Privacy Policy

1. Information We Collect

Account Data

When you create an account, we collect your name, email address, and a hashed version of your password. We never store your password in plaintext. If you sign in through a third-party provider (such as Google or other supported OAuth providers), we receive a token and the basic profile information that provider shares with us.

Scan Data

When you use the LiDAR scanning features, we process raw depth sensor data locally on your device to generate a structured floor plan. If you have cloud sync enabled (Pro and Business plans), the resulting floor plan — including room dimensions, wall positions, door and window placements, and any labels you add — is uploaded to our servers. Raw sensor point-cloud data is not transmitted to our servers; only the derived floor plan structure is stored.

Usage Analytics

If you have opted in to analytics in the app’s Privacy settings, we collect anonymised usage data including screen views, feature interactions, session duration, and general device information (device model, OS version, app version). This data does not include the content of your floor plans. You can opt out at any time in Settings → Privacy → Analytics.

Crash Reports

If you have enabled crash reporting, we collect diagnostic information when the app crashes, including device model, OS version, app version, and a stack trace of the error. Crash reports never include floor plan content or personal account data. You can opt out in Settings → Privacy → Crash Reporting.

Technical and Log Data

We automatically collect certain technical information when you access the Service, including your IP address, browser type and version, referring URL, and pages visited. This information is used for security monitoring, fraud prevention, and service diagnostics. It is retained for 90 days and then deleted.

Payment Data

Subscription payments are processed by Apple (App Store) or Stripe (web). We do not store your full payment card number. We receive a transaction identifier and subscription status through RevenueCat, our subscription management provider.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing and improving the Service — To operate, maintain, and enhance the features and functionality of vPlan AR, including generating floor plans from scan data, enabling cloud sync, and processing exports.
• Account management — To create and maintain your account, authenticate you, and communicate with you about your account.
• Customer support — To respond to your inquiries, troubleshoot issues, and provide assistance when you contact us.
• Subscription management — To process payments, manage your subscription tier, and enforce feature access based on your plan.
• Analytics and product development — To understand how the Service is used, identify areas for improvement, and develop new features. Analytics data is used only in aggregated or anonymised form.
• Security and fraud prevention — To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities.
• Legal compliance — To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Service.
• Communications — To send you service-related notices, security alerts, and (with your consent) product updates or newsletters. You may opt out of marketing communications at any time.

We do not use your floor plan data or scan content for any purpose other than operating the Service for your benefit.

3. Data Storage & Security

Infrastructure

Your data is stored using Supabase, which operates on AWS infrastructure. Floor plans and account data are stored in a PostgreSQL database and encrypted file storage bucket. Data is hosted in the us-west-1 (US West) region.

Encryption

• Encryption at rest — All data stored in our database and file storage is encrypted using AES-256.
• Encryption in transit — All data transmitted between the Service and our servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints.
• Password storage — Passwords are hashed using bcrypt with a per-user salt before storage. We never store or transmit plaintext passwords.

Access Controls

Access to production systems is restricted to authorised personnel and governed by role-based access controls. We use row-level security (RLS) policies in our database so that each user can only access their own data. All internal access is logged and monitored.

Security Incident Response

In the event of a data breach affecting your personal information, we will notify affected users and, where required by law, the relevant supervisory authorities, within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the categories of data involved, and the steps we are taking to mitigate harm.

Data Retention

We retain your account data and floor plans for as long as your account is active. If you delete your account, your personal data and floor plans are permanently deleted within 30 days of the deletion request. Backups may retain data for up to 90 days before being purged. Anonymised analytics data may be retained indefinitely.

4. Sharing of Information

We do not sell, rent, or trade your personal information to any third party. We may share your information only in the following limited circumstances:

Service Providers

We share information with trusted third-party vendors who assist us in operating the Service. These providers are contractually required to use your information only to perform services on our behalf and may not use it for their own purposes. Current sub-processors include:

• Supabase — Database, authentication, and file storage (US West region).
• RevenueCat — Subscription management and purchase validation.
• Sentry — Crash reporting and error monitoring (only when crash reporting is enabled).
• Google Analytics — Usage analytics (only when analytics is enabled in Settings → Privacy).
• Postmark — Transactional email delivery (account notifications, password resets).
• Stripe — Web payment processing for Pro and Business subscriptions.

Public Share Links

If you generate a public share link for a floor plan, anyone with that link can view the floor plan without an account. Shared floor plans are accessible until you revoke the link. We recommend using share links only when you intend the content to be publicly viewable.

Team Workspaces (Business Plan)

If you are part of a Business plan workspace, other members of your workspace can view and edit projects shared within that workspace. The workspace owner controls membership.

Legal Requirements

We may disclose your information if required to do so by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

5. Cookies & Tracking

Website Cookies

Our website (vplan.ai) uses cookies to maintain your session when you are logged in, remember your preferences, and protect against cross-site request forgery. These are strictly necessary cookies and cannot be disabled without breaking core functionality.

Analytics Cookies

With your consent, we use analytics cookies to understand how visitors interact with the website — which pages are most visited, how long sessions last, and where users navigate from. Google Analytics 4 is used for this purpose. You can opt out by adjusting your browser’s cookie settings or using our cookie preference centre.

No Advertising Tracking

We do not use advertising or retargeting cookies. We do not allow third-party advertisers to track you through our website or app.

Mobile App

The mobile app does not use browser cookies. Usage analytics in the app are governed by the opt-in setting in Settings → Privacy → Analytics, not by browser cookie controls. Apple’s App Tracking Transparency (ATT) framework applies on iOS.

6. Your Rights

General Rights

Depending on your location, you may have the following rights with respect to your personal data:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete data.
• Erasure — Request deletion of your personal data, subject to our legal obligations to retain certain information.
• Portability — Request your data in a structured, machine-readable format.
• Restriction — Request that we restrict processing of your data in certain circumstances.
• Objection — Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent — Withdraw any consent you have given at any time, without affecting the lawfulness of processing prior to withdrawal.

GDPR (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent legislation. Our legal basis for processing your data is contract performance (to deliver the Service you signed up for) and legitimate interests (to improve the Service and ensure security). Where we rely on consent (e.g. analytics), you may withdraw it at any time. You have the right to lodge a complaint with your local supervisory authority. For privacy inquiries, contact us at support@vplan.ai.

CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• The right to know what personal information we collect, use, disclose, and sell about you.
• The right to delete personal information we have collected about you.
• The right to opt out of the sale or sharing of personal information — we do not sell or share personal information as defined under CCPA.
• The right to non-discrimination for exercising your CCPA rights.

To submit a CCPA request, contact us at support@vplan.ai or use the in-app account deletion flow in Settings → Account Management. We will respond within 45 days of a verifiable consumer request.

How to Exercise Your Rights

To exercise any of the rights listed above, email us at support@vplan.ai. We may ask you to verify your identity before fulfilling your request. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verified request.

7. Children’s Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at support@vplan.ai.

If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. Users between the ages of 13 and 18 may use the Service only with the consent and supervision of a parent or legal guardian.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

• Posting a prominent notice in the app when you next open it.
• Sending an email to the address associated with your account at least 7 days before the changes take effect.
• Updating the "Last updated" date at the top of this page.

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your account.

We encourage you to review this policy periodically. The current version is always available at vplan.ai/privacy.

9. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days. For formal rights requests under GDPR or CCPA, we will respond within the legally required timeframe.