Privacy Policy

VastgoedFotoAI.nl ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains in plain language what data we collect, why we collect it, which third-party services we use, and what rights you have.

By using VastgoedFotoAI.nl, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our service.

We collect the following categories of personal data:

a) Account Information

When you sign up, we collect your name, email address, and password (stored in hashed form — we never store your password in plain text). We also require email verification before you can use the service.

b) Payment Information

Payments are handled entirely by Stripe. We never see or store your credit card number, CVV, or full billing details. What we do store is a reference to your Stripe customer ID, the payment amount, and the payment status so we can link payments to your projects.

c) Images You Upload

When you use our service, you upload property photos. These images are stored in our cloud storage (hosted by Supabase) and sent to our AI provider (Fal.ai) for processing. The processed (enhanced) images are also stored so you can download them.

d) Session & Device Data

When you log in, we record your IP address and browser user agent as part of your session. This helps us detect unauthorized access to your account. Sessions expire after 7 days of inactivity.

e) Contact Form Data

If you contact us through our website, we collect your name, email, and message so we can respond to your inquiry.

f) Usage Data

We track which features you use (such as style templates selected, number of images processed) to improve our service. We do not use third-party analytics trackers like Google Analytics.

To deliver our service, we rely on a number of trusted third-party providers. Each of these only receives the minimum data needed to perform their function:

• Stripe (payment processing) — Handles all credit card and payment details. Stripe is PCI-DSS compliant. We share your email address with Stripe to create a customer record.
  Stripe Privacy Policy
• Fal.ai (AI image processing) — Your uploaded images are sent to Fal.ai’s servers for AI enhancement. Fal.ai processes the images and returns the enhanced results. Images are not retained by Fal.ai after processing.
  Fal.ai Privacy Policy
• Supabase (database & file storage) — Stores your account data, project information, and uploaded/processed images. Supabase hosts data in the European Union.
  Supabase Privacy Policy
• Resend (email delivery) — Sends transactional emails on our behalf: account verification, password resets, and workspace invitations. Resend receives your email address and name.
  Resend Privacy Policy
• Vercel (hosting) — Our website is hosted on Vercel’s infrastructure. Vercel may process your IP address and request headers as part of serving web pages.
  Vercel Privacy Policy
• Upstash (rate limiting) — We use Upstash Redis to enforce rate limits and prevent abuse. Upstash receives anonymized request identifiers (IP-based), not personal data.
  Upstash Privacy Policy
• Trigger.dev (background jobs) — Manages asynchronous tasks like image processing queues. Trigger.dev receives job metadata such as project IDs, but not personal user data.
  Trigger.dev Privacy Policy

We use the data we collect for the following purposes only:

• Delivering the service — processing your images with AI, storing results, and enabling downloads
• Processing payments — creating Stripe checkout sessions and tracking payment status
• Account management — authenticating you, sending verification emails, and managing your workspace
• Customer support — responding to your questions and support requests
• Security & abuse prevention — rate limiting, detecting unauthorized access, and preventing fraud
• Service improvement — understanding usage patterns to improve features (no third-party analytics tools are used)

We do not use your data for advertising, profiling, or selling to third parties.

We use a minimal number of cookies:

• Session cookie (essential) — Keeps you logged in. Expires after 7 days of inactivity. Without this cookie, the service cannot function.
• Language preference (essential) — Remembers your selected language so pages load in the right language.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. There is nothing to opt out of because we only use cookies that are strictly necessary for the service to work.

Your data is stored on servers within the European Union via Supabase. We take the following measures to protect your data:

• Passwords are securely hashed — we never store them in plain text
• All data is transmitted over encrypted connections (HTTPS/TLS)
• Database access is restricted and authenticated
• Payment data is handled by PCI-DSS compliant Stripe — we never touch your card details
• Sessions are tied to your IP and device, making stolen session tokens harder to misuse
• Rate limiting prevents brute-force attacks on all endpoints

We keep your data for as long as it is needed:

• Account data — Retained as long as your account is active. Deleted when you delete your account.
• Uploaded & processed images — Kept for 30 days after processing so you can re-download them. After 30 days, images are automatically deleted. You can request earlier deletion at any time.
• Session data — Sessions expire after 7 days of inactivity and are then removed.
• Payment records — Transaction references are kept for tax and legal compliance as required by Dutch law (typically 7 years for financial records).
• Contact messages — Retained for as long as needed to resolve your inquiry, then deleted.

We do not sell, rent, or trade your personal data. We only share data with third parties in these situations:

• Service providers — The third-party services listed in Section 3 above receive only the data they need to perform their function.
• Legal requirements — If we are legally required to disclose data (for example, by a court order or law enforcement request under Dutch or EU law).
• Business transfer — If VastgoedFotoAI.nl is acquired or merges with another company, your data may be transferred as part of that transaction. You will be notified in advance.

Because we operate in the Netherlands and the EU, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to access — You can request a copy of all personal data we hold about you.
• Right to correction — You can ask us to fix any inaccurate data.
• Right to deletion — You can ask us to delete your account and all associated data ("right to be forgotten").
• Right to data portability — You can request your data in a machine-readable format to transfer to another service.
• Right to object — You can object to the processing of your data.
• Right to restrict processing — You can ask us to temporarily stop processing your data while a complaint is resolved.

To exercise any of these rights, email us at info@nuktup.com. We will respond within 30 days as required by law.

If you believe we are not handling your data correctly, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Our service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you by email or through a notice on our website.

If you have questions about this Privacy Policy or how we handle your data, contact us at:

VastgoedFotoAI.nl
E-mail: info@nuktup.com