Introduction
DIYDerek (“we”, “our”, “us”) is operated by MT-DEVA LIMITED, a company registered in England and Wales (registered address: 71-75 Shelton Street, London, WC2H 9JQ). This Privacy Policy explains how we collect, use, and protect your personal information when you use the DIYDerek mobile application and related services (the “Service”).
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
Information We Collect
Account Information
When you sign in with Google or Apple, we collect:
- Email address - used for account identification and support communication
- Google account ID - used to link your account across sessions
- Apple account ID - used to link your account across sessions when you choose Sign in with Apple
- Guest device identifier - used to create and restore guest sessions before you sign in
Project Data
When you use the Service to analyse DIY projects, we collect:
- Photos you upload - images of your DIY projects submitted for analysis
- Project details - category, skill level, goals, and additional context you provide
- Coarse location - city, state/region, and country derived from your device’s GPS coordinates via reverse geocoding. We do not store precise GPS coordinates. Location is used solely to provide region-appropriate cost estimates and material availability.
- Toolbox inventory - tool name, purpose, optional details, category, and ownership status when you add tools you own, plan to borrow, plan to rent, or need to buy.
- Measurements - manual dimensions or RoomPlan-derived room dimensions, surface measurements, total wall/floor area, and capture timestamp when you add measurements to a project. RoomPlan scan data is converted on your device into measurement values; we do not store raw RoomPlan scan files.
- Job review details - category, description, photos, and the amount you say you paid when you request a review.
- Purchase records - App Store product ID, transaction ID, credit balance changes, and transaction environment used to verify purchases and prevent duplicate credit grants.
Usage Data
We collect usage analytics and diagnostics to improve the Service:
- PostHog - hosted in the EU (Frankfurt). Collects linked usage events such as screen views, feature usage, onboarding actions, credit purchase events, app version, and coarse event properties. We do not send project photos, project descriptions, email addresses, or exact GPS coordinates to PostHog. Session replay is disabled. See PostHog’s privacy policy.
- Sentry - error and crash reporting. When the app crashes or encounters an error, diagnostic data such as device model, OS version, app version, stack traces, user ID, request IDs, and sanitized error context may be sent to Sentry. This data does not include your project photos or personal content. See Sentry’s privacy policy.
How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service
- Analyse your DIY project photos and generate tool lists, instructions, cost estimates, and tips
- Provide region-appropriate pricing and material availability
- Verify App Store purchases and maintain your credit balance
- Communicate with you about your account or support requests
- Monitor and improve the Service’s performance and reliability
- Detect and prevent abuse or misuse
AI Processing
Your project photos and text are sent to our AI processing provider for analysis. Important details:
- The provider processes your data only to generate your project plan, estimate, or review
- Your data is not used to train AI models without our permission or instruction under the provider’s data governance commitments
- We send only the minimum data necessary for analysis: photos, project context, skill level, coarse region, clarifying answers, job review details, relevant toolbox ownership status, and relevant measurements
- DIYDerek does not offer on-device AI processing in the current iOS app; AI-backed project analysis, quick estimates, and job reviews require cloud processing
Data Storage
- Photos - stored in Cloudflare R2 (S3-compatible object storage). Photos are retained with the associated saved project, quick estimate, or job review until you delete that item or your account.
- Account, project, toolbox, measurement, estimate, review, and purchase records - stored in a PostgreSQL database hosted by Railway.
- Temporary processing - photos and text may be held temporarily while a request is uploaded, transformed, and processed. We do not use those temporary processing copies for unrelated purposes.
- AI processing location - AI requests are processed through our configured cloud AI region.
- All saved app data is stored on servers located in the United States and Europe.
Data Retention
We retain saved projects, toolbox inventory, measurements, estimates, reviews, account data, and associated photos for as long as your account is active, unless you delete an individual item sooner.
When you delete an individual project, quick estimate, or job review, we delete the saved record and its associated uploaded photos from server-side media storage. When you delete your account:
- All personal data, project data, and uploaded photos are permanently deleted
- Analytics and diagnostic data in PostHog and Sentry is retained according to those service configurations and may remain after account deletion in aggregated or operational logs.
Your Rights
For All Users
You have the right to:
- Access your data - request a copy of all data we hold about you
- Export your data - download your project data and analyses
- Delete your account - permanently remove all your data from our systems
- Delete individual projects - remove specific projects and their associated photos
To exercise any of these rights, contact us at support@diyderek.net or use the in-app account management features.
GDPR Rights (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, you additionally have the right to:
- Rectification - correct inaccurate personal data
- Restriction - request we limit processing of your data
- Portability - receive your data in a structured, machine-readable format
- Object - object to processing based on legitimate interests
- Lodge a complaint - with your local data protection authority
Our legal basis for processing is:
- Contract performance - to provide the Service you signed up for
- Legitimate interests - analytics and service improvement
- Consent - where explicitly provided
CCPA Rights (California Users)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Non-discrimination - we will not discriminate against you for exercising your rights
We do not sell your personal information to third parties.
Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Sign-In | Authentication | Google account ID, email |
| Sign in with Apple | Authentication | Apple account ID, email |
| AI processing provider | AI project analysis | Photos, project context, skill level, coarse region, clarifying answers, job review details, toolbox ownership status, measurements |
| Cloudflare R2 | Photo storage | Uploaded photos |
| Railway | Database hosting | Account, project, toolbox, measurement, estimate, review, and purchase records |
| PostHog (EU) | Usage analytics | Linked usage events, user ID, app/version data |
| Sentry | Error reporting | Crash and diagnostic data, user ID |
| Apple (App Store) | Distribution and payments | Purchase data handled by Apple; signed transaction data shared with us for credit verification |
International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data outside the EEA, we rely on Standard Contractual Clauses and equivalent safeguards to ensure your data receives an adequate level of protection.
Children’s Privacy
DIYDerek is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@diyderek.net and we will promptly delete it.
Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- JWT-based authentication with secure token handling
- Photos stored in access-controlled cloud storage
- Database access restricted to authorised services only
In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authorities within 72 hours as required by GDPR.
No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the “Last updated” date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or your data, contact us at:
Email: support@diyderek.net
Registered address: MT-DEVA LIMITED, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom