Privacy Policy

Depending on how you use the Service, we process:

• Account data: your email address and chosen UI language.
• Uploaded photos and the staged images we generate from them.
• Billing data: handled by Stripe; we store identifiers and subscription status, not full card details.
• Usage and abuse-prevention signals (e.g. a coarse IP-derived signal and a perceptual hash for free previews).
• Email delivery logs.
• With your consent: analytics and conversion/ad-measurement data. Depending on what you enable, this can include pseudonymous identifiers (cookies such as Meta's _fbp/_fbc), your IP address and user agent, and a hashed (SHA-256) version of your email used for ad matching. We do not receive your plain-text email through these tools.

• Providing the Service and processing your photos — performance of a contract (Art. 6(1)(b) GDPR).
• Billing and bookkeeping — contract and legal obligation (Art. 6(1)(b),(c) GDPR).
• Abuse prevention and securing the Service — legitimate interests (Art. 6(1)(f) GDPR).
• Analytics and ad measurement — only with your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.

We use carefully selected processors who act on our instructions under data-processing agreements:

• Vercel — website and application hosting, plus Vercel Analytics and Speed Insights (aggregate, cookieless performance metrics).
• Cloudflare R2 — storage of uploaded photos and renders.
• Stripe — payment processing and subscription billing.
• OpenAI — image generation (the virtual staging step).
• Anthropic — the automated structural-fidelity check.
• Resend — transactional and lifecycle email delivery.
• Google (Google Ads) and Meta (Meta Pixel + Conversions API) — conversion measurement and advertising, only after you consent (see “Analytics & advertising”).

Some processors are located in or transfer data to the USA (including Vercel, Cloudflare, Stripe, OpenAI, Anthropic, Resend, Google, and Meta). Such transfers are safeguarded by EU Standard Contractual Clauses and/or each provider's certification under the EU–US Data Privacy Framework. You can request a copy of the relevant safeguards from us at the contact below.

• Free-preview photos and renders are deleted automatically about 7 days after creation.
• Paid listing galleries remain available for 12 months after the listing is created, then are deleted automatically.
• Account data is kept until you delete your account.
• Abuse-prevention signals (IP-derived signals, perceptual hashes) are retained only as long as needed to limit free-preview abuse and then expire.
• Email delivery logs are kept for a short period for deliverability and troubleshooting.
• Invoicing and bookkeeping records are kept for as long as German tax law requires (generally up to 10 years under §§ 147 AO / GoBD), even after account deletion.
• Analytics and conversion/advertising data are retained according to the respective provider's settings and policies (Google, Meta, Vercel).
• Server logs and automated backups are kept briefly for security and reliability and are overwritten on a rolling basis.

You have the right to access, rectify, erase, restrict, and port your data, and to object to processing based on legitimate interests. Where processing relies on consent, you may withdraw it at any time without affecting prior processing.

You can delete your account, listings, uploaded photos, and renders yourself from the dashboard (“Delete account”), or by emailing hello@quickstaging.app. Note that records held for legal reasons (e.g. Stripe payment and tax/bookkeeping records) may be retained until the statutory periods expire, and data held by third-party processors remains subject to their own retention and legal obligations.

We have not appointed a Data Protection Officer, as we are not required to. You have the right to lodge a complaint with a supervisory authority — for us this is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Wiesbaden, Germany.

Strictly necessary cookies (your session and language preference) are always set. Analytics and advertising/conversion-measurement cookies are only set after you accept them in the cookie banner. You can change or withdraw your choice at any time — it is as easy to withdraw as to give — using the “Cookie settings” link in the footer; withdrawal does not affect processing that already took place.

Only with your consent, we use the following to measure conversions and the performance of our advertising:

• Google Ads, including Enhanced Conversions: a SHA-256 hash of your email may be sent as user_data so Google can match a conversion without receiving your plain-text email.
• Meta Pixel and the Meta Conversions API (server-side): may transmit a hashed email, your IP address and user agent, Meta browser cookies (_fbp, _fbc), an event identifier, the conversion value, and the source URL. Browser and server events are deduplicated on a shared event ID.
• Vercel Analytics and Speed Insights: aggregate, cookieless metrics about page performance and usage.

We load Google with Consent Mode v2 (defaulting to denied) and only inject the Meta Pixel after consent is granted. The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via “Cookie settings”.

Data-protection contact: hello@quickstaging.app.