Remake.House

Legal

Privacy Policy

Last updated: June 12, 2026

This Privacy Policy explains how the operator of Remake.House(“we”, “us”) collects, uses, and shares your personal data when you use the Remake.Housewebsite and services (the “Service”). We act as the data controller for this processing. For privacy questions or requests, use the contact page.

1. What we collect

  • Account data — e-mail address, name (if provided by you or your sign-in provider, e.g. Google), and authentication identifiers.
  • Photos and images— the photos you upload (“Inputs”) and the images we generate for you (“Outputs”). Photos of a home can reveal information about you; avoid uploading photos with identifiable people in them.
  • Payment data — handled by our payment processor. We receive plan, payment status, and partial card metadata (brand, last four digits) — never full card numbers.
  • Usage and technical data — generations requested, credits used, settings chosen, pages visited, IP address, device/browser type, and logs needed for security and rate limiting.
  • Communications — messages and attachments you send via the contact form or e-mail.

2. How we use it, and the legal bases

  • Providing the Service — generating images from your Inputs, storing your gallery, managing credits and subscriptions. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
  • Content moderation — automated screening of uploads to keep prohibited content out of the pipeline. Legal basis: legitimate interests (Art. 6(1)(f)) — keeping the Service safe and lawful.
  • Billing and accounting — payments, invoices, tax records. Legal bases: contract and legal obligation (Art. 6(1)(c)).
  • Security and abuse prevention — rate limiting, fraud detection, log analysis. Legal basis: legitimate interests.
  • Service communications — sign-in links, receipts, important changes. Legal basis: contract. Marketing e-mail, if ever sent, only with your consent and a working unsubscribe. Legal basis: consent (Art. 6(1)(a)).
  • Analytics— aggregated, cookieless page analytics to understand product usage: Umami (hosted in the EU) and our hosting platform’s built-in analytics, which identifies visits via a short-lived anonymous hash rather than cookies or persistent identifiers. No cross-site profiles are built and no advertising identifiers are used. Legal basis: legitimate interests.
  • Error monitoring — when something breaks, we send an error report to our error-monitoring provider containing the error details, your IP address, browser/device type, and the pages involved. For a sample of sessions where an error occurs, a replay of the interface state may be recorded with text and images masked. Legal basis: legitimate interests — keeping the Service working.

We do not use your photos or generated images to train AI models, and we do not sell your personal data.

3. AI processing

To generate images and moderate content, your Inputs are transmitted to specialised AI infrastructure providers acting as our processors. They process your images solely to return the result and are bound by API data-handling terms that restrict use of your content for their own purposes.

4. How long we keep it

  • Uploaded photos: the original upload file is deleted from storage on a short schedule (approximately one hour) after processing; free-preview uploads within approximately two hours.
  • Generated images: kept in your gallery until you delete them or close your account.
  • Account, credit, and billing records: for the life of your account, then for legally required accounting retention periods.
  • Logs and rate-limit counters: short-lived — typically days to weeks.
  • Error reports and session replays: retained by our monitoring provider for up to 90 days, then deleted.
  • Contact messages: as long as needed to handle your request and for a reasonable period after.

5. Who we share it with

Only processors that help us run the Service, under data-processing agreements:

  • Cloudflare — image storage and global content delivery, with servers across many regions operated in line with the applicable local regulations
  • Google — sign-in, if you choose it
  • Stripe — payments
  • Umami — privacy-friendly web analytics (data hosted in the EU)
  • and our cloud-hosting, database, AI image-processing, e-mail-delivery, security and error-monitoring providers — each engaged as a processor under a data-processing agreement

A complete, current list of our subprocessors is available on request via the contact page.

We may also disclose data where required by law, to protect rights and safety, or as part of a business transfer (with notice to you).

6. International transfers

Some providers process data in the United States and other countries outside the EEA/UK. Where that happens we rely on appropriate safeguards: the EU–US Data Privacy Framework where the provider is certified, and/or the European Commission’s Standard Contractual Clauses (with the UK Addendum where relevant).

7. Your rights (EEA/UK)

If the GDPR or UK GDPR applies to you, you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • have your data deleted (“right to be forgotten”);
  • receive a portable copy of data you provided;
  • restrict or object to processing based on legitimate interests;
  • withdraw consent at any time, where processing is based on it.

Exercise these rights via the contact page; we respond within one month. You can also complain to your local data-protection supervisory authority.

8. US residents (including California)

If you live in California or another US state with a comprehensive privacy law, you have rights to know, access, correct, and delete the personal information we hold, and the right not to be discriminated against for exercising them. We do not sell or “share” personal information as defined by the CCPA/CPRA, and we do not use sensitive personal information for purposes requiring an opt-out. Submit requests via the contact page; we honor Global Privacy Control signals where required by law.

9. Cookies

We use strictly necessary cookies for authentication and your theme preference. Our analytics are cookieless and do not build cross-site profiles. We do not run third-party advertising cookies.

10. Security

We use industry-standard measures: encrypted transport (TLS), access controls, scoped tokens, and isolation between users’ content. No system is perfectly secure — if a breach affects your data, we will notify you and regulators as the law requires.

11. Children

The Service is not directed to children under 16 and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us and we will delete it.

12. Changes

We may update this policy; material changes will be announced by e-mail or in-product before they take effect. The date at the top reflects the current version.