Who is the controller
knuslabs, Amsterdam, the Netherlands. KvK 57878889. Director: Ruud Niewenhuijse. We are the data controller for everything described on this page.
For any privacy question or to exercise a right under GDPR, write to ruud@knuslabs.com. That inbox is monitored by Ruud directly. No help-desk maze.
What this covers
Two things sit under this policy: using the knuslabs website (live today, including the design studio) and ordering custom furniture (not yet available; in development).
The sections that talk about payments, shipping, and order records describe how we plan to handle that data once paid ordering goes live. Until then, no order data is collected. We will update this page before paid ordering launches and notify anyone with an active project.
The sections about studio use, analytics, cookies, GDPR rights, and contact apply today.
What we collect
Account data (today)
If you sign in: name and email. Anything else (billing address, shipping address, phone number) is collected later, only if you place an order, and only once ordering exists.
Project data (today)
The photo of your space, the dimensions, the brief text you write, the design options you keep, and any saved renders or bills of materials. Generated in the studio, stored against your account.
Operational data (today)
Account events, support emails, and the basics every web server logs: IP address, user agent, timestamp. Kept short for security.
Optional analytics and ad measurement data (today, with consent)
If you consent, we collect first-party journey events so we can see where people get stuck. These events can include page path, route, referrer, campaign parameters, anonymous id, session id, start or design request id when relevant, event name, timestamps, status or error codes, duration, file count, prompt length, and prompt word count.
If you separately consent to Reddit ad measurement and arrive from a Reddit ad, we store Reddit's click id for up to 28 days and can send limited conversion events to Reddit Ads through Reddit's server-side Conversions API. Those events can include a start submission, newsletter signup, generated design page reach, event type, timestamp, page URL or domain, Reddit click id, user agent, IP address, and screen dimensions.
Analytics and ad measurement events do not store raw prompts, uploaded file names, image URLs, email addresses, OTP codes, or payment details.
Payment data (future)
We do not take payments today. Once paid ordering goes live, card payments will be handled end to end by a regulated payment processor. We will never see or store your card number; the processor will send us back the brand, last four digits, and billing country, so we can answer questions about a specific charge and meet our bookkeeping obligations.
Order and shipping data (future)
Order history, shipping address, optional phone number for delivery coordination, and tracking numbers. Collected only when ordering is live and you place an order.
Why we collect it
Studio account and project data is needed to run the service you signed in for. In future, order, payment, and shipping data will be needed to make and deliver your piece. Both fall under contract performance in GDPR terms.
A small set of processing rests on legitimate interest: the basic web server logs we need for security and fraud prevention, and (once pieces exist to photograph) showing anonymised final renders of your design in our portfolio. You can object to the portfolio use at any time: see Section 4 of our terms for the opt-out, or just email us.
Anything else (the newsletter, optional analytics, Reddit ad measurement) is on consent. We ask before we collect, and you can withdraw consent at any time without affecting anything else.
How long we keep it
- Studio account and project data: kept while your account is active. Delete your account and we delete this data, except where law requires us to keep something (mostly invoices, which do not exist yet).
- Marketing list: until you unsubscribe. There is an unsubscribe link in every email.
- Web server logs: thirty days, then rotated and deleted.
- Support emails: twenty-four months after the last reply, then archived offline for another two years in case a future warranty issue surfaces.
- First-party analytics events: kept without a scheduled deletion date so we can compare long-term journey quality. If you withdraw consent and ask us to delete identifiable analytics data, we will delete or anonymise what we can link to your identifiers.
- Reddit ad click id: kept in your browser for up to 28 days after consent, or until you withdraw marketing consent or clear browser storage.
- Order records (future): once orders exist, seven years after the order ships. We are legally required to keep invoices and tax records that long under Dutch tax law.
Who else touches it
The list is short, and we keep it that way on purpose.
In use today
- Hetzner Online, hosting. Servers in Germany. Your data lives on EU infrastructure.
- OpenAI, generating design options from your brief. We send the dimensions, brief text, and (when relevant) a low-resolution version of the room photo. We use the API tier with no training on customer data.
- Anthropic, also used for generating and refining designs from your brief, on the same input shape as OpenAI. Same no-training-on-customer-data API tier.
- Reddit Ads, ad measurement. Only if you consent to marketing measurement and arrive from a Reddit ad, we send limited conversion events through Reddit's Conversions API so we can measure and optimise campaigns.
Planned, not in use yet
- A regulated payment processor for cards, once paid ordering exists.
- Shipping carriers for outbound parcels, once we ship. They will receive the recipient name, address, and any phone number you provided.
- A transactional email provider for order confirmations and shipping notifications, once orders exist.
We sign data processing agreements with each sub-processor we work with. If we add or change one, we update this page and email anyone with an open project.
Transfers outside the EEA
Your account, project, and analytics data lives on EU servers (Hetzner, Germany).
The exceptions are OpenAI, Anthropic, and Reddit, all US-based. We reach OpenAI and Anthropic through their enterprise APIs and rely on the European Commission's standard contractual clauses, with the supplementary safeguards their data processing agreements set out. We only send what is needed to generate or refine a design (brief text, dimensions, a low-resolution photo when relevant), and we use the API tiers that do not train on customer data. Reddit ad measurement is limited to consented conversion metadata, not your prompts or uploaded images.
Your rights under GDPR
You have the following rights and we will honour them. No charge.
- Access: ask what we hold on you and get a copy.
- Rectification: fix anything that is wrong.
- Deletion: have your data removed, except records we are legally required to keep.
- Portability: get your data in a machine-readable format to take elsewhere.
- Restriction and objection: pause or object to a specific use, including the portfolio use mentioned earlier.
- Withdraw consent: for anything that runs on consent (newsletter, optional analytics, Reddit ad measurement), withdraw at any time.
Email ruud@knuslabs.com with what you want and we will reply within five working days. We may ask for proof that you are who you say you are, though most of the time the email address on file is enough.
If you are not happy with how we handled a request, you can complain to the Dutch supervisory authority, the Autoriteit Persoonsgegevens, or to the supervisory authority in the EU country where you live.
Children
knuslabs is not aimed at children. We do not knowingly collect personal data from anyone under sixteen. If you think a child has sent us data, write to ruud@knuslabs.com and we will delete it.
Changes to this policy
The "Last updated" date at the top reflects the most recent change. For meaningful changes (adding a new processor, changing the legal basis for something) we will email anyone with an active project before the change takes effect.
Contact
Privacy questions, GDPR requests, anything else: ruud@knuslabs.com. One inbox, one human (Ruud) reading it.
Or by post: knuslabs, Amsterdam, the Netherlands. KvK 57878889.
This privacy policy was last updated 25 May 2026.