Thank you for choosing to be part of our community at Roast ("Company," "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this privacy notice or our practices with regard to your personal information, please contact us at .

This privacy notice describes how we might use your information if you:

• Visit our website at
• Use our mobile application
• Engage with us in other related ways — including any sales, marketing, or events

In this privacy notice, if we refer to:

• "Website" — any website of ours that references or links to this policy
• "App" — our mobile application available on iOS and Android
• "Services" — our Website, App, and other related services, including any sales, marketing, or events

Please read this privacy notice carefully, as it will help you understand what we do with the information that we collect.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. FACE DATA POLICY
3. HOW DO WE USE YOUR INFORMATION?
4. WILL YOUR INFORMATION BE SHARED WITH ANYONE?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
7. HOW LONG DO WE KEEP YOUR INFORMATION?
8. HOW DO WE KEEP YOUR INFORMATION SAFE?
9. DO WE COLLECT INFORMATION FROM MINORS?
10. WHAT ARE YOUR PRIVACY RIGHTS?
11. CONTROLS FOR DO-NOT-TRACK FEATURES
12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
13. DO WE MAKE UPDATES TO THIS NOTICE?
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
15. HOW CAN YOU REVIEW, UPDATE OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register on the Website or App, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Website or App, or otherwise when you contact us.

The personal information we collect may include the following:

Personal Information Provided by You. We collect names; ages; profile pictures; email addresses; usernames; passwords; contact preferences; contact or authentication data; billing addresses; and other similar information.

Face Data. When you use our AI Photoshoot feature, we collect photographs and facial images that you voluntarily upload or capture via your device camera. Please refer to Section 2 (Face Data Policy) for complete details on how we collect, use, store, share, and retain this data.

Payment Data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number (such as a credit card number), and the security code associated with your payment instrument. All payment data is stored by Stripe. You may find their privacy notice here: .

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details. If you choose to register in this way, we will collect the information described in Section 6 (How Do We Handle Your Social Logins?).

All personal information that you provide to us must be true, complete and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

We automatically collect certain information when you visit, use or navigate the Website or App. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and information about how and when you use our Services.

The information we collect includes:

Log and Usage Data. Service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our Services, including your IP address, device information, browser type and settings, and information about your activity.

Device Data. Information about your computer, phone, tablet or other device you use to access the Services, including your IP address, device and application identification numbers, location, browser type, hardware model, internet service provider and/or mobile carrier, operating system and system configuration information.

Location Data. Information about your device's location, which can be either precise or imprecise, collected via GPS and other technologies based on your device settings. You can opt out by disabling your Location setting on your device.

2. FACE DATA POLICY

Because our AI Photoshoot feature relies on facial image processing, we treat your Face Data with the highest level of care and security. This section provides complete information about our face data practices in compliance with applicable privacy laws and platform requirements.

2.1 What Face Data We Collect

We collect photographs and facial images only when you actively use our AI Photoshoot feature — either by uploading a photo from your device's photo library or by capturing a photo using your device's camera. We do not collect face data passively, automatically, or without your active initiation.

We do not use Apple's depth-mapping, Face ID, ARKit facial mapping APIs, or any system-level biometric APIs. Face data is collected solely through standard camera or photo library access with your explicit consent.

2.2 How We Use Face Data

We use your Face Data exclusively for the following purposes:

• To generate AI-enhanced photographs as part of the AI Photoshoot feature you have purchased
• To process your images through AI models to produce the output photos you requested
• To deliver the completed AI Photoshoot results to you within the App

We do not use your Face Data for advertising, marketing, user profiling, or any purpose beyond delivering the AI Photoshoot service you have requested.

2.3 Third-Party Sharing of Face Data

To generate your AI Photoshoot results, your facial images are processed by the following third-party AI providers. Face Data is shared with these providers solely to generate your requested output and for no other purpose.

Fal AI

• Purpose: AI image generation and processing to produce your AI Photoshoot results
• Data shared: Facial photographs you upload or capture
• Retention by Fal AI: Images are processed transiently for the purpose of generation and are not retained by Fal AI after processing is complete
• Location: United States

Google Gemini (Vertex AI)

• Purpose: AI-assisted image analysis and enhancement as part of the photoshoot generation pipeline
• Data shared: Facial photographs you upload or capture
• Retention by Google: Google Vertex AI does not retain your face data beyond the processing period. Customer data sent to Vertex AI for prediction requests is not used to train or improve Google's models and is deleted after processing
• Location: United States and other Google Cloud regions

ROAST Proprietary AI Models

• Purpose: Additional image processing and quality enhancement steps in the AI Photoshoot pipeline, operated entirely by ROAST
• Data shared: Facial photographs you upload or capture
• Retention: Subject to the retention terms described in Section 2.5 below
• Location: Europe (AWS S3, EU region)

We have contractual agreements in place with our third-party AI providers that prohibit them from using your Face Data to train general public models or for any purpose other than processing your specific request.

We do not share your Face Data with advertising networks, data brokers, or any third party for commercial or marketing purposes.

2.4 Where Face Data is Stored

Your facial images and AI Photoshoot output are stored in AWS S3 in the European Union (EU region). Data is encrypted in transit (HTTPS/TLS) and at rest (AES-256 encryption). Access is restricted to authorized systems and personnel only.

2.5 How Long We Retain Face Data

We retain your Face Data for 90 days (three months) from the date of upload, or until you delete your account — whichever comes first.

This retention period is chosen to:

• Allow you to download and access your completed AI Photoshoot results within a reasonable window
• Enable customer support to assist with any issues relating to your order
• Balance service utility with privacy protection by not retaining data indefinitely

After 90 days, your Face Data is automatically and permanently deleted from our systems and from AWS S3.

2.6 Deletion of Face Data

Automatic deletion: Face Data is automatically deleted 90 days from the date of upload.

Account deletion: If you delete your account via the App or by contacting us, all of your Face Data (including images stored on AWS S3) is immediately scheduled for permanent deletion from all our systems.

Manual deletion: You may request deletion of your Face Data at any time by contacting us at .

2.7 Where This Information Appears in This Privacy Policy

This Section 2 constitutes the complete face data policy for ROAST. The relevant subsections are:

• Collection and purpose: Section 2.1 and 2.2
• Third-party sharing: Section 2.3
• Storage location: Section 2.4
• Retention period: Section 2.5
• Deletion: Section 2.6

3. HOW DO WE USE YOUR INFORMATION?

We use personal information collected via our Services for a variety of business purposes described below. We process your personal information in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations.

We use the information we collect or receive to:

• Facilitate account creation and logon process
• Post testimonials with your prior consent
• Request feedback about your use of our Services
• Enable user-to-user communications with each user's consent
• Manage user accounts and keep them in working order
• Send administrative information such as product, service, and new feature information and changes to our terms, conditions, and policies
• Protect our Services through fraud monitoring and prevention
• Enforce our terms, conditions and policies and comply with legal and regulatory requirements
• Respond to legal requests and prevent harm
• Fulfill and manage your orders, payments, returns, and exchanges
• Deliver and facilitate delivery of services to you
• Respond to user inquiries and offer support
• Send marketing and promotional communications in accordance with your marketing preferences (you may opt out at any time)
• Deliver targeted advertising tailored to your interests and/or location

4. WILL YOUR INFORMATION BE SHARED WITH ANYONE?

We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.

We may process or share your data based on the following legal bases: Consent; Legitimate Interests; Performance of a Contract; Legal Obligations; and Vital Interests.

More specifically, we may share your personal information in the following situations:

Face Data: See Section 2.3 above for complete details on how Face Data is shared with Fal AI, Google Gemini, and ROAST's proprietary AI models.

Business Transfers. We may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business.

Affiliates. We may share your information with our affiliates, who are required to honor this privacy notice.

Business Partners. We may share your information with our business partners to offer you certain products, services or promotions.

Roast has not disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months. Roast will not sell personal information belonging to website visitors, users and other consumers.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice: .

6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

Our Website and App offer you the ability to register and login using your third-party social media account details (like your Facebook or Twitter logins). Where you choose to do this, we will receive certain profile information about you from your social media provider, which may include your name, email address, friends list, and profile picture.

We will use the information we receive only for the purposes described in this privacy notice. We are not responsible for other uses of your personal information by your third-party social media provider.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law.

Face Data is retained for 90 days from the date of upload or until account deletion, whichever comes first. See Section 2.5 for full details.

General account data is retained for no longer than twelve (12) months past the termination of the user's account.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or securely store it and isolate it from any further processing until deletion is possible.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process, including:

• Encryption of data in transit (HTTPS/TLS) and at rest (AES-256)
• Restricted access controls to personal data and Face Data
• Secure EU-based cloud storage (AWS S3, EU region)

However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. Transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

9. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at .

10. WHAT ARE YOUR PRIVACY RIGHTS?

In some regions (like the EEA and UK), you have certain rights under applicable data protection laws, including the right to:

• Request access and obtain a copy of your personal information
• Request rectification or erasure of your personal information
• Restrict the processing of your personal information
• Data portability (where applicable)
• Object to the processing of your personal information

To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.

If you are a resident in the EEA or UK and believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority: .

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account, or contact us using the contact information provided.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases, including all Face Data as described in Section 2.6. We may retain some information in our files to prevent fraud, troubleshoot problems, enforce our Terms of Use, and/or comply with applicable legal requirements.

Opting out of email marketing: You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link in our emails or by contacting us at .

11. CONTROLS FOR DO-NOT-TRACK FEATURES

We do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online, as no uniform technology standard for recognizing and implementing DNT signals has been finalized. If a standard is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

Yes. California Civil Code Section 1798.83 (the "Shine The Light" law) permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes.

Categories of personal information collected in the past 12 months:

CategoryCollected

A. Identifiers (name, email, IP address, etc.)

YES

B. Personal information (California Customer Records statute)

YES

C. Protected classification characteristics (gender, date of birth)

YES

D. Commercial information (purchase history, financial details)

YES

E. Biometric information

NO

F. Internet or network activity

NO

G. Geolocation data

YES

H. Audio, electronic, visual information

YES (facial images for AI Photoshoot)

I. Professional or employment-related information

NO

J. Education information

NO

K. Inferences drawn from personal information

NO

Your rights with respect to your personal data:

• Right to request deletion of your personal data
• Right to be informed about what data we collect and how we use it
• Right to non-discrimination for exercising your privacy rights
• Right to opt-out from future selling of your personal information (we do not sell personal information)

To exercise these rights, contact us at .

13. DO WE MAKE UPDATES TO THIS NOTICE?

Yes, we will update this notice as necessary to stay compliant with relevant laws. The updated version will be indicated by an updated "Last updated" date and will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may contact us at:

ROAST 33 bis rue Doudeauville Paris 75018 France

Email:

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information (including Face Data), please submit a request at .