HomeGlow Lab · Policies
Last updated 23 April 2026
Privacy policy

How we handle your rooms, your clients, and your data.

HomeGlow Lab provides AI virtual staging for real estate listings. This policy explains what we collect when you use the studio, how we process it, where it lives, and the rights you have over it under the UK GDPR and EU GDPR.

§ 01 Who we are

HomeGlow Lab (“HomeGlow”, “we”, “us”) is the data controller for personal data processed through homeglowlab.com and the HomeGlow Studio application.

Controller: HomeGlow Lab. Contact for privacy queries: editors@homeglow.lab.

§ 02 Information we collect

  • Account data. Email address, one-time login codes, and session tokens required to authenticate you into the Studio. No passwords are stored.
  • Uploaded images. The room photos you send us for staging. These are your files; we process them only to fulfil the staging job you requested.
  • Job metadata. Filenames, room types, style selections, credit balances, and timestamps associated with each staging job.
  • Billing data. If you purchase credits, our payment processor (LemonSqueezy) collects the card and billing details directly. We receive a transaction reference and order metadata — never full card numbers.
  • Operational logs. Minimal request logs (IP, user agent, route, status) retained for up to 30 days for abuse prevention and debugging.

§ 03 Where your data lives

HomeGlow runs on European infrastructure. Database, object storage, and AI rendering workloads are hosted in EU regions. We do not transfer your uploaded images outside the EU for processing.

Model inference is performed on EU endpoints of our AI providers under contractual data-processing terms that prohibit provider-side training on your inputs and outputs.

§ 04 Retention and deletion

  • Uploaded input images: deleted within 30 days of upload. You can request immediate deletion at any time from the Studio or by emailing us.
  • Staged output images: retained in your account for as long as you keep the account active, so you can re-download. Deleted within 30 days of account closure.
  • Account data: kept for the life of the account. On deletion request, we erase within 30 days, subject to legal retention duties (e.g. invoicing records required by HMRC).
  • Operational logs: 30 days maximum.

§ 05 How we use it

We process personal data to: deliver the staging service you requested; operate billing and credits; send transactional emails (login codes, receipts, job-ready notifications); investigate bugs and abuse; and comply with legal obligations.

Legal bases: performance of a contract (the staging service), legitimate interests (security, fraud prevention, service improvement), consent (any marketing email, separately opted-in), and legal obligation (tax records).

We do not sell personal data. We do not use your uploaded images to train models. We do not run advertising trackers on this site.

§ 06 Sub-processors

We use a small, named set of processors. Each is bound by a data processing agreement.

  • Supabase. Application database and authentication. EU region. Stores account records, job metadata, credit ledger.
  • Cloudflare R2. Object storage for uploaded and staged images. EU endpoints. Signed URLs used for access.
  • Resend. Transactional email delivery (login codes, receipts, job-ready notifications).
  • AI image generation. Inputs and outputs processed on EU endpoints under contractual terms that prohibit training on customer data. A current list of named sub-processors is available on request.
  • LemonSqueezy. Payment processing and receipting. They handle card details directly; we never see full card numbers.

§ 07 Cookies

We set one first-party cookie: a signed session JWT that keeps you logged into the Studio. No third-party advertising, analytics, or tracking cookies are set on this site. If we introduce product analytics in future, it will be a privacy-first tool with IP truncation and no cross-site tracking, and this policy will be updated before rollout.

§ 08 Your rights

Under the UK GDPR and EU GDPR you have the right to:

  • Access — request a copy of the personal data we hold on you.
  • Rectification — correct inaccurate data.
  • Erasure — ask us to delete your data, subject to legal retention duties.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Complaint — lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local EU supervisory authority.

To exercise any of these, email editors@homeglow.lab. We respond within 30 days.

§ 09 Security

Transport is TLS end-to-end. Object storage access is gated by signed URLs with short expiries. Database access is restricted by row-level security to the owning account. Secrets are stored in the deployment provider’s encrypted env store, never in source.

If a security incident affects your personal data, we notify the relevant supervisory authority within 72 hours where required, and notify you directly without undue delay where the risk to you is high.

§ 10 Changes to this policy

We update this policy when our processing changes. Material changes are signalled by email to active account holders at least 14 days before taking effect. The date at the top of this page always reflects the current version.

§ 11 Contact

Questions, requests, and complaints: editors@homeglow.lab.

See also our Terms of Service.
