Privacy Policy

When you sign up: your name, email, hashed password. When you use Furnishes: your style preferences, budget, conversations with Eva, uploaded room photos, addresses you save, payment tokens (never raw card numbers — those live with Stripe), and order history.

To provide the service: personalising Eva's recommendations, fulfilling orders, sending receipts and delivery updates. For marketing: only if you opt in, via the Contact preferences page.

Sub-processors we work with: Stripe (payments), Resend (email), Cloudflare R2 (photo storage), Anthropic / OpenAI (Eva's underlying model). We have data processing agreements with each. We never sell your data.

You can: access your data (via Account → Privacy & Data → Export your data), correct inaccuracies (via Profile), withdraw consent for marketing (via Contact preferences), and request deletion (7-day grace period then permanent).

We retain your account data while your account is active, and for 30 days after deletion for backup recovery. Order records are kept for 7 years for tax compliance, as required by Singapore law.

Passwords hashed with bcrypt. TLS in transit. Encrypted at rest. Payment data never touches our servers. We've implemented reasonable technical measures as required by PDPA section 24.

We use essential cookies for authentication and session management. Analytics cookies are opt-in via the cookie banner. We don't use third-party tracking cookies for advertising.

For PDPA access, correction, or deletion requests, contact our DPO: dpo@furnishes.sg. We'll respond within 30 days as required by law.

If we update this policy, we'll email account holders and note the change in your Activity log. Material changes require renewed consent.