Decorb ("we," "us," or "our") operates the Decorb mobile application and web application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using Decorb, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
| Data Type | Description |
|---|---|
| Account Information | Name, email address, and profile photo obtained through Google or Apple Sign-in |
| Onboarding Preferences | Your role (e.g., homeowner, interior designer), design goals, and how you heard about Decorb, collected during onboarding |
| Space Photos | Images of rooms or spaces you upload for redesign |
| Reference Images | Inspiration photos, furniture images, or material samples you upload |
| Text Prompts & Chat Messages | Descriptions and instructions you provide to guide AI generation, and conversational messages exchanged with the AI design assistant within your projects |
| Payment Information | Billing details processed through our payment provider, Dodo Payments (we do not store full payment card numbers) |
| Feedback & Support Communications | Bug reports, feature requests, and other feedback you submit (including your email address and message text), as well as support correspondence |
1.2 Information Collected Automatically
| Data Type | Description |
|---|---|
| Device Information | Device type, operating system, app version, unique device identifiers (including Firebase App Instance ID), and mobile network information |
| Usage Data | Features used, pages visited, generation history (including resolution, processing time, and success/failure status), session duration, credit usage, and interaction patterns. This data is collected via Google Analytics 4 (see Section 3.1) and may include your subscription tier, credit balance, and onboarding persona as user-level properties. |
| Log Data | IP address, browser type, access times, and referring URLs |
| Marketing Attribution | UTM parameters (source, medium, campaign, content, term) captured from URL query strings when you first visit the Service, along with the landing page path and capture timestamp. These are stored in your browser's local storage and linked to your account upon registration. |
| Location Data | Approximate location derived from IP address (we do not collect precise GPS location) |
| Analytics Identifiers | A randomly generated Google Analytics client ID (UUID) stored in your browser's local storage and linked to your user account for analytics purposes |
| Cookies & Local Storage | Session cookies for authentication, and browser local storage entries for: analytics client ID, UTM attribution data, and UI preferences (theme, sidebar state). The mobile app stores a notification preference flag locally on your device. |
1.3 Information from Third Parties
| Source | Data |
|---|---|
| Google / Apple Sign-in | Name, email address, email verification status, and profile photo as authorized by you during authentication via the OAuth consent screen |
2. How We Use Your Information
| Purpose | Description |
|---|---|
| Provide the Service | Process your uploads, generate AI-powered interior design visualizations, and deliver results |
| Account Management | Create and maintain your account, manage subscriptions, and process payments |
| Service Improvement | Analyze usage patterns to improve features, performance, and user experience |
| Communication | Send service-related notifications, respond to support requests, and provide updates about your account |
| Security | Detect, prevent, and address fraud, abuse, and technical issues |
| Legal Compliance | Comply with applicable laws, regulations, and legal processes |
2.1 AI Processing
When you submit images and prompts for generation, your inputs are transmitted to Google Gemini, our AI processing provider, solely to generate the requested visual output. We do not use your uploaded images or prompts to train our own AI models, and we do not permit Google to use your content to train its models beyond what Google's API data processing terms permit. You should review Google's Gemini API Terms of Service and Google's Privacy Policy for information on how Google handles data submitted via its API. Generated images are stored in your account for your access and are treated as your content.
3. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
3.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting, data storage, background task processing (Cloud Tasks), and AI image generation (Gemini API) | All data stored in Firestore and Cloud Storage; room images and prompts sent to Gemini for generation; content moderation checks on uploaded images |
| Firebase (Google) | Authentication, real-time database, and file storage | Authentication credentials, user profiles, all application data |
| Google Analytics 4 | Product analytics and user behavior measurement via both client-side Firebase Analytics SDK and server-side Measurement Protocol | User ID, analytics client ID, event data (login, signup, generation, billing, navigation, chat events), and user properties (subscription tier, credit balance, persona, design goal, referral source, signup date, UTM attribution). See Section 1.2 for full details. |
| Dodo Payments | Payment processing and subscription management (as Merchant of Record) | Email address, name, billing address (city, state, country, zip code), subscription/product IDs, user ID (in metadata for webhook correlation) |
| Google Fonts | Font delivery via CDN | Standard HTTP request data (IP address, referrer, user agent) sent when fonts are loaded |
3.2 Legal Requirements
We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to comply with legal obligations, protect our rights or property, prevent fraud, or protect users' safety.
3.3 Business Transfers
If Decorb is involved in a merger, acquisition, or sale of all or substantially all of its assets, your information may be transferred to the successor entity as part of that transaction. We will notify you at least 30 days before the transfer takes effect by email (to the address on file) and by posting a prominent notice on our website. If you do not wish your information to be transferred to the successor entity, you may delete your account before the transfer takes effect.
3.4 Public Sharing
When you use the share feature to create a public link for a design iteration, the following data becomes publicly accessible to anyone with the link:
- The AI-generated design image
- The original base image of your room
- The text prompt describing the design changes
- Metadata including iteration number, processing time, and resolution
Share links do not expire and remain publicly accessible until you delete the associated design iteration. Social media platforms (Facebook, Twitter/X, LinkedIn, WhatsApp, Telegram, Discord) may access and cache shared design images and metadata through their respective link preview crawlers when a share link is posted on those platforms.
3.5 With Your Consent
We may share your information for purposes not described in this Privacy Policy if we have obtained your explicit consent.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account Information | Retained while your account is active. Deleted within 30 days of receiving your account deletion request. |
| Uploaded Images | Retained while your account is active. You may delete individual design iterations through the Service; associated generated images are removed from storage upon deletion. Remaining images are deleted as part of account deletion processing. |
| Text Prompts & Chat Messages | Retained while your account is active and the associated project/space exists. Deleted as part of account deletion processing. |
| Generated Images | Retained while your account is active. Accessible via time-limited signed URLs (7 days) that are automatically refreshed. You may delete individual iterations; images are removed from cloud storage upon deletion. Remaining images are deleted as part of account deletion processing. |
| Onboarding Preferences & Feedback | Retained while your account is active. Deleted as part of account deletion processing. |
| Credit Transaction History | Retained indefinitely for audit, tax, and financial compliance purposes, even after account deletion. Transaction records may be anonymized (user identifiers removed) rather than deleted to preserve financial audit integrity. |
| Subscription Records | Retained as required by applicable tax and financial regulations (typically 7 years). Dodo Payments independently retains payment records per their own retention policies. |
| Usage & Analytics Data | Data sent to Google Analytics 4 is retained according to Google's data retention settings (currently configured for 14 months). Server-side log data is retained for up to 24 months. |
| Publicly Shared Designs | Shared links remain publicly accessible until you delete the associated design iteration or request account deletion. Social media platforms may cache shared content independently and beyond our control. |
4.1 Account Deletion
You may request deletion of your account by contacting us at support@decorb.app. Upon receiving a verified deletion request, we will:
- Delete your user profile, projects, spaces, design iterations, chat messages, uploaded images, and generated images from our active systems within 30 days
- Revoke all public share links associated with your account
- Anonymize (rather than delete) credit transaction records where required for financial compliance
- Request deletion of your Firebase Authentication record
Please note: data may persist in encrypted infrastructure backups managed by Google Cloud Platform for a limited period beyond the 30-day window; such backup data is not actively accessible and is overwritten in the normal course of backup rotation. Data previously sent to third-party services (Google Analytics, Dodo Payments) is subject to those services' own retention and deletion policies.
5. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2+
- Encryption at Rest: Stored data is encrypted using AES-256 encryption
- Access Controls: Strict role-based access controls for internal systems
- Infrastructure: Hosted on Google Cloud Platform with enterprise-grade security certifications
- Signed URLs: Uploaded and generated images are accessible only through time-limited signed URLs
While we take reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Your Rights and Choices
6.1 Account Controls
You can:
- Access your personal information through your account settings
- Update your profile information (name and display details) at any time
- Delete individual projects, spaces, and design iterations through the Service
- Request account deletion by emailing support@decorb.app, which will trigger deletion of your personal data as described in Section 4.1
6.2 Communication Preferences
You can opt out of promotional communications by following the unsubscribe instructions in those messages. You cannot opt out of service-related communications (such as billing notifications and security alerts).
6.3 Cookie Controls
We use the following categories of cookies: (a) Essential cookies — required for authentication and session management (these cannot be disabled without breaking the Service); (b) Analytics cookies — used to understand how you interact with the Service to improve it. Where required by law (including for EEA/UK users), we will request your consent before placing non-essential cookies. You can manage or withdraw cookie preferences through your browser settings at any time. Disabling analytics cookies will not affect core Service functionality.
6.4 Data Portability
You can download individual generated images through the Service. For a complete export of your data (including projects, prompts, and chat history), contact us at support@decorb.app and we will provide your data in a machine-readable format within 30 days.
7. Regional Privacy Disclosures
7.1 European Economic Area and United Kingdom (GDPR)
If you are located in the EEA or UK:
- Legal Bases for Processing: We process your data based on: (a) your consent (e.g., for cookies and marketing communications), (b) the necessity to perform our contract with you (e.g., providing the Service, managing your account and credits), (c) our legitimate interests (e.g., fraud prevention, security, analytics), and (d) compliance with legal obligations (e.g., tax and financial record-keeping).
- Data Controller: Decorb is the data controller for personal information collected through the Service.
- Your Rights: You have the right to: (i) access and receive a copy of your personal data; (ii) rectify inaccurate data; (iii) erase your data ("right to be forgotten") under certain conditions; (iv) restrict processing; (v) port your data in a machine-readable format; (vi) object to processing based on legitimate interests; and (vii) withdraw consent at any time without affecting the lawfulness of prior processing.
- Automated Decision-Making: We do not make solely automated decisions that produce legal or similarly significant effects on you. AI-generated design outputs are tools provided to you and do not constitute decisions made about you.
- International Transfers: Your data may be transferred to and processed in countries outside the EEA/UK, including India and the United States (via Google Cloud Platform). We ensure adequate safeguards through Standard Contractual Clauses adopted under EU Commission Decision 2021/914 (or equivalent UK mechanisms) with each recipient.
- Complaints: You have the right to lodge a complaint with your local supervisory authority. You may find your authority at edpb.europa.eu. You may also contact us first and we will work to resolve your concern.
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction, comply with law, or fulfill a legal obligation).
- Right to Correct: You may request correction of inaccurate personal information we hold about you.
- Right to Opt-Out of Sale or Sharing: We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA.
- Non-Discrimination: We will not discriminate against you for exercising any of these rights.
- "Shine the Light" Disclosure: We do not disclose personal information to third parties for their direct marketing purposes.
To exercise any of these rights, contact us at the address provided in Section 10. We will respond to verified requests within 45 days (extendable by an additional 45 days with notice).
7.3 Indian Residents (DPDPA)
We comply with the Digital Personal Data Protection Act, 2023 (DPDPA) of India, as and when its provisions come into force. As a Data Fiduciary, we collect and process your personal data for the purposes described in this Policy, and only on lawful grounds (including your consent and legitimate uses under the Act).
Indian users have the right to:
- Access: Obtain a summary of personal data we hold about you and the processing activities undertaken.
- Correction and Erasure: Request correction of inaccurate or misleading data, and erasure of data no longer necessary for the stated purpose.
- Grievance Redressal: Have your grievances addressed in a timely manner. Contact us at support@decorb.app. If unresolved, you may approach the Data Protection Board of India once it is constituted.
- Nomination: Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
7.4 Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. We do not currently respond to DNT browser signals. If a universal standard for DNT compliance emerges, we will revisit this policy.
8. Children's Privacy
Decorb is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and in the app, updating the "Last Updated" date, and sending a notification through the Service for significant changes.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:
- Email: support@decorb.app
- Website: https://decorb.app/privacy
Document Status: v1.0 · Last Updated: April 2026