Privacy Policy
Effective May 9, 2026 · Last updated May 9, 2026
This Privacy Policy describes how FloorPlanAI (“FloorPlanAI”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you visit floorplanai.net or use our AI-powered floor plan generation service (the “Service”). This Policy forms part of our Terms of Service. By using the Service, you acknowledge that you have read and understood this Policy.
1. Who we are
FloorPlanAI is operated by FloorPlanAI (the “Operator”). For all data-protection matters, including requests to exercise your rights, the controller of your personal data is the Operator. You can reach our privacy team at hello@floorplanai.net.
If you are located in the European Economic Area, the United Kingdom, or Switzerland and require a local point of contact, please use the same email address; we will route your request appropriately. If we appoint an EU/UK representative under Article 27 GDPR in the future, their details will be published on this page.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- Controller — the entity that determines the purposes and means of Processing (FloorPlanAI, for the data covered by this Policy).
- Processor / Sub-processor — a third party that processes Personal Data on the Controller's behalf.
- Service — the website at floorplanai.net and the related AI floor plan generation features.
- You — a visitor, signed-in user, or paying customer of the Service.
3. Information we collect
3.1 Information you provide directly
- Account information. When you sign in with Google we receive your name, email address, profile picture, and Google account ID.
- Generation inputs. The text prompts you submit, the style preset you choose, the resolution you pick, and any reference images you upload.
- Generation outputs. The floor plan images we generate for you and link to your account history.
- Communications. When you email us, we keep the message, your email address, and any attachments you send.
- Optional profile info. Anything else you choose to add to your account.
3.2 Information collected automatically
- Device & log data. IP address, user agent, browser language, request timestamps, referring URL, the pages and API endpoints you access.
- Usage data. Number of generations, credits charged, plan tier, success / failure of jobs, error codes.
- Cookies and similar technologies. See §10.
3.3 Information from third parties
- Google OAuth. We receive the Google profile fields listed in §3.1 when you authorize sign-in.
- Stripe. When you purchase, Stripe sends us the billing event (success / failure), invoice ID, customer ID, plan purchased, and country / postal code for tax. We never receive your full card number, CVC, or full bank details.
- Browser fingerprint. When you first visit we ask your browser to compute a fingerprint (via the open-source FingerprintJS library, executed in your browser) and we store only a salted SHA-256 hash of that fingerprint plus a random visitor UUID. The raw fingerprint is never transmitted to or stored by us.
3.4 Sensitive data
We do not knowingly collect special-category personal data (racial / ethnic origin, political opinions, religion, health data, biometric or genetic data). Please do not submit such data in prompts or reference images.
4. Legal bases for processing (EEA / UK only)
If you are in the EEA, the United Kingdom, or Switzerland, our legal bases under the GDPR / UK GDPR are:
| Purpose | Legal basis |
|---|---|
| Provide the Service to you | Performance of a contract — Art. 6(1)(b) |
| Process payments and send invoices | Performance of a contract — Art. 6(1)(b) |
| Prevent fraud, abuse, and free-tier abuse | Legitimate interest — Art. 6(1)(f) |
| Comply with tax, accounting, and legal obligations | Legal obligation — Art. 6(1)(c) |
| Improve the Service via aggregated analytics | Legitimate interest — Art. 6(1)(f) |
| Send marketing emails (only with opt-in) | Consent — Art. 6(1)(a) |
| Respond to support requests | Legitimate interest / contract |
Where we rely on legitimate interests, you have the right to object — see §13.
5. How we use information
We use the information described in §3 to:
- Authenticate you and maintain your sign-in session.
- Send your prompts and reference images to our AI sub-processors and return the generated images to you.
- Track credit balances and deduct or refund credits per ledger rules.
- Process payments via Stripe and grant or revoke plan benefits.
- Detect and prevent abuse of free signup credits, account take-overs, payment fraud, and brute-force attempts. Specifically, we compare your hashed visitor ID and IP address against prior signups to decide whether to grant the 1 free signup credit.
- Operate, monitor, debug, and improve the Service, including running aggregated analytics (e.g. “average generation time at 4K”).
- Respond to your support requests and account inquiries.
- Comply with applicable law, respond to lawful requests from authorities, and enforce our Terms.
- Notify you of material changes, billing issues, or security incidents (transactional email — you cannot opt out of these as long as you have an account).
6. Sharing & disclosure
We do not sell your personal data. We do not share personal data with third parties for cross-context behavioral advertising. We share personal data only as described below:
- Sub-processors. Vendors that process data on our behalf to operate the Service — see §7.
- Legal authorities. When required by valid legal process (subpoena, court order, government request) or to protect rights, property, or safety. We will challenge overbroad requests and notify you when permitted by law.
- Corporate transactions. If we are acquired, merged, or sell substantially all assets, your data may transfer to the acquirer subject to this Policy. We will notify you in advance and give you the chance to delete your account.
- With your consent. Any other sharing requires your explicit consent.
7. Sub-processors
We rely on the following sub-processors. Each has signed a Data Processing Agreement (DPA) or equivalent contractual safeguards committing them to confidentiality, security, and (where applicable) Standard Contractual Clauses for international transfers.
| Sub-processor | Purpose | Location | Privacy |
|---|---|---|---|
| Google LLC | OAuth sign-in | USA | Link |
| Stripe, Inc. | Payment processing & tax | USA | Link |
| KIE.ai | AI floor plan generation (primary) | USA | Site |
| Replicate, Inc. | AI floor plan generation (fallback) | USA | Link |
| OpenAI, L.L.C. | Text moderation API for prompt safety | USA | Link |
| Neon, Inc. | Managed PostgreSQL database | USA (configurable) | Link |
| Vercel, Inc. | Web hosting and CDN | USA & global edge | Link |
| Cloudflare, Inc. | Email routing for hello@floorplanai.net | USA | Link |
We may add or replace sub-processors. Material additions will be announced on this page at least 14 days before they take effect.
8. International data transfers
Our infrastructure and most of our sub-processors are based in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.
For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as appropriate) and, where required, supplementary technical and organizational measures, including encryption in transit and at rest. Copies of the SCCs we have in place with sub-processors are available on request.
9. Data retention
We retain personal data only for as long as needed:
| Data | Retention |
|---|---|
| Account record (profile, plan, balance) | Until you delete your account |
| Generated images & their prompts | 90 days from creation, then permanently deleted |
| Reference images you upload | 90 days from upload |
| Server & security logs (incl. IP) | 30 days |
| Anti-abuse signals (visitor hash, signup attempts) | 12 months |
| Stripe billing records (invoices, payment status) | 7 years (tax / accounting law) |
| Support email correspondence | 24 months from last reply |
| Backups | 30-day rolling window |
After the retention period, we delete or irreversibly anonymize the data. Deletion of an account triggers immediate deletion of profile and credit data; generations and logs already past their retention window are unrecoverable.
10. Cookies & similar technologies
We use only first-party and processor cookies that are strictly necessary to deliver the Service. We do not use advertising or analytics tracking cookies.
| Cookie | Purpose | Lifetime | Type |
|---|---|---|---|
| authjs.session-token | Keeps you signed in | 30 days | Strictly necessary, HttpOnly + Secure |
| vid | Salted hash of your browser fingerprint, used for signup abuse prevention | 365 days | Strictly necessary, HttpOnly |
| vid_set | Non-sensitive flag — tells the client not to recompute the fingerprint | 365 days | Strictly necessary |
| __stripe_mid, __stripe_sid | Stripe fraud detection on the checkout page (set by Stripe) | 1 year / 30 min | Third-party (Stripe), strictly necessary for payments |
Because all the cookies we set are strictly necessary, we do not show a cookie consent banner. You can clear cookies in your browser settings, but doing so will sign you out and may degrade abuse protection.
11. Security
- HTTPS / TLS 1.2+ everywhere; HSTS enforced.
- Database encryption at rest, managed by Neon.
- OAuth-only authentication — we never store passwords.
- Browser fingerprints are hashed with a server-side secret salt before storage.
- Card data is handled exclusively by Stripe (PCI DSS Level 1) and never touches our servers.
- API keys for AI providers are stored as environment variables, not in source control.
- Webhook calls from Stripe are verified with a signing secret to prevent replay or spoofing.
No system is 100% secure. If we discover a breach affecting your personal data we will notify you and (where applicable) the relevant supervisory authority within 72 hours of becoming aware, in line with Article 33 / 34 GDPR.
12. Your rights — general
Regardless of where you live, you can ask us to:
- Confirm whether we hold data about you and access a copy of it.
- Correct inaccurate data.
- Delete your data (subject to legal retention).
- Export your data in a portable, machine-readable format.
- Restrict or object to certain processing.
- Withdraw consent where processing is based on consent.
13. EEA / UK rights (GDPR & UK GDPR)
If you are in the EEA, the UK, or Switzerland, you have these specific rights:
- Right of access — Article 15
- Right to rectification — Article 16
- Right to erasure (“right to be forgotten”) — Article 17
- Right to restriction of processing — Article 18
- Right to data portability — Article 20
- Right to object — Article 21
- Right not to be subject to automated decisions producing legal or similarly significant effects — Article 22 (see §17)
- Right to lodge a complaint with your local data protection supervisory authority. A list is available at edpb.europa.eu. UK residents may complain to the ICO.
14. California rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, sources, and purposes.
- Receive a copy of the specific pieces of personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of your personal information.
- Opt out of the “sale” or “sharing” of personal information.
- Limit our use of sensitive personal information.
- Be free from retaliation for exercising these rights.
We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). We do not have actual knowledge that we sell or share the personal information of consumers under 16.
You may submit requests by emailing hello@floorplanai.net from the email address on your account. You may designate an authorized agent to make a request on your behalf; we may require proof of authorization.
15. Other US state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states with comprehensive privacy laws have rights similar to those above (access, deletion, correction, portability, opt-out of targeted advertising, profiling appeal). Use the same email channel; we will honor requests under your applicable state law.
16. Children
The Service is not directed to children under 13 (or under 16 in the EEA where applicable). We do not knowingly collect personal data from such children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly. Paid plans require users to be 18 or older.
17. Automated decision-making & AI
We use AI models (gpt-image-2 via KIE.ai and, as fallback, Replicate) to generate floor plan images you request. This generation is not a decision about you and has no legal or similarly significant effect on you within the meaning of GDPR Article 22.
Our anti-abuse system uses your visitor fingerprint hash and IP address to decide whether to grant the 1-credit signup bonus. If you believe that decision was made in error, you can email hello@floorplanai.net to request a manual review by a human.
We use the OpenAI Moderation API to scan submitted prompts for prohibited content (e.g. explicit sexual content, violence). A prompt flagged by the moderator is rejected before any credit is charged. You can appeal a rejection by emailing us with the prompt; a human will review it.
18. Links to third-party sites
Our Service may contain links to third-party websites (e.g. Stripe Checkout, Google sign-in, AI provider documentation). Those sites operate under their own privacy policies; we are not responsible for their practices.
19. Do Not Track
Because we do not use tracking cookies for advertising, browser-level Do Not Track signals do not apply meaningfully to our Service. We do not respond to DNT signals because there is no consensus standard.
20. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes — for example, adding a new sub-processor, changing legal bases, or expanding the categories of data we collect — will be announced on this page at least 14 days before they take effect, and (if you have an account) we will email you. The date at the top of the page reflects the most recent update.
21. How to exercise your rights
To submit any privacy request:
- Email hello@floorplanai.net from the email address on your account, or include account-verifying information (account ID, last invoice ID).
- Tell us which right you are exercising and any details that help us locate the data (e.g. approximate sign-up date).
- We will respond within 30 days. If your request is complex we may extend by a further 60 days and we will tell you why.
- We may need to verify your identity to protect your data; we will not request more information than necessary.
- We will not discriminate against you for exercising your rights.
22. Contact
Questions, complaints, or requests regarding privacy:
- Email: hello@floorplanai.net
- Subject line: please prefix with [Privacy] so we can route quickly.