Privacy Policy

Last updated: April 8, 2026

1. Data controller

The controller of your personal data is the team behind Liru.app: Maciej Kaminski and Karol Jablonski. For data-related inquiries, contact us at contact@liru.app.

2. Data we collect

Account data (designer): email address, full name, design studio name, profile photo and studio logo (optional), language and currency preferences, authentication data (encrypted password, MFA tokens).

Project data: project names and descriptions, property addresses, budget and financial data, photos, documents and files uploaded to the platform, product data (names, prices, photos, store links), subcontractor and supplier data, notes, comments, design decisions.

Client portal data: client email address, client name (optional), brief and survey responses, style preferences (quiz results, swipe results, comments), product/visualization approvals and rejections. End clients do not create accounts – access is provided through a unique link with a token.

Technical data: IP address, browser and operating system type, visit times and frequency, session identifiers, error logs (stack traces, error context).

Chrome extension: product data extracted from store pages (name, price, image, URL), authentication token (Bearer token). The extension does not track browsing history – it activates only when clicked by the user.

3. Purposes and legal bases of processing

Providing the service (account, projects, portal) – Art. 6(1)(b) GDPR (performance of a contract). Sending transactional emails (invitations, notifications) – Art. 6(1)(b) GDPR (performance of a contract). Analytics and service quality improvement – Art. 6(1)(f) GDPR (legitimate interest of the controller). Error monitoring and stability – Art. 6(1)(f) GDPR (legitimate interest of the controller). AI data processing (categorization, notes) – Art. 6(1)(b) GDPR (performance of a contract). Security (rate limiting, abuse detection) – Art. 6(1)(f) GDPR (legitimate interest of the controller).

4. Data processors (sub-processors)

We use the following third-party services:

Supabase (Supabase Inc.) – database, authentication, file storage – data in EU (Frankfurt).
Vercel (Vercel Inc.) – application hosting, serverless functions – EU (preferred) / USA.
OpenAI (OpenAI LLC) – product categorization, AI note generation, summaries – USA.
fal.ai (fal.ai Inc.) – 3D model generation, image segmentation – USA / EU.
Resend (Resend Inc.) – transactional email delivery – USA.
Upstash (Upstash Inc.) – rate limiting, abuse protection – EU (Frankfurt).
PostHog (PostHog Inc.) – product analytics – EU.
Sentry (Functional Software Inc.) – error monitoring – USA.

Data transfers to the USA are carried out on the basis of Standard Contractual Clauses (SCC) or adequacy decisions (EU-US Data Privacy Framework), in accordance with GDPR requirements.

5. AI data processing

Liru.app uses artificial intelligence for: product categorization – product name and description are sent to OpenAI for category assignment; AI note generation – client brief responses are analyzed to create summaries; 3D model generation – product photos are sent to fal.ai for conversion to 3D models; data extraction from pages – product page content is analyzed to retrieve data. Data sent to AI providers is not used to train AI models (in accordance with OpenAI and fal.ai API customer policies), is processed solely to fulfill the specific request, and is not stored by providers longer than necessary to process the request (max. 30 days for abuse monitoring).

6. Data retention periods

Account data is retained until account deletion. Project data – until account or project deletion. Client portal data – until portal deactivation or project deletion. Error logs (Sentry) – 90 days. Analytics data (PostHog) – 12 months. Storage files (Supabase) – until deleted by the user. Session data – 7 days (automatic expiration).

7. Your rights (GDPR)

As an EU/EEA user, you have the following rights: right of access (Art. 15) – you may request information about processed data; right to rectification (Art. 16) – you may correct inaccurate data; right to erasure (Art. 17) – you may delete your account and all data ("Delete account" function in settings); right to restriction of processing (Art. 18); right to data portability (Art. 20); right to object (Art. 21) – to processing based on legitimate interest; right to withdraw consent – at any time, without affecting processing prior to withdrawal. Account deletion: Settings → Security → Delete account (immediate, cascading deletion of all data). Other requests: write to contact@liru.app – we will respond within 30 days. Complaint: you have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) or your local supervisory authority.

8. Cookies and tracking technologies

Essential (no consent required): Supabase session – user authentication, expiry 7 days; client portal session – client portal access, expiry 7 days; language preferences – remembering selected language, expiry 1 year. Analytics (with consent): PostHog – product analytics, anonymous events, user paths. We do not use advertising cookies. We do not share data with advertisers.

9. Data security

We apply the following security measures: encryption of sensitive data (AES-256-GCM), transport encryption (TLS/HTTPS), two-factor authentication MFA (TOTP), Row Level Security (RLS) at the database level, rate limiting on API endpoints, input data validation (Zod), regular security audits (latest: April 2026, 0 critical vulnerabilities), password policy: minimum 8 characters, uppercase letter, digit.

10. Children's data

Liru.app is not intended for persons under 16 years of age. We do not knowingly collect data from children. If you become aware that a child has provided us with personal data, please contact us at contact@liru.app.

11. Changes to the privacy policy

We will notify you of significant changes to the privacy policy through an in-app notification and via email to the address associated with your account. Continued use of the service after changes are introduced constitutes acceptance.

12. Contact

For matters regarding personal data protection: email contact@liru.app. Creators: Maciej Kaminski, Karol Jablonski. Platform: https://studio.liru.app.

Annex A

Privacy Policy – Liru Chrome Extension

Last updated: April 26, 2026

This annex forms an integral part of the Liru Privacy Policy and describes in detail how data is processed by the Liru Chrome extension, which helps interior designers collect product information from online product pages and save it directly to their Liru projects.

A1. What data we collect

When you use the extension, Liru may process the following data: product page URL; product name; product price and currency; product image URL; product dimensions; SKU or product code; product color and material; product availability or delivery information; selected Liru project or room; account and session information required for authentication and saving products. The extension accesses page content only when the user actively triggers data collection, for example by clicking a button to fetch product data. The extension reads product information only from the active page and does not access other tabs or background browsing data.

A2. How we use the data

We use this data only to: show a product preview inside the extension; let you review and edit product details; save the product to your selected Liru project; maintain your login session and extension preferences.

A3. When data is sent

Product data is sent to Liru only when you choose to save a product to your project. The extension does not automatically send the full content of visited pages to Liru.

A4. What we do not collect

The extension does not collect: browsing history for unrelated pages; payment card information; health information; private communications; precise location data; keystroke tracking or mouse movement tracking.

A5. Remote code and AI processing

The production version of the extension does not use Smart Fill, AI correction, or broad page snapshot processing. The extension does not download or execute remote JavaScript or WebAssembly code.

A6. Legal basis for processing (GDPR)

We process personal data based on: your consent when you choose to use the extension and save products; performance of a contract to provide the Liru service; legitimate interest to improve functionality and ensure security.

A7. Data retention

We retain product data and account-related information for as long as your Liru account is active. Data is deleted when you delete it within your account or when you stop using the Liru service and request deletion. We may retain limited data when required for legal, security, or operational purposes.

A8. International data transfers

We use infrastructure providers such as Supabase and Vercel to operate the Liru service. Your data may be processed on servers located outside your country, including outside the European Economic Area. In such cases, we apply appropriate safeguards such as standard contractual clauses.

A9. Data sharing

We do not sell user data. We do not share user data with third parties except when necessary to provide the Liru service – such as authentication, secure hosting, database storage, and infrastructure providers.

A10. Data security

Data is transmitted using HTTPS and stored using secure, industry-standard infrastructure. We implement appropriate technical and organizational measures to protect data against unauthorized access, loss, or misuse.

A11. User control

You can review and edit product data before saving it to a project. You can choose not to save a product at any time.

A12. Your rights

You have the right to: access your data; correct your data; delete your data; restrict or object to processing; request data portability. To exercise your rights, contact us at: contact@liru.app.

A13. Updates to this annex

We may update this annex from time to time. Changes will be reflected by updating the "Last updated" date above.

A14. Contact

If you have questions about this annex, contact us at: contact@liru.app.