Privacy Policy
Effective May 2, 2026
This is the privacy policy for Staging Assistant, a property staging inventory product operated by Staging Assistant LLC, a Washington State limited liability company. We've written it in plain English. If anything is unclear, email us at admin@stagingassistant.com.
1. Who this policy applies to
This policy describes how we handle personal information for:
- Account holders — people who sign up to use Staging Assistant on behalf of a staging company (admins, stagers, movers).
- Visitors — people who browse our marketing site or contact us without an account.
When you upload information about your own clients (homeowners, agents, crew members) into Staging Assistant, your company is the controller of that information and we are the processor handling it on your instructions. We say more about that in section 6.
2. What we collect
Account information. Your name, email address, a hashed password, your role within your company, your Stripe customer ID, and timestamps for things like account creation, last login, and recent activity. We collect this directly from you when you sign up or accept an invitation, or from the admin who invites you.
Content you upload. Houses, items, people, photos, notes, custom fields, and settings — everything you put into the product to do your job. This often includes information about your clients and the agents you work with: names, addresses, phone numbers, sometimes financial details. You're the controller for that content; we hold it on your behalf.
Payment information. Billing is handled by Stripe. We store your Stripe customer ID and your subscription state (plan, status, renewal date). We do not store credit card numbers, bank account numbers, or any other payment instrument details.
Communications. Emails you send us, contact form submissions, and in-app feedback you submit.
Cookies. We use a small number of first-party cookies to operate
the service. The main one is a token cookie that keeps you signed in
(HttpOnly, marked Secure). We may also set short-lived first-party
cookies during the sign-up flow to remember your progress between
steps. We do not use analytics cookies, advertising cookies, or
third-party tracking cookies, and we don't sell or share any cookie
data. Because we only use cookies that are strictly necessary to
provide the service, no consent banner is required.
Server logs. Standard request logs containing IP address, user agent, request path, status code, and timestamp. We use these for security, debugging, and abuse prevention. We retain them for 60 days and then delete them.
Bot and abuse prevention signals. Sign-up, sign-in, password reset, and the contact form are protected by Cloudflare Turnstile, a privacy-respecting CAPTCHA alternative. When you interact with one of these forms, your browser sends signals to Cloudflare — including device characteristics, browser environment, and your IP address — which Cloudflare uses to verify that you're a human and issue a short-lived verification token. Turnstile may set a temporary first-party cookie during this exchange. This information is processed by Cloudflare in accordance with the Cloudflare Privacy Policy. We use Turnstile only for bot and abuse prevention; we don't use it for analytics, tracking, or profiling.
3. Photos and metadata
When you upload a photo, your browser re-encodes it before sending it to us. That re-encoding strips EXIF metadata, including any GPS coordinates the camera embedded. We never see the original file or its metadata — only the re-encoded version is stored on our servers.
4. How we use information
We use the information described above to:
- Operate Staging Assistant and provide it to you and your team.
- Bill you for the service through Stripe.
- Send transactional emails (account verification, invitations, password resets, notifications you've asked for) through SendGrid.
- Respond to support requests and feedback.
- Detect and prevent fraud and abuse, including bot traffic via Cloudflare Turnstile.
- Process telemetry and diagnostic information — error reports, usage events, performance metrics — through AI providers including Google (Vertex AI) to investigate issues, summarize trends, and improve the product. We do not intentionally include Customer Content in backend telemetry AI analysis. However, diagnostic records such as error reports, support requests, and operational logs may occasionally contain limited Customer Content if that content is part of the issue being investigated. We use these records to operate, secure, debug, and improve the service, and we work to minimize or redact Customer Content where practical. We do not use Customer Content to train our own models, and we do not authorize AI providers to train general models on Customer Content. Any in-app AI features that process Customer Content (for example, AI-assisted item descriptions or categorization) are opt-in: the relevant data is only sent to AI providers when you've enabled the feature. Data we send to AI providers — whether for backend telemetry or for opt-in product features — is sent through the providers' commercial APIs and handled according to those API terms.
5. Who we share information with
We share information with the following subprocessors strictly to operate the service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | United States |
| PayPal | Payment processing (legacy subscriptions only) | United States |
| SendGrid (Twilio) | Transactional email | United States |
| Google Cloud Platform | Hosting, file storage, database | United States |
| Google Vertex AI | AI processing of backend telemetry; opt-in product features if enabled | United States |
| Cloudflare | Bot/abuse prevention (Turnstile) | Global edge |
We don't sell personal information, and we don't share it with advertisers. We may disclose information when required by law (valid subpoena, court order, similar legal process) or when necessary to protect our rights or the safety of others; we'll tell you about such requests where we're legally permitted to.
If we add or change subprocessors, we'll update this list. Material changes will be communicated by email to active accounts.
6. Controller and processor
Most B2B SaaS products carry two layers of personal data, and so does Staging Assistant:
Your account data — your name, email, login activity, role. We are the controller for this data. You can exercise the rights listed in section 8 directly with us.
Data you upload about your clients and agents — your customers' names, addresses, phone numbers, the photos of their homes, notes about jobs. Your company is the controller for this data. We are the processor: we hold it, host it, and operate on it according to your instructions.
If you're a homeowner, agent, or other third party whose information is in someone else's Staging Assistant account, your first stop is the staging company that holds the data — they decide what's collected, what it's used for, and how long it's kept. If they don't respond or you can't identify them, email us at admin@stagingassistant.com and we'll help you reach them or, if necessary, follow our fallback deletion process.
A Data Processing Addendum is available on request from admin@stagingassistant.com.
7. How long we keep information
Active subscriptions. We retain your Customer Content and account data for as long as your subscription is active.
After cancellation or expiry. We retain your Customer Content for at least 90 days after your subscription ends, so you have time to re-subscribe or recover anything you need. After that minimum window, Customer Content becomes eligible for deletion and is removed on a routine schedule as part of normal data hygiene. We do not retain Customer Content indefinitely. Backups roll over on their own schedule; any deleted data still present in backups is overwritten through normal rotation.
Earlier deletion on request. If you'd like your data deleted sooner — whether your subscription is active or already cancelled — email admin@stagingassistant.com and we'll handle it. We respond to deletion requests within 30 days.
Server logs. 60 days, then deleted.
Billing records. Stripe (and PayPal, for legacy subscriptions) retain billing records on their own systems according to their policies and applicable tax and accounting requirements. We don't retain Stripe or PayPal identifiers on our side after the deletion window closes.
Communications. Support emails and feedback are kept for as long as we need them to do our job and meet our legal obligations.
8. Your rights
You have the following rights with respect to your personal information:
- Access. Most of your data is visible directly in the product. If you want a copy of something you can't see, email us.
- Correct. Edit your data in the product, or email us.
- Delete. Admins can remove individual users from their team in the product. To delete an entire company's data, or to request deletion of a specific account that your admin won't process, email admin@stagingassistant.com. Customer Content is also deleted as part of normal retention once a subscription has been cancelled or expired (see "How long we keep it"). We respond to deletion requests within 30 days.
- Export. Admins can export company data to Excel from inside the product. For other formats or scopes, email us.
- Object or restrict processing. Email us and we'll work it out.
- Withdraw consent where consent is the basis we're relying on.
- Lodge a complaint with your local data protection authority if you're in a jurisdiction that has one.
We respond to rights requests within 30 days. If we need more time because the request is complex, we'll tell you.
9. Security
- All traffic to and from the service runs over TLS.
- Passwords are hashed with bcrypt; we never store them in plain text.
- Session cookies are HttpOnly and marked Secure.
- The service is hosted on Google Cloud Platform in US regions.
- We follow the principle of least privilege internally: people on our team only have access to the systems they need.
No service is perfectly secure. We can't guarantee that information will never be exposed, but we work hard to make sure it isn't.
10. International transfers
All data is stored in the United States on Google Cloud. If you access the service from outside the US, your information is transferred to and processed in the US.
For users in the EU, UK, or other jurisdictions with cross-border transfer rules, we rely on Standard Contractual Clauses where applicable. These are referenced in our DPA, which is available on request.
11. Children
Staging Assistant is a B2B product for staging professionals. It's not intended for anyone under 16, and we don't knowingly collect personal information from anyone under 16. If you believe a child has given us their information, email admin@stagingassistant.com and we'll delete it.
12. Changes to this policy
We'll update this policy from time to time. The effective date at the top of the page reflects the most recent change. For material changes, we'll notify active accounts by email before the change takes effect.
13. Contact
Staging Assistant LLC Washington, USA admin@stagingassistant.com