. 28 GDPR.
6. Data storage and security
Your data is stored on secure servers within the European Union (the AWS eu-central-1 region in Frankfurt, Germany, and eu-west-1 in Dublin, Ireland, for Nova Canvas). We use encryption, multi-factor authentication (MFA) and access controls to protect your data.
6a. International data transfers
Most of your data is stored and processed within the European Economic Area (AWS eu-central-1 in Frankfurt, and eu-west-1 in Dublin for Nova Canvas). However, certain data is processed outside the EEA:
- Google OAuth and Facebook OAuth (Google LLC and Meta Platforms Inc., USA) — only if you use one of these methods to sign in. Transmitted: email address, name, profile photo and provider id.
- AWS Bedrock — Stability "Stable Image Ultra" (us-west-2, Oregon, USA) — solely as a fallback for moodboard backgrounds. No personal data is transmitted, only aggregated characteristics of the selected products.
- AWS Bedrock — Stability (Vernissage) (us-west-2, Oregon, USA) — a fallback for the AI processing of photos in Vernissage, when Nova Canvas (eu-west-1) is unavailable. In this case, your personal photo (an image of a real interior, which may show people or other identifiable elements) is transmitted to and processed in the USA. The transfer takes place solely for the AI actions you initiate yourself and only after you have explicitly acknowledged the notice shown before first use. The photo is used exclusively to produce the requested result and is not retained by the provider for any other purpose.
- Sentry (servers in the USA) — error monitoring. Personal data is scrubbed; events are retained for a maximum of 90 days.
- Microsoft Teams (webhook) — internal error and feedback alerts. Technical context, no marketing purposes.
These transfers are safeguarded by the following legal guarantees:
- EU-US Data Privacy Framework (DPF) (adequacy decision of 10 July 2023) — Amazon Web Services, Google LLC and Meta Platforms Inc. are certified under the DPF.
- Standard Contractual Clauses (SCC) — applied where necessary, in accordance with Art. 46(2)(c) GDPR.
- Should the DPF adequacy decision be suspended or invalidated (for example, following a future "Schrems"-type ruling), these transfers will fall back on the Standard Contractual Clauses that each of these providers has also concluded.
7. Retention period
- Account data, favourites, collections and boards, brand kits, client CRM data, feedback (search, moodboard and platform), votes and comments — retained until account deletion (with no fixed expiry)
- Search and product-detail cache — 8 days (35 days for the monthly Coverage writes); refreshed automatically by a maintenance process
- Usage logs (UsageLogs) — 90 days
- Product snapshots — 90 days
- Reflexii (image-based reflections) — 180 days; unopened ones are swept after 30 days
- Vernissage (personal photos, accepted AI results and thumbnails) — retained until you delete them (per piece) or until you delete your account; there is no fixed expiry, so that you can re-edit your pieces at any time. Temporary, unaccepted AI results are automatically removed after 1 day.
- Query-rewrite cache — 30 days
- Error logs (Sentry) — 90 days
- Cognito authentication tokens — access/ID tokens: 1 hour; refresh tokens: 30 days
- Data-export ZIP archive — approximately 14 days
- When the account is deleted, all associated data is permanently erased through a cascading deletion process: the DynamoDB rows, all S3 prefixes (including Reflexii images and Vernissage photos and results) and the Cognito user
8. Automated processing and the use of artificial intelligence
Trovare uses AI-assisted processing (AWS Bedrock) for its features:
- Claude (Sonnet 4) analyses the characteristics of the selected products (style, colour, dimensions) to suggest optimal layout compositions for moodboards
- Nova Canvas (eu-west-1) is the PRIMARY generator of moodboard scenes and backgrounds, based on that analysis
- Stability "Stable Image Ultra" (us-west-2) is used SOLELY as a fallback when Nova Canvas is unavailable
- Vernissage — at your request, background removal and frame extension of your photo are performed with Nova Canvas (eu-west-1) as the PRIMARY processor; if it is unavailable, the processing is performed as a fallback with Stability models in the USA (us-west-2). These AI actions are optional, are initiated manually by you, and are limited to 15 actions per month.
- The Stil classifier and the Gemeni similarity feature help classify and aesthetically match products
This processing produces no legal effects, nor any similarly significant effects on users. It is used exclusively for creative/aesthetic purposes, to generate visual styling suggestions.
Users may give feedback on the generated moodboards and may request new variants.
Trovare does not carry out profiling or automated decision-making within the meaning of Art. 22 GDPR.
9. Your rights
Under the GDPR, you have the following rights:
- Right of access — you may request a copy of your personal data
- Right to rectification — you may correct inaccurate data in your profile
- Right to erasure — you may request the deletion of your account and all associated data
- Right to portability — you may request an export of your data in a structured format
- Right to object — you may object to the processing of your data in certain situations
- Right to restriction of processing — you may request that the way your data is processed be limited
- Right to withdraw consent — you may withdraw your consent at any time, without affecting the lawfulness of processing carried out beforehand
For the right to data portability (Art. 20 GDPR), you can also request an automated export of your data directly from your profile settings; you will receive a ZIP archive by email. Because of the load on our infrastructure, this export is limited to approximately one request every 7 days.
To exercise your other rights, contact us at contact@trovare.ro.
9a. Minors
Trovare is aimed at professional interior designers and is not directed at children under 16. We do not knowingly collect personal data from minors. If you suspect that we have received a minor's data, please contact us and we will delete it.
9b. Data Protection Officer (DPO)
Trovare has not formally designated a Data Protection Officer — the processing does not meet the mandatory thresholds set out in Art. 37(1) GDPR (no large-scale processing of special categories of data and no large-scale systematic monitoring). For privacy queries, you can contact us directly at contact@trovare.ro.
10. Complaints
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with:
- The National Supervisory Authority for Personal Data Processing (ANSPDCP) — www.dataprotection.ro
- The National Authority for Consumer Protection (ANPC) — https://anpc.ro/
11. Changes to this policy
We reserve the right to update this privacy policy. Any significant changes will be communicated by email or by a notice within Trovare. The date of the last update is shown at the top of this page.
12. Contact
For any questions about this policy or about the processing of your personal data, you can contact us at:
- Email: contact@trovare.ro
- Address: NETBEARS TEAM SRL, Corneliu Baba 8, Iași, Romania