Data Processing Agreement

1. Parties & Scope

This Data Processing Agreement ("DPA") is entered into pursuant to Art. 28(3) GDPR between:

  • Data Controller ("Controller"): The customer who has entered into a service agreement with Strana for use of the platform.
  • Data Processor ("Processor"): Strana UG (haftungsbeschränkt), Schackstr. 1 // c/o Kleinhempel & Partner, 80539 München, Germany.

This DPA supplements and forms part of the Terms & Conditions and governs the Processor's processing of personal data on behalf of the Controller in connection with the Strana platform.

2. Processing Details

Subject Matter & Duration

The processing concerns the provision of AI-powered video production services and continues for the duration of the service agreement plus the data retention period specified in our Privacy Policy.

Nature & Purpose

Processing includes storage, organization, retrieval, AI model training, video generation, and transmission of data as necessary to provide the Strana platform services.

Types of Personal Data

  • Account data (name, email, company information)
  • Uploaded media (photos, videos, brand assets)
  • Usage and technical data (IP addresses, session logs)
  • Payment and billing information

Categories of Data Subjects

  • Controller's employees and authorized users
  • Individuals depicted in uploaded media (hotel guests, staff — as determined by Controller)

3. AI Model Training

  • Per-Account Training: AI models are trained exclusively on the Controller's uploaded content and are isolated to the Controller's account. No cross-account data sharing occurs.
  • Face-Agnostic Processing: AI models focus on property and environment visuals. We do not train facial recognition models on Controller's content.
  • Exclusion Flags: The Controller can flag specific content to be excluded from AI model training while retaining it for other platform features.
  • Model Deletion: Per-account AI models are deleted within 30 days of the service agreement termination.

4. Security Measures (Art. 32 GDPR)

The Processor implements the following technical and organizational measures:

Encryption

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Encrypted backups with separate key management

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication for administrative access
  • Principle of least privilege
  • Regular access reviews

Infrastructure

  • EU-hosted infrastructure (AWS Frankfurt, EU-West-1)
  • Network isolation and firewalls
  • Intrusion detection and monitoring
  • Automated vulnerability scanning

Personnel

  • Confidentiality agreements for all staff
  • Regular data protection training
  • Background checks for personnel with access to personal data

5. Sub-processors (Art. 28(2), (4) GDPR)

The Controller grants general authorization for the Processor to engage the following sub-processors:

  Sub-processor               Purpose                               Location
  Amazon Web Services (AWS)   Cloud hosting, storage, compute       EU (Frankfurt)
  Stripe                      Payment processing                    EU / US
  Google Analytics            Website analytics (consent-based)     EU / US

The Processor will notify the Controller at least 30 days in advance of any intended changes to the list of sub-processors. The Controller may object to such changes within 14 days. If a reasonable objection cannot be resolved, the Controller may terminate the agreement.

All sub-processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.

6. International Transfers (Art. 44-50 GDPR)

  • EU Primary Processing: All core data processing, including AI training and video generation, is performed within the EU (AWS Frankfurt).
  • US Transfers: Limited to payment processing via Stripe, which is certified under the EU-US Data Privacy Framework.
  • Safeguards: Where transfers to third countries occur, they are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, by adequacy decisions under the EU-US Data Privacy Framework (DPF).
  • Transfer Impact Assessments: The Processor conducts transfer impact assessments for all international data transfers and implements supplementary measures where necessary.

7. Controller Obligations

The Controller is responsible for:

  • Legal Basis (Art. 6): Ensuring a valid legal basis exists for the processing of personal data, including any personal data contained in uploaded media.
  • Transparency (Art. 13-14): Informing data subjects about the processing of their personal data, including the use of Strana as a processor.
  • Data Protection Impact Assessment: Conducting DPIAs where required by Art. 35 GDPR, particularly for large-scale processing of media containing images of individuals.
  • Rights of Data Subjects: Handling data subject requests and informing the Processor where assistance is required.
  • Content Rights: Ensuring appropriate rights, consents, or authorizations for all uploaded content, particularly media depicting identifiable individuals.

8. Processor Obligations (Art. 28(3)(a-h) GDPR)

The Processor shall:

  • Instructions Only: Process personal data only on documented instructions from the Controller, unless required by EU or member state law.
  • Confidentiality: Ensure that all persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation.
  • Security: Implement and maintain the technical and organizational measures described in Section 4.
  • Sub-processing: Only engage sub-processors in accordance with Section 5 and impose equivalent data protection obligations.
  • Assistance: Assist the Controller in responding to data subject requests and in ensuring compliance with Arts. 32-36 GDPR.
  • Deletion/Return: At the Controller's choice, delete or return all personal data upon termination of services, as described in Section 10.
  • Audit Support: Make available all information necessary to demonstrate compliance and allow for audits as described in Section 11.
  • Notification: Immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other data protection provisions.

9. Breach Notification (Art. 33-34 GDPR)

  • Notification Timeline: The Processor will notify the Controller of any personal data breach without undue delay, and in any event within 48 hours of becoming aware of the breach.
  • Initial Report: The initial notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
  • Final Report: A comprehensive final report will be provided as soon as reasonably practicable, including root cause analysis and remediation steps.
  • Cooperation: The Processor will cooperate with the Controller in investigating and remediating the breach and in fulfilling notification obligations to supervisory authorities and data subjects.

10. Data Deletion (Art. 28(3)(g) GDPR)

Upon termination of the service agreement:

  • Data Export: The Controller has 30 days from termination to export their data via the platform or by request to privacy@strana.ai.
  • Production Deletion: After the 30-day export period, all Controller data is deleted from production systems.
  • Backup Deletion: Data is removed from backup systems within 90 days of production deletion.
  • AI Model Deletion: Per-account AI models are deleted within 30 days of termination.
  • Certification: Upon request, the Processor will provide written confirmation that data deletion has been completed.

11. Audit Rights (Art. 28(3)(h) GDPR)

  • Right to Audit: The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA.
  • Frequency: Audits may be conducted up to once per year, with reasonable advance notice (minimum 30 days).
  • Alternatives: In lieu of on-site audits, the Controller may review relevant third-party certifications and audit reports (e.g., SOC 2 Type II, ISO 27001) maintained by the Processor.
  • Costs: Each party bears its own costs for audits, unless the audit reveals material non-compliance, in which case the Processor bears reasonable audit costs.
  • Confidentiality: Audit findings are treated as confidential information by both parties.

12. Liability & Governing Law

  • Liability (Art. 82 GDPR): Each party is liable for damages caused by processing that infringes the GDPR. The Processor is liable only for damages caused by processing that does not comply with the Processor's obligations under GDPR or this DPA.
  • Indemnification: Each party will indemnify the other for any fines, damages, or costs arising from the indemnifying party's breach of this DPA or the GDPR.
  • Governing Law: This DPA is governed by the laws of the Federal Republic of Germany.
  • Jurisdiction: The exclusive place of jurisdiction is Munich, Germany.

13. Contact

For questions about this Data Processing Agreement:

Last updated: February 9, 2026