"We", "us" and "cinemap" mean Daito Design Group LLC ("the controller"), the operator of cinemap.ai. Contact: hello@cinemap.ai · privacy contact: privacy@cinemap.ai.
Our lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You may also contact your local supervisory authority in your EU/EEA country of residence.
| Data | Purpose | Lawful basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Local configuration (room dimensions, gear IDs, scenario names) stored in your browser's localStorage | So your work persists between visits | Strictly-necessary functional storage. No consent required (ePrivacy exemption — equivalent to a local file save) | Until you clear it from your browser |
| Email (only if you provide one — share-by-email, feedback form, newsletter opt-in, or purchase) | Send you the requested artifact, reply to your message, deliver the newsletter, or fulfil the purchase | Contract necessity (purchase: 6(1)(b)); legitimate interest (feedback/share: 6(1)(f)); consent (newsletter: 6(1)(a)) | Purchase: 7 years (tax law); feedback: 1 year; newsletter: until you unsubscribe |
| Country code (you select at checkout) | Currency display + applicable VAT | Contract necessity (6(1)(b)) | For the life of your license |
| License key + Stripe customer ID + session ID | Validate your access to Pro features; manage your subscription | Contract necessity (6(1)(b)) | For the life of your license + 7 years post-cancellation (tax / dispute) |
| Payment data (card number, cardholder name, billing address) | Process the payment | Contract necessity (6(1)(b)) | We never see this — Stripe is the processor |
| Hashed IP address (audit log + rate-limiting) | Defend against abuse / brute-force / fraud | Legitimate interest (6(1)(f)) — security | Audit log: 90 days. Rate-limit counters: 24 hours max |
| Page views + event counts — self-hosted, first-party | Understand which features are used | Legitimate interest (6(1)(f)). No third-party analytics, no cookies, no fingerprinting — events are anonymous counts stored in our own database | Aggregated counts only; no per-user analytics profile |
We use the following sub-processors. Each has a Data Processing Agreement (DPA) with us. Where data leaves the EEA, transfers are covered by Standard Contractual Clauses (SCCs).
| Processor | Role | Region | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing, subscription management | Ireland (EU) + US | EU-EU + SCCs for US |
| Supabase Inc. | License database (Postgres + auth) + self-hosted anonymous analytics counts | EU region (Frankfurt) | EU-EU |
| Cloudflare / Vercel | Hosting + CDN | Global edge; primary EU | SCCs (US parent) |
| Resend Inc. | Transactional email (license keys, feedback replies) | US | SCCs |
| Notion Labs Inc. | Feedback CRM (when configured) | US | SCCs |
| Anthropic PBC | LLM-backed product spec extraction (cinemap-side, no user data sent) | US | SCCs · we never send user data here |
| Upstash Inc. | Rate-limit + idempotency keys (hashed only) | EU region | EU-EU |
We will publicly disclose any material change to this list before it takes effect.
Some of our processors are headquartered in the United States (Stripe US, Resend, Notion, Anthropic, Cloudflare, Vercel). For these, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Implementing Decision 2021/914) as our transfer mechanism. We have evaluated each transfer for additional safeguards under Schrems II; where US government access could weaken the SCCs, we minimise the data sent (e.g., we send hashed IPs to Upstash, not raw; we never send personal data to Anthropic).
Under the GDPR (and equivalent rights under UK GDPR / CCPA / PIPEDA / LGPD), you have the right to:
Email privacy@cinemap.ai from the address associated with your license, or use the in-app data export at Settings → Privacy → Export my data (Pro tier). We respond within 30 days (extendable to 90 for complex requests, with notice).
cinemap is not directed at children under 16. We do not knowingly collect data from children. If you believe we have, email us and we'll delete it.
We use localStorage on your device to save your room layout. This is strictly-necessary functional storage, equivalent to a "save" button — not a cookie, not a tracker. We don't use any cookies for tracking. Our analytics is self-hosted, cookie-free, and records only anonymous aggregate event counts (no third-party analytics service). Stripe Checkout sets its own cookies on its own domain (checkout.stripe.com) for the duration of the payment flow; those cookies are governed by Stripe's privacy policy.
We protect your data with TLS in transit, encrypted-at-rest storage at Supabase, signed-cookie session nonces (HMAC-SHA256), service-role-only database writes, content-security-policy headers, and per-IP rate-limiting on every endpoint. Payment data never touches our servers — Stripe is PCI DSS Level 1 certified.
If we ever experience a personal-data breach, we will notify the supervisory authority within 72 hours and notify affected individuals without undue delay (GDPR Art. 33–34).
We keep data only as long as necessary for the purposes above. See our retention schedule for specifics. When data ages out, it's deleted within 30 days; backups age out within 90 days.
We will notify you of material changes via email (if you have a license) and via a banner on the site for 30 days after the change. Non-material changes (typo fixes, clarification) take effect immediately and are noted in the version history.
Privacy questions, DSARs, complaints: privacy@cinemap.ai
General contact: hello@cinemap.ai
Postal: Daito Design Group LLC · address available on request to verified data-subjects