Privacy Policy

Last updated: 26 May 2026

This is an English translation provided for convenience. In case of any discrepancy or conflict, the Dutch version of this document, available at https://trovare-atelier.nl/privacy-policy, shall prevail.

NETBEARS TEAM SRL (hereinafter "Trovare", "we" or "the company") is committed to protecting the privacy of your personal data. This policy explains what data we collect, how we use it and what your rights are under the General Data Protection Regulation (GDPR) and applicable Dutch law.

1. Data controller

The controller of your personal data is:

Name: NETBEARS TEAM SRL
VAT number: RO37261366
Address: Corneliu Baba 8, Iași, Romania
Email: contact@trovare-atelier.nl

2. What personal data we collect

Depending on how you interact with the Trovare atelier, we may collect the following categories of data:

Data you provide directly to us

Account details: first name, last name, email address, password (stored encrypted)
Profile details: company, profile picture
Preferences: favourite retailers, sort options

Data generated through use of the atelier

Searches carried out in the atelier
Products saved to favourites and collections
Generated moodboards and their associated preferences
Brand kits (studio identity: logo, colours, tagline) you upload for use in PDFs, OG images and shared pages
Data from the Clienti client management (CRM): client names, notes, status and linked collections that you create
Reflexii: images you upload for visual search of similar products, stored per user
Personal photos uploaded to Vernissage (the atelier for framing photos for Instagram) — photos of real interiors/spaces that you upload in order to frame, optionally process with AI, and export. Location metadata (EXIF/GPS) is automatically removed on upload.
For shared collections: email addresses of recipients you invite, plus their votes and comments (Aprobari)
Feedback on the quality of searches and moodboards, and general platform feedback
Price-alert preferences: the per-favourite or per-collection price-drop alerts you opt into

Technical data

IP address, browser type, operating system
Cookies and similar data (see the Cookie Policy)
Session and navigation data

3. Purposes of the processing

We process your personal data for the following purposes:

Providing and improving the furniture search service
Creating and managing your user account
Storing favourites, collections and preferences
Generating personal moodboards
Communication about the service (notifications, updates)
Analysing and improving the atelier
Preventing fraud and ensuring security

4. Legal basis for the processing

We process your personal data on the following GDPR legal bases:

Performance of a contract (art. 6(1)(b) GDPR) — for the provision of the Trovare service on the basis of the accepted terms and conditions
Legitimate interest (art. 6(1)(f) GDPR) — for improving the atelier and ensuring security
Consent (art. 6(1)(a) GDPR) — for non-essential (preference) cookies, marketing communications and the email notifications around sharing collections, as well as for the transfer of your personal photos outside the EEA (the United States) in the case of the Vernissage AI fallback (art. 49(1)(a) GDPR — explicit consent for the international transfer). Storage and framing of photos within the EEA takes place on the basis of performance of the contract; the AI processing and the associated transfer to the US take place solely with your explicit consent, which you can withdraw at any time by not using the AI actions (the remaining Vernissage features stay available)

5. Sharing of data

We do not sell your personal data to third parties. We may share data with:

Service providers (processors) within the EEA:
- AWS Cognito (eu-central-1, Frankfurt, Germany) — authentication and account management
- Amazon DynamoDB (eu-central-1, Frankfurt, Germany) — storage of atelier data (profile, favourites, collections, cache)
- Amazon S3 (eu-central-1, Frankfurt, Germany) — file storage (avatars, moodboard images, brand kits, images uploaded to Reflexii, data-export ZIP archives)
- Amazon Bedrock — Claude (Sonnet 4 and Haiku 4.5) (eu-central-1, Frankfurt, Germany) — product analysis for generating moodboards (Sonnet 4) and the Stil style classifier (Haiku 4.5)
- Amazon Bedrock — Titan Embeddings (eu-central-1, Frankfurt, Germany) — generating vector embeddings for visual search (Reflexii / similar products)
- Amazon Bedrock — Nova Canvas (eu-west-1, Dublin, Ireland) — primary generator of moodboard scenes and backgrounds, and the PRIMARY AI processor of photos in Vernissage (background removal and frame extension)
- Amazon SES (eu-central-1, Frankfurt, Germany) — delivery of transactional emails (account verification, password recovery, collection invitations, the weekly price-alert digest, data export)
- Bunny Fonts (BunnyWay d.o.o., Slovenia — EU — privacy-focused CDN) — delivery of the web fonts across the entire atelier (the application and the marketing and legal pages). Your IP address is passed to the CDN in order to serve the fonts, as with any CDN, but it is not used for tracking; processing takes place within the EU.
Identity providers (federated authentication, optional):
- Google OAuth (Google LLC, US — DPF-certified) — only when you choose "Sign in with Google". Transferred: email, name, profile picture, Google sub ID. Legal basis: performance of the contract.
- Facebook OAuth (Meta Platforms Inc., US — DPF-certified) — only when you choose "Sign in with Facebook". Transferred: email, name, profile picture, Facebook ID. Legal basis: performance of the contract.
Processors outside the EEA (fallback mechanisms and monitoring):
- Amazon Bedrock — Stability AI (us-west-2, Oregon, US) — used solely as a fallback mechanism for generating moodboard backgrounds when Nova Canvas is unavailable. No personal data is transferred, only aggregated characteristics of the selected products.
- Amazon Bedrock — Stability (remove-background / outpaint) (us-west-2, Oregon, US) — used solely as a fallback mechanism for the AI processing of photos in Vernissage, when Nova Canvas (eu-west-1) is unavailable. Unlike the moodboard fallback, in this case your personal photo is transferred to and processed in the US. This transfer takes place only after you have explicitly acknowledged the notice about the AI processing, and solely for the AI actions you initiate yourself (background removal, frame extension).
- Sentry (Functional Software Inc., US) — error and performance monitoring. Pseudonymised data, no cross-site profiling, retained for a maximum of 90 days.
- Microsoft Teams (webhook) — internal error and feedback notifications. May contain technical context including a pseudonymised user ID. No marketing purposes.
Authorities: where we are legally required to do so

All service providers are contractually obliged to protect your data and to process it solely for the stated purposes (data processing agreements in accordance with art. 28 GDPR).

6. Storage and security of data

Your data is stored on secure servers in the European Union (the AWS eu-central-1 region in Frankfurt, Germany, and eu-west-1 in Dublin, Ireland, for Nova Canvas). We use encryption, multi-factor authentication and access controls to protect your data.

6a. International transfers of data

The majority of your data is stored and processed within the European Economic Area (AWS eu-central-1 in Frankfurt, and eu-west-1 in Dublin for Nova Canvas). Certain data, however, is processed outside the EEA:

Google OAuth and Facebook OAuth (Google LLC and Meta Platforms Inc., US) — only when you use one of these methods to sign in. Transferred: email, name, profile picture, provider ID.
Amazon Bedrock — Stability AI (us-west-2, Oregon, US) — used solely as a fallback mechanism for moodboard backgrounds. No personal data is transferred, only aggregated characteristics of the selected products.
Amazon Bedrock — Stability (Vernissage) (us-west-2, Oregon, US) — a fallback mechanism for the AI processing of photos in Vernissage, when Nova Canvas (eu-west-1) is unavailable. In this case, your personal photo (the image of a real interior, which may show people or other identifiable elements) is transferred to and processed in the US. The transfer takes place solely for the AI actions you initiate yourself and only after you have explicitly acknowledged the notice shown before first use. The photo is used solely to produce the requested result and is not retained by the provider for any other purpose. This transfer is covered by the EU-US Data Privacy Framework (DPF) and AWS's Standard Contractual Clauses (SCC).
Sentry (servers in the US) — used for error monitoring. May receive technical data (IP address, browser type, error details). Pseudonymised data, no cross-site profiling, retained for a maximum of 90 days.
Microsoft Teams (webhook) — internal error and feedback notifications. Technical context, no marketing purposes.

These transfers are protected by the following legal safeguards:

EU-US Data Privacy Framework (adequacy decision of 10 July 2023) — Amazon Web Services, Google LLC and Meta Platforms Inc. are certified under the DPF.
Standard Contractual Clauses (SCC) — applied where necessary, in accordance with art. 46(2)(c) GDPR.
If the DPF adequacy decision is withdrawn or suspended (for example, as a result of a future "Schrems" ruling), these transfers fall back on the Standard Contractual Clauses that each of these providers has also concluded.

7. Retention period

Account data (profile, favourites, collections, moodboards, brand kits, Clienti CRM data, Reflexii, votes and comments on shared collections) — retained until you delete the account; there is no fixed expiry
Cognito authentication tokens — session duration (30 days for refresh tokens, 1 hour for access tokens); MFA recovery codes — until regeneration or account deletion
Search cache and product details — 8 days (automatically refreshed daily by a maintenance process; data from the monthly Coverage process is retained for 35 days)
Query-rewrite cache — 30 days
Product snapshots (Stock Watch) — 90 days
Search and moodboard feedback — retained until account deletion (no fixed expiry)
Usage logs (UsageLogs) — 90 days
Error logs (Sentry) — 90 days
Reflexii uploads — 180 days; unopened uploads are swept after 30 days
Vernissage (personal photos, accepted AI results and thumbnails) — retained until you delete them (per piece) or until you delete your account; there is no fixed expiry, so that you can re-edit your pieces at any time. Temporary, unaccepted AI results are automatically removed after 1 day.
Data export (ZIP) — the generated export file is retained for approximately 14 days and then automatically deleted
On deletion of the account, all associated data (profile, favourites, collections, moodboards, brand kits, Clienti CRM, Reflexii, Vernissage photos and results, feedback, votes and comments, files in S3) is permanently erased through a full cascade

8. Automated processing and use of artificial intelligence

Trovare uses processing assisted by artificial intelligence (Amazon Bedrock) for generating moodboards:

Claude AI (eu-central-1) analyses the characteristics of the selected products (style, colour, dimensions) to suggest optimal layout compositions
Nova Canvas (eu-west-1) is the primary generator of background textures based on the analysis by Claude AI
Stability AI (us-west-2) is used solely as a fallback mechanism when Nova Canvas is unavailable
Vernissage — at your request, background removal and frame extension of your photo are performed with Nova Canvas (eu-west-1) as the PRIMARY processor; if it is unavailable, the processing is performed as a fallback with Stability models in the US (us-west-2). These AI actions are optional, are initiated manually by you, and are limited to 15 actions per month.

This processing has no legal effects and no similarly significant effects on users. It is used solely for creative/aesthetic purposes, to generate visual furnishing suggestions.

Users can give feedback on the generated moodboards and request new variants (a maximum of 4 variants per collection).

Trovare does not carry out profiling or automated decision-making within the meaning of art. 22 GDPR.

9. Your rights

In accordance with the GDPR, you have the following rights:

Right of access — you can request a copy of your personal data
Right to rectification — you can correct inaccurate data in your profile
Right to erasure — you can request deletion of your account and all associated data
Right to data portability — you can request an export of your data in a structured format
Right to object — you can object to the processing of your data in certain situations
Right to restriction of processing — you can request that the way your data is processed be restricted
Right to withdraw consent — you can withdraw your consent at any time, without affecting the lawfulness of prior processing

To exercise these rights, contact us at contact@trovare-atelier.nl.

For the right to data portability (art. 20 GDPR), you can also request an automated export directly through your profile settings; you will receive a ZIP by email. Because of the load on our infrastructure, this export is limited to one request per seven days.

9a. Minors

Trovare is aimed at professional interior designers and is not intended for minors under the age of 16. We do not knowingly collect personal data from minors. If you suspect that we have received data from a minor, please contact us and we will delete that data.

9b. Data Protection Officer (DPO)

Trovare has not appointed a formal Data Protection Officer — the processing does not fall within the thresholds of art. 37(1) GDPR (no large-scale processing of special categories of data, no large-scale systematic monitoring). For privacy questions, you can contact us directly at contact@trovare-atelier.nl.

10. Complaints

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Dutch supervisory authority:

Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) — autoriteitpersoonsgegevens.nl

11. Changes to the policy

We reserve the right to update this privacy policy. Material changes will be communicated by email or through a notice in the atelier. The date of the last update is shown at the top of this page.

12. Contact

For questions about this policy or the processing of your personal data, you can contact us at:

Email: contact@trovare-atelier.nl
Address: NETBEARS TEAM SRL, Corneliu Baba 8, Iași, Romania