Privacy Policy

Last updated: TODO(founder) — set on first real publish

This page is a reviewed template, not final legal advice. Sections marked TODO(founder/lawyer) must be completed or confirmed by a lawyer qualified in Czech/EU law before this policy is relied upon in production.

This Privacy Policy explains what personal data Stagio collects, why, how long we keep it, and the rights you have under the GDPR.

1. Data controller

TODO(founder): legal entity name, registered address, company/VAT ID, and contact details for the data controller and (if appointed) a Data Protection Officer.

2. What we collect

Account data (email address, locale, admin status), the photos you upload, the staged/decluttered images we generate, payment and invoicing data (via Stripe), and operational logs needed to run and secure the service (e.g. generation status, quality-control scores, session tokens).

3. Why we process it, and on what legal basis

To perform the contract with you (account, generations, billing — GDPR Art. 6(1)(b)); to comply with tax and accounting law (invoice retention — Art. 6(1)(c)); for our legitimate interest in fraud prevention, service security, and quality control (Art. 6(1)(f)); and, only where you explicitly opt in, to use a project as a public case study (Art. 6(1)(a) consent, freely withdrawable).

4. We do not train AI models on your images

Your uploaded photos and generated images are never used to train, fine-tune, or improve any AI model — ours or a third party's. They are used only to produce the specific generation you requested and to run the automated quality-control check on that same generation.

5. Retention and deletion — the specifics

Default retention: photos, generations, and exports are automatically and permanently deleted 30 days after upload/creation, unless the project is flagged as a consented case study (caseStudyConsent), in which case that project's assets are exempt from the automatic 30-day deletion until you withdraw consent. Per-project "delete now": you can purge a project's photos, generations, and exports from storage immediately, at any time, from the project view. Account deletion: requesting account deletion immediately purges all of your photos, generations, and exports from storage — including case-study-consented projects, since erasing your account withdraws that consent too. Your account row itself is not hard-deleted: it is anonymized (email replaced with a non-reachable placeholder, locale reset, marked deleted) so that invoices and credits-ledger entries linked to it keep a valid reference. Invoices and credits-ledger entries are retained for as long as applicable tax and accounting law requires (commonly several years under Czech/EU rules; TODO(founder/lawyer) confirm the exact statutory period for your jurisdiction) because we are legally required to keep accounting records even after you leave.

6. Who we share data with

We use a small number of subprocessors to run the service — hosting, payments, email delivery, and automated quality control. The full list, with purpose and region for each, is published on the Subprocessors page.

7. International transfers

Our hosting and object storage run in the EU. Some subprocessors (notably our quality-control model provider) may process data outside the EU/EEA; TODO(lawyer) confirm the transfer safeguards in place (e.g. EU Commission Standard Contractual Clauses) for any non-EU subprocessor before this is relied upon.

8. Your rights

Under the GDPR you have the right to access, rectify, or erase your personal data, to restrict or object to processing, to data portability, and to withdraw consent (e.g. case-study consent) at any time without affecting past processing. You also have the right to lodge a complaint with your local supervisory authority — in the Czech Republic, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, UOOU).

9. Security

Data is encrypted in transit, access to object storage is via short-lived signed URLs rather than public links, and production infrastructure runs in EU data centers. TODO(founder/lawyer): add specifics once a formal security policy is finalized.

10. Children

Stagio is a business tool for real estate professionals and is not directed at children. We do not knowingly collect personal data from minors.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email before they take effect.

12. Contact

TODO(founder): contact email for privacy/data-protection requests, and DPO contact if one is appointed.