Privacy Policy
Effective Date: November 26, 2025
1. Introduction
Welcome to Vistafy.ai ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you understand how your information is collected, used, and shared. This Privacy Policy is based on the New Zealand Privacy Act 2020 and explains our practices for users ("you") of our architectural visualisation platform. Nothing in this policy limits rights that cannot be excluded by law.
2. Data We Collect
We collect the following types of information:
2.1 Information You Provide
- Account Information: When you sign up, we collect your email address and password (hashed).
- Billing Information: If you subscribe to a paid plan or purchase credits, our payment processor (Stripe) collects your payment method details and billing address. We do not store full credit card numbers on our servers.
- User Content: We store the text prompts, chat history, images, and project data you upload or generate using our services to provide the Services to you.
- Feedback: Any feedback or support requests you send to us.
2.2 Information Collected Automatically
- Usage Data: We track your interactions with our services, including API usage, tokens consumed, images generated, and error logs to operate, secure, and improve the Services.
- Device Information: We may collect information about your device and browser (e.g., IP address, browser type) for security and troubleshooting.
- Cookies and Similar Technologies: We use cookies and similar technologies in the following categories:
- Strictly Necessary: These cookies are essential for authentication, security, and basic site functionality. They cannot be disabled and are always active.
- Analytics: We use Google Analytics and Vercel Analytics to understand how visitors interact with our site. These cookies help us improve our services and user experience.
- Marketing: We use LinkedIn Insight Tag to measure and improve our marketing campaigns and understand conversion patterns.
3. How We Use Your Data
We process your data for the following purposes:
- Service Provision: To authenticate you, process your rendering requests, and manage your projects.
- Billing: To calculate usage costs, process payments, and manage wallet balances.
- Communication: To send transactional emails (invites, password resets, billing notifications). Marketing emails are sent only with consent and include an unsubscribe link.
- Improvement: To analyze aggregate usage patterns and improve platform reliability and UX (not to train models on your content).
- Analytics and Marketing Attribution: To use aggregated or pseudonymous information (such as cookie identifiers, IP address, device/browser data, and page views) to measure and improve the performance of our website, features, and marketing campaigns. This includes:
- Analytics: Google Analytics and Vercel Analytics (only if you consent to analytics cookies)
- Marketing: LinkedIn Insight Tag for conversion tracking and campaign measurement (only if you consent to marketing cookies)
- Security: To prevent fraud and ensure the security of our platform.
4. No Training on Your Data
We do not use your User Content or personal information to train or improve our or third-party AI models. We configure our vendors to not use API data for training.
5. Data Sharing and Subprocessors
We do not sell your personal data. We share data with trusted third-party service providers who assist in operating our platform:
| Service Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | Global/US |
| Stripe | Payments & Billing | Global |
| OpenAI | AI Chat Processing | Global |
| Fal.ai | AI Image Generation | Global |
| Resend | Transactional Emails | Global |
| Vercel | Hosting, Infrastructure & Analytics | Global |
| Google (Google Analytics) | Product analytics and usage measurement | Global |
| Advertising and conversion analytics (LinkedIn Insight Tag) | Global |
These providers are contractually obligated to handle your data securely and only under our instructions. See our Subprocessors page for the current list.
6. International Transfers
Your information may be transferred to and processed in countries outside New Zealand. Where required, we use appropriate safeguards (such as standard contractual clauses) to protect your information.
7. Data Retention
- Account Data: Retained while your account is active and as required by law.
- Usage Logs: Retained for billing reconciliation, security, and debugging, then deleted or anonymised.
- User Content: Retained until you delete it or delete your account, subject to backups with limited retention.
8. Your Rights
Under the NZ Privacy Act 2020, you can request access to and correction of your personal information. If you are located in other regions (e.g., EU/UK/US), you may have additional rights, which we will honour where applicable.
- Access: Request a copy of your personal information.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of personal information, subject to legal obligations.
- Portability: Where applicable, request a copy in a portable format.
To exercise these rights, contact matt@vistafy.ai. We may need to verify your identity before responding.
9. Security
We implement industry-standard security measures, including encryption in transit (TLS) and at rest (database), to protect your data. However, no method of transmission over the internet is 100% secure.
10. Data Breach Notification
We assess suspected privacy breaches promptly. If a breach is likely to cause serious harm, we will notify the New Zealand Office of the Privacy Commissioner and affected individuals as required by law.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or through a notice on our platform.
12. Contact Us
If you have questions about this Privacy Policy, please contact us at: matt@vistafy.ai