Privacy Policy

1. Introduction and Data Controller

Protecting your personal data is important to us. This Privacy Policy explains what personal data we process in connection with our website and services, for what purpose, and to whom we disclose this data.

The data controller is:

DEMENO
Tino Bögli
Switzerland
Email: privacy@demeno.app

This Privacy Policy is governed by the Swiss Federal Act on Data Protection (FADP/DSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Personal Data We Process

2.1 Account Information

• Email address (for account creation and communication)
• Name (if provided via OAuth provider)
• Profile picture (when signing in with Google)
• Password hash (for email registration, stored encrypted)

2.2 Payment Data

• Payment information is processed directly by our payment provider Stripe, Inc.
• We do not store any credit card or bank account details ourselves
• We only store your Stripe customer ID and subscription status

2.3 Usage Data

• Images you upload (temporarily processed for AI generation)
• Rendering settings and prompts
• Generated outputs (renderings, 3D models, CAD files)
• Credit usage and history
• Project data and configurations

2.4 Technical Data

• IP address (for security and rate limiting)
• Browser type and version
• Operating system
• Access timestamps
• Referrer URL

3. Purpose of Data Processing

We process your personal data for the following purposes:

• Providing and operating our platform and AI-powered services
• Processing your requests (renderings, 3D models, CAD conversions)
• Managing your account and subscription
• Processing payments via Stripe
• Communicating with you about your account and our services
• Preventing abuse, fraud, and security threats
• Complying with legal obligations
• Improving our services and user experience

4. Legal Basis

We process your personal data based on the following legal grounds:

• Contract performance: Processing necessary to provide our contractual services (Art. 31(2)(a) DSG)
• Consent: Where you have given us consent, e.g. for newsletters (Art. 31(1) DSG)
• Legitimate interests: Improving our services, fraud prevention, IT security (Art. 31(1) DSG)
• Legal obligations: Compliance with accounting and tax retention requirements

5. Image Processing and AI

Important: Images you upload are transmitted to external AI services to generate the requested outputs. Specifically:

• Google Gemini API: Image processing for renderings, prompt generation, and analysis. Data is processed by Google LLC, USA.
• Replicate: Image enhancement and additional AI models. Processed by Replicate, Inc., USA.
• Modal (TRELLIS.2): 3D model generation. Processed by Modal Labs, Inc., USA.

Uploaded images are only transmitted to these services for the duration of processing. We do not permanently store your uploaded original images unless you explicitly save the results to your account.

6. Recipients and Data Processors

We share your personal data with the following third parties insofar as this is necessary to provide our services:

7. International Data Transfers

Some of our data processors are located in the USA. Since September 15, 2024, Switzerland has issued an adequacy decision for the USA (for companies participating in the Swiss-U.S. Data Privacy Framework). Where no adequacy decision applies, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards pursuant to Art. 16 DSG.

8. Data Security

We take appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, or destruction. These include:

• Encrypted data transmission (TLS/HTTPS)
• Secure authentication via OAuth 2.0 and Supabase Auth
• Rate limiting to protect against abuse
• Access controls and role-based permissions
• Regular review of our security measures

Despite these measures, no data transmission over the internet can be guaranteed to be completely secure.

9. Data Retention

• Account data: Retained while your account is active; deleted within 30 days of account deletion
• Generated content: Renderings and models are retained for 90 days unless deleted earlier
• Payment records: Retained as required by law (up to 10 years)
• Technical logs: IP addresses and access logs are retained for a maximum of 90 days
• Uploaded images: Not permanently stored after processing unless you save the result

10. Cookies

We only use technically necessary cookies for authentication and session management. We do not use any tracking, advertising, or analytics cookies. For details, please refer to our Cookie Policy.

11. Your Rights

Under the DSG and, where applicable, the GDPR, you have the following rights:

• Right of access: You may request information about your personal data stored by us (Art. 25 DSG)
• Right to rectification: You may request correction of inaccurate data (Art. 32(1) DSG)
• Right to erasure: You may request deletion of your data, unless statutory retention obligations apply
• Right to data portability: You may request your data in a commonly used format (Art. 28 DSG)
• Right to object: You may object to the processing of your data
• Right to withdraw consent: You may withdraw any consent given at any time

To exercise your rights, please contact us at privacy@demeno.app. You can also delete your account and all associated data at any time in your account settings, or request a data export.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC):
www.edoeb.admin.ch

12. Changes to This Privacy Policy

We may update this Privacy Policy at any time. The current version is always available on this page. We will notify you of material changes through appropriate channels. The date of the last update can be found at the top of this policy.

13. Contact

For privacy-related inquiries or to exercise your rights, contact us at:
Email: privacy@demeno.app