Introduction
DIYDerek (“we”, “our”, “us”) is operated by MT-DEVA LIMITED, a company registered in England and Wales (registered address: 71-75 Shelton Street, London, WC2H 9JQ). This Privacy Policy explains how we collect, use, and protect your personal information when you use the DIYDerek mobile application and related services (the “Service”).
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
Information We Collect
Account Information
When you sign in with Google, we collect:
- Email address — used for account identification and support communication
- Google account ID — used to link your account across sessions
Project Data
When you use the Service to analyse DIY projects, we collect:
- Photos you upload — images of your DIY projects submitted for analysis
- Project details — category, skill level, goals, and additional context you provide
- Coarse location — city, state/region, and country derived from your device’s GPS coordinates via reverse geocoding. We do not store precise GPS coordinates. Location is used solely to provide region-appropriate cost estimates and material availability.
Usage Data
We collect anonymised usage analytics to improve the Service:
- PostHog — hosted in the EU (Frankfurt). Collects anonymised usage events such as feature usage, session data, and app performance metrics. No personally identifiable information is sent to PostHog. See PostHog’s privacy policy.
- Sentry — error and crash reporting. When the app crashes or encounters an error, diagnostic data (device model, OS version, stack traces) is sent to Sentry. This data does not include your project photos or personal content. See Sentry’s privacy policy.
How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service
- Analyse your DIY project photos and generate tool lists, instructions, cost estimates, and tips
- Provide region-appropriate pricing and material availability
- Communicate with you about your account or support requests
- Monitor and improve the Service’s performance and reliability
- Detect and prevent abuse or misuse
AI Processing (Google Gemini)
Your project photos and text are sent to the Google Gemini API for analysis. Important details:
- Google Gemini processes your data to generate project analysis results
- Google does not use your data to train its AI models when accessed via the paid API
- Data sent to Gemini is subject to Google’s API Terms of Service
- We send only the minimum data necessary for analysis (photos, project context, skill level, region)
Data Storage
- Photos — stored in Cloudflare R2 (S3-compatible object storage). Photos are retained for as long as your account exists or until you delete the associated project.
- Account and project data — stored in a PostgreSQL database hosted by Railway.
- All data is stored on servers located in the United States and Europe.
Data Retention
We retain your data for as long as your account is active. When you delete your account:
- All personal data, project data, and uploaded photos are permanently deleted
- Anonymised analytics data in PostHog and Sentry is retained indefinitely, as it cannot be linked back to your identity
Your Rights
For All Users
You have the right to:
- Access your data — request a copy of all data we hold about you
- Export your data — download your project data and analyses
- Delete your account — permanently remove all your data from our systems
- Delete individual projects — remove specific projects and their associated photos
To exercise any of these rights, contact us at support@diyderek.net or use the in-app account management features.
GDPR Rights (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, you additionally have the right to:
- Rectification — correct inaccurate personal data
- Restriction — request we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Lodge a complaint — with your local data protection authority
Our legal basis for processing is:
- Contract performance — to provide the Service you signed up for
- Legitimate interests — analytics and service improvement
- Consent — where explicitly provided
CCPA Rights (California Users)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Non-discrimination — we will not discriminate against you for exercising your rights
We do not sell your personal information to third parties.
Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Sign-In | Authentication | Google account ID, email |
| Google Gemini API | AI project analysis | Photos, project context |
| Cloudflare R2 | Photo storage | Uploaded photos |
| Railway | Database hosting | Account and project data |
| PostHog (EU) | Usage analytics | Anonymised events |
| Sentry | Error reporting | Crash diagnostics |
| Apple (App Store) | Distribution and payments | Purchase data (handled by Apple) |
International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data outside the EEA, we rely on Standard Contractual Clauses and equivalent safeguards to ensure your data receives an adequate level of protection.
Children’s Privacy
DIYDerek is rated 4+ on the App Store. We do not knowingly collect personal information from children under 13. The Service is intended for general audiences. If you believe a child under 13 has provided us with personal information, please contact us at support@diyderek.net and we will promptly delete it.
Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- JWT-based authentication with secure token handling
- Photos stored in access-controlled cloud storage
- Database access restricted to authorised services only
In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authorities within 72 hours as required by GDPR.
No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the “Last updated” date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or your data, contact us at:
Email: support@diyderek.net
Registered address: MT-DEVA LIMITED, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom