Who touches
your data.
About this page
Under GDPR Article 28(2), we must publish the complete list of sub-processors that process personal data on our behalf, with their category, purpose, region, and DPA reference. This is that list. It is the canonical public version of our internal DPA document.
We commit to providing at least 30 days' advance notice before adding a new sub-processor — by updating this page and, for users with an active account, by an in-app banner. Material changes also bump the privacy-policy version, which triggers a re-consent prompt at next login.
Current sub-processors
| Sub-processor | Purpose | Data category | Region | DPA |
|---|---|---|---|---|
| Google Firebase | App backend (Firestore + Auth + Storage + Crashlytics) | Account email, name, generated images, chat messages, crash reports | US (us-central1) | Link |
| Vercel | Web + API hosting | All request/response data, geo IP | Global edge | Link |
| KIE.ai (Kiengage Ltd.) | Primary AI image generation | Image input, prompt text | US | Link |
| Replicate, Inc. | Fallback AI image generation | Image input, prompt text | US | Link |
| Google Cloud (Vertex AI) | Fallback AI image generation (Imagen) | Image input, prompt text | US (us-central1) | Link |
| Amazon Web Services (AWS Bedrock) | Fallback AI image generation (Nova Canvas) | Image input, prompt text | US | Link |
| Google Gemini (Google Cloud) | Photo understanding (room-type detection, layout analysis, furniture cataloguing) | Image input, prompt text | US (us-central1) | Link |
| Adapty Tech, Inc. | In-app purchase analytics + receipt validation | Anonymous device id, purchase events | US | Link |
| Apple App Store / StoreKit | iOS payments | Apple ID hash, purchase data | Apple-controlled | Link |
| Google Play | Android payments | Google account hash, purchase data | Google-controlled | Link |
| Zoho (ZeptoMail / Zoho Mail) | Transactional email sending + support inbox hosting (welcome, password reset, design-emailed-to-you, support@) | Email address, message content | US/EU | Link |
| Stripe | Web subscription billing | Last 4 of card, billing address, country | Global | Link |
| Highlight.io | Frontend error monitoring (web only) | User session id, console errors | US | Link |
| Google Cloud Vision API | Content safety (SafeSearch on uploads + generated outputs) | Image bytes (analysed and discarded, not retained) | US (us-central1) | Link |
Last updated: 2026-06-09. Subscribe to changes by emailing privacy@intirear.design with the subject “Subscribe to sub-processor updates”.
Retention summary
- Account data: retained while active. Deleted within 30 days of request (Art. 17).
- Generated images: retained until you delete them or close your account.
- Source room uploads: 365 days from upload (auto-deleted via GCS lifecycle).
- Inpainting masks: 7 days from creation.
- Crashlytics crash reports: 90 days (Firebase default).
- Server access logs: 30 days on Vercel.
- Analytics events: indefinitely in anonymized form (user-id replaced with “anonymized” on account deletion).
- Audit logs (moderation, opt-outs, admin actions): 7 years for legal-defence retention.
EU + UK Representatives (Art. 27)
Enterprise customers and EU/UK supervisory authorities can reach our designated representatives at the addresses below. These are the official Article 27 GDPR / Art. 27 UK GDPR points of contact and are kept in sync with the contact block on /privacy.
- EU representative
- Soyuz Ventures Ltd — EU Rep
eu-rep@intirear.design - UK representative
- Soyuz Ventures Ltd — UK Rep
uk-rep@intirear.design - Data Protection Officer
- privacy@intirear.design
- Controller / sub-processor disputes
- privacy@intirear.design
International transfers
EU → US transfers are governed by Standard Contractual Clauses (SCCs) included in each sub-processor's DPA, supplemented (where the sub-processor processes personal data of EU residents in the US) by technical and organisational measures consistent with the European Data Protection Board's recommendations under Schrems II.
UK transfers rely on the UK International Data Transfer Addendum to the SCCs. Swiss transfers rely on the Swiss-FDPIC-recognised SCCs. We do not transfer personal data to any country lacking an EU Commission adequacy decision or an equivalent transfer mechanism.