Privacy notice

Juunam AI is the controller of the personal data described in this notice. We classify items and suggest prices. We do not list, sell, or transact on your behalf.

Juunam AI is in the process of being registered as an entity in the Grand Duchy of Luxembourg. Until that registration completes at the Registre de Commerce et des Sociétés (RCS Luxembourg), the founder Frederik Frieg acts as controller in a personal capacity. The privacy notice will be updated with the full entity name and RCS number in the same change in which they are issued.

[TO CONFIRM: Full registered entity name, registered address, and RCS Luxembourg number — to be inserted once entity registration completes.]

EU representative under Article 27 GDPR: not applicable. The controller is established in the European Economic Area (Luxembourg), so Article 27 does not require the appointment of an EU representative.

Data Protection Officer: not appointed. Article 37 GDPR requires a DPO only where (a) the controller is a public authority, (b) core activities involve large-scale, systematic monitoring of data subjects, or (c) core activities involve large-scale processing of special-category data under Article 9 or criminal-conviction data under Article 10. Juunam AI is a small-scale processor of general consumer data (account information, photos of personal items, derived classification and price suggestions). None of those categories apply. We will reassess this if the scale or scope of processing changes.

Privacy questions, data-subject requests, and complaints reach us at privacy@juunam.com. General product or business questions: hello@juunam.com. We aim to acknowledge within five working days and respond fully within one month.

This notice covers personal data we process when you sign up, submit items for classification and pricing, or interact with our marketing site and the product. Once you take a suggestion off our platform and use it elsewhere — listing on a marketplace, selling, transferring — we are not the controller for that activity, and the platform you use applies its own notice.

We hold three kinds of personal data. Each comes from a specific source.

What you give us

• Account data — email address, display name, a password (stored hashed), and any optional profile fields such as an avatar.
• Inputs submitted for classification and pricing — photos, written descriptions, and any context you add (brand, condition, location notes, and so on).
• Settings and preferences — including your opt-in choice for pricing personalisation.

What we generate from your inputs

• Inference outputs — suggested classification (category, brand, attributes, condition) and a suggested price.
• Inference logs — the inputs that produced an output, the output itself, the model version, and a timestamp. This is the provenance record (see below).

What we collect automatically

• Technical metadata — IP address, user agent, device type, and basic telemetry. We need this to keep the service running, prevent abuse, and debug issues.

We do not buy data about you from third parties. Everything we hold came either from you or from your interactions with the service.

Every purpose below has one specific lawful basis under Article 6 GDPR. Where we rely on legitimate interests, you can object — see Your rights.

Run your account

Data: Account dataBasis: Article 6(1)(b) — performance of a contract with you

Classify items and suggest prices (the core service)

Data: Inputs you submit, generated outputsBasis: Article 6(1)(b) — performance of a contract with you

Record provenance for the outputs we generate

Data: Inference logs (input identifier, model version, timestamp, output)Basis: Article 6(1)(f) — our legitimate interest in auditability, traceability, and trust in our outputs, balanced against your interests

Keep the service secure and prevent abuse

Data: Technical metadata, server logsBasis: Article 6(1)(f) — our legitimate interest in the integrity and security of the service

Personalise pricing to your specific market environment

Data: Inputs you submit (only if you opt in)Basis: Article 6(1)(a) — your consent. Strictly opt-in. See the section on pricing personalisation.

Meet legal obligations (e.g. responding to lawful requests, tax records)

Data: Whatever the obligation requiresBasis: Article 6(1)(c) — compliance with a legal obligation

When you submit an item, the model does two things: it classifies the item (category, brand, attributes) and it suggests a price. It does this by matching the patterns in your input against patterns it has learned from labelled examples. We do not disclose proprietary specifics of the model beyond that.

The output is a suggestion. We do not list, sell, or transact on your behalf. You decide what to do with it. You run any listing or sale on a platform you choose, separately from us, and the final price you apply is your decision and your responsibility.

Because the suggestion does not, by itself, produce a legal effect or similarly significant effect on you or a third party within our product, Article 22 GDPR (decisions based solely on automated processing producing legal or similarly significant effects) is not engaged in its strict form. We still describe the logic and significance of the suggestion here because you should understand what you are working with.

If you want a human to review a specific suggestion you have received, write to privacy@juunam.com and we will respond within one month.

This is separate from the core service. By default, you receive standard suggestions and your inputs are not used to train or fine-tune the model.

If you opt in, we use your submitted inputs to adapt future pricing suggestions to your specific market environment — in effect, fine-tuning the model so it learns the price signals you tend to work with. The lawful basis is your consent under Article 6(1)(a) GDPR.

You can withdraw your consent at any time, in the same place where you gave it. Withdrawal stops further use of your inputs for personalisation. It does not affect (i) suggestions already issued to you, or (ii) the lawfulness of any processing we carried out before you withdrew. This is your right under Article 7(3) GDPR.

Where the opt-in lives: Settings → Privacy → Pricing personalisation, in both the iOS app and the web vault. The same control toggles consent on or off. Withdrawal takes effect immediately for new collection. Any inputs already attached to your personalisation set are excluded from the next training cycle and deleted from the training set within 30 days. Suggestions already issued to you remain unaffected.

Status as of 2026-05-14: pricing personalisation is not yet available as a feature. The opt-in surface ships in a default-off state. If you turn it on now, you are recording consent in advance for when the feature ships; we do not collect or use any inputs for personalisation until the feature is live and you have left the consent on.

Retention for inputs used in personalisation is described separately under How long we keep data.

For every suggestion the model generates, we record a small set of fields: the input identifier, the model version that produced the output, a timestamp, and the output itself. We call this the provenance signal.

In practice this means we can answer a question like “why did the model suggest this price for this item, and which version produced it?” — yours, ours, or a regulator’s. We do not store anything about other users in your provenance record.

We do not sell your data. We do not share it with advertisers, ad networks, or data brokers.

We use a small number of service providers (sub-processors) to operate the product — hosting, database, storage, model inference, and error monitoring. Each is bound by a data-processing agreement that limits what they can do with your data to what we instruct, and explicitly prohibits re-use of the data for the sub-processor's own purposes.

Current sub-processor list (verified against the edge functions that handle your data, 2026-05-14):

• Supabase — authentication, Postgres database, object storage. Processes data in Ireland (EU). No transfer outside the EEA.
• Anthropic — Claude Vision for item classification and Claude for price + outfit reasoning. Processes data in the United States. Transfer safeguard: Standard Contractual Clauses, plus Anthropic's API default of not training on customer inputs.
• Google AI Studio (Gemini) — parallel classification used alongside Claude. Processes data in the United States. Transfer safeguard: Standard Contractual Clauses.
• Google Cloud Vision — label and text detection used alongside Claude. Region pinning to the EU is configured where supported by the API. Transfer safeguard: Standard Contractual Clauses for any traffic that egresses the EU.
• OpenAI — text-embedding model only (no inference, no image data). Processes data in the United States. Transfer safeguard: Standard Contractual Clauses, plus OpenAI's API default of not training on customer inputs.
• Vercel — hosting for juunam.ai (the marketing site and web vault). Processes data on a global edge network with regional caching; EU regions are preferred for primary workloads. Transfer safeguard: Standard Contractual Clauses and the Vercel DPA.

We may disclose data to a competent authority if compelled by a lawful order, or where necessary to protect our rights, our users, or the public from clear harm. We push back on requests that overreach.

Some of the sub-processors above may process personal data outside the European Economic Area. Where that happens, we rely on one of the safeguards permitted under Chapter V GDPR:

• an adequacy decision by the European Commission (the destination country offers an essentially equivalent level of protection), or
• the European Commission’s Standard Contractual Clauses (SCCs), together with any supplementary technical and organisational measures the specific transfer requires.

The destinations outside the EEA are the United States(Anthropic, Google AI Studio, Google Cloud Vision egress, OpenAI, Vercel edge for some routes) and, in the case of Google Cloud Vision and Vercel, other regions in their global edge networks where region pinning is not yet configured. The safeguard for each is the European Commission's Standard Contractual Clauses (Decision 2021/914), together with the technical and organisational supplementary measures described in the relevant sub-processor's Data Processing Agreement. Where the destination is covered by the EU–US Data Privacy Framework adequacy decision (Decision 2023/1795), that adequacy decision supplements the SCCs.

[TO CONFIRM: Transfer Impact Assessments per US sub-processor (Anthropic, Google AI Studio, Google Cloud Vision, OpenAI, Vercel) — template in the repo at docs/legal/TIA-template.md; instances to be drafted or commissioned per provider.]

You can ask for a copy of the safeguards by writing to privacy@juunam.com. We will respond within one month.

We keep personal data only for as long as we need it for the purpose it was collected for, then delete or anonymise. The windows below describe what that means for each category.

Account data

For as long as your account is active. When you delete your account, the auth record, profile, and items linked to it are removed immediately by a cascade. Backups containing the data are retained for up to 30 days before being purged on the standard rolling schedule.

Inputs and inference outputs (your items, descriptions, suggestions)

Kept with your account so you can see your own history. Hard-deleted when the item or the account is deleted; backup purge follows the same 30-day window as above.

Inference logs (provenance)

Retained for 12 months from generation, then anonymised in place — we keep the model version, a hash of the input, and the timestamp, and we null the payload — so the provenance signal survives while you no longer do.

Provider raw responses

The raw response from each upstream model provider for an inference (used for debugging classification quality) is retained for 90 days, then hard-deleted.

Inputs used for pricing personalisation (opt-in only)

Kept for as long as your consent is on. If you withdraw consent, your existing inputs are excluded from the next training cycle and hard-deleted from the training set within 30 days. (Pricing personalisation is not yet available; this window applies when the feature ships.)

Technical metadata and security logs

Retained for 90 days for security, abuse prevention, and debugging, then deleted or aggregated.

Records required by law

Where a law requires us to keep something (tax, accounting, response to a competent authority), we keep it for that period and no longer.

Under the GDPR you have the rights below. They apply free of charge in most cases. We respond within one month, extendable by up to two further months for complex requests (with notice).

• Access (Article 15) — get a copy of the personal data we hold about you and information about how we are using it.
• Rectification (Article 16) — correct anything inaccurate or incomplete.
• Erasure (Article 17)— have your data deleted, sometimes called “the right to be forgotten,” subject to the limited exceptions in the GDPR.
• Restriction (Article 18) — ask us to limit processing while we resolve an issue, for example while we check a rectification request.
• Portability (Article 20) — receive your data in a structured, commonly used, machine-readable format, or have us transmit it directly to another controller where technically feasible.
• Objection (Article 21) — object to processing based on our legitimate interests, including any profiling carried out on that basis. We will stop unless we can show compelling legitimate grounds that override your interests, or the processing is needed for legal claims.
• Withdraw consent (Article 7(3)) — for the pricing personalisation opt-in, withdraw at any time from the same surface where you gave consent. Withdrawal does not affect the lawfulness of processing done before you withdrew.

To exercise any of these, email privacy@juunam.com or use the controls in your profile and settings. To delete your account directly, see how to delete your account. We may ask you to verify your identity for sensitive requests.

If you think we have mishandled your personal data, you have the right under Article 77 GDPR to lodge a complaint with a supervisory authority in the EEA — usually the one in the country where you live, where you work, or where the alleged infringement happened.

Our lead supervisory authority is the Commission nationale pour la protection des données (CNPD), based on the controller's main establishment in Luxembourg:

We would rather hear from you first and try to fix the issue — but you do not have to contact us before going to a supervisory authority. That is your right either way.

We use only the cookies needed to keep you signed in and to operate the site. No advertising cookies. No third-party trackers. The cookies page lists each cookie and what it does.

All cookies in use are strictly necessary under the ePrivacy Directive and therefore do not require prior consent. We do not run a consent banner because we do not set any cookie that would require one. If that ever changes, we will publish a consent mechanism before the change takes effect.

We do not run advertising. We do not share your data with ad networks. We do not sell your personal data — in any meaning of the word “sell.” We do not pass anything to data brokers. None of this is hedged.

Some data is required, some is not.

• Account data is a contractual requirement. Without it we cannot sign you in or hold your settings.
• Inputs (photos, descriptions) are a contractual requirement for the specific purpose of getting a classification or a price suggestion. You cannot receive a suggestion without submitting something to classify.
• Technical metadata is sent automatically by your browser or app, and we cannot operate the service without it.
• Pricing personalisation is not required. Refusing it does not affect your use of the service. You will receive standard suggestions instead of personalised ones.

We update this notice from time to time. The date at the top tells you when we last changed it.

If the change is material — different purposes, different categories of recipients, new transfers outside the EEA, changes to retention, anything else that affects your rights — we will notify you in-product before it takes effect, and where the change requires it we will ask for fresh consent. Minor edits (typos, clarifications) we publish without notice.

Privacy questions, data-subject requests, and complaints: privacy@juunam.com.

General product or business questions: hello@juunam.com.

Controller: Juunam AI (in formation — Grand Duchy of Luxembourg). Until entity registration completes at the Registre de Commerce et des Sociétés (RCS Luxembourg), the founder Frederik Frieg acts as controller in a personal capacity.

[TO CONFIRM: Full registered entity name, RCS Luxembourg number, and registered address — to be inserted once entity registration completes.]

EU representative under Article 27 GDPR: not applicable (controller established in the EEA). Data Protection Officer: not appointed; see Who we are for the Article 37 reasoning.