Legal
Privacy Policy
Effective date: 4 July 2026
This policy explains what personal data PropertyVR ("we", "us") collects when you use www.propertyvr.co (the "Service"), why we collect it, who we share it with, and the choices you have. We designed the Service to collect as little personal data as possible.
1. Data we collect
- Account data — your email address, display name, and a hashed password (we never see your actual password), or your Google account email and name if you sign in with Google.
- Profile & listing data — anything you add to your profile (such as a studio name) and the content of your listings: 360° photos, videos, titles, prices, locations, and descriptions. Published listings are public by design.
- Payment data — handled entirely by Stripe. We receive only your subscription status, plan, and a Stripe customer reference — never your card number.
- Usage data — standard technical logs (IP address, browser type, pages requested) kept by our hosting providers for security and debugging, and aggregate view counts on tours.
- Communications — messages you send us, for example support emails.
2. Why we use it (and our legal bases)
- To provide the Service — create your account, host your tours, show listings, process subscriptions (performance of a contract).
- To keep the Service secure and prevent abuse (legitimate interest).
- To respond to your messages (legitimate interest).
- To store optional preference data on your device (consent — see Cookies below).
We do not sell personal data, and we do not use it for third-party advertising.
3. Who we share it with
Only service providers that make the platform work, acting on our behalf:
| Provider | Purpose | Where |
|---|---|---|
| Supabase | Authentication, database, and file storage for your account, profile, and tours | Cloud (region of our project) |
| Stripe | Subscription payments and billing portal | Global |
| Optional "Sign in with Google" | Global | |
| Vercel | Website hosting and serverless functions | Global CDN |
| Tour embed providers (Matterport, Kuula, CloudPano) | Playing tours that Sellers embed from those platforms | Per provider |
We may also disclose data if required by law, or as part of a business transfer, in which case this policy continues to apply.
4. Cookies and local storage
We use a small number of cookies and similar technologies (localStorage):
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Strictly necessary | Keeps you signed in to your PropertyVR account (Supabase session) | Until sign-out / expiry |
| pvr_cookie_consent_v1 | Strictly necessary | Remembers your cookie choice | Persistent |
| pvr_visitor | Preferences (consent) | Anonymous visitor identifier for device preferences | Persistent |
| Stripe cookies | Strictly necessary | Fraud prevention and payment when you open checkout or the billing portal (set by stripe.com) | Per Stripe |
| Google cookies | Strictly necessary | Set by accounts.google.com when you use "Sign in with Google" | Per Google |
You can change your choice at any time:
5. How long we keep data
- Account and listing data — for as long as your account exists. Deleting a listing removes it from the marketplace; closing your account deletes your profile and tours.
- Billing records — kept as long as required by tax and accounting law.
- Technical logs — kept briefly by our providers (typically 30–90 days).
6. Security
Traffic is encrypted with HTTPS, passwords are hashed by Supabase Auth, database access is protected with row-level security so users can only modify their own data, and payment details never touch our servers. No system is 100% secure, but we follow current good practice.
7. International transfers
Our providers may process data outside your country. Where required, transfers rely on the providers' standard contractual safeguards.
8. Your rights
Depending on where you live — including under Thailand's Personal Data Protection Act (PDPA) and the EU/UK GDPR — you have the right to access, correct, download, or delete your personal data, to object to or restrict certain processing, to withdraw consent at any time, and to complain to your data-protection authority. You can edit your profile in the app, and you can exercise any of these rights by emailing us at the address below. We respond within 30 days.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. For material changes we will give reasonable notice on the site or by email. The effective date above always shows the current version.
11. Contact
Data controller: PropertyVR
Email: tanya.duangtecha@gmail.com