1. Controller

For the purposes of GDPR and KVKK, the data controller is Holala, based in Istanbul, Türkiye. Contact: privacy@holala.ai.

For personal data you upload or process through the Service in the course of using it (for example, photos of models or employees in your brand assets), you act as the data controller and Holala acts as a data processor on your behalf.

2. Personal Data We Collect

2.1 Account and identity data

When you create an account, we collect your name, work email address, password (stored as a hash), company name, role, and country.

2.2 Billing data

Payments are handled by our merchant of record, Paddle.com Market Ltd. Paddle collects payment-method details (such as card number, billing address, and tax identifiers) directly. We receive limited billing metadata from Paddle (plan, transaction ID, renewal date, country, last four digits of the card).

2.3 Customer Content

"Customer Content" includes images, videos, text prompts, brand assets, product photographs, logos, and other files you upload to or generate with the Service. Customer Content may contain personal data (for example, photographs of people).

2.4 Usage data

When you use the Service, we automatically collect data about your interactions, such as pages visited, features used, generation requests, timestamps, device and browser information, IP address, and approximate location derived from IP.

2.5 Communications

When you contact us (support, sales, feedback), we collect the content of your message and any attachments.

2.6 Cookies and similar technologies

We use cookies and similar technologies on our website. See Section 10 for details.

3. How We Use Personal Data

We process personal data for the following purposes:

We do not use Customer Content to train our AI models or those of our third-party AI inference providers.

4. How We Share Personal Data

We share personal data only where necessary, and only with the following categories of recipients:

4.1 Service providers (subprocessors)

We use carefully selected third-party processors to operate the Service, including providers of:

• AI model inference,
• cloud hosting and file storage,
• content delivery,
• product analytics,
• transactional and marketing email delivery,
• customer relationship management,
• customer support tooling.

All subprocessors are bound by data-processing agreements that require them to handle personal data only on our instructions and to maintain appropriate security measures. A current list of subprocessors is available to enterprise customers on request at privacy@holala.ai.

4.2 Merchant of record

Payments are processed by Paddle.com Market Ltd, which acts as the seller of record and handles billing, taxes, chargebacks, and payment compliance on our behalf.

4.3 Integrations you authorize

If you connect the Service to a third-party platform (such as your e-commerce store), we will share data with that platform as needed to provide the integration, in accordance with your configuration.

4.4 Legal and safety

We may disclose personal data to comply with legal obligations, respond to lawful requests from public authorities, enforce our Terms, protect our rights, or prevent fraud or harm.

4.5 Business transfers

If Holala is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users.

We do not sell personal data.

5. International Data Transfers

Holala is based in Türkiye and uses service providers located in the European Union, the United Kingdom, the United States, and other countries. Where personal data is transferred outside the EEA, UK, or Türkiye, we implement appropriate safeguards, including:

• the European Commission's Standard Contractual Clauses (SCCs),
• the UK Information Commissioner's Office's International Data Transfer Addendum, and
• for transfers out of Türkiye, explicit consent, signed undertakings, or other mechanisms permitted under Article 9 of the KVKK.

Copies of relevant safeguards are available on request.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy:

• Account data: for the duration of your account, plus up to 24 months after closure for legal and audit purposes.
• Customer Content: for the duration of your subscription. You may delete content at any time through the Service. On account closure, Customer Content is deleted within 30 days, unless a longer retention period is required by law.
• Billing records: as required by applicable tax and accounting law (typically 10 years in Türkiye).
• Usage and log data: up to 18 months.
• Support communications: up to 3 years after resolution.
• Marketing data: until you withdraw consent or we determine the data is no longer useful.

7. Your Rights

Depending on your jurisdiction, you have the following rights:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data ("right to be forgotten").
• Restriction — restrict how we process your data.
• Objection — object to processing based on legitimate interests or for direct marketing.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent — at any time, where processing is based on consent.
• Lodge a complaint — with a supervisory authority (for EEA residents, your local data-protection authority; for Türkiye, the Kişisel Verileri Koruma Kurumu).

To exercise any right, contact us at privacy@holala.ai. We will respond within the time limits set by applicable law (typically 30 days).

8. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• encryption of data in transit (TLS) and at rest,
• role-based access control and the principle of least privilege,
• regular security reviews and dependency updates,
• authentication safeguards including hashed passwords and optional two-factor authentication,
• segregated production environments,
• logging, monitoring, and incident-response procedures.

No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authority as required by law.

9. Children's Data

The Service is intended for businesses and is not directed to individuals under 18. We do not knowingly collect personal data from children. If we learn that a child's personal data has been collected, we will delete it.

10. Cookies

We use the following categories of cookies on our website:

• Strictly necessary cookies — required for the site to function (authentication, session, security). No consent required.
• Analytics cookies — used to understand product usage and improve the Service. Used only with your consent.
• Marketing cookies — used to measure campaign performance. Used only with your consent.

You can manage cookie preferences through our cookie banner or your browser settings.

11. Marketing Communications

We may send marketing emails about Holala products, features, and events. You can unsubscribe at any time using the link in any marketing email or by contacting privacy@holala.ai. Unsubscribing from marketing does not affect transactional emails (receipts, account notifications, security alerts).

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For any question, request, or complaint related to this Privacy Policy or your personal data:

Holala — Privacy
Email: privacy@holala.ai
Address: Istanbul, Türkiye
Website: holala.ai

EEA and UK residents may also contact their local data-protection authority. Türkiye residents may contact the Kişisel Verileri Koruma Kurumu (KVKK) at kvkk.gov.tr.