Last updated: May 3, 2026
This Privacy Policy (“Privacy Policy”) explains how HorseImpact Ltd, trading as ModelRoom (“ModelRoom”, “we,” “us,” or “our”) collects, uses, stores, or discloses your personal data, and what rights you have under applicable law.
We encourage you to read this Privacy Policy carefully to understand our practices and how we process your personal data.
This Privacy Policy applies to the website located at https://modelroom.ai/ and any associated subdomains and web pages (“Platform”), as well as the services and products otherwise made available to you by us through the Platform (together, the “Services”). It also applies to our related communications and interactions with you about the Services, for example, account onboarding, product demos, user support, and service-related emails.
This Privacy Policy does not apply to any third-party websites, services or applications, even if they are accessible through the Services.
We may provide separate or supplemental Privacy Notices in specific contexts, such as for job applicants, and, where provided, those notices govern the relevant processing.
The Services may change over time. This Privacy Policy applies to new features and updates unless we provide a separate or supplemental notice for specific processing activities, where appropriate or required by applicable law.
If you have any questions regarding this Privacy Policy or our processing of your personal data, you may contact us as described in Section 12 (Contact Details).
ModelRoom is the data controller of personal data processed in connection with this Privacy Policy. Where we process personal data on behalf of a business customer, that processing is governed by our Data Processing Addendum as incorporated into the applicable agreement, unless the parties have agreed to another data processing agreement or other written terms that apply to that processing (“Data Processing Agreement”).
When you access or use our Services, we collect information from and about you, which may include personal data. “Personal data” means any information that identifies or can reasonably be used to identify you as an individual.
The personal data we collect depends on how you interact with us and the Services. Not all of the personal data categories listed below will apply to you. We only collect the personal data that is relevant to your interactions with us and the Services.
Please note that you are not legally required to provide personal data to us. However, if you choose not to provide certain information, for example, data needed to create an account or respond to a support request, we may not be able to provide some parts of the Services. Certain data is also collected automatically when you use the Services.
We collect personal data when you create or sign in to an account, use the Services, contact support, sign up for communications, participate in demos, provide feedback, or otherwise interact with us. This may include:
When you access or use the Services, we may automatically collect certain data. This may include:
If we use cookies, pixels, SDKs, or similar technologies in connection with the Services, we will describe this in Section 9 (Cookies and Similar Technologies) or in a separate Cookie Policy.
We may receive your personal data from third parties. This may include:
We process your personal data only if we have a lawful basis under applicable data protection laws. In this Section we explain how we use your personal data, and the legal grounds we rely on for doing so.
In some cases, we may process your data to pursue our legitimate interests in developing, operating, protecting, and improving the Services and running our business in a way that you would reasonably expect and which does not override your rights and freedoms. We have identified such legitimate interests where applicable.
When we process your data based on our legitimate interests, you have the right to object to such processing. When we process your data based on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing based on such consent before it is withdrawn. Please see Section 7 (Your Rights) for more details about your rights and how to exercise them.
| Purpose of data processing | Data processed | Legal basis |
|---|---|---|
| Provide and operate Services (create and manage accounts, enable access, run features, process inputs and chat interactions, generate outputs, deliver the Platform) | Contact data Account data Content, prompt, and output data Technical data Usage data | Performance of a contract (including pre-contractual steps at your request): provide the Services you request, including account creation, access, and feature delivery |
| Run product demos and pre/post-demo communications (qualify requests, schedule, reschedule, or cancel demos, send invites, reminders, or access instructions, run demo follow-ups, share materials you requested) | Contact data Communication data Business data Technical data | Performance of a contract (including pre-contractual steps at your request): arrange and deliver demos you request and follow up on your requests Legitimate interests: verify authenticity of demo requests, prevent spam and abuse, and tailor demos for your role and use case |
| Provide support (respond to support requests, resolve issues, and follow up) | Contact data Account data Communication data Technical data Usage data Other data you provide | Performance of a contract (including pre-contractual steps at your request): provide support and respond to your inquiries Legitimate interests: troubleshoot efficiently, improve support quality, and prevent abuse of support channels |
| Send service and administrative communications (send technical notices, security alerts, account messages, and operational updates) | Contact data Account data Technical data Usage data | Performance of a contract (including pre-contractual steps at your request): send account-related and service communications needed to provide the Services Legitimate interests: keep you informed about service changes and maintain security and service continuity |
| Operate, secure, and improve the Services (monitor performance, debug, detect incidents, understand usage patterns, run analytics, develop and test features, create aggregated and de-identified data) | Technical data Usage data Feedback data Communication data | Legitimate interests: operate, secure, and improve the Services, including performance, user experience, reliability, and product development Consent: where required by law (for example, for the use of certain non-essential cookies or similar technologies) |
| Customize and improve experience (remember preferences, tailor the user interface, suggest relevant features or templates where available) | Account data Contact data Technical data Usage data Feedback data Communication data Marketing data | Legitimate interests: tailor parts of the Services and our communications to make them more useful and relevant Consent: where required by law (for example, where personalization relies on technologies that require consent) |
| Send marketing communications (send news and product updates, measure campaign effectiveness) | Contact data Marketing data Usage data | Consent: where required by law (for certain marketing communications and related measurement technologies) Legitimate interests: promote the Services and keep you informed about updates where permitted by law |
| Assess and set up business relationships (respond to business inquiries, evaluate partnership, agency, affiliate, or collaboration opportunities, negotiate terms, and prepare agreements) | Contact data Communication data Business data | Performance of a contract (including pre-contractual steps at your request): take steps you request to discuss and set up a business relationship Legitimate interests: identify and engage suitable customers, partners, agencies, affiliates, or collaborators, assess fit and eligibility, and protect the integrity of our business relationships |
| Process payments and manage billing (process purchases, manage subscriptions, handle refunds, chargebacks, failed or reversed transactions, maintain transaction records, prevent payment fraud) | Contact data Payment data Transaction data Technical data | Performance of a contract (including pre-contractual steps at your request): provide paid features, process purchases and subscriptions Legitimate interests: prevent payment fraud, manage disputes and chargebacks, and maintain transaction security and integrity Compliance with a legal obligation: comply with tax, accounting, and statutory record-keeping requirements |
| Protect rights and prevent misuse (enforce our Terms and policies, secure the Services, prevent abuse, detect and prevent fraud, investigate incidents, and respond to voluntary requests, reports, or complaints) | Any relevant personal data categories listed in this Privacy Policy, only as necessary for the specific matter | Legitimate interests: protect our business, personnel, users, and the Services, enforce our Terms and policies, detect, prevent, and address fraud, abuse, security incidents, and violations of our Terms and policies |
| Legal compliance (comply with legal obligations, respond to lawful requests, meet statutory record-keeping obligations) | Any relevant personal data categories listed in this Privacy Policy, only as necessary for the specific matter | Compliance with a legal obligation |
Automated decision-making. We do not use automated decision-making, including profiling, that produces legal effects or similarly significant effects on you.
We may share your personal data with third parties in the following cases:
Our Services are global by nature, and your personal data can therefore be transferred to and processed in countries other than the country of your residence, including countries where privacy laws differ from those in the country of your residence.
Where your personal data is shared with recipients located outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland, we ensure appropriate safeguards are in place to protect your personal data. Depending on the transfer, we rely on:
You can request a copy of the relevant transfer safeguards, such as Standard Contractual Clauses, by contacting us using the details in Section 12 (Contact Details).
We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and protect the Services. Retention depends on the type of data, how it is processed, and applicable legal requirements.
Where we anonymize data, we may retain and use it in anonymized form.
Where we process personal data on behalf of a business customer under the Data Processing Agreement, retention and deletion may also be governed by that agreement.
We may publish additional privacy disclosures or regional addenda that apply to users in specific jurisdictions. Where an addendum applies, it supplements this Privacy Policy and will control to the extent of any conflict.
If you are located in the EEA, the United Kingdom, or Switzerland, or if our processing of your personal data is otherwise subject to the EU GDPR, UK GDPR, or Swiss data protection law, you have certain rights under applicable data protection law. This Section sets out those rights and explains how you can exercise them:
These rights are subject to certain limitations and exceptions under applicable law. We will assess each request to exercise these rights on a case-by-case basis.
To exercise any of these rights, please contact us using the contact details in Section 12 (Contact Details) below. Where we process personal data on behalf of a business customer, we may refer your request to that business customer or assist the business customer in responding to your request, as appropriate.
We will respond as soon as possible, but not more than within one month of receipt of your request. This period may be extended by a further two months where necessary due to the complexity and number of requests. In this case, we will inform you of such an extension within one month of receipt of your request and explain the reasons for the delay. We reserve the right to verify your identity before we process your request. If we cannot comply with your request, we will inform you of the reasons and of your right to complain to a supervisory authority.
If you believe that our processing of your personal data infringes applicable laws, you have the right to lodge a complaint with a supervisory authority, in particular in the EEA country of your habitual residence, place of work, or where an alleged infringement occurred. As we are established in the Republic of Cyprus, the supervisory authority overseeing us is the Commissioner for the Protection of Personal Data. We encourage you to contact us first so we can address your concerns before reaching out to the Commissioner.
Our Services are intended for use by individuals who are over 18 years of age or the age of majority in their country of residence, whichever is older. We do not intentionally or knowingly collect personal data from children. If you become aware that we might have unintentionally collected personal data from a child, please contact us using the contact details in Section 12 (Contact Details), and we will take reasonable efforts to stop processing such data and erase it as soon as possible.
We may use cookies and similar technologies, such as pixels, tags, SDKs, and local storage (together, “Cookies and Similar Technologies”), in connection with the Services.
Some Cookies and Similar Technologies are strictly necessary to operate and secure the Services, enable core functionality, authenticate users, maintain session state, and help prevent fraud, abuse, or unauthorized access. We may also use Cookies and Similar Technologies for optional purposes, such as analytics, product measurement, marketing, and improving the Services.
Where required by applicable law, we will obtain your consent before using Cookies and Similar Technologies for optional purposes. Where available, you may manage your preferences through the Services, a consent banner, browser settings, or other controls we make available. If you disable or reject certain Cookies and Similar Technologies, some parts of the Services may not function properly or may be unavailable.
We may provide additional information about Cookies and Similar Technologies we use in this Section 9 or in a separate Cookie Policy.
Our Services may contain links to third-party websites and applications. Your use of any such third-party services, and the way they process your personal data, are covered by the privacy notices of such third-party services, not this Privacy Policy. We do not control and are not responsible for the content, security, or privacy practices of those third parties. We encourage you to read the privacy notices of any such third-party services you visit.
We may make changes to this Privacy Policy from time to time. When we make changes, we will post the updated Privacy Policy and update the “Last updated” date at the top of this Privacy Policy. If we make material changes, we will take reasonable steps to notify you prior to the changes becoming effective, for example, by displaying a prominent notice on our Services, or, where required by law, we will obtain your consent or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal data. We encourage you to periodically review this Privacy Policy to stay informed of our privacy practices.
For any questions, comments, or concerns regarding this Privacy Policy or our processing of your personal data, please contact us at [email protected] or by post at Griva Digeni 51, Athineon Court, Office 202, 8047 Paphos, Cyprus.