Privacy Policy

Last updated: April 2026

1. Controller

The controller within the meaning of Art. 4 (7) GDPR is:
Bai Xu (Cozzify)
Bai Xu, c/o POSTFLEX PFX-008-567, Emsdettener Straße 10, 48268 Greven, Germany
Email: HelloBaixu@gmail.com
VAT ID: DE459892016

Full provider information is available in our Legal Notice.

2. Data we process

Account data: email address, login information, role.
Uploaded content: photos of rooms you submit for analysis.
Usage data: analyses you create, credits purchased and consumed, history.
Technical data: IP address, device and browser identifiers, server log files.
Support data: the content of your messages to us.

Payment data (card numbers, billing address) is collected and processed directly by our Merchant of Record Paddle. We do not see your full payment details.

3. Purposes and legal bases

Purpose	Legal basis
Account, authentication, providing the service	Art. 6 (1) (b) GDPR (performance of a contract)
Running AI analyses on your photos	Art. 6 (1) (b) GDPR (performance of a contract)
Payment processing, invoicing	Art. 6 (1) (b) and (c) GDPR (contract and legal obligations, in particular tax law)
Security, abuse and fraud prevention	Art. 6 (1) (f) GDPR (legitimate interest)
Optional analytics / marketing cookies	Art. 6 (1) (a) GDPR in conjunction with §25 (1) TTDSG (consent)
Responding to support requests	Art. 6 (1) (b) and (f) GDPR

4. Recipients and processors

We use carefully selected service providers. We have data processing agreements in place with all processors under Art. 28 GDPR.

Recipient	Function	Location / processing
Paddle.com Market Limited	Merchant of Record, payments, taxes, invoices	Ireland (group also UK / USA)
Supabase Inc. ("Lovable Cloud")	Database, authentication, file storage (photos, analyses)	EU region; parent in USA
Cloudflare, Inc.	Hosting, CDN, DDoS / bot protection	USA / global edge network
Google LLC (Gemini models)	AI analysis of uploaded photos	USA
OpenAI, L.L.C. (GPT models)	AI analysis as alternative / fallback provider	USA
Transactional email providers	Account emails (verification, password reset, receipts where applicable)	EU / USA
PostHog (PostHog Inc.)	Product analytics, error tracking and session replay (with PII masked client-side); only active after you opt in via cookie settings	EU (Frankfurt); parent company in USA

We do not sell your personal data. Uploaded photos are not used to train third-party AI models; our AI providers are contractually required not to use submitted content for model training.

5. International transfers

Some recipients are based in the USA. Where personal data is transferred to third countries, we rely on appropriate safeguards under Art. 46 GDPR, in particular the EU Standard Contractual Clauses (SCCs), as well as supplementary technical and organisational measures (e.g. transport encryption, access controls). Where a recipient is certified under the EU–US Data Privacy Framework, we additionally rely on the corresponding adequacy decision of the European Commission.

6. Retention

Account and analysis data: for as long as your account exists. You can delete individual analyses at any time.
After account deletion: deletion or anonymisation within around 30 days.
Invoice / payment data: retained under §147 AO and §257 HGB for up to 10 years.
Server log files: typically 30 days.

7. Cookies and local storage

We use strictly necessary cookies and local-storage entries for session management. Optional categories (analytics / marketing) are only enabled with your consent under §25 TTDSG and can be withdrawn at any time via the .

Name	Purpose	Provider	Retention	Category
cozzify.cookie-consent	Stores your cookie choices	Cozzify (1st-party)	12 months	strictly necessary
sb-* (auth tokens)	Keeps you signed in	Lovable Cloud / Supabase	session / 7 days	strictly necessary
pending_credit_purchase	Links the checkout return to your session (sessionStorage)	Cozzify (1st-party)	active session only	strictly necessary
ph_*_posthog	Anonymous distinct id, feature flags and session replay state. Only set after you opt in to analytics.	PostHog (EU)	up to 12 months	analytics (consent)

If you enable analytics, we record an anonymised session replay via PostHog. All form inputs, text content and images are masked client-side before anything leaves your browser, so the replay shows your interactions (clicks, navigation, scroll) without revealing the content you see or type, and never includes your room photos. You can switch this off at any time via ; revoking consent stops further recording immediately and clears your local PostHog identifier.

8. Security

We apply appropriate technical and organisational measures (TLS encryption, access controls, row-level security in the database, short-lived signed URLs for file access). Absolute security cannot be guaranteed.

9. Automated decisions / AI

Cozzify uses AI models to generate suggestions about your room. These outputs are advisory and do not produce legal effects or similarly significant impacts within the meaning of Art. 22 GDPR. No automated decisions are made about creditworthiness, employment, insurance or similar matters.

10. Your rights

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to processing based on legitimate interests (Art. 21 GDPR)
Right to withdraw consent with effect for the future
Right to lodge a complaint with a supervisory authority. The authority competent for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), ldi.nrw.de. You may also contact the data-protection authority of your own federal state or EU member state.

To exercise your rights, contact us at HelloBaixu@gmail.com. Signed-in users can also export their data or delete their account directly from My Account.

11. Changes

We may update this privacy policy as needed. We will communicate material changes through the service.