Last updated: March 24, 2026
1. General Information
This Privacy Policy describes how personal data of users of the Izbaviz service, available at izbaviz.com and app.izbaviz.com (hereinafter: the “Service”), is collected, processed, and protected.
This Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) and applicable local data protection laws.
2. Data Controller
The controller of your personal data is:
Devlom
ul. Wigury 8/9
90-301 Lodz, Poland
Tax ID (NIP): 8681799697
REGON: 363671760
Contact regarding data protection matters:
Email: support@izbaviz.com
General email: info@devlom.com
3. Scope and Purposes of Data Processing
We process personal data of users for the following purposes:
- Providing AI interior visualization services — processing photos uploaded by the user to generate interior visualizations (legal basis: Art. 6(1)(b) GDPR — performance of a contract).
- Account registration and management — email address, name, login data, including sign-in via Google and Facebook (legal basis: Art. 6(1)(b) GDPR).
- Payment processing — data necessary for transaction processing by payment operators PayNow, Stripe, and PayPal (legal basis: Art. 6(1)(b) GDPR).
- Security and fraud prevention — IP addresses, session data, activity logs (legal basis: Art. 6(1)(f) GDPR — legitimate interest of the controller).
- Analytics and service improvement — anonymous statistical data on Service usage (legal basis: Art. 6(1)(f) GDPR).
- Communication with users — responding to inquiries, handling complaints (legal basis: Art. 6(1)(b) and (f) GDPR).
- Legal obligations — maintaining accounting and tax records (legal basis: Art. 6(1)(c) GDPR).
4. Processing of Uploaded Photos
Photos uploaded by users are processed solely for the purpose of providing the AI interior visualization service. Specific rules:
- Photos are sent to external AI providers (Replicate, FAL.ai) exclusively for generating visualizations.
- Original user photos are stored on the Service servers for a period depending on the account type: 7 days (free account), 30 days (basic account), or 90 days (premium account).
- Generated visualizations are stored for the same period, after which they are automatically deleted.
- The system applies automatic content moderation — photos that violate the Terms of Service may be automatically rejected.
- The Controller does not use uploaded photos for any purpose other than providing the Service.
5. Data Retention Period
- Account data — retained for the duration of the user account activity.
- Inactive accounts — data of accounts inactive for more than 90 days may be automatically deleted after prior notification of the user by email.
- Transaction data — retained for the period required by tax law (5 years from the end of the calendar year in which the tax payment deadline expired).
- Photos and visualizations — automatically deleted after the period applicable to the account type (7, 30, or 90 days).
- Analytical data — stored in anonymized form indefinitely.
6. Data Recipients
Personal data may be shared with the following categories of recipients:
- Hosting providers — servers located within the European Economic Area.
- AI providers — Replicate, Inc. and FAL.ai (USA) — solely for processing visualizations. Data transfers to the USA are conducted under Standard Contractual Clauses (SCCs).
- Payment operators — PayNow (mBank S.A., Poland) for Polish users, Stripe Inc. (USA) for international users, PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg).
- Analytics services — Google Analytics (with IP anonymization).
- Accounting firm — to the extent necessary for maintaining accounting records.
7. User Rights
Under the GDPR, every user has the right to:
- Access — the right to obtain information about processed personal data (Art. 15 GDPR).
- Rectification — the right to correct inaccurate or supplement incomplete data (Art. 16 GDPR).
- Erasure — the right to request deletion of data, the so-called “right to be forgotten” (Art. 17 GDPR).
- Restriction of processing — the right to request restriction of data processing in certain cases (Art. 18 GDPR).
- Data portability — the right to receive data in a structured format (Art. 20 GDPR).
- Objection — the right to object to processing based on legitimate interest (Art. 21 GDPR).
- Complaint — the right to lodge a complaint with the supervisory authority. For users in Poland, this is the President of the Personal Data Protection Office (UODO). Users in other EU/EEA countries may contact their local data protection authority.
To exercise any of the above rights, please contact us at: support@izbaviz.com.
8. Data Security
The Controller applies appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit using the SSL/TLS protocol.
- Hashing of user passwords using the bcrypt algorithm.
- Regular backups.
- Access control to IT systems.
- Monitoring and responding to security incidents.
9. Cookies
The Service uses cookies for the following purposes:
- Essential — ensuring the proper functioning of the Service, maintaining user sessions, remembering language preferences.
- Analytical — collecting anonymous statistical data about Service usage (Google Analytics).
- Functional — remembering user settings such as dark mode or preferred language.
Users can manage cookies through their browser settings. Disabling essential cookies may limit the functionality of the Service.
10. Changes to the Privacy Policy
The Controller reserves the right to amend this Privacy Policy. Users will be notified of significant changes via the Service or by email at least 14 days before they take effect.
The current version of the Privacy Policy is always available on the Service website.