Privacy Policy

PAULGA ("PAULGA", "we", "our", or "the Company") provides an AI design workspace for architecture, interior, and design teams. This Privacy Policy explains how we process personal data when you use our website, account system, checkout, community features, AI rendering/chat/document workflows, Desktop/CAD connections, support channels, and privacy request forms.

This policy is intended for global users. Some country-specific rights apply only when the relevant law covers you. The production vendor list, data regions, and enterprise security terms may vary by deployment or contract.

We collect the following categories of data:

Account data: name, email address, password hash, profile image, authentication provider, role, account status, and session token metadata.

Onboarding and profile data: role, tools, team size, goals, market, company, and product preferences.

Service data: prompts, chat messages, render requests and settings, generated outputs, command history, knowledge bases, documents or images you explicitly upload, document metadata, community prompts, community knowledge uploads, ideas, votes, comments, reports, and feedback.

Payment and credit data: plan, billing cycle, order IDs, payment keys, customer keys, masked card summary, subscription status, credit balance, top-up orders, refunds, and transaction history. We do not store raw card numbers.

Usage, device, and security data: IP-derived request metadata, browser and device data, locale, cookies/localStorage choices, activity events, feature usage, duration, success/failure states, error logs, and abuse-prevention signals.

Privacy/support data: DSAR or deletion request email, reason, confirmation token, hashed anti-abuse metadata, support messages, and provider task records.

PAULGA does not collect or store users' native CAD/BIM project files for standard web service operation. Desktop/CAD connections run in the user local environment. Only documents, images, prompts, and request data that you explicitly upload or attach to a requested workflow are sent for service processing.

We process data for these purposes:

Contract necessity: account creation, login, session management, subscription billing, credits, service delivery, AI/CAD workflows, saved content, and customer support.

Legitimate interests: security monitoring, abuse prevention, fraud control, debugging, service reliability, internal product analytics, enforcing terms, and protecting legal claims, balanced against user rights.

Consent: optional analytics/marketing storage, optional cookies, and any feature where we ask for separate consent.

Legal obligation: tax, accounting, payment, consumer-protection, regulatory, security, and dispute records.

User direction: AI providers, payment providers, email providers, and CAD/Desktop workflows receive only the data needed to complete the action you request.

PAULGA may process prompts, images, documents, generated outputs, render settings, and request payloads when you use AI rendering, chat, knowledge search, or connected CAD context features. Standard PAULGA workflows do not upload or store native CAD/BIM project files. Desktop/CAD workflows operate locally except for the specific documents, images, prompts, or request payloads you explicitly choose to send for a service action.

Do not upload or submit confidential documents, personal data, third-party trade secrets, restricted government data, or contract-prohibited material unless your organization has approved the applicable PAULGA plan and provider configuration. AI results may be inaccurate and must be reviewed by qualified professionals before use in design, code, permitting, construction, safety, or client deliverables.

We do not sell customer data for model training. External AI provider use, retention, and training restrictions depend on the provider contract and production configuration.

We share personal data only as needed to operate the service, comply with law, or complete your requested workflow. Current or expected processor categories include hosting and infrastructure providers, database/storage providers, email providers, analytics providers, payment processors and merchants of record, AI model providers, customer support and security tools, and professional advisers.

Examples currently reflected in the product include Resend for transactional email, Lemon Squeezy/Stripe-related payment flows for public USD checkout, Google Analytics and Vercel Analytics when analytics consent is enabled, and AI providers such as OpenAI, Anthropic, Google/Gemini, Replicate, and embedding/rerank providers depending on the feature.

We do not sell personal information. We do not knowingly share personal information for cross-context behavioral advertising without the required notice and choice.

If you post ideas, comments, prompts, knowledge documents, votes, reports, or other community content, that content and related profile information may be visible to other users or administrators. Upload only content you have the right to share. Do not upload personal data, confidential project data, copyrighted material without permission, malware, unlawful content, or third-party secrets.

We may remove, hide, or restrict community content, investigate reports, preserve evidence needed for disputes or legal duties, and process uploader pledges or takedown records.

We keep personal data only as long as needed for the purposes above, unless a longer period is required for legal, tax, security, accounting, dispute, or fraud-prevention reasons.

Account data is kept while your account is active and then deleted or anonymized after validated deletion. Payment, tax, subscription, refund, and accounting records may be retained for legally required periods. Security and access logs are retained for limited operational periods. User-uploaded files, prompts, generated outputs, community content, and knowledge records are retained until deleted by you, removed by moderation, or no longer needed for service delivery, subject to backups and legal exceptions.

The backend deletion workflow may anonymize the account shell, delete or unlink many user-owned records, redact payment identifiers, optionally delete file artifacts, and create external provider tasks. Backup and provider deletion completion may follow separate operational schedules.

We use necessary cookies for login, security, and service operation. We use localStorage for locale preference (`paulga-locale`) and cookie consent state. Google Analytics and Vercel Analytics are loaded only after analytics consent where configured. Marketing storage is used only if separately enabled and consented.

You can change optional cookie choices from the footer cookie settings. Blocking necessary cookies may prevent login or core service functions.

PAULGA is operated from Korea and may use providers located in Korea, the United States, the EU/EEA, or other countries. Your data may be processed outside your country of residence. Where GDPR or similar laws apply, we use appropriate safeguards such as adequacy decisions, standard contractual clauses, data processing terms, or other lawful transfer mechanisms as applicable.

If your project contract prohibits cross-border transfers or specific AI providers, do not use the standard service for that project until an approved enterprise arrangement is in place.

Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to processing of your personal data, and to withdraw consent for optional processing. EU/EEA and UK users may also have the right to data portability and to lodge a complaint with a supervisory authority. California users may have rights to know, delete, correct, opt out of sale/share, limit certain sensitive data uses, and non-discrimination. Korean users may exercise rights under the Personal Information Protection Act.

Use the privacy deletion page for account deletion requests or email paulga.support@gmail.com for access, correction, export, restriction, objection, consent withdrawal, or other privacy requests. We may need to verify your identity and may retain records where required by law.

We use technical and organizational measures designed to protect personal data, including TLS in transit, httpOnly secure authentication cookies, password hashing, role-based access controls, payment-key encryption in the backend, administrative review controls, activity logs, and operational security reviews. No internet service can be guaranteed perfectly secure.

The service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child provided personal data, contact us so we can take appropriate action.

PAULGA uses AI to generate design-support outputs, search answers, renderings, and workflow suggestions. These outputs do not make legally binding decisions about you. Human review is required for professional, legal, safety, billing-dispute, moderation, or account-enforcement decisions where required.

Privacy contact: PAULGA privacy team

Email: paulga.support@gmail.com

We may update this Privacy Policy as the service, vendors, or legal requirements change. Material changes will be posted on this page and, where appropriate, communicated by email or in-service notice before they take effect.