Privacy Policy
- Scope and Applicability
- Data Controller
- Key Definitions
- Information We Collect
- Sources of Information
- Purposes and Legal Bases
- Disclosures to Third Parties
- International Data Transfers
- Data Retention
- Information Security
- Your Rights and Choices
- Account and Data Deletion
- Children's Privacy
- Tracking and Analytics
- Device Permissions
- Shared and Public Content
- Third-Party Services and Links
- California Residents (CCPA/CPRA)
- EEA and United Kingdom Residents (GDPR)
- Canadian Residents (PIPEDA)
- Changes to this Policy
- Contact Us
1. Scope and Applicability
This Policy applies to Personal Information processed by OpenhouseXR in connection with:
- Our mobile application(s) for iOS (the "Mobile App");
- Our web-based viewer accessible through standard web browsers (the "Web Client");
- Our virtual-reality, mixed-reality, and extended-reality clients, including any current or future native applications for head-mounted displays (collectively, the "XR Clients");
- Our marketing website at the domain on which this Policy is hosted (the "Website"); and
- Backend application-programming interfaces, cloud processing services, and supporting infrastructure (collectively, the "Platform").
This Policy does not apply to information collected by third parties whose products, services, or websites are not controlled by us, even where such third parties are referenced or linked from within the Services. We encourage you to review the privacy policies of any third party before providing them with Personal Information.
2. Data Controller
The entity responsible for the processing of your Personal Information described in this Policy is OpenhouseXR. For the contact details of our privacy representative, please refer to Section 22 (Contact Us).
3. Key Definitions
- "Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to identifiers such as name, email address, account identifiers, or other information that can reasonably be linked, directly or indirectly, to a specific individual.
- "Processing" means any operation performed on Personal Information, whether or not by automated means, including collection, recording, organization, storage, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.
- "User Content" means any data, files, images, three-dimensional spatial captures, room dimensions, furniture placements, or other materials that you upload, capture, generate, submit, or otherwise make available through the Services.
- "Service Providers" means third parties engaged by us to perform services on our behalf and under our instructions.
4. Information We Collect
4.1 Information You Provide Directly
When you register for, configure, or use the Services, we may collect the following Personal Information that you provide directly:
- Account Registration Information: email address; password (processed and stored exclusively through a managed identity provider in a cryptographically protected form — we do not have access to your plaintext password); optional username or display name.
- Authentication Credentials: session tokens and refresh tokens issued upon sign-in, retained on your device in operating-system-level secure storage facilities (for example, the iOS Keychain or equivalent secure storage on other platforms) for the purpose of maintaining your authenticated session.
- Communications: the contents of any correspondence you send to us, including support requests, feedback, or inquiries submitted via email.
4.2 User Content
The Services are designed to capture, store, and render spatial representations of physical environments. In connection with your use of the Services, we collect and process User Content that you elect to create or upload, which may include:
- Three-dimensional spatial captures of rooms or other physical spaces, including derived geometric information such as wall positions, openings, surface dimensions, and structural features;
- Photographs or images that you capture or select from your device for the purpose of generating three-dimensional models;
- Derived three-dimensional models in standard interchange formats produced from the foregoing inputs;
- User-supplied metadata associated with the foregoing, including names, descriptions, room measurements, furniture categories, placement coordinates, and texture or material selections; and
- Processing status, timestamps, and lifecycle events relating to the foregoing.
You retain ownership of your User Content. We process User Content solely for the purposes described in this Policy and in accordance with our Terms of Service.
4.3 Technical and Device Information
When you interact with the Services we may automatically collect limited technical information necessary for the operation, security, and integrity of the Services, including:
- An opaque, randomly generated account identifier issued by our identity provider, which is not derived from and cannot independently be used to identify you outside the Services;
- Server-side request logs containing information such as request timestamps, requested endpoints, response status codes, and the foregoing opaque account identifier, retained for a limited period for security monitoring, abuse prevention, and debugging;
- General device characteristics necessary to render content appropriately (for example, screen dimensions or rendering capabilities reported by your browser or operating system).
4.4 Information We Do Not Collect
We do not intentionally collect the following categories of information through the Services:
- Precise or coarse geolocation data (including GPS coordinates, IP-derived location for marketing purposes, or location inferred from your device's sensors);
- Contact lists, calendars, messages, call history, or other communications stored on your device;
- Biometric identifiers, health information, or financial-account information;
- Audio recordings or microphone input;
- Behavioural analytics, advertising identifiers, or cross-application tracking data;
- Sensor data unrelated to spatial capture (such as accelerometer, gyroscope, or motion data collected for purposes other than performing a scan or rendering an XR experience).
5. Sources of Information
We obtain Personal Information from the following sources only:
- Directly from you, when you register an account, configure the Services, capture or upload User Content, or contact us;
- Automatically, through your interaction with the Services as described in Section 4.3;
- From our Service Providers, where such providers facilitate authentication, storage, or processing on our behalf and in accordance with documented instructions.
6. Purposes of Processing and Legal Bases
We process Personal Information for the purposes set forth in the table below. Where the General Data Protection Regulation ("GDPR") or the United Kingdom General Data Protection Regulation ("UK GDPR") applies, the corresponding legal basis is identified.
| Purpose | Legal Basis (EEA/UK) |
|---|---|
| To create, authenticate, and maintain your account, and to deliver the core functionality of the Services. | Performance of a contract with you (Art. 6(1)(b) GDPR). |
| To store, process, convert, and render User Content at your request, including format conversion between interchange formats. | Performance of a contract (Art. 6(1)(b) GDPR). |
| To respond to your inquiries, requests, or support communications. | Performance of a contract and our legitimate interests in providing customer support (Art. 6(1)(b) and (f) GDPR). |
| To maintain the security, integrity, availability, and proper operation of the Services, including detection and prevention of fraud, abuse, and unauthorized access. | Our legitimate interests in operating a secure service (Art. 6(1)(f) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR). |
| To enforce our Terms of Service, defend or establish legal claims, or comply with applicable law, regulation, legal process, or governmental request. | Compliance with legal obligations (Art. 6(1)(c) GDPR) and our legitimate interests (Art. 6(1)(f) GDPR). |
| To improve the Services, including diagnostic review of error conditions and operational telemetry, in each case using the minimum information necessary. | Our legitimate interests in improving and maintaining the Services (Art. 6(1)(f) GDPR). |
We do not process Personal Information for the purposes of behavioural advertising, profiling that produces legal or similarly significant effects, or sale of Personal Information to third parties.
7. Disclosures to Third Parties
We disclose Personal Information only as described below. We do not sell Personal Information, and we do not share Personal Information for cross-context behavioural advertising.
7.1 Service Providers
We engage carefully selected Service Providers to perform functions on our behalf, including:
- Cloud-infrastructure providers that host our application servers, databases, message queues, and object-storage systems;
- Managed authentication and identity-management providers that operate the credential storage, authentication, and password-reset infrastructure underlying your account;
- Email-delivery providers that transmit transactional messages (such as password-reset codes) on our behalf;
- Content-delivery networks that facilitate efficient delivery of static assets.
Service Providers are bound by written agreements that restrict their processing of Personal Information to the purposes for which we have engaged them and require the implementation of appropriate technical and organizational safeguards.
7.2 Legal and Safety Disclosures
We may disclose Personal Information where we have a good-faith belief that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect the rights, property, or safety of OpenhouseXR, our users, or the public, as required or permitted by law.
7.3 Business Transactions
In the event that OpenhouseXR is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, or sale of all or a portion of its assets, Personal Information may be transferred to the acquiring party or successor entity, subject to the commitments made in this Policy or as otherwise consented to by you.
7.4 With Your Direction or Consent
We may disclose Personal Information to additional third parties where you direct us to do so or otherwise consent to such disclosure.
8. International Data Transfers
OpenhouseXR is based in Canada. Personal Information that we collect may be processed in, transferred to, and stored in Canada and other jurisdictions where we, our Service Providers, or our affiliates maintain facilities. These jurisdictions may have data-protection laws that differ from those in your country of residence.
Where required by applicable law, we implement appropriate safeguards for international data transfers, which may include the European Commission's Standard Contractual Clauses, the United Kingdom International Data Transfer Agreement or Addendum, or transfers to jurisdictions that have been recognized as providing an adequate level of protection. You may request a copy of the safeguards applicable to a specific transfer by contacting us at the address in Section 22.
9. Data Retention
We retain Personal Information only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Specifically:
- Account information is retained for the duration of your account and for a limited period thereafter as required to wind down the account or comply with applicable retention obligations;
- User Content is retained until you delete it through the Services or terminate your account, subject to limited operational retention periods during which backup or replica copies may persist before being overwritten in the ordinary course of system operation;
- Server logs are retained for a limited period (typically no longer than is reasonably required for security monitoring and operational debugging) and are then deleted or aggregated;
- Communications with our support function are retained for as long as is necessary to address the subject matter of the communication and for a reasonable period thereafter.
Where Personal Information is no longer required, we will securely delete or anonymize it.
10. Information Security
We implement and maintain reasonable and appropriate administrative, technical, and physical safeguards designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such safeguards include, without limitation:
- Encryption of data in transit using current industry-standard transport-layer security;
- Encryption of data at rest for stored User Content and database records using cryptographic protections provided by our cloud-infrastructure providers;
- Use of time-limited, signed access credentials for retrieval of User Content, such that direct access to underlying storage is not exposed to end users;
- Storage of authentication credentials and tokens within operating-system-level secure storage on client devices;
- Logical access controls restricting access to Personal Information to personnel with a legitimate business need;
- Periodic review of our security practices and dependencies.
No method of transmission over the internet or method of electronic storage is one hundred percent secure. While we strive to use commercially reasonable means to protect your Personal Information, we cannot guarantee its absolute security.
11. Your Rights and Choices
Subject to applicable law and to the limitations and exceptions set forth therein, you may have the following rights with respect to your Personal Information:
- Right of access: to obtain confirmation as to whether we process Personal Information about you, and, if so, to obtain a copy of such Personal Information;
- Right of rectification: to request the correction of inaccurate or incomplete Personal Information;
- Right of erasure: to request the deletion of your Personal Information, subject to certain legal limitations;
- Right to restrict processing: to request that we restrict our processing of your Personal Information in certain circumstances;
- Right to data portability: to receive a copy of certain categories of your Personal Information in a structured, commonly used, and machine-readable format;
- Right to object: to object to processing of your Personal Information that is based on our legitimate interests;
- Right to withdraw consent: where processing is based on your consent, to withdraw such consent at any time without affecting the lawfulness of processing carried out prior to withdrawal;
- Right to lodge a complaint: with a competent supervisory authority in the jurisdiction in which you reside, work, or where an alleged infringement occurred.
To exercise any of these rights, please contact us using the details in Section 22. We may require you to verify your identity before responding to a request. We will respond within the time period required by applicable law.
12. Account and Data Deletion
You may delete your account at any time. Account deletion is performed through the in-application account-management interface and results in the removal of your account record and associated User Content from our active production systems. Authentication credentials maintained by our identity provider are deactivated as part of the deletion process.
Following deletion, residual copies of Personal Information may persist in encrypted operational backups for a limited period before being overwritten in the ordinary course of system operation. We do not access such residual copies except as necessary for disaster recovery or legal compliance.
If you are unable to access the in-application deletion mechanism, you may submit a deletion request to us at the address in Section 22 and we will process the request without undue delay.
13. Children's Privacy
The Services are not directed to, and we do not knowingly collect Personal Information from, children under the age of thirteen (13) years (or such higher age threshold as may apply under the laws of your jurisdiction, including age sixteen (16) in certain European jurisdictions). If you believe that a child has provided Personal Information to us, please contact us at the address in Section 22 and we will take steps to delete such information.
14. Tracking, Analytics, and Cookies
We do not use third-party advertising networks, behavioural-analytics providers, cross-site tracking pixels, advertising identifiers, or session-replay tools in the Mobile App or XR Clients. We do not track you across other applications or websites for advertising purposes, and we do not respond to "Do Not Track" signals because we do not engage in tracking that would be modified by such signals.
The Website may use a limited number of strictly necessary cookies or equivalent technologies required for the operation of the site (for example, to remember your cookie-consent preferences where applicable). Where required by law, we will obtain your consent before placing any non-essential cookies.
The Mobile App and XR Clients do not use cookies. Authentication state is maintained through tokens stored in operating-system-level secure storage as described in Section 4.1.
15. Device Permissions
To enable certain features of the Services, we request access to specific device capabilities. You may grant or deny these permissions at the time of the request and may modify your choices at any time through your device's settings:
- Camera and Depth Sensor: required for capturing three-dimensional spatial scans of rooms and for capturing photographs to generate three-dimensional models. Camera input is processed locally on your device to produce the resulting spatial capture or photograph; raw camera feeds are not transmitted to our servers except as embodied in the resulting User Content that you choose to save or upload.
- Photo Library: required if you choose to select an existing photograph from your device for use in generating a three-dimensional model.
- Extended-Reality Session and Tracking: on XR Clients, the operating system or browser may request session-level permissions to deliver an immersive experience, including head and controller pose data. Such pose data is processed locally for the purpose of rendering the experience and is not transmitted to or stored by us.
Denying any of the foregoing permissions will prevent the corresponding feature from functioning but will not affect other functionality of the Services.
16. Shared and Public Content
The Services may permit you to generate a shareable link to a specific scan or environment that allows third parties to view that content without authenticating to the Services. If you choose to share such a link, any person in possession of the link may access the associated User Content for the duration that the link remains active. You are solely responsible for the distribution of any shareable link that you generate, and we recommend that you share links only with intended recipients. You may revoke a shareable link at any time through the Services.
17. Third-Party Services and Links
The Services may contain links to, or interoperate with, third-party services, websites, content, or applications that are not owned or controlled by OpenhouseXR. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third party with which you interact in connection with your use of the Services.
18. Additional Information for California Residents
This section applies to residents of the State of California and supplements the foregoing provisions in accordance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA").
18.1 Categories of Personal Information Collected and Disclosed
In the twelve (12) months preceding the Effective Date of this Policy, we have collected the categories of Personal Information described in Section 4, which correspond to the following statutory categories under the CCPA: identifiers (including email address and account identifier); customer-records information (such as username); internet or other electronic-network-activity information (such as request logs); and visual information (such as User Content consisting of photographs or spatial scans). We have disclosed such categories of Personal Information to Service Providers as described in Section 7.1 for the business purposes set forth in Section 6.
18.2 No Sale or Sharing of Personal Information
We do not sell Personal Information, and we do not share Personal Information for cross-context behavioural advertising, as those terms are defined under the CCPA. We have not engaged in any such sale or sharing in the twelve (12) months preceding the Effective Date of this Policy.
18.3 Sensitive Personal Information
We do not use or disclose sensitive Personal Information (as defined under the CCPA) for purposes other than those permitted under the CCPA without notice.
18.4 California Privacy Rights
California residents have the right to: (i) know what Personal Information we have collected, used, disclosed, and sold (if any); (ii) request deletion of Personal Information; (iii) request correction of inaccurate Personal Information; (iv) opt out of any sale or sharing of Personal Information (which we do not engage in); and (v) be free from unlawful discrimination for exercising their CCPA rights. You may exercise these rights by contacting us at the address in Section 22.
18.5 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require the authorized agent to provide proof of your written authorization and may require you to verify your identity directly with us.
19. Additional Information for EEA and United Kingdom Residents
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set forth in Section 11 in addition to any rights provided by applicable local law. The legal bases on which we rely for processing your Personal Information are set forth in Section 6. You have the right to lodge a complaint with the data-protection supervisory authority in the jurisdiction of your habitual residence, place of work, or place of the alleged infringement.
20. Additional Information for Canadian Residents
We comply with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation, including, where applicable, Québec's Act respecting the protection of personal information in the private sector. You have the right to access and request correction of your Personal Information, to withdraw consent (subject to legal or contractual restrictions and reasonable notice), and to file a complaint with the Office of the Privacy Commissioner of Canada or the applicable provincial commissioner.
21. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will revise the "Last Updated" date at the top of this Policy and, where required by applicable law or where the changes materially affect your rights, we will provide you with additional notice (for example, by in-application notification or by email to the address associated with your account). Your continued use of the Services following the effective date of any updated Policy constitutes your acknowledgement of such updates.
22. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your Personal Information, please contact us at:
OpenhouseXR
Attention: Privacy
Email: support@solv-x.ca
We will endeavour to respond to all legitimate requests within the time periods required by applicable law.