Privacy Policy

Version dated 15 September 2025

Controller

Blue Moon Virtual GmbH
Grunewaldstraße 39 b, 12165 Berlin, Germany

E-mail: info@bm-3d.de · Phone: +49 30 233 279 27

We have not appointed a Data Protection Officer. For all privacy matters, contact us at the e-mail above.

1. Scope

This policy explains how we process personal data when you use rizmo.ai and related services, create an account, make purchases, or visit our sites.

2. Roles (who does what)

  • We act as controller for account, billing, site operations, security logs, and analytics.
  • For business customers who process personal data through our features, we can act as processor; our Data Processing Agreement (DPA) applies as part of our contractual terms.
  • Auth0 (Okta) acts as our processor for authentication.
  • Stripe generally acts as an independent controller for payment processing (KYC/AML/fraud obligations).
  • Model and inference providers (e.g., Black Forest Labs FLUX, Replicate, fal.ai, Google via fal.ai) process prompts and uploads to deliver AI features (see Section 6).

3. Categories and sources of data

  • Account and login: name, e-mail, password hash, and social login identifiers if you use Google.
  • Payments: Stripe customer ID, transaction amounts, billing details, invoices (we do not store full card numbers).
  • Jobs (uploads, prompts, outputs): images, videos, documents, prompts or instructions, generation settings, job IDs, timestamps, and status.
  • Technical data and logs: IP address, device or browser, timestamps, request metadata, error logs, and abuse-prevention signals.
  • Cookies and online identifiers: strictly necessary cookies and optional analytics or marketing cookies only with your consent.

Sources: directly from you; from Google if you use social login; from Stripe (payment status and identifiers); from cookies and pixels (after consent).

4. Purposes and legal bases

| Processing | Purpose | Legal basis |
| --- | --- | --- |
| Account creation and login (Auth0) | Provide and secure your account | Art. 6(1)(b) GDPR (contract) |
| Core features (render, edit, upscale, deliver jobs) | Perform the services you request | Art. 6(1)(b) |
| Payments and invoicing (Stripe) | Purchases, subscriptions, refunds | Art. 6(1)(b) and Art. 6(1)(c) (tax laws) |
| Security, rate limits, abuse or fraud prevention | Keep services secure and reliable | Art. 6(1)(f) (legitimate interests) |
| Server logs and diagnostics | Operate, troubleshoot, defend against attacks | Art. 6(1)(f) |
| Customer support | Respond to requests and fix issues | Art. 6(1)(b) or (f) |
| Website contact form inquiries (Formspree) | Receive and respond to demo, partnership, and contact requests submitted on rizmo.ai | Art. 6(1)(b) or (f) |
| Analytics (GA4), ads and remarketing | Improve the site and run ads | Art. 6(1)(a) (consent) |
| Google Ads (conversion tracking, remarketing, ad personalization) | Measure campaign effectiveness and optimize targeting | Art. 6(1)(a) GDPR (consent) |
| Legal compliance (e.g., court or tax) | Fulfil legal obligations | Art. 6(1)(c) |

Note (job history): Storing your job history in your library is necessary to provide the service you requested (Art. 6(1)(b)). You can delete individual jobs or your entire library at any time.

Website inquiries: If you submit the rizmo.ai contact form, the information you enter is routed through Formspree on our behalf and forwarded to our internal project inbox so we can review and respond to your request.

5. Cookies and consent

We run a cookie banner and consent manager. Non-essential cookies (analytics, ads, remarketing) only run after consent. You can change or withdraw consent at any time via the banner.

We use Google Ads and related Google tags, which may use cookies or similar technologies to track conversions, build remarketing audiences, and personalize ads. These tags execute only after consent. Learn more in Google's Advertising and Cookies policy.

6. Model providers and how your inputs are handled

To deliver AI features we send your prompts and uploads to model and inference providers (e.g., Black Forest Labs (FLUX), Replicate, fal.ai, Google via fal.ai).

  • We disclose in-product which provider powers each feature.
  • Depending on endpoint and mode, some providers may retain inputs and outputs for limited periods.
  • Some outputs may include provenance signals or watermarks indicating AI origin; do not remove them.
  • Do not upload confidential information or special-category data (e.g., health, biometrics) into features where providers may reuse data to improve services.

7. Recipients and international transfers

Recipients: Auth0 (identity), Stripe (payments), hosting and CDN providers (e.g., Hetzner, Cloudflare), database and storage providers, model providers named above, and analytics or ads providers you consent to (e.g., Google).

Google Ireland Limited and Google LLC (Ads, Analytics, Tag, etc.) process personal data for advertising, remarketing, and conversion measurement.

International transfers: Where data is processed outside the EEA, UK, or CH, we use appropriate safeguards (e.g., Standard Contractual Clauses) and suitable technical and organizational measures.

8. Retention

We keep data only as long as needed for the purposes above, then delete or anonymize it. Typical periods:

  • Account data: for the life of your account; deleted from active systems within 30 days after a deletion request.
  • Invoices and transaction data: 10 years (tax and commercial law).
  • Jobs data: stored until you delete jobs or your account.
  • Backups: encrypted backups overwritten in normal cycles within up to 90 days.
  • CDN and caches: may persist for up to 7 days after deletion.
  • Server and security logs: usually 6 months unless needed longer for incidents.

Model-provider retention: deleting a job in your library removes our copy, but does not control retention already performed by a provider under its own policy.

9. Your rights

You have rights of access, rectification, erasure, restriction, portability, objection, and consent withdrawal. To exercise rights, contact info@bm-3d.de.

You also have the right to lodge a complaint with your supervisory authority, e.g. the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

10. Children and sensitive data

Our service is for users 18+ and is not directed to children. Please do not upload special categories of data (e.g., health, biometrics) unless we have expressly agreed and enabled controls for such processing.

11. Is provision of data required?

Account and payment data are necessary to provide paid features. If not provided, paid services cannot be used. Analytics and ads processing is optional and requires consent.

12. Automated decision-making

We do not conduct automated decision-making producing legal or similarly significant effects about you.

13. Security

We apply appropriate technical and organizational measures (encryption in transit and at rest, access controls, least privilege, logging and monitoring, vulnerability management, backups, and incident response).

14. How to control your data

  • Access and update your profile.
  • Delete jobs from your library at any time.
  • Delete your account.
  • Change cookie settings via the banner.

15. Subprocessors

We maintain a list of subprocessors (identity, payments, hosting, model providers, analytics) and update it when providers change. You can request it at info@bm-3d.de.

  • Google Ads - ad measurement, conversion tracking, and remarketing.
  • Google Analytics - analytics and measurement.
  • Google Tag - tag deployment and orchestration for Google services.

16. Changes to this policy

We may update this policy. The current version is always available at /privacy-policy. Material changes will be highlighted on the site.

Last updated: 15 September 2025.