Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how Albert Poghosyan, Private Entrepreneur ("we", "us", "our") collects, uses, shares, and protects personal data when you use RoomHelm (the "Service"), including the marketing website. We act as the data controller for data we collect from you as a customer or visitor, and as a data processor for personal data of your participants that you submit through the Service.

Quick summary. We collect only what we need to run the Service and improve it. We don't sell your data. You can ask us to access, correct, or delete your data at any time by emailing albert@poghosyan.org.

1. Who we are

The data controller is:

Albert Poghosyan, Private Entrepreneur
10/4 Atoyan Street, apt. 13
Yerevan, 0075, Armenia
Email: albert@poghosyan.org

2. What personal data we collect

We collect the following categories of personal data:

Account data — name, email address, password (hashed), workspace name, role.
Billing data — billing name, country, last 4 digits of payment card, transaction history. Full payment card data is collected and stored by Stripe, not by us.
Customer Content — the content blocks, materials, session structures, and proposals you create.
Participant data — name, email, access token, and task submissions of participants you invite to cohorts. We process this on your behalf as your processor.
Communications — messages you send us (e.g., support emails), and our replies.
Usage and device data — IP address, browser type, device type, operating system, pages visited, actions taken, timestamps, referrer URL.
Cookies and similar technologies — see section 6.
Error and diagnostic data — exception traces, request metadata, and limited context captured when something goes wrong, via Sentry.

3. How we use personal data

To provide, operate, and maintain the Service (including authentication, session delivery, file storage).
To process subscription payments and prevent fraud.
To communicate with you about your account, security, updates, and support requests.
To improve the Service — analytics on usage patterns, performance, and error monitoring.
To send product announcements and marketing communications, only where you have opted in or where permitted by law. You can opt out at any time.
To comply with legal obligations and enforce our Terms.

4. Legal bases for processing (EEA/UK users)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

Contract — to perform the agreement with you (provide the Service, process payments, support).
Legitimate interests — to secure, improve, and analyse the Service, prevent fraud, and communicate operationally with you. We balance these interests against your rights.
Consent — for non-essential cookies, optional analytics, and marketing emails. You can withdraw consent at any time.
Legal obligation — when we must retain or disclose data to comply with the law (e.g., tax records).

5. How we share personal data

We do not sell your personal data. We share personal data only with:

Service providers (sub-processors) who help us operate the Service — see section 7.
Authorities when required by law, court order, or to protect rights, safety, or property.
In connection with a business transfer (merger, acquisition, restructuring), subject to confidentiality and to the protections of this Policy.

6. Cookies and tracking

We use cookies and similar technologies for:

Essential cookies — needed for sign-in, session management, and security. These are always on.
Analytics cookies — to understand usage and improve the Service (Google Analytics, Plausible). Where required by law, we ask for your consent before setting these.

You can manage cookies through your browser settings. Disabling essential cookies may break parts of the Service.

7. Third-party sub-processors

We use the following sub-processors to operate the Service. Each is contractually required to protect personal data and process it only on our instructions or as required by law.

Provider	Purpose	Data categories
Stripe	Subscription payment processing, fraud prevention, invoicing	Billing data, transaction metadata, IP address
Google Analytics	Aggregated usage analytics for the website	IP address (truncated), device and browser data, page interactions
Plausible	Privacy-focused, cookieless analytics	Aggregated page-view data, referrer, country-level location
Sentry	Error monitoring and performance diagnostics	Error traces, request metadata, IP address, browser data

These providers may process data outside Armenia and outside your country of residence (including the United States and the European Union). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or each provider's adequacy mechanisms.

8. Data retention

Account data — kept for as long as your Account is active, plus a reasonable period after cancellation to comply with legal and accounting obligations (typically up to 5 years).
Customer Content — kept for the duration of your subscription. After cancellation, you can request deletion or export. We may retain backups for a limited recovery window before they are overwritten.
Billing records — retained for the period required by applicable tax and accounting law.
Analytics and error logs — retained for limited periods set by each provider (typically 14 to 26 months).

9. Your rights

Depending on where you live, you may have the following rights regarding your personal data:

Access — get a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion of your data, subject to legal retention obligations.
Restriction — limit how we process your data in certain circumstances.
Objection — object to processing based on legitimate interests, or to direct marketing at any time.
Portability — receive your data in a structured, commonly used, machine-readable format.
Withdraw consent — where processing is based on consent, withdraw it at any time.
Complaint — lodge a complaint with the Personal Data Protection Agency of the Republic of Armenia, or with your local data-protection authority if you are in the EEA/UK.

To exercise these rights, email albert@poghosyan.org. We will respond within the timeframes required by applicable law, typically within 30 days.

Participants. If you are a participant in a cohort and want to exercise your rights, please contact the trainer who invited you (the data controller for your participant data). We will support them in responding to you.

10. International transfers

The Service is operated from Armenia, and our sub-processors may store and process data in other countries, including the United States and the European Union. Where personal data is transferred internationally, we rely on appropriate legal mechanisms (such as Standard Contractual Clauses) and on each provider's own safeguards.

11. Security

We use industry-standard technical and organisational measures to protect personal data, including TLS encryption in transit, password hashing, access controls, audit logging, and regular security reviews. No system is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.

12. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us at albert@poghosyan.org and we will delete it.

13. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will notify you (e.g., by email or in-product notice) and update the "Last updated" date at the top of this page. The latest version always applies.

14. Contact

For any privacy questions, requests, or complaints, contact:

Albert Poghosyan, Private Entrepreneur

10/4 Atoyan Street, apt. 13
Yerevan, 0075, Armenia

Email: albert@poghosyan.org