Privacy Policy — Vrex Visual
Effective date: [launch date]
1. Who we are
Vrex Visual is a product of Vixel AS, a Norwegian company, [registered address]. Vixel AS is the data controller for the personal data described in this policy. Contact: support@vrexvisual.com.
2. What Vrex Visual does with your content
Vrex Visual turns images of your building designs (viewpoints from 3D/BIM models, uploads, reference images) into photorealistic renders. To do that, the images you submit and the text prompts and settings you write are sent to Google’s Gemini API for processing, and your uploads and generated outputs are stored in our object storage (Cloudflare R2). Google processes this content as our processor to produce your results; we do not use your content to train models (see the Image Rights page).
3. Data we process
- Account data — your email address and, when you sign in through our sign-in provider (WorkOS), the name/profile your identity provider shares. Accounts belong to an organization (your workspace).
- Content — images you upload, reference images, prompts and generation settings, generated outputs, and derived files we create to display them (thumbnails, zoomable tiles).
- Billing data — your subscription plan and status and a Stripe customer reference. Payment is handled by Stripe; card details never reach our servers. We also keep a credit ledger (credit grants and per-generation charges) for your organization.
- Usage telemetry — per-generation technical records (provider used, resolution tier, estimated provider cost, timing/status). These contain no image content and are used to operate and price the service.
- Feedback — if you submit in-app feedback: your comment, an optional screenshot, and a snapshot of the app’s state at submit time (to reproduce your issue).
- Technical logs — standard server logs for security and operations.
4. Purposes and legal bases (GDPR)
- Providing the service (generation, storage, billing, support) — performance of a contract (Art. 6(1)(b)).
- Security, abuse prevention, and service improvement (rate limiting, logs, aggregated telemetry) — legitimate interests (Art. 6(1)(f)).
- Accounting and tax records — legal obligation (Art. 6(1)(c)).
5. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Google LLC (Gemini API) | AI image generation and image analysis | USA |
| Cloudflare, Inc. (R2) | Object storage for uploads and outputs | [region per bucket config — REVIEW] |
| Sevalla | Application and database hosting | [hosting region — REVIEW] |
| Stripe, Inc. | Payments and subscription billing | USA/EU |
| WorkOS, Inc. | Sign-in / authentication | USA |
International transfers. Where processing happens in the USA (notably Google’s Gemini API), the transfer is based on the EU Standard Contractual Clauses and/or an EU adequacy decision (the EU–US Data Privacy Framework, for providers certified under it).
6. Retention and deletion
- Your uploads, outputs, and account data are kept until you delete them or delete your account.
- You can delete individual images and generations in the app.
- You can delete your entire account in the app (Billing panel → danger zone). This erases your
organization’s database records (users, projects, images, generations, credit ledger) and the files
stored for your organization. The same erasure is available via the API (
DELETE /api/account). - Residual copies can persist for a limited period in encrypted database backups before expiring.
- Telemetry and server logs are kept for operations.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interests. Contact support@vrexvisual.com to exercise them. You can also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.
8. Cookies and local storage
The app uses a session credential to keep you signed in and minimal browser storage for convenience (for example, remembering the email on the login form). We do not use advertising cookies or cross-site trackers in the app.
9. Security
Traffic is encrypted in transit (TLS). Stored files live in private buckets accessed only through signed, short-lived URLs. Tenant isolation is enforced at the database layer (row-level security), so one organization’s data is not readable by another.
10. Changes
We will post updates to this policy on this page and, for material changes, notify account holders by email.