Privacy Policy
Legal · Last updated July 2026
Plain language, no fine print games. Here is what we collect, how we use it, who processes it, and the control you keep over the product links, media, and ads you bring to the render room.
Who we are
Overlume is a vertical AI ad generator for e-commerce sellers, operated from the Netherlands. The service is operated by Ethernus, an incorporated partnership (VOF); Overlume is its trade name and the controller of the personal data described in this policy. Our full registered details are Ethernus (KvK 42102774, VAT NL869741548B01), Tagoreplaats 65, 3069 PB Rotterdam, the Netherlands. For any privacy question, or to exercise your rights, reach us at hello@ethernus.ai.
What we collect
We keep this to what the service actually needs:
- Account details you provide when you sign up, such as your name and email address.
- What you submit to build an ad, meaning the product links, images, and notes you bring into the render room.
- Generated outputs, meaning the finished ads and intermediate renders we produce for you.
- Live camera sessions, if you use Live: the feed is processed in real time and is not stored by us. The details live in the Live camera sessions section below.
- Operational telemetry, such as which features you use and the renders you create, so we can run, secure, and improve the service.
- Optional analytics, gathered through non-essential cookies and similar tools only if you accept them, so we can understand how the product is used.
- Billing metadata, such as your plan, invoices, and payment status. Payments are handled by a PCI compliant payment processor. We do not store full card numbers.
You do not have to give us this data, but we cannot create your account or generate ads without your account details and the product materials you submit.
How we use your data
To create the ads you request, to run and secure your account, to provide support, to bill you and manage your plan, to improve the product, and to meet our legal obligations.
Three promises we hold as principles, not fine print. We do not sell your personal data. We do not train AI models on your uploaded media or your finished ads, and we do not grant the model providers who process your renders any right to use your content to train theirs. And we never display, feature, or share your media or your ads publicly unless you have explicitly chosen to share them; if we ever offer a featured-content or reward program that shows your work, taking part will be strictly opt-in. Live camera sessions are the one exception to the training promise, and we spell it out under Live camera sessions below.
We do not use your data to make solely automated decisions that produce legal or similarly significant effects about you.
Legal bases
Under the GDPR we rely on: contract, to deliver the service and handle billing; legitimate interests, to secure the service, prevent fraud and abuse, and improve the product, balanced against your rights, which you can object to at any time as described in Your rights; consent, for optional analytics cookies and any optional communications, which you can withdraw at any time; and legal obligation, for tax, accounting, and lawful reporting.
AI subprocessors
Your uploads and renders are processed by our AI and compute subprocessors solely to produce your output. They act on our instructions under data processing terms, and they do not use your content for their own purposes, including training their models. We select providers on a zero-retention posture: your content passes through them to generate your render and is not kept by them beyond what processing and abuse prevention require under their terms. Long-term storage of your projects lives with us, under the Retention section below, where you can delete it. A current list of our subprocessors is available on request, and we will give notice before we add a new one. Where a subprocessor sits outside the European Economic Area, transfers are covered by appropriate safeguards, as described below. Live camera sessions run on a different posture, described in the next section.
Live camera sessions
Live is our realtime camera feature. When you start a Live session, your camera feed streams to our realtime video provider and comes back transformed frame by frame, so you can watch the result while you film.
We do not record or store the stream. On our side a session leaves only its billing record: which block you bought, how many seconds ran, and the refund for the seconds you did not use.
The realtime provider processes the feed under its own terms, and those terms allow it to retain what passes through and to use inputs and outputs to improve its models. That is a different posture than our render subprocessors, so we say it plainly: treat a Live session like filming with a third party's camera in the room, and keep anything out of frame that you would not share with a provider.
Your browser asks for camera permission before a session starts, the camera is active only during the session, and the feed stops when the session ends.
International transfers
We aim to keep processing within the EEA. Where a provider is located elsewhere, we put safeguards in place before data moves, meaning an adequacy decision, Standard Contractual Clauses, or another safeguard permitted under Article 46 of the GDPR, so your data carries the same protection with it. We will provide a copy of the relevant safeguard on request.
How we protect your data
We protect your data with encryption in transit, access controls that limit who can reach it, and a PCI compliant processor for payments. If a data breach ever puts your rights at risk, we will notify you and the relevant authority as required by law.
Retention
We keep your projects and renders while your account is active so you can return to them. You can delete a project at any time, and we remove the associated files when you do. You can ask us to delete your account, after which we remove your personal data, except where we must keep limited records to meet a legal obligation. Billing and tax records, for example, are kept for the period Dutch law requires, currently seven years.
We may also retain limited records needed to prevent fraud and abuse, such as the signals that let us detect duplicate free grant sign ups, for as long as that legitimate interest applies, so that our one free grant per person rule holds.
Your rights
Under the GDPR you can ask us to give you access to your personal data, correct it, delete it, export it to another service, restrict or object to certain processing, and withdraw a consent you have given. Send any request to hello@ethernus.ai, and we will respond within one month. For complex or numerous requests we may extend this by up to two further months, and we will tell you why if we do.
You have the right to lodge a complaint with a supervisory authority at any time, in the Netherlands the Autoriteit Persoonsgegevens. If you contact us first we will try to put it right, but that choice is entirely yours.
Cookies
We use a small set of cookies. Essential cookies for sign in, session, and security run without consent. Optional analytics cookies load only if you accept them. The full breakdown lives in our Cookie Policy.
Children
Overlume is a tool for businesses and is not directed to children. You must be 18 or older to use it, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has given us data, contact us and we will remove it and close the associated account.
Changes to this policy
If we change this policy we will update the date above, and for material changes we will give you notice in the product or by email before they take effect. Where a change requires your consent, we will ask you for it separately rather than assume it.
Contact
Questions about this policy, or about how we handle your data, can go to hello@ethernus.ai. You can also review our Terms.