skip to main content
pirumi
sign in
legal

privacy

effective 9 July 2026

This policy explains what personal data RYVESA LTD (“Pirumi”, “we”, “us”) collects when you use pirumi.cy and our iOS app, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and Cyprus Law 125(I)/2018. We are the data controller.

who we are

RYVESA LTD

Terpsichoris 15, ELEFTHERIOU HILL RESIDENCE, Flat/Office 202, 2102 Aglantzia, Nicosia, Cyprus

Registration number: HE489886

Data-protection contact: privacy@pirumi.cy

General contact: contact@pirumi.cy

We are not legally required to appoint a Data Protection Officer, but you can reach our data-protection contact above for any privacy question.

the short version

We only store what we need to run your account, complete your orders and pay creators. We use product analytics only if you opt in, we do not track you across the web, we do not run advertising, we do not build advertising profiles, and we never sell your personal data. You can access or delete your data at any time.

what we collect and why

  • Account details — your email, username, display name and profile picture, managed through our sign-in provider (Clerk), so you can log in and be identified on the platform.
  • Creator application data — your bio, motivation and snapshots of the public social accounts you connect for verification, so we can review and approve creators.
  • Order and payment data — the request brief, an optional first name to be used in the video, prices, and the payment records and billing country needed to charge you, issue a VAT invoice and pay the creator. Card details are handled entirely by Stripe and never reach our servers.
  • Videos and thumbnails — the video a creator makes for you and its metadata (via Mux), and listing thumbnails (via Cloudflare), so we can deliver and display them.
  • Messages — the chat between a buyer and a creator, so you can discuss an order.
  • Reports — the content and message reports you submit, so we can moderate the platform.
  • Push tokens — if you use our iOS app and opt in, a device token so we can send you notifications.

our legal bases

We rely on the following legal bases under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — running your account, processing orders and payments, delivering videos, and enabling buyer↔creator messaging.
  • Legal obligation (Art. 6(1)(c)) — verifying creator identity for payouts (KYC/AML via Stripe) and keeping tax and accounting records.
  • Legitimate interests (Art. 6(1)(f)) — keeping the platform safe and working: fraud prevention, security, content moderation, and error and crash monitoring (Sentry) so we can fix problems. Error monitoring sets no cookies and is scrubbed of personal detail. We balance these against your rights, keep the data involved to a minimum, and you can object at any time at privacy@pirumi.cy.
  • Consent (Art. 6(1)(a)) — product analytics (PostHog), push notifications, and optional creator verification via TikTok. You can withdraw consent at any time.

what we deliberately don’t do

  • We do not store your IP address for analytics or error reports.
  • We use product analytics (PostHog) only if you opt in — never by default, and never to track you across other sites.
  • We run no advertising and set no ad cookies.
  • We do not build advertising profiles or make automated decisions that legally affect you.
  • We never sell or rent your personal data.

analytics and error monitoring

Analytics (only with your consent). If you opt in, we use PostHog — hosted in the EU — to understand how the site is used, for example which pages and steps people reach, so we can improve it. Analytics is off by default and loads nothing until you agree. We do not record your screen or sessions, we do not capture your keystrokes, and we strip identifiers from the pages you visit. You can withdraw consent at any time via the “cookies” link in the footer, and capture stops immediately.

Error monitoring. We use Sentry — with EU data residency — to record technical errors and crashes so we can keep the site working. This runs on our legitimate interest in a secure, functioning service. It sets no cookies, does not store your IP address, and we remove personal detail (cookies, headers and identifiers) before an error report is sent. You can object at any time at privacy@pirumi.cy.

who we share data with

We share data only with the service providers that help us run Pirumi, each acting on our instructions under a data-processing agreement:

  • ClerkAccount sign-in, identity and session management.
    Location: United States · Safeguard: EU–US Data Privacy Framework / Standard Contractual Clauses
  • StripeCard payments, creator payouts (Stripe Connect), VAT calculation, invoicing and creator identity verification.
    Location: European Union & United States · Safeguard: EU–US Data Privacy Framework / Standard Contractual Clauses; PCI-DSS
  • MuxVideo encoding, storage and streaming.
    Location: United States (global content-delivery network) · Safeguard: EU–US Data Privacy Framework / Standard Contractual Clauses
  • ResendTransactional email delivery.
    Location: European Union (Frankfurt) · Safeguard: Processed within the EEA
  • CloudflareThumbnail storage (R2) and image delivery.
    Location: European Union / global edge network · Safeguard: Standard Contractual Clauses where applicable
  • ConvexOur application database and backend.
    Location: United States / European Union · Safeguard: EU–US Data Privacy Framework / Standard Contractual Clauses
  • PostHogProduct analytics — only if you opt in to analytics cookies.
    Location: European Union (Frankfurt, PostHog Cloud EU) · Safeguard: Processed within the EU; no session recording
  • SentryApplication error and crash monitoring, to keep the site working.
    Location: European Union (Frankfurt) · Safeguard: EU data residency; no cookies, IP or session replay, data minimised
  • Firebase Cloud Messaging (Google)Push notifications to our iOS app.
    Location: United States / European Union · Safeguard: EU–US Data Privacy Framework / Standard Contractual Clauses
  • YouTube / Twitch / TikTok (OAuth)Optional verification of a creator’s public social account.
    Location: United States (Google, Twitch) / China (TikTok) · Safeguard: DPF / SCCs; for TikTok, Standard Contractual Clauses and your explicit consent (see “sending data outside the EEA”)
  • VercelWebsite hosting and delivery.
    Location: United States / European Union · Safeguard: EU–US Data Privacy Framework / Standard Contractual Clauses
  • European Central BankDaily currency reference rates (no personal data).
    Location: European Union · Safeguard: No personal data transferred

We also use Svix to verify incoming webhooks; it processes data only in memory and stores nothing.

sending data outside the EEA

Some of our providers are based outside the European Economic Area, including in the United States. For those transfers we rely on the European Commission’s EU–US Data Privacy Framework adequacy decision where the provider is certified, and on Standard Contractual Clauses otherwise, so your data keeps a level of protection comparable to the EU’s.

TikTok verification. If, as a creator, you choose to verify your identity using TikTok, some of your public profile data may be processed in China, which has no EU adequacy decision. We rely on Standard Contractual Clauses for this transfer, but Chinese law may give authorities access to data in ways that differ from the EU. TikTok verification is optional — you can verify with YouTube or Twitch instead — and we ask for your explicit consent before using it.

how long we keep data

  • Chat messagesDeleted after 12 months of conversation inactivity.
  • iOS push device tokensDeleted after 90 days without use.
  • Downloadable video filesRemoved 30 days after generation (regenerated on demand).
  • Email delivery logsDeleted within 1–4 weeks.
  • Error reports (Sentry)Deleted after 90 days.
  • Analytics events (PostHog)Deleted after 12 months; capture stops immediately if you withdraw consent.
  • Payment, invoice and tax recordsKept for about 7 years to meet Cyprus tax and accounting law.
  • Account and order dataErased or anonymised when you delete your account (subject to the tax-record exception above).

your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you and get a copy;
  • correct data that is wrong or incomplete;
  • have your data erased (“right to be forgotten”);
  • restrict or object to certain processing;
  • receive your data in a portable, machine-readable format;
  • withdraw any consent you have given, without affecting past processing.

You can export your data and delete your account from your account settings, or contact privacy@pirumi.cy. We respond within one month. When you delete your account we erase or anonymise your data across our systems, except records we must keep for tax and accounting law.

cookies and local storage

We use two kinds of cookies and local storage: strictly necessary ones, which are always on, and product-analytics ones, which are set only if you opt in. The strictly necessary ones are essential to the service and do not require consent under Cyprus Law 112(I)/2004; the analytics ones are only set after you agree, and you can withdraw at any time via the “cookies” link in the footer. They are:

  • sign-in and session cookies (set by Clerk) that keep you logged in;
  • checkout state used by Stripe during payment;
  • a small cookie that caches your avatar, and local storage for your theme and your consent choice;
  • if you opt in, analytics storage set by PostHog to measure how the site is used — removed if you withdraw consent.

Push notifications in the iOS app are separate and are only sent if you opt in; you can turn them off at any time in your device or app settings.

sensitive information in messages

Chat messages and briefs could contain sensitive personal data (for example about health or beliefs). We apply the same encryption and access controls to all messages and do not use their content for profiling. Please share sensitive information only where it is needed for your order.

age

Pirumi is only for people aged 18 or over. For data-protection purposes, the minimum age of digital consent in Cyprus is 14 (GDPR Article 8, as implemented by Law 125(I)/2018); it may differ in other EU countries. We do not knowingly process the data of anyone below these ages.

how we keep data secure

Data is encrypted in transit (TLS) and at rest. Videos are served through short-lived signed links (valid for about six hours) so only the buyer, the creator and our moderators can view them. If a data breach is likely to put your rights at risk, we will notify the Cyprus supervisory authority within 72 hours and inform you where required.

complaints

If you think we have mishandled your data, please contact us first at privacy@pirumi.cy. You also have the right to lodge a complaint with the Cyprus supervisory authority:

Office of the Commissioner for Personal Data Protection
15 Kypranoros Street, 1061 Nicosia, Cyprus
+357 22 818 456 · commissioner@dataprotection.gov.cy
dataprotection.gov.cy

changes to this policy

If we make material changes we will update this page and, where appropriate, let you know. The date at the top shows when this version took effect.