Privacy policy
Last updated 6 May 2026
About Maison Zola
Maison Zola is a digital service operated by BETTERGROUP HOLDING INC, governed by United States and Delaware law. This privacy policy applies to maison-zola.com and any related Maison Zola surface.
Controller and representatives
Data controller: BETTERGROUP HOLDING INC
Privacy contact: gdpr@bettergroup.io
Registered office: 1111B S Governors Ave, STE 37790, Dover, Delaware 19904, United States
EU representative (GDPR Article 27): Ria Pardeep, ria@workstreet.com
UK representative (UK GDPR Article 27): Daniel June, daniel@workstreet.com
1. Scope and definitions
This policy applies to Maison Zola, its employees, and contractors. A designated Privacy Manager oversees compliance and is involved in projects at early stages.
Key definitions:
- Personal data: information relating to an identified or identifiable person
- Processing: any operation or set of operations performed on personal data
- Data subject: a natural person whose data is processed
- Data breach: breach of security or confidentiality leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data
- Data controller: the entity determining purposes and means of processing
- Data processor: the entity processing data on behalf of the controller
2. Data processing principles
Processing follows the principles of lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and confidentiality, integrity, and availability. We apply appropriate security to personal data.
We demonstrate accountability through:
- Appointment of a data-protection-responsible person
- Data Processing Impact Assessments where required
- Developed policies and procedures
- Staff training on compliance
- Assessment and implementation of technical and organisational measures
- Maintenance of processing-activity records
3. Access to personal data, legal grounds and purposes
Legal grounds for processing. One of the following lawful bases applies to every processing activity:
- Performance of contract: where a contract requires personal data
- Consent: freely given, active, with clearly articulated purposes; evidence retained
- Legitimate interests: business-justified purposes including marketing analysis
- Legal compliance: required by EU or member-state laws
Access to personal data. Employees access data on a strict need-to-know basis only, under confidentiality. Suspicious activity or breaches must be reported to the Privacy Manager.
4. Third parties
The Privacy Manager ensures third parties have adequate data protection levels. Sharing requires manager prescription and Records documentation. Maison Zola ensures third parties comply with deletion or change requests.
5. International transfers
For transfers outside the EEA, the Privacy Manager ensures the necessary safeguards under data-protection laws. Data subjects are informed of transfers and the safeguards in place.
UK transfers: the UK Addendum to the EU Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA) is used.
6. Rights of data subjects
The Privacy Manager handles all data-subject requests. Address requests to gdpr@bettergroup.io. Response deadline is one month, extendable by two months with notification.
You have the right to:
- Be informed about collection and processing, including names, purposes, lawful basis, data categories, recipients, retention periods, and your rights
- Access your personal data and obtain disclosure on processing aspects, with a copy of the data
- Rectify inaccurate data
- Restrict processing when accuracy is contested, processing is believed unlawful, or objection is raised
- Withdraw consent for consent-based processing at any time; withdrawal does not affect prior lawful processing
- Object to processing based on legitimate interests, including direct marketing and research
- Erasure when data is no longer necessary, consent is withdrawn, processing is unlawful, or deletion is required by law
- Data portability in a machine-readable format, transferable to third parties, when data was collected for service provision or based on consent
Complaints: in the EU, file with your local data protection authority. In the UK, contact the Information Commissioner's Office (ICO).
Automated decision-making and profiling. Maison Zola does not make decisions based solely on automated processing that produce legal effects. Machine learning is used for AI inference (rendering portraits, scoring uploaded photos for print readiness) but does not determine rights or obligations.
Children's privacy. The service is not directed to children, and personal data from children is not knowingly collected. Contact gdpr@bettergroup.io if concerned.
7. New data-processing activities
Employees inform the Privacy Manager before introducing new data-processing activities. A Data Processing Impact Assessment (DPIA) is required when:
- Processing uses new technologies with legal or economic effects
- Personal aspects are systematically evaluated through automated profiling
- Sensitive data is processed on a large scale
- Data is collected from public sources on a large scale
- The Supervisory Authority requires it
8. Data retention
The Privacy Manager ensures clearly defined storage periods for each activity. On expiration, data is removed, including from backups.
For Maison Zola specifically:
- Uploaded source photographs: retained for up to 30 days after upload, then deleted. Earlier deletion on request.
- Generated portrait outputs: the three portraits we surface for each canvas you choose are retained while your account is active and deletable on request. Additional candidate paintings produced during our quality-selection step are scheduled for deletion within seconds of generation, with operational retries and a fallback cleanup sweep if a delete fails on first attempt.
- Order records and invoices: retained for 7 years to comply with Belgian and US tax law.
- Account data: stored while active, deleted within 90 days of an account-deletion request.
- Data location: primary storage in the EU; some processing may occur in the US. All data is encrypted in transit and at rest.
Exemptions. Retention may be extended by a maximum of 60 days if deletion would harm legitimate operations, with Privacy Manager approval. Once truly anonymised, data-protection laws no longer apply.
9. Data breach
Maison Zola reports data breaches to the competent Supervisory Authority within 72 hours. Affected data subjects are notified without undue delay where possible. The Privacy Manager maintains breach records including facts, effects, and remedial actions.
10. Trust and security
Live security posture, sub-processors, and certifications for BetterGroup — the parent company of Maison Zola — live at our Trust Center: trust.bettergroup.io.
11. Changes to this policy
We may modify this policy at any time, with notice on this page. Please check regularly. If you object to a change you must cease use and may request data removal.
Questions about this policy: gdpr@bettergroup.io.