Privacy Policy

The data controller responsible for this website and the Strana platform is:

Strana UG (haftungsbeschränkt)
Schackstr. 1 // c/o Kleinhempel & Partner
80539 München, Germany

Email: hello@strana.ai
Managing Directors: Jakob Riegger, Guilherme Coelho

For privacy-related inquiries, please contact our Data Protection Officer at privacy@strana.ai.

• Service Delivery: To provide, operate, and maintain the Strana AI video production platform, including generating videos from your uploaded content.
• AI Processing: To train per-account AI models on your uploaded content to produce customized video outputs for your property. Models are isolated per account and not shared across customers.
• Analytics: To understand how our platform is used and improve the user experience (only with your consent where required).
• Communications: To send you service-related notifications, respond to inquiries, and, with your consent, marketing communications.
• Security & Fraud Prevention: To detect, prevent, and address technical issues, security threats, and fraudulent activity.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

We process your personal data under the following legal bases (Art. 6 GDPR):

• Performance of Contract (Art. 6(1)(b)): Processing necessary to provide our services as agreed in our Terms of Service — account management, video generation, and platform access.
• Consent (Art. 6(1)(a)): For analytics cookies, marketing communications, and optional processing activities. You may withdraw consent at any time.
• Legitimate Interests (Art. 6(1)(f)): For service improvement, security measures, and fraud prevention, where our interests do not override your fundamental rights.
• Legal Obligation (Art. 6(1)(c)): Where processing is required to comply with tax, accounting, or other legal requirements.

Strana uses AI models to generate video content from your uploaded media. Here is how this works:

• Per-Account Models: AI models trained on your content are isolated to your account. Your media is never used to train models for other customers.
• Face-Agnostic Processing: Our AI models are designed to process property and environment visuals. We do not train facial recognition models on your content.
• Opt-Out: You may opt out of AI training on your content at any time by contacting us at privacy@strana.ai. Opting out may limit the quality and personalization of generated videos.
• Content Exclusion: You can flag specific uploads to be excluded from AI training while still using them for manual editing features.
• Transparency: Upon request, we can provide information about how your content has been used in AI model training.

We do not sell your personal data. We share data only as necessary with the following categories of service providers:

• Cloud Infrastructure — Amazon Web Services (AWS): Hosting and data storage within the European Union (EU-West-1, Frankfurt).
• Payment Processing — Stripe: Payment processing with data stored in EU and US data centers. Stripe is certified under the EU-US Data Privacy Framework.
• Analytics — Google Analytics: Website usage analytics, only with your explicit consent via our cookie banner.

All sub-processors are bound by Data Processing Agreements that ensure GDPR-compliant handling of your data. For a complete list of sub-processors, see our Data Processing Agreement.

Your data is primarily processed within the European Union. Where transfers to third countries are necessary:

• EU-Only Primary Processing: All core data processing, including AI model training and video generation, occurs on servers within the EU (AWS Frankfurt).
• Standard Contractual Clauses (SCCs): Where data is transferred outside the EU/EEA, we rely on European Commission-approved Standard Contractual Clauses (Art. 46(2)(c) GDPR).
• EU-US Data Privacy Framework: For transfers to US-based sub-processors (e.g., Stripe), we additionally rely on the EU-US Data Privacy Framework adequacy decision where applicable.

We retain your data only as long as necessary for the purposes for which it was collected:

• Account Data: Retained for the duration of your account plus 30 days after deletion for data export.
• Uploaded Media: Retained while your account is active. Deleted within 30 days of account termination or upon your request.
• AI Models: Per-account models are deleted within 30 days of account termination.
• Payment Records: Retained for 10 years as required by German tax law (AO §147).
• Usage Logs: Anonymized or deleted after 90 days.
• Backup Data: Removed from backups within 90 days of deletion from production systems.

Under the General Data Protection Regulation, you have the following rights:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@strana.ai. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

We implement appropriate technical and organizational measures to protect your data (Art. 32 GDPR):

• Encryption: AES-256 encryption at rest and TLS 1.3 for data in transit.
• Access Controls: Role-based access control, multi-factor authentication for administrative access, and principle of least privilege.
• Infrastructure Security: EU-hosted infrastructure with network isolation, firewalls, and intrusion detection.
• Regular Testing: Periodic penetration testing and security assessments.
• Employee Training: All team members receive data protection training.

In the event of a personal data breach:

• We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms (Art. 33 GDPR).
• If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay (Art. 34 GDPR).
• Notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address it.

Strana is a B2B platform designed for hotel businesses and professionals. Our services are not directed at individuals under the age of 16 (Art. 8 GDPR). We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on this page and, where appropriate, via email notification.

For questions about this Privacy Policy, please contact:

privacy@strana.ai

Related documents: Terms & Conditions | Data Processing Agreement