Last updated: June 25, 2026 · Effective date: June 25, 2026
Stagify LLC ("Stagify", "Stagify.ai", "we", "us", or "our") operates the website at stagify.ai and related products, including virtual staging, mask editing, AI Designer, PDF floor-plan tools, Stagify+ subscriptions, and enterprise domain plans (collectively, the "Service").
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you visit our website, create an account, upload content, subscribe to a paid plan, or otherwise interact with the Service. It also explains your privacy rights and who owns content you submit or generate.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.
1. Who We Are (Data Controller)
For purposes of applicable privacy laws, including the EU and UK General Data Protection Regulation (GDPR), Stagify LLC is the data controller responsible for personal information processed through the Service.
Mailing address: Stagify LLC, 12 East 72nd Street, New York, NY 10021, United States
Stagify is operated from the United States. We have not appointed a separate EU or UK representative; please direct all privacy inquiries to the contact above.
2. Scope and Definitions
In this policy:
"Personal information" (or "personal data") means information that identifies, relates to, or could reasonably be linked with you or your household.
"Uploads" means photos, floor plans, PDFs, furniture reference images, masks, chat attachments, and other files you submit.
"Generated Output" means virtual staging results, mask edits, AI Designer images, CAD renders, and other content created for you by the Service.
"Account holder" means a registered user with an email-based or Google-linked Stagify account.
"Enterprise user" means a user whose email domain is covered by an active enterprise subscription.
This policy applies to the Service. It does not apply to third-party websites, services, or integrations that we do not control (such as Stripe's checkout pages or Google's sign-in flow), even if linked from our site.
3. Information We Collect
We collect the categories of information below. Not every category applies to every user.
3.1 Account and identity information
Email address
Password (stored only as a salted cryptographic hash; we never store plain-text passwords)
Google account identifier (sub) if you use Google Sign-In
Account ID, plan type (free, Stagify+, or enterprise-provisioned access), account creation date
Daily generation usage counters for free-tier accounts
Stripe customer ID and subscription ID for paid Stagify+ accounts
Timestamp if your account received a promotional Stagify+ grant
3.2 Authentication and session data
Server-side session tokens linked to your account
Sign-in token stored in your browser's local storage (stagifyAuthToken)
Password-reset tokens (valid for one hour, then deleted)
Text inputs: Staging prompts, room/style selections, mask-edit instructions, AI Designer chat messages, and optional memory requests
Generated Output: Delivered to your browser during your session; not stored by us as a permanent user gallery
3.4 AI Designer-specific data
Chat conversation content (text and references to uploaded or generated images)
Optional long-term "memories" you ask the AI to store, keyed to a pseudonymous user ID
A pseudonymous browser identifier for AI Designer (userId in local storage), which may differ from your account ID
Model preference (e.g., fast vs. pro) stored locally
3.5 Payment and enterprise information
Stagify+: Billing status and Stripe identifiers (payment cards are handled entirely by Stripe)
Enterprise signup: Company name, email domain, contact email, optional contact phone, and Stripe billing metadata associated with the organization
Enterprise usage: Aggregated generation counts attributed to an email domain for billing and admin reporting
3.6 Communications and support
Contact form and support messages (including name and email if provided)
Bug reports: description, steps to reproduce, email, page URL, user agent, optional conversation history you attach, and pseudonymous user ID
Password-reset and transactional emails sent via our email provider
Email open tracking: For certain outreach emails, we may record whether a recipient's email address has opened a message (via a tracking pixel loaded through known email-client proxies). Each address is counted at most once, ever. We do not use this for advertising profiles. You may opt out of outreach emails at any time by using the unsubscribe link in any such email or by emailing team@stagify.ai. Opting out of outreach does not affect transactional emails (e.g., password resets, billing notices).
3.7 Onboarding and optional profile answers
Optional answers such as professional role, referral source, or email address that you provide during onboarding or that are stored locally and submitted with staging requests
3.8 Technical, usage, and log data
IP address, browser type, device type, operating system, user agent, referring URL, and timestamps
Staging metadata logged for operations: room type, style, prompt text, remove-furniture flag, authenticated email, and IP address
Mask-edit logs: prompt text, model used, image dimensions, user identifier, IP address, and user agent
Chat logs: pseudonymous user ID, user message text, attached file names and types, IP address, and user agent (AI responses are not logged in this file)
Contact/onboarding logs: role, referral source, email, user agent, and IP address
Anonymous mobile usage counts keyed by IP address (UTC day) for free-tier enforcement when no account session is present
Aggregated, non-identifying site statistics (e.g., total generations, total contacts) displayed publicly on the homepage
3.9 Information we do not intentionally collect
We do not ask you to provide government ID numbers, financial account numbers (beyond what Stripe collects directly), precise geolocation, biometric identifiers, health information, or children's data. Uploads may incidentally contain personal belongings or reflections in room photos; you control what you upload.
4. How We Collect Information
Directly from you when you register, sign in, upload content, enter prompts, subscribe, contact us, or submit bug reports
Automatically when you use the Service (technical logs, IP address, usage metadata)
From third parties such as Google (Sign-In verification), Stripe (payment and subscription status), and email-client proxies (for open tracking)
From your browser via local storage for authentication tokens, language, and preferences
From authorized integrations where a business customer uses our server-side staging API with an endpoint key (no end-user account required; usage is attributed to that integration)
5. Data Ownership and Generated Content
This section describes ownership of your content. It applies to all users, including free, Stagify+, and enterprise accounts.
5.1 You retain ownership
As between you and Stagify, you retain all ownership rights in:
Your Uploads (including photographs, floor plans, PDFs, and reference images); and
Generated Output (including virtually staged rooms, mask edits, AI-generated images, and CAD renders produced for you).
Stagify does not claim copyright, ownership, or other proprietary rights over your Uploads or Generated Output. We do not sell, publicly display, or license your Uploads or Generated Output for our own marketing or commercial purposes separate from operating the Service.
5.2 Limited license you grant to Stagify
By using the Service, you grant Stagify a limited, non-exclusive, worldwide, royalty-free license to host, store (temporarily), transmit, reproduce, and process your Uploads solely as necessary to:
Provide, maintain, and secure the Service;
Send content to our AI and infrastructure providers for inference and processing;
Troubleshoot errors, prevent abuse, and comply with law.
This license is scoped to operating the Service for you and ends when your content is deleted from our active systems, except where a longer period is required by law or reasonably necessary for encrypted backups, security logs, billing records, or dispute resolution.
5.3 Your responsibilities
You must have the necessary rights, permissions, and consents to upload content and to use Generated Output.
You are solely responsible for how you use Generated Output, including in property listings, client deliverables, advertising, and social media.
You must comply with applicable laws, MLS/board rules, disclosure requirements, copyright law, and privacy rights of individuals who may appear in or be identifiable from your Uploads.
AI-generated content may not be unique and may be subject to limitations under copyright or other laws in some jurisdictions. Stagify does not guarantee that Generated Output is free from third-party claims.
5.4 No training on your content
We do not use your Uploads or Generated Output to train Stagify's own machine-learning models. We submit content to third-party AI APIs solely to produce results for you. Those providers process data under their own terms and privacy policies (see Section 10).
5.5 Enterprise accounts
Enterprise domain access does not transfer ownership of user Uploads or Generated Output to the enterprise organization or to Stagify. Individual users retain the ownership rights described above. Enterprise administrators may receive aggregated usage reporting (such as generation counts per domain) but do not receive ownership of user content through that reporting.
6. How We Use Information
We use personal information for the following purposes:
Providing virtual staging, mask editing, AI Designer chat, PDF processing, and related features
Creating, authenticating, and managing accounts and sessions
Processing Stagify+ and enterprise subscriptions and usage-based billing
Enforcing plan limits, detecting abuse, and protecting Service integrity
Sending transactional communications (password resets, billing-related notices, support replies)
Responding to contact messages, support requests, and bug reports
Operating internal analytics, quality monitoring, and aggregated statistics
Measuring outreach email engagement (open/ not-open, per address)
Complying with legal obligations and enforcing our terms
Developing and improving the Service using aggregated or de-identified data where possible (we do not use your Uploads or Generated Output to train our own models — see Section 5.4)
We do not use your personal information for cross-context behavioral advertising.
7. Legal Bases for Processing (EEA, UK, and Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process personal data under these legal bases:
Performance of a contract: To provide the Service you request, manage your account, process staging, and handle subscriptions.
Legitimate interests: To secure the Service, prevent fraud, maintain operational logs, improve features, measure email delivery, and communicate about the Service — where not overridden by your rights.
Consent: Where required by law, such as for non-essential cookies or optional marketing. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal obligation: Where we must retain or disclose data to comply with applicable law, regulation, or valid legal process.
8. AI Processing Disclosure
Core features of Stagify rely on artificial intelligence. When you use these features:
Your Uploads, prompts, and related context are transmitted to our servers and to third-party AI providers for processing.
Image generation and editing (virtual staging, mask edits, image generation in AI Designer) primarily use Google's Gemini API.
Text chat, memory evaluation, image annotation, and related AI Designer logic use OpenAI's API.
PDF floor-plan to 3D rendering (in AI Designer) is processed using Google's Gemini API, the same provider used for image generation.
AI outputs are probabilistic and may contain errors, artifacts, or unintended changes. You should review Generated Output before use.
AI features do not make binding legal, credit, employment, or housing eligibility decisions about you.
As of the effective date of this policy, Google's Gemini API and OpenAI's API do not use data submitted through their API services to train their models by default, per each provider's current API terms. This is subject to change; we encourage you to review the provider privacy policies linked in Section 10.
Do not submit sensitive personal information in prompts unless necessary, and avoid uploading images you are not authorized to share.
9. Cookies and Local Storage
We use cookies and similar technologies (including browser local storage and IndexedDB) as follows:
Authentication:stagifyAuthToken — keeps you signed in
UI preferences: background video playback position and similar functional settings
Masking Studio session (Stagify+): the room photo and highlighted areas from your most recent session are saved in your browser's IndexedDB (stagify-masking-studio) so you can resume where you left off. This data stays on your device and is not transmitted to us by this feature; on a shared or public device, choose "Start fresh" or clear your browser storage to remove it.
These are strictly functional and necessary to operate the Service. We do not deploy third-party advertising cookies or tracking scripts on the core staging experience. You may clear cookies and local storage in your browser at any time; doing so may sign you out and reset preferences. If you are located in the EEA or UK, you may contact us to ask which local-storage items are active in your session.
10. How We Share Information
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
We disclose information only to the categories of recipients below, and only as needed:
10.1 Service providers (processors)
Google — Gemini API for image generation/editing; Google OAuth for optional Sign-In (Google Privacy Policy)
OpenAI — chat, memory evaluation, and related AI Designer text/image analysis (OpenAI Privacy Policy)
Stripe, Inc. — payment processing and subscription management for Stagify+ and enterprise plans (Stripe Privacy Policy)
Cloud hosting providers (such as Render) — application hosting and persistent storage for accounts and operational logs
These providers are authorized to process personal information only on our instructions and for the purposes described in this policy. Where required by applicable law, we enter into data processing agreements with these providers that impose data-protection obligations consistent with GDPR, UK GDPR, and applicable U.S. state privacy laws.
10.2 Enterprise administrators
If your organization has an enterprise plan, authorized Stagify administrators may access aggregated domain-level usage data (such as total generations). We do not provide enterprise administrators with access to individual users' Uploads or Generated Output through that reporting.
10.3 Authorized business integrations
Business customers may connect to our server-side staging API using an authorized endpoint key. Those integrations can submit images for processing without an end-user Stagify account. The business customer is responsible for its own privacy notices to its users.
10.4 Legal, safety, and business transfers
We may disclose information if required by law, subpoena, court order, or governmental request, or to protect the rights, property, or safety of Stagify, our users, or others.
If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred subject to this Privacy Policy or equivalent notice.
11. International Data Transfers
Stagify is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States and in other countries where we or our service providers operate (including countries that may not provide the same level of data protection as your home jurisdiction).
Where required by applicable law, we implement appropriate safeguards for international transfers, including the Standard Contractual Clauses issued under European Commission Decision 2021/914 (Module Two: controller to processor), the UK International Data Transfer Addendum (IDTA) issued by the ICO, or reliance on adequacy decisions where applicable.
12. Data Retention
We retain personal information only as long as reasonably necessary for the purposes described in this policy:
Account data: While your account is active, plus a reasonable period afterward for disputes, enforcement, and legal compliance.
Session and password-reset tokens: Sessions until logout or expiry; password-reset tokens for up to one hour.
Uploads: Processed in memory during your request and not permanently stored as a user image library afterward. Temporary copies may exist in server memory, transit logs, or short-lived backups.
Generated Output: Returned to your browser during the session; we do not maintain a long-term hosted gallery of your results.
Operational logs (prompt, chat, mask, contact, bug-report, and email-open logs): Typically up to 24 months, unless a longer period is required for security investigations, legal compliance, or active disputes.
AI Designer memories: Until you delete them, reset them through the Service, or request account deletion.
Email open status: Retained as a binary opened/not-opened record per email address for internal analytics.
Billing records: Retained as required by tax, accounting, and payment law (often several years).
Aggregated statistics: May be retained indefinitely in de-identified form.
When retention expires, we delete or de-identify information using reasonable technical and organizational measures.
13. Security
We implement reasonable administrative, technical, and organizational measures designed to protect personal information, including:
HTTPS/TLS encryption for data in transit
Password hashing using salted one-way functions
Restricted access to production data on a need-to-know basis
Access keys and credentials for administrative and export endpoints
Rate limiting and abuse detection on sensitive endpoints
No system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and sign-in token on your device.
If we become aware of a data breach that creates a legal notification obligation, we will notify affected users and regulators as required by applicable law.
14. Children's Privacy
The Service is not directed to children under 13 years of age (or under 16 where applicable in the EEA/UK), and we do not knowingly collect personal information from children in violation of applicable law, including the Children's Online Privacy Protection Act (COPPA). If we discover or are notified that an account is held by a user under the applicable minimum age, we will terminate that account and delete the associated personal information. If you believe a child has provided us with personal information, contact team@stagify.ai and we will take steps to delete it promptly.
15. Your Privacy Rights
Depending on your location, you may have some or all of the rights below:
Access — know what personal information we hold about you
Correction — request correction of inaccurate information
Deletion — request deletion of your account and associated personal data, subject to legal exceptions
Restriction — request that we limit certain processing
Portability — receive personal information you provided in a portable format, where applicable
Objection — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent
Non-discrimination — we will not discriminate against you for exercising privacy rights
How to exercise your rights: Email team@stagify.ai or use our contact page. We may verify your identity before fulfilling a request. We aim to respond within 30 days (or the timeframe required by applicable law, such as 45 days under certain U.S. state laws). Where permitted by applicable law, we may extend this period by up to two additional months for complex or numerous requests, in which case we will notify you of the extension and the reasons within the initial 30-day period.
Appeals: If we decline to act on your request, we will explain why. Residents of states that provide an appeal right (including Colorado, Virginia, and Connecticut) may appeal our decision by emailing team@stagify.ai with the subject line "Privacy Appeal." If we deny your appeal, you may contact your state attorney general to submit a complaint.
Account deletion: You may request account deletion by contacting us. We will delete or de-identify personal information associated with your account, except where retention is required by law or for legitimate business purposes (e.g., billing records, fraud prevention).
EEA/UK complaint: You have the right to lodge a complaint with your local supervisory authority. A list of EU authorities is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.
16. U.S. State Privacy Notice
This section supplements the policy for residents of U.S. states with comprehensive privacy laws, including California, Colorado, Connecticut, Virginia, and others that may become effective.
16.1 Categories of personal information collected (last 12 months)
Identifiers: Name (if provided), email, account ID, IP address, Google ID, pseudonymous AI Designer ID
Customer records: Account and subscription information
Internet/network activity: Log data, feature usage metadata, email open status
Audio/visual information: Uploads and Generated Output submitted or produced during use (processed transiently; not stored as a permanent gallery)
Inferences: We do not create advertising profiles about you
16.2 Sources, purposes, and sharing
See Sections 3, 4, 6, and 10 for details on sources, business/commercial purposes, and categories of third parties with whom information is shared.
16.3 Sale and sharing
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not respond to legacy "Do Not Track" browser signals because there is no industry standard for compliance; however, we honor Global Privacy Control (GPC) signals as opt-outs from the sale or sharing of personal information for California residents, as required under the CPRA. Because we do not sell or share personal information for cross-context behavioral advertising, honoring GPC signals has no material effect on our data practices for most users. We do not track you across unrelated third-party sites for advertising.
16.4 Sensitive personal information
We do not intentionally collect sensitive personal information as defined by California law. Do not upload content containing sensitive data unless you have a lawful basis to do so and accept the risks of processing through AI providers.
16.5 Authorized agents (California)
You may designate an authorized agent to submit a request on your behalf. We may require proof of authorization and direct verification of your identity.
17. Automated Decision-Making
We do not use solely automated decision-making that produces legal or similarly significant effects concerning you. AI features generate content and suggestions based on your inputs but do not determine eligibility for housing, credit, employment, or government benefits.
18. Third-Party Links and Services
Our site may contain links to third-party websites or services (such as Stripe's customer portal, social media, or partner tools). We are not responsible for their privacy practices. We encourage you to review their policies before providing personal information.
19. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" and "Effective date" at the top of this page. If changes are material, we will provide additional notice where required (such as by email or a prominent notice on the Service). Continued use after the effective date constitutes acceptance of the updated policy, to the extent permitted by law.
20. Contact Us
For privacy questions, data-rights requests, or concerns about this policy:
Legal entity: Stagify LLC
Mailing address: 12 East 72nd Street, New York, NY 10021, United States