Privacy
Privacy Policy
Last updated: April 8, 2026
1. Data controller
The controller of your personal data is the team behind Liru.app: Maciej Kaminski and Karol Jablonski. For data-related inquiries, contact us at contact@liru.app.
2. Data we collect
Account data (designer): email address, full name, design studio name, profile photo and studio logo (optional), language and currency preferences, authentication data (encrypted password, MFA tokens). Project data: project names and descriptions, property addresses, budget and financial data, photos, documents and files uploaded to the platform, product data (names, prices, photos, store links), subcontractor and supplier data, notes, comments, design decisions. Client portal data: client email address, client name (optional), brief and survey responses, style preferences (quiz results, swipe results, comments), product/visualization approvals and rejections. End clients do not create accounts - access is provided through a unique link with a token. Technical data: IP address, browser and operating system type, visit times and frequency, session identifiers, error logs (stack traces, error context). Chrome extension: product data extracted from store pages (name, price, image, URL), authentication token (Bearer token). The extension does not track browsing history - it activates only when clicked by the user.
3. Purposes and legal bases of processing
Providing the service (account, projects, portal) - Art. 6(1)(b) GDPR (performance of a contract). Sending transactional emails (invitations, notifications) - Art. 6(1)(b) GDPR (performance of a contract). Analytics and service quality improvement - Art. 6(1)(f) GDPR (legitimate interest of the controller). Error monitoring and stability - Art. 6(1)(f) GDPR (legitimate interest of the controller). AI data processing (categorization, notes) - Art. 6(1)(b) GDPR (performance of a contract). Security (rate limiting, abuse detection) - Art. 6(1)(f) GDPR (legitimate interest of the controller).
4. Data processors (sub-processors)
We use the following third-party services: Supabase (Supabase Inc.) - database, authentication, file storage - data in EU (Frankfurt). Vercel (Vercel Inc.) - application hosting, serverless functions - EU (preferred) / USA. OpenAI (OpenAI LLC) - product categorization, AI note generation, summaries - USA. fal.ai (fal.ai Inc.) - 3D model generation, image segmentation - USA / EU. Resend (Resend Inc.) - transactional email delivery - USA. Upstash (Upstash Inc.) - rate limiting, abuse protection - EU (Frankfurt). PostHog (PostHog Inc.) - product analytics - EU. Sentry (Functional Software Inc.) - error monitoring - USA. Data transfers to the USA are carried out on the basis of Standard Contractual Clauses (SCC) or adequacy decisions (EU-US Data Privacy Framework), in accordance with GDPR requirements.
5. AI data processing
Liru.app uses artificial intelligence for: product categorization - product name and description are sent to OpenAI for category assignment; AI note generation - client brief responses are analyzed to create summaries; 3D model generation - product photos are sent to fal.ai for conversion to 3D models; data extraction from pages - product page content is analyzed to retrieve data. Data sent to AI providers is not used to train AI models (in accordance with OpenAI and fal.ai API customer policies), is processed solely to fulfill the specific request, and is not stored by providers longer than necessary to process the request (max. 30 days for abuse monitoring).
6. Data retention periods
Account data is retained until account deletion. Project data - until account or project deletion. Client portal data - until portal deactivation or project deletion. Error logs (Sentry) - 90 days. Analytics data (PostHog) - 12 months. Storage files (Supabase) - until deleted by the user. Session data - 7 days (automatic expiration).
7. Your rights (GDPR)
As an EU/EEA user, you have the following rights: right of access (Art. 15) - you may request information about processed data; right to rectification (Art. 16) - you may correct inaccurate data; right to erasure (Art. 17) - you may delete your account and all data ("Delete account" function in settings); right to restriction of processing (Art. 18); right to data portability (Art. 20); right to object (Art. 21) - to processing based on legitimate interest; right to withdraw consent - at any time, without affecting processing prior to withdrawal. Account deletion: Settings → Security → Delete account (immediate, cascading deletion of all data). Other requests: write to contact@liru.app - we will respond within 30 days. Complaint: you have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) or your local supervisory authority.
8. Cookies and tracking technologies
Essential (no consent required): Supabase session - user authentication, expiry 7 days; client portal session - client portal access, expiry 7 days; language preferences - remembering selected language, expiry 1 year. Analytics (with consent): PostHog - product analytics, anonymous events, user paths. We do not use advertising cookies. We do not share data with advertisers.
9. Data security
We apply the following security measures: encryption of sensitive data (AES-256-GCM), transport encryption (TLS/HTTPS), two-factor authentication MFA (TOTP), Row Level Security (RLS) at the database level, rate limiting on API endpoints, input data validation (Zod), regular security audits (latest: April 2026, 0 critical vulnerabilities), password policy: minimum 8 characters, uppercase letter, digit.
10. Children's data
Liru.app is not intended for persons under 16 years of age. We do not knowingly collect data from children. If you become aware that a child has provided us with personal data, please contact us at contact@liru.app.
11. Changes to the privacy policy
We will notify you of significant changes to the privacy policy through an in-app notification and via email to the address associated with your account. Continued use of the service after changes are introduced constitutes acceptance.
12. Contact
For matters regarding personal data protection: email contact@liru.app. Creators: Maciej Kaminski, Karol Jablonski. Platform: https://studio.liru.app.