Privacy Policy

Kelvn ("we," "us," or "our") operates an AI-powered lighting design service. This Privacy Policy explains what personal data we collect when you use Kelvn, how we use it, who we share it with, and what rights you have over your data.

By using Kelvn, you acknowledge that data is collected and used as described here. If you are located in the European Economic Area (EEA), United Kingdom, California, or the People's Republic of China, additional rights and protections apply to you.

Account data. When you create an account, we collect your email address and, if you sign in with Google, your Google profile name and photo.

Uploaded photos. To generate lighting analyses, you upload photos of your spaces. These photos are personal data if they contain identifiable individuals. You are responsible for ensuring you have the right to upload any photo and for obtaining consent from anyone identifiable in them.

Room descriptions and inputs. Text you provide about your room, style preferences, and budget during the analysis wizard.

Generated content. AI-generated lighting reports and rendered images produced from your inputs and photos, saved to your account.

Technical data. IP address, browser type, device information, and usage logs collected automatically when you interact with the service.

Payment data. If you purchase a plan, payment details are collected and processed directly by Stripe. We never see or store your full card number.

We use your data solely to provide and improve Kelvn:

• To generate AI lighting analyses, reports, and rendered images from your photos and inputs
• To store and display your saved reports and design history
• To authenticate your account and keep it secure
• To process payments for paid plans
• To send transactional emails (account confirmations, receipts)
• To diagnose errors and improve service quality

We do not sell your data to third parties, use your photos for advertising, or train our own AI models on your uploaded content.

Kelvn relies on the following third-party services to function. By using Kelvn, your data is also subject to their terms.

Google Gemini AI. Your uploaded photos and room descriptions are sent to Google's Gemini API to generate lighting analyses and rendered images. Google may process this data according to its own privacy policy and may retain data submitted via the API for a limited period in accordance with its terms. We do not control Google's retention schedule for API inputs. Google's use of data sent via the Gemini API is governed by the Gemini API Terms of Service.

Firebase (Google Cloud). Your account data, saved reports, and uploaded image files are stored on Firebase, a Google Cloud service. Google processes this data as a data processor under its Data Processing Terms.

Stripe. Payment processing is handled by Stripe. Your payment information is sent directly to Stripe and is subject to Stripe's Privacy Policy. We retain only a record of your subscription status.

We may also disclose data when required by law, court order, or to protect the rights and safety of Kelvn or its users.

Your photos and descriptions are analyzed by artificial intelligence. AI-generated reports and images may contain errors, inaccuracies, or suggestions that are not feasible in your specific space. Generated content is provided for design inspiration only — it is not professional advice and should not be the sole basis for construction or renovation decisions.

Google may use data sent to the Gemini API to improve its own AI systems, subject to Google's terms. We recommend not uploading photos that contain sensitive personal information (e.g., identifying documents, faces of minors) beyond what is necessary for the room analysis. For our full position on biometric data and special-category processing, see the Biometric Data section below.

GDPR Art. 9 (Special Categories of Personal Data). Under the EU/UK General Data Protection Regulation, biometric data processed for the purpose of uniquely identifying a natural person is a "special category" subject to heightened protections. Kelvn uses uploaded photos exclusively for architectural room analysis — to assess lighting conditions, surface materials, spatial dimensions, and layout. We do not perform facial recognition, identity verification, or any other processing that would extract biometric identifiers from photos. We do not store or derive facial geometry, voiceprints, or any other biometric identifier from your images.

If your photos incidentally contain identifiable individuals, the legal basis for processing is your explicit consent, given when you upload images for the sole purpose of generating a lighting design report. You are responsible for ensuring that anyone identifiable in your photos has consented to having their image processed by AI for this purpose. We strongly recommend uploading photos where people are not the subject — wide-angle room shots with no identifiable individuals are ideal.

Illinois Biometric Information Privacy Act (BIPA). For users in Illinois: Kelvn does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information as those terms are defined in the Illinois BIPA (740 ILCS 14/). This expressly includes: retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and biometric information derived from any of the above. Photos submitted to Kelvn are analyzed for room-level characteristics (lighting quality, surface reflectance, spatial layout) only. No biometric extraction, storage, or identification is performed.

Questions about these notices may be directed to contact@kelvn.app.

We retain your account data and saved reports for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., payment records, which Stripe retains for up to 7 years for tax compliance).

Uploaded photos stored in Firebase are deleted when you delete a report or close your account. Anonymised, aggregated analytics data may be retained indefinitely.

To delete your account and all associated data, go to Account → Danger Zone → Delete Account, or contact us at contact@kelvn.app.

Depending on where you are located, you may have the following rights regarding your personal data:

• Access. Request a copy of the personal data we hold about you.
• Correction. Request that inaccurate data be corrected.
• Erasure. Request deletion of your data (subject to legal retention requirements).
• Portability. Request your data in a machine-readable format.
• Objection. Object to processing based on legitimate interests.
• Withdraw consent. Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at contact@kelvn.app. We will respond within 30 days. EEA and UK residents may also lodge a complaint with their local supervisory authority. Where permitted by applicable law (including GDPR Art. 12(5)), we reserve the right to refuse requests that are manifestly unfounded or excessive — in particular where requests are repetitive. In such cases we will inform you of the reasons for refusal.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights in addition to those described above.

Categories of personal information collected. In the past 12 months we have collected: identifiers (email address, IP address, device identifiers); photos and room descriptions you voluntarily submit; commercial information (subscription and payment records); internet activity (usage logs, error logs); and inferences drawn from your data to generate your lighting report.

Sensitive personal information. Under the CPRA, photos containing facial images may constitute sensitive personal information. We use such photos solely to generate your lighting design report. We do not use or disclose them for any secondary purpose, and you may request that we limit their use to that purpose at any time by contacting us.

No sale or sharing of data. We do not sell your personal information and we do not share it with third parties for cross-context behavioural advertising. We share data with Google (AI processing, storage), Stripe (payments), and other service providers acting solely on our behalf — this is not a "sale" or "sharing" under the CCPA/CPRA.

Your California rights. You have the right to: (1) know what personal information we collect, use, disclose, or sell; (2) delete your personal information (subject to certain exceptions); (3) correct inaccurate personal information; (4) opt-out of sale or sharing (not applicable — we do not sell or share); (5) limit use of sensitive personal information; and (6) non-discrimination for exercising these rights. To exercise any right, email contact@kelvn.app with the subject "California Privacy Request." We will respond within 45 days. You may designate an authorised agent to submit requests on your behalf.

Kelvn uses browser localStorage (not traditional cookies) to remember your preferences between visits. No third-party tracking, advertising, or analytics cookies are set by Kelvn.

What we store locally.

• Theme preference — whether you have selected light or dark mode.
• Cookie notice acknowledgement — a flag confirming you have seen this notice.
• Language preference — your selected display language.
• Firebase authentication token — a secure session token set by Firebase to keep you signed in. This token is managed by Google Firebase and is necessary to use authenticated features of the service.

Third-party storage. Stripe, our payment processor, may set its own cookies on checkout pages to prevent fraud. These are governed by Stripe's privacy policy and are strictly necessary for payment processing.

You can clear localStorage at any time via your browser settings. Doing so will sign you out and reset your preferences.

In the event of a data breach that is reasonably likely to result in risk to your rights and freedoms, we will notify affected users without undue delay and within the timeframes required by applicable law.

New York SHIELD Act. Kelvn is headquartered in New York. Under the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, we maintain reasonable data security safeguards appropriate to the size and complexity of our business, the nature and scope of our activities, and the sensitivity of personal information we handle. In the event of a breach of private information of New York residents, we will notify affected individuals in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.

GDPR. For EEA and UK residents, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach where feasible, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Breach notifications will be sent to the email address associated with your account and will describe: the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures we are taking or propose to take to address it.

China's Personal Information Protection Law (PIPL, effective 1 November 2021) applies to the processing of personal information of individuals located in China, including where that processing occurs outside China. If you are located in the PRC, the following applies to you.

Legal basis. We process your personal information on the basis of your informed, voluntary, and explicit consent, given when you create an account and upload content to Kelvn. You may withdraw consent at any time by deleting your account (Account → Danger Zone → Delete Account).

Sensitive personal information. Under PIPL Art. 28, biometric information — including facial images used to identify individuals — constitutes sensitive personal information requiring separate, explicit consent. As described in the Biometric Data section above, Kelvn does not perform facial recognition or extract biometric identifiers. Uploaded photos are processed for room-level lighting analysis only. Nonetheless, if your photos contain identifiable individuals, their facial images may constitute sensitive personal information under PIPL. By uploading such photos, you provide separate explicit consent for this processing solely for the purpose of generating a lighting design report.

Cross-border data transfer. Kelvn is operated from outside the PRC. When you use Kelvn, your personal information (including account data, uploaded photos, and room descriptions) is transferred to and processed in the United States by Kelvn and its service providers (Google, Stripe). By using Kelvn and providing your consent, you acknowledge and consent to this cross-border transfer. We take reasonable contractual and technical measures to protect your information during and after transfer.

Your PIPL rights. In addition to the general rights listed above, PRC users have the right to: know what personal information we process and how; restrict or refuse processing; obtain a copy of your personal information; request correction of inaccurate data; request deletion upon withdrawal of consent or where the processing purpose has been fulfilled; and receive an explanation of automated decision-making that significantly affects you. To exercise any of these rights, contact us at contact@kelvn.app. We will respond within 15 working days.

Minors. Under PIPL, individuals under 14 are minors requiring parental consent for data processing. Kelvn does not knowingly process personal information of individuals under 14. If you are the parent or guardian of a minor under 14 who has submitted information to Kelvn, contact us immediately at contact@kelvn.app.

Kelvn and its service providers (Google, Stripe) are primarily based in the United States. If you access Kelvn from the EEA or UK, your data is transferred to the US. We rely on Google's Standard Contractual Clauses and adequacy mechanisms for these transfers, as set out in Google Cloud's Data Processing Terms. If you access Kelvn from the PRC, see the China PIPL section above for cross-border transfer disclosures.

All data in transit is encrypted via HTTPS. Data at rest is protected by Firebase and Google Cloud's security infrastructure. While we take reasonable steps to secure your data, no system is completely secure and we cannot guarantee absolute security.

Kelvn is not directed at children under 16 (or 13 in the United States). We do not knowingly collect personal data from children. If you believe a child has submitted data to Kelvn, please contact us and we will delete it promptly.

We may update this policy from time to time. We will notify you of material changes by email or by a notice within the app at least 14 days before they take effect. Continued use of Kelvn after that date constitutes acceptance of the updated policy.