Privacy Policy

There are three groups of people whose data we may process:

• Retailers and other business customers who hold an account with us and subscribe to our service.
• End userswho interact with the Visualiseo widget embedded on a retailer's website — for example, to upload a photo of a space and generate a product visualisation.
• Website visitors who browse visualiseo.co.uk without signing up.

The rules that apply to you depend on which of these you are.

Data protection law treats the person who decides why data is collected (the controller) differently from the person who processes it on their instructions (the processor). Where two organisations jointly decide the why and how, they are joint controllers under Article 26 UK GDPR. Our role changes depending on the context:

• For retailer account data (your name, email, company, payment records) we are the controller.
• For photos uploaded by end users through a retailer's widget in order to generate a render, the retailer is the controller and we are the processor acting under a Data Processing Agreement (see /dpa).
• For the public gallery that we run at visualiseo.co.uk and that retailers run on their own sites, we and the retailer are joint controllers. A plain-English summary of that arrangement is available at /legal/joint-controller-summary.
• For the “Email me this render” feature — where an end user asks us to email their render and that address is passed to the retailer as a sales lead — the retailer is the controller and we are the processor acting on their behalf (see section 6).
• For our own server logs, security telemetry, and aggregate usage statistics about the widget, we are the controller.
• For renders generated through a demo or free visualiser that we host on our own site(for example the “try it” tool on our homepage or our free flooring and worktop visualiser pages), there is no retailer involved — so we are the sole controllerof everything you do there, including the photo upload and render, the short-lived rate-limit counters, the pseudonymous session analytics, and any optional gallery publication. The data we handle and our legal bases are exactly the same as described elsewhere in this policy; only our role differs. Where this policy says the retailer is the controller, or that the gallery is run under joint controllership, or refers to “the retailer's privacy notice”, that does not apply to our own hosted demos — for those, we are the controller you exercise your rights against, at privacy@visualiseo.co.uk.

Automated decision-making. We do not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of Articles 22 / 22A–22D UK GDPR. Render generation is automated but produces a visual preview, not a decision about you. You have the right to contest any automated processing and to request human intervention; contact privacy@visualiseo.co.uk.

We never use your uploaded images to train AI models. Every AI provider we use is engaged under a paid commercial contract that contractually prohibits training on customer inputs.

A photograph is not automatically special-category data under UK law; it becomes so only where it is processed for biometric identification (Art. 9 UK GDPR). We do not carry out biometric identification and our AI providers have confirmed contractually that inputs are not used for face-matching or identification.

However, a photograph of a space may incidentally reveal information that is special-category data under Art. 9 (for example, religious markers in the home, visible mobility aids, or details that suggest ethnicity). We minimise this risk by prohibiting and rejecting photos of people before any AI processing occurs and by stripping EXIF / GPS metadata from every upload.

For the render itself (the processing that happens even if you never publish to the gallery), we rely on your explicit consent under Art. 9(2)(a) UK GDPR, captured at the widget's pre-flight notice — the consent tick covers Article 6(1)(a) and Article 9(2)(a) and is the basis we use for any special-category information that might incidentally appear in the photo of your space.

For gallery publication, we rely on a separate, more granular explicit consent under Art. 6(1)(a) and Art. 9(2)(a) — captured at the Save popup, withdrawable via a tokenised link shown on the widget result screen at the moment of publication for you to copy and keep.

You may withdraw either consent at any time. Withdrawal stops future processing — it does not make past processing unlawful. The provider's file-API copy of your photo is deleted automatically within 48 hours regardless.

We rely on a small set of trusted sub-processors to run the service:

The canonical list is published at /sub-processors. We give retailers at least 30 days' email notice of any material addition or replacement of a sub-processor, and retailers can object on reasonable data-protection grounds.

Email leads. Separately from the sub-processors above, when you ask us to email a render to you we share your email address, the render, and the product visualised with the retailer whose widget you used, so they can follow up about that product. The retailer is an independent controller of that lead and handles it under their own privacy notice. We pass it to them as their processor; we do not use it for our own purposes.

We do not trade or monetise personal data. We do not share it with advertisers. We do not use third-party analytics, cross-site tracking pixels, or behavioural advertising cookies.

We may disclose data where we are legally required to (for example, a court order) or where it is necessary to investigate fraud, abuse, or a threat to safety.

Some of our sub-processors are based outside the UK and EEA. Where this is the case we rely on safeguards recognised by UK data protection law, in particular:

• The UK-US Data Bridge (UK extension to the EU-US Data Privacy Framework) for providers that are DPF-certified.
• Standard Contractual Clauses together with the UK International Data Transfer Addendum.
• Adequacy decisions issued by the UK government, where available.

We have completed a Transfer Risk Assessment for each international sub-processor. A summary is available on request from privacy@visualiseo.co.uk.

You have the following rights under UK data protection law:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Ask us to delete your data (“right to be forgotten”).
• Restrict or object to processing based on legitimate interest.
• Receive your data in a portable format.
• Withdraw consent you have given. For gallery publication, a self-serve withdrawal linkis shown on the widget result screen at the moment you tick “Share publicly”, for you to copy and keep. You can use that link at any time without contacting us. You can also email us at privacy@visualiseo.co.uk, use the complaints form, or use the retailer's own channel.
• Complain directly to us using our electronic complaints form at /complaints. This is a statutory right under the DUAA 2025 (amended Art. 77 UK GDPR). We will acknowledge your complaint within 30 days and inform you of the outcome without undue delay.
• Complain to the Information Commissioner's Office at ico.org.uk.

If you used the widget on a retailer's website for a render, the retailer is the controller for that upload. You can contact either them or us — for the public gallery, because we are joint controllers, you can exercise your rights against either party (Art. 26(3) UK GDPR).

If you are an account holder, email privacy@visualiseo.co.uk or use /complaints. We will respond within one calendar month.

We only use first-party storage. We do not use advertising, analytics, or cross-site tracking cookies, so no cookie banner is shown. Our marketing-page analytics are cookieless and run server-side (see §1).

You can clear any of these at any time through your browser's privacy settings.

Visualiseo is not directed at children. You must be 18 or over to hold an account or to use the widget. We do not knowingly collect data from anyone under 18.

The widget accepts photographs of spaces only. A server-side check rejects any image that appears to contain a person before it is sent to any AI provider. We believe this restriction, combined with the age statement in the pre-flight notice, removes the material risks that the Children's Code and Online Safety Act 2023 are designed to address.

We have carried out a Children's Access Assessment (under the ICO Children's Code and the Online Safety Act 2023) and have concluded that the service is not likely to be accessed by children in significant numbers. Even so, we apply relevant standards — data minimisation, opt-in publication, no profiling, no dark patterns — as data protection by design.

If you believe a child has used our service, contact privacy@visualiseo.co.uk and we will delete their data.

Every render produced by the widget is AI-generated. In line with Article 50 of the EU AI Act (which applies to us when we serve EU users) and our own transparency commitments:

• Every image displayed in our public gallery carries a visible “AI-generated” label.
• The widget discloses before you upload that the final image is produced by AI and may not exactly match the product's real colour or finish.
• We do not use synthetic media to impersonate real people; photographs of people are rejected before any AI processing.

• All traffic to and from our servers uses TLS encryption.
• Data stored by our providers (Google Cloud Storage, Neon, Vercel) is encrypted at rest using provider-managed keys.
• Passwords are stored as bcrypt hashes, never in plain text.
• API keys are unique per account and can be rotated by you at any time.
• Each retailer's widget installation is restricted to domains they allowlist.
• EXIF, GPS, and other embedded metadata are stripped from every uploaded image before it is processed or stored.
• Access to production data is restricted to the minimum number of people needed to operate the service.
• We operate an incident-response process with 72-hour ICO notification per Article 33 UK GDPR.
• We carry out Data Protection Impact Assessments for new processing and review them annually.

If we make a material change to this policy we will email account holders and update the “Last updated” date at the top of this page. Continuing to use the service after the change means you accept the updated policy.

• Privacy questions and data subject requests: privacy@visualiseo.co.uk
• Electronic complaints form: /complaints
• General support: support@visualiseo.co.uk

You can also reach us by post at our registered office: