Privacy Policy
Last updated: 4 June 2026
This Privacy Policy (the “Policy”) sets out how personal data of users of the website located at https://lora.pro and any related services (collectively, the “Service”) provided by the lora.pro team (the “Operator”) is processed and protected.
The Policy is adopted to comply with Russian Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (“Law No. 152-FZ”) and, to the extent applicable to users in the European Economic Area, with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”).
By using the Service the user (the “Data Subject”) confirms that they have read this Policy and, where required by law, consents to the processing of their personal data on the terms set out below. If the Data Subject disagrees with the Policy, they should refrain from using the Service.
The Policy applies together with the Terms of Service and the Cookie Policy. In case of conflict regarding the processing of personal data, this Policy prevails.
1. Definitions
- Personal data — any information relating to a directly or indirectly identified or identifiable natural person (the Data Subject).
- Processing — any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, use, transfer and erasure.
- Operator — the person who, alone or jointly with others, organises and/or carries out the processing of personal data and determines its purposes and the categories of data processed.
- Cross-border transfer — transfer of personal data to the territory of a foreign state, to a foreign authority, individual or legal entity.
2. Legal bases for processing
The Operator processes personal data on the following legal bases:
- the Data Subject’s consent (Art. 6(1)(1) of Law No. 152-FZ; Art. 6(1)(a) GDPR);
- performance of a contract to which the Data Subject is a party — provision of the Service (Art. 6(1)(5) of Law No. 152-FZ; Art. 6(1)(b) GDPR);
- compliance with the Operator’s legal obligations, including tax and accounting requirements (Art. 6(1)(c) GDPR);
- the Operator’s legitimate interests in keeping the Service operational and secure and in preventing abuse and fraud, to the extent these do not override the Data Subject’s rights (Art. 6(1)(f) GDPR).
3. Categories of data processed
The Operator processes the following categories of data:
- messenger account identifiers used to access the Service (Telegram ID, MAX ID), username and the selected interface language;
- images voluntarily uploaded by the Data Subject for processing and the resulting generations;
- payment information: the fact, amount, date, currency and status of a transaction, and the token balance. Full bank-card details are not transferred to or stored by the Operator — they are processed by the payment provider;
- technical data: IP address, device and software information, cookies and Local Storage data, and Service access logs;
- the content of the Data Subject’s support requests and related information.
The Operator does not request or deliberately process special categories of personal data (concerning racial or ethnic origin, political opinions, religious beliefs, health or sex life), except where such information is voluntarily included by the Data Subject in the uploaded materials at their own discretion.
4. Processing of images. Biometric data
Images uploaded by the Data Subject are processed solely to perform the requested generation (transformation, stylisation, image editing and other Service functions).
- The Operator does not use uploaded images to establish the Data Subject’s identity and does not create biometric templates for the purpose of identifying a natural person.
- The Operator does not transfer uploaded images to any state information system, including the Unified Biometric System.
- The Operator does not use uploaded images to train its own neural-network models.
Because images are processed without the aim of establishing identity, the Operator does not treat them as biometric personal data within the meaning of Article 11 of Law No. 152-FZ. The Data Subject is responsible for having a legal basis to upload images containing information about third parties.
5. Purposes of processing
- registration, authentication and provision of access to the Service;
- provision of generation features and delivery of results to the Data Subject;
- settlement, token-balance accounting and notification of transaction status;
- technical support and handling of requests;
- ensuring the security of the Service and preventing abuse and violations;
- compliance with applicable law.
6. Retention periods
The Operator retains personal data no longer than the processing purposes require, unless a different period is established by law. The following periods apply:
- source images uploaded for processing — up to thirty days;
- generation results not marked as public — up to six months;
- results published in the gallery and the related prompts — indefinitely, until removed by the Data Subject or the Operator;
- system logs and payment records — for the periods established by applicable law.
Upon deletion of the account or a particular generation the related files and metadata are permanently deleted, except for information whose retention is required by law.
7. Third-party sharing and cross-border transfer
To operate the Service the Operator engages third parties acting as processors on its behalf and to the extent necessary to provide the Service:
- cloud-infrastructure and automated image-processing providers (including FAL and Amazon Web Services);
- payment providers (including YooKassa) — to the extent necessary to carry out and confirm a payment;
- messenger providers (Telegram, MAX) — to the extent necessary to deliver messages and generation results.
Some of these parties may be located outside the Russian Federation, so the processing involves cross-border transfer of data. The Operator carries out such transfer provided that the receiving party ensures an adequate level of protection of the rights of data subjects, or on the basis of the Data Subject’s consent. Personal data is not transferred for other purposes or to other parties, except as provided by law, including lawful requests from competent authorities.
8. Cookies and similar technologies
The Service uses cookies and Local Storage to support authentication, store user settings and process payments. Details of the cookies used are set out in the Cookie Policy.
9. Data protection measures
The Operator applies legal, organisational and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, copying and dissemination, including restricting staff access, encrypting the data transmission channel (TLS), storing data in secure infrastructure and segregating access rights. Despite these measures, transmission of data over public communication networks cannot be guaranteed to be secure, and the Data Subject acknowledges the related risks.
10. Rights of the Data Subject
The Data Subject has the right to:
- obtain information about the processing of their personal data and confirmation that such processing takes place;
- require the rectification, blocking or erasure of data that is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose;
- withdraw consent to the processing of personal data previously given;
- for data subjects in the European Economic Area — exercise the GDPR rights of access, rectification, erasure, restriction of processing, data portability and objection to processing;
- lodge a complaint against the Operator’s acts or omissions with the supervisory authority for the protection of data subjects’ rights (in the Russian Federation — Roskomnadzor) or before a court.
Requests to exercise these rights are sent to support@lora.pro. The Operator reviews the request and responds within the periods established by applicable law.
11. Processing of minors’ data
The Service is intended for individuals who are at least eighteen years of age. The Operator does not deliberately collect the personal data of individuals below this age. Where such data is found to be processed without a proper legal basis, it is deleted.
12. Automated decision-making
The Operator does not make any decisions in respect of the Data Subject that produce legal effects concerning them or similarly significantly affect their rights and legitimate interests based solely on automated processing of personal data.
13. Changes to the Policy
The Operator may amend this Policy. The new version takes effect upon publication at lora.pro/privacy, unless the new version provides otherwise. The date of the last update is shown at the top of the document.
14. Contact information
Questions about the processing of personal data and requests to exercise rights: support@lora.pro. Copyright matters: copyright@lora.pro.