Privacy Policy
Last updated: April 2026
Alrom Works (“we”, “our”) operates the ALROM Sign Maker application. This policy explains what personal data we collect, how we use it, who processes it on our behalf, and the rights you have over it under the GDPR and similar privacy laws.
What we collect
When you sign in with Google, we receive your name, email address, and profile picture. When you create a sign, we store the family name and apartment number you enter, the photo(s) you upload, the generated sign designs, and the material you choose. We also use a session cookie to keep you signed in. Vercel, acting as our processor through Speed Insights, also collects anonymous page-load metrics such as the route and URL viewed, country-level location, browser/device and network type, and Web Vitals attribution. For administrators only, we record in-app sessions (clicks, mouse movements, form input) to help diagnose bugs; regular users are not recorded. With your consent to analytics, we also use PostHog (EU region) as a processor for anonymized product-usage analytics (pages viewed, interactions, feature usage). For error monitoring we use Sentry (EU region) as a processor; error reports are collected to diagnose crashes and run on a legitimate-interest basis with personal data scrubbed before transmission.
How we use your data
We use your data only to run the service: authenticate you, generate and produce your sign, process and ship your order, and provide customer support. The lawful basis under the GDPR is performance of a contract (Art. 6(1)(b)) for order-related data, and consent (Art. 6(1)(a)) for administrator-only session recordings. We do not sell or rent your personal data, and we do not use it for advertising.
AI image processing
To turn your photos into silhouettes and compose them with your text into a finished sign, we send your uploaded images to OpenAI (image model) and Google Gemini via their APIs. Both are US-based processors with Data Processing Agreements in place. Images are transmitted over TLS, used only to generate your sign, and are not used to train the providers’ models (both have opt-out defaults for enterprise API traffic).
Where we store your data
Account, order, and design data is stored in Supabase (Postgres and object storage). Transactional emails are sent via Amazon Web Services (AWS SES). We retain uploaded photos only as long as we need them to fulfill your order and resolve any disputes; derivative silhouettes and sign images are kept with the order record for production and customer support. If you request account deletion, we remove all associated personal data promptly.
Cookies
We use one strictly necessary authentication cookie to keep you signed in, plus functional cookies (sign-maker-theme, sign-maker-locale, and, when enabled, sign-maker-dev) to remember your theme, language, and developer-mode preferences. We do not use advertising or tracking cookies and do not embed third-party analytics scripts on public pages without your consent. For performance monitoring we use Vercel Speed Insights, which collects anonymous page-load metrics (Core Web Vitals) without setting cookies or identifying individual visitors. Optional analytics (used only with your consent) is described below under ‘Your choices.’
Your choices
You can accept or reject optional analytics at any time. On your first visit you'll see a consent banner with the choice; you can also change it later from this page (a Reset choice link will appear when a choice is recorded). Rejecting analytics does not degrade the core sign-maker experience — it only prevents anonymous usage data from being collected. Strictly-necessary cookies (authentication, theme, language) remain regardless because they are required for the app to work.
Photos of other people
If the photo you upload shows other people, you confirm that you have permission from each identifiable person (or from a parent or guardian for minors) to submit that image for this purpose. If you appear in a photo someone else uploaded and you want it removed, contact us and we will delete it.
Your rights
Under the GDPR you can request access to the data we hold about you, correction of inaccurate data, deletion, restriction of processing, data portability, and objection to processing. Email us to exercise any of these rights. You can also revoke Google sign-in access at any time via your Google Account settings.
Contact
For privacy-related questions, or to exercise any of the rights above, email us at alrom.works@gmail.com