Privacy Policy

Last Update: 12.06.2025

This Privacy Policy describes how Diletta Luna OÜ (registry code 14646450), located at Sepapaja 6, 15551 Tallinn, Estonia ("we", "us", or "our"), processes personal data when you use our In A Nutshell service. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

1. Data Controller

Diletta Luna OÜ acts as the data controller for your personal data. For any privacy-related inquiries, please use our contact form.

2. Personal Data We Process

We collect and process the following categories of personal data:

  • Account information: email address, password (encrypted), account settings
  • Payment information: transaction records (payment amounts, dates) - note that actual payment processing is handled by Stripe
  • Usage data: IP address, browser type, device information, interaction with our service
  • Communication data: support requests, feedback, correspondence with us
  • Technical data: cookies, log files, device identifiers
  • Analytics data: service usage patterns, feature interaction statistics
  • Video queries: YouTube URLs and related conversation data for service provision

For users under 13 years of age: We do not knowingly collect or process personal data from children under 13 years old. If you become aware that a child has provided us with personal data, please contact us immediately.

4. International Data Transfers

We may transfer your personal data to countries outside the European Economic Area (EEA). When we do, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions issued by the European Commission
  • Binding Corporate Rules where applicable
  • Additional technical measures to ensure data security

Our primary data processing occurs within the EU, but some services may involve transfers to:

  • United States (for AI processing and certain cloud services)
  • Other countries where our service providers operate

You can request information about specific transfer mechanisms by contacting us.

5. Security Measures

We implement appropriate technical and organizational measures following Article 32 of the GDPR to ensure data security:

  • End-to-end encryption for data in transit
  • Multi-factor authentication (MFA) for admin account access where possible
  • Regular automated security scanning and vulnerability assessments
  • Strict access controls based on the principle of least privilege
  • Comprehensive incident response and breach notification procedures
  • Automated system monitoring and intrusion detection
  • Secure development practices and code reviews

We conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities and maintain ISO 27001 aligned security practices.

In case of a personal data breach that risks your rights and freedoms, we will notify:

  • The Estonian Data Protection Inspectorate within 72 hours
  • Affected individuals without undue delay
  • Our Data Protection Officer immediately

6. Data Sharing and Processors

We share your personal data with these categories of processors:

  • Payment processing: Stripe handles all payment processing
  • Data storage: Netcup and Hetzner for secure data storage and backups
  • Email delivery: Postmark for sending transactional emails
  • AI processing: Anthropic (Claude) and OpenAI for video analysis and chat functionality
  • Analytics services (with pseudonymized data)

All our processors are bound by Data Processing Agreements that ensure GDPR compliance and appropriate data protection measures. We carefully select our service providers to ensure they meet our security and privacy standards.

6.1 Records of Processing Activities

In accordance with Article 30 of the GDPR, we maintain detailed records of our processing activities, including:

  • Categories of processing activities
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Technical and organizational security measures

These records are available to supervisory authorities upon request and help us maintain accountability for our data processing activities.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations. This includes:

  • Account and service data: For as long as needed to provide our services
  • Transaction records: As required by applicable tax and accounting laws
  • Usage data: Up to 12 months for service optimization
  • Communication records: As needed for support and service improvement
  • Video conversation data: Stored temporarily for service provision and improvement

7.1 Data Minimization

We follow data minimization principles by:

  • Only collecting data necessary for our services
  • Automatically deleting unnecessary data
  • Regularly reviewing and updating data retention periods
  • Providing options to limit data processing

8. Your Rights

Under the GDPR, you have the following rights:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent for marketing

To exercise these rights, please use our contact form. We'll respond within one month. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee).

9. Cookies

We use the following types of cookies:

  • Essential cookies: Required for service functionality
  • Analytics cookies: To understand service usage (with your consent)
  • Functional cookies: To remember your preferences

You can manage cookie preferences through your browser settings.

9.1 Automated Decision-Making and Profiling

Our service is built around AI-powered automation for video analysis and insights. This is a core feature that:

  • Analyzes YouTube video content and transcripts using AI models
  • Generates automated summaries and insights
  • Provides interactive chat functionality about video content
  • Processes multiple language support for video analysis

While our service is AI-driven, we ensure transparency by:

  • Providing clear explanations of how we analyze video content
  • Allowing you to review and question any analysis
  • Having human oversight of our AI systems
  • Maintaining high standards of AI accuracy and fairness

9.2 Startup Growth and Data Protection

As a growing startup, we may:

  • Introduce new features and processing activities
  • Partner with additional service providers
  • Expand to new markets

We commit to:

  • Notifying you of significant changes
  • Maintaining data protection standards during growth
  • Conducting privacy impact assessments for new features
  • Ensuring vendor compliance with our privacy standards

10. Changes to This Policy

We may update this policy occasionally to reflect changes in our practices or legal requirements. We'll notify you of significant changes through our service or by email. Continued use of our service after such changes constitutes acceptance of the updated policy.

11. Contact Information and Data Protection Officer

For any privacy-related questions, to exercise your rights, or to contact our Data Protection Officer:

Diletta Luna OÜ

Attn: Data Protection Officer

Sepapaja 6

15551 Tallinn

Estonia

Please use our contact form for all inquiries.

12. Salvatory Clause

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired. Any invalid, illegal, or unenforceable provision shall be deemed to be modified to the extent necessary to render it valid, legal, and enforceable while preserving its intent, or if such modification is not possible, shall be severed from this Privacy Policy.