Your data, treated like a commission.

The controller responsible for your personal data is KV Services sp. z o.o., Grochowska 23/31, 04-186 Warszawa, Poland. Our Data Protection Officer can be reached at [email protected].

We process data under the EU General Data Protection Regulation (GDPR) and the Polish Personal Data Protection Act (UODO), and equivalent EU and UK frameworks where relevant.

We deliberately collect as little as possible. Specifically:

• Account data — first and last name, email, hashed password.
• Order data — billing address, credits purchased, invoice history, bank-transfer reference.
• Configurator inputs — dimensions, materials, finishes you selected.
• AI Planner uploads — photographs of your room and any reconstructed 3D twin.
• Technical data — IP address, browser, device, page interactions, error traces.
• Optional analytics — only if you accept analytics cookies.

We do not collect special-category data, biometric identifiers, payment-card numbers (bank transfer only), or social-graph data.

• Contract (Art. 6(1)(b) GDPR) — fulfilling orders, activating credits, delivering custom furniture.
• Legal obligation (Art. 6(1)(c)) — bookkeeping, tax, invoice retention (10 years under §147 AO).
• Legitimate interest (Art. 6(1)(f)) — fraud prevention, securing the configurator, improving the AI model on aggregated data.
• Consent (Art. 6(1)(a)) — analytics cookies, marketing emails, optional AI training on your room photos.

When you upload a photograph to the AI Planner, it is processed by our in-house room-reconstruction model hosted within the EU. The image is retained for the active session and any saved project you create. We do not train our model on your photographs unless you tick the explicit opt-in in your dashboard.

You can delete a project — and the underlying photograph and 3D twin — at any time from your dashboard. Deletion is propagated to backups within 30 days.

We share data only with vetted processors bound by Art. 28 GDPR contracts:

• Our EU-hosted cloud infrastructure provider (Frankfurt region).
• Transactional email and invoicing providers in the EU.
• Logistics partners — only the shipping address required to deliver.
• Tax advisors and auditors, when legally required.

We do not sell personal data and do not transfer it outside the EEA/UK/Switzerland without an adequacy decision or Standard Contractual Clauses.

• Account & dashboard — for the life of the account, deleted within 30 days of closure.
• Orders & invoices — 10 years (statutory).
• Room photos & 3D twins — until you delete them, or 24 months of inactivity.
• Server logs — 30 days, then aggregated.
• Marketing emails — until you unsubscribe.

Under GDPR you have the right to:

• Access the data we hold about you.
• Rectify inaccurate data.
• Erase data (subject to legal retention).
• Restrict or object to processing.
• Receive your data in a portable format.
• Withdraw consent at any time.
• Lodge a complaint with your supervisory authority (in Poland: UODO).

To exercise any of these rights, write to [email protected]. We respond within 30 days.

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is role-based and logged. We run quarterly penetration tests and follow ISO 27001 controls. In the unlikely event of a personal-data breach we notify affected users and the UODO within 72 hours.