Privacy Policy
Effective Date: February 12, 2026 · Last Updated: March 5, 2026
1. Introduction
Habitours.com ("we," "us," or "our") operates the Habitours.com website and service (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using Habitours.com, you consent to the practices described in this policy.
2. Information We Collect
Account Information
- Email address
- Display name (derived from email or Google profile)
- Authentication credentials (hashed; we never store plaintext passwords)
- Google account profile data (if using Google sign-in)
Uploaded Content
- Room photographs you upload for staging
- Project titles and configuration choices (style, mode, room types)
- Rework feedback text
Payment Information
Payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full card details. We receive and store only: transaction IDs, purchase amounts, subscription plan selected, and billing email.
Usage Data
- Pages visited and features used
- Project creation and completion timestamps
- Subscription plan and image usage history
- Browser type, device type, and IP address
3. How We Use Your Information
- To provide and operate the Service (staging, image transformation, delivery)
- To process subscription payments via Stripe
- To authenticate your identity and protect your account
- To send service-related notifications (project completion, failures, refunds)
- To improve the Service through usage analytics
- To comply with legal obligations
4. Legal Basis for Processing (GDPR)
If you are located in the European Union or European Economic Area, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
- Art. 6(1)(b) — Contract Performance: Account creation, project processing, subscription management, and service delivery. This data is necessary to provide the Service you requested.
- Art. 6(1)(a) — Consent: Analytics cookies (PostHog). You can withdraw your consent at any time via the cookie banner.
- Art. 6(1)(f) — Legitimate Interests: Security monitoring, fraud prevention, and service improvement. We balance our interests against your rights and freedoms.
- Art. 6(1)(c) — Legal Obligation: Retention of tax records and compliance with regulatory requirements.
5. AI Processing Disclosure
Your uploaded images are processed by third-party AI services provided by Google (Gemini for image transformation). Important details:
- Your images are sent to Google's API solely for the purpose of generating transformed images.
- Google does not use your images to train its AI models when accessed via its paid API.
- Google may retain API inputs/outputs for up to 55 days for abuse monitoring and safety purposes, after which they are deleted.
- We do not use your images for any purpose other than delivering the Service to you.
6. Third-Party Service Providers
We use the following third-party services to operate Habitours.com:
- Google Cloud / Google AI — AI image transformation (Gemini). Subject to Google's Data Processing Terms.
- Supabase — Database hosting, user authentication, and file storage (your images).
- Stripe — Payment processing. Subject to Stripe's Privacy Policy.
- Cloudflare — Frontend hosting and content delivery.
- Cloudflare — Object storage (R2) for images. Subject to Cloudflare's DPA.
- Resend — Transactional email delivery. Subject to Resend's Privacy Policy.
- PostHog — Product analytics (only with your consent via our cookie banner). Subject to PostHog's Privacy Policy.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Project assets (original and transformed images): Retained while your account is active. You may delete individual projects at any time, which removes associated files from storage.
- Payment records: Retained for 7 years for accounting and tax compliance.
- Usage logs: Retained for up to 90 days for debugging and analytics.
8. International Data Transfers
Some of our third-party service providers are based outside the European Union / European Economic Area (EU/EEA), including Google, Stripe, PostHog, and Cloudflare. When your data is transferred outside the EU/EEA, it is protected by:
- EU-US Data Privacy Framework — For providers certified under the DPF (e.g., Google, Stripe).
- Standard Contractual Clauses (SCCs) — Approved by the European Commission to ensure adequate data protection.
- Adequacy decisions — Where the European Commission has determined that a country provides an adequate level of data protection.
You may request details about the specific transfer mechanisms used for your data by contacting us at support@habitours.com.
9. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS for all connections)
- Encryption at rest for stored data
- Row-Level Security (RLS) ensuring users can only access their own data
- JWT-based authentication with secure token handling
- Signed URLs with short expiration for file access
- Rate limiting to prevent abuse
10. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Deletion: Request deletion of your account and associated data.
- Correction: Request correction of inaccurate personal data.
- Portability: Request your data in a portable format.
- Opt-out: Opt out of non-essential data processing.
California Residents (CCPA): You have the right to know what personal information we collect and how it is used, to request deletion, and to opt out of the sale of personal information. We do not sell personal information.
11. Rights for EU/EEA Residents (GDPR)
If you are located in the European Union or European Economic Area, you have the following additional rights under the GDPR:
- Right of access (Art. 15) — Obtain confirmation of whether your personal data is being processed and request a copy.
- Right to rectification (Art. 16) — Have inaccurate personal data corrected without undue delay.
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
- Right to restriction of processing (Art. 18) — Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time where processing is based on consent (e.g., analytics cookies).
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The competent authority for Bavaria is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), www.lda.bayern.de.
To exercise any of these rights, contact us at support@habitours.com. We will respond within 30 days.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Art. 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (Art. 34).
Notification will include:
- The nature of the personal data breach
- The likely consequences of the breach
- The measures taken or proposed to address and mitigate the breach
13. Cookies
We use the following types of cookies:
- Essential cookies: Supabase Auth session cookies (required for login). These cannot be disabled as they are necessary for the Service to function.
- Analytics cookies: PostHog analytics cookies are only set with your explicit consent via our cookie consent banner. You can change your preference at any time.
You can manage your cookie preferences at any time via our Cookie Policy page or the cookie consent banner. We do not use third-party advertising cookies.
14. Children's Privacy
Habitours.com is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
- Email: support@habitours.com