Privacy Policy

Last updated: February 26, 2026

1. Introduction

This Privacy Policy explains how Rynexa ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our interior design project management platform ("Service").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data We Collect

We collect the following categories of personal data:

2.1 Data you provide directly

  • Account information: name, email address, company name, role (designer or client)
  • Project data: project names, floor plans, room configurations, product selections, comments, and task information
  • Uploaded files: images, documents, floor plans, and other files you upload to projects
  • Payment information: billing details if applicable (processed by our payment provider)

2.2 Data collected automatically

  • IP addresses
  • Browser type, version, and device information
  • Pages visited, features used, and timestamps
  • Cookies and similar technologies (see Section 8, Cookies)

2.3 Data received from third parties

  • When a designer invites you as a client, we receive your email address and name from the inviting designer
  • Cloudflare Turnstile verification data for security purposes

3. How and Why We Use Your Data

We process your personal data for the following purposes, each with a legal basis under GDPR:

  • Providing the Service, managing accounts, and enabling collaboration — Legal basis: performance of contract (Art. 6(1)(b))
  • Security measures (email verification, login protection, audit logs, error tracking) — Legal basis: legitimate interest (Art. 6(1)(f))
  • Marketing communications and non-essential cookies — Legal basis: consent (Art. 6(1)(a))
  • Compliance with legal obligations — Legal basis: legal obligation (Art. 6(1)(c))

4. Data Sharing and Recipients

We share your data only with trusted service providers who process data on our behalf:

  • Render — hosting infrastructure
  • Cloudflare — CDN, file storage (R2), and security (Turnstile)
  • Sentry — error tracking (production environment only)
  • Cloudflare Turnstile — CAPTCHA verification
  • Email service provider — transactional emails (password resets, login codes, invitations)

We do not sell your personal data. We may disclose data when required by law or to protect our legal rights.

5. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions.

We store uploaded files on Cloudflare R2, which may replicate data across regions. Our hosting provider Render operates infrastructure that may involve data processing in the United States, protected by appropriate transfer mechanisms.

6. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

  • Account data: retained while your account is active and for 30 days after deletion
  • Project data: retained while the associated account is active; deleted after account closure
  • Uploaded files: deleted when you remove them or after account closure
  • Audit logs: retained for up to 2 years for legal compliance and security
  • Session data: automatically expires after 12 hours of inactivity
  • Backups: retained for up to 30 days, then permanently deleted

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Request a copy of your personal data
  • Right to rectification (Art. 16) — Correct inaccurate or incomplete data
  • Right to erasure (Art. 17) — Request deletion of your personal data
  • Right to restriction (Art. 18) — Limit processing in certain circumstances
  • Right to data portability (Art. 20) — Receive your data in a machine-readable format
  • Right to object (Art. 21) — Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint — File a complaint with your national supervisory authority

To exercise any of these rights, contact us at privacy@rynexa.com. We will respond within one month.

8. Cookies

We use strictly necessary cookies for authentication, session management, and security (CSRF protection). These cookies are essential for the Service to function and do not require consent.

We do not currently use analytics or advertising cookies. If we introduce non-essential cookies in the future, we will update this policy and obtain your consent before placing them.

You can control cookies through your browser settings, but disabling essential cookies may prevent the Service from functioning properly.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS/SSL)
  • Password hashing with bcrypt
  • CSRF protection on all forms
  • Automatic session timeout after 12 hours
  • Role-based access controls

10. Children's Data

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before they take effect, by email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at privacy@rynexa.com.

© 2026 Rynexa