What VADE does
with your data.

VADE is operated by Rough, an interior design studio based in Edinburgh, United Kingdom. The data controller for the purposes of UK GDPR and the EU GDPR is Rough Ltd. Contact: hello@vade.design.

From you, when you create an account:

• Email address, display name, and (optional) avatar — collected and stored by Clerk on our behalf.
• Organisation name, slug, and members — when you create or join a studio.

When you save a URL (web app or Chrome extension):

• The URL itself, plus the page’s public metadata: title, description, hero image, OpenGraph/Twitter cards, prices and JSON-LD if present.
• A dominant colour palette extracted from the page’s hero image.
• AI-generated category, tags, region and price-tier guesses (see below).
• Your own additions: notes, tags, collection memberships.

When you use the assistant chat:

• The messages you send, the tool calls the assistant makes (web search, page fetch), and the responses returned.

When you customise your studio brand:

• An optional brand title (text, used on shareable client moodboards in place of the org name).
• An optional brand logo file you upload (PNG, JPG, or SVG, up to 2 MB). Stored on Vercel Blob and served to anyone who has a public share link to one of your moodboards.

When your subscription changes:

• An audit row of the subscription event (created, updated, cancelled, trial-ending) is recorded so we can prove the lifecycle to you or to a regulator. The full Clerk event payload is kept; this never includes payment-card details (Stripe/Clerk handle those directly).

We use Google Analytics for basic usage analytics (see Third-party services below), but we do not set advertising cookies or run session-replay tools. Standard server-access logs (IP address, user-agent, request path, response status) are retained for up to 30 days for operational and abuse-prevention purposes only.

The VADE Chrome extension requests two permissions: cookies and storage. These are required for Clerk’s “Sync Host” feature, which lets the extension share your existing web-app session so you don’t have to sign in twice.

Cookies are read only from app.vade.design and clerk.vade.design — solely to confirm whether you’re already signed in. They are not read from any other domain you visit.

Storage is used to cache your Clerk session token locally so the extension can authenticate API calls without re-fetching every click.

When you right-click a page or image to save it, the extension sends only the target URL (and, where applicable, the specific image URL you clicked) to api.vade.design together with your Clerk JWT. It does not read the contents of pages you browse, inject scripts, or transmit anything else from your browser.

We use a small number of trusted sub-processors. We share only the data necessary for them to provide their service.

• Vercel (vercel.com) — application hosting and CDN for the frontend and API (US/EU). Privacy policy.
• Neon (neon.tech) — Postgres database storing your saves, vendors, collections and assistant conversation history. Hosted in EU (Frankfurt). Privacy policy.
• Clerk (clerk.com) — authentication, organisation membership and billing. Receives email, name, avatar, organisation metadata. Privacy policy.
• Stripe (stripe.com) — payment processing for paid plans, via Clerk Billing. Card details go to Stripe directly and never touch our servers. Privacy policy.
• Sentry (sentry.io) — error monitoring. Receives stack traces and request metadata when something breaks. Privacy policy.
• OpenRouter (openrouter.ai) — AI model gateway used to classify saves (category, tags) and power the assistant. Receives page titles, descriptions, hero-image URLs and your chat messages. Privacy policy.
• Google (Gemini) — image generation for composed moodboards, accessed via the Vercel AI Gateway. Receives the save images included in a board you compose. Privacy policy.
• Cohere (cohere.com) — reranking of search results for the assistant, proxied through OpenRouter. Privacy policy.
• Tavily (tavily.com) — web search backend used by the assistant. Receives only the search query string you submit. Privacy policy.
• Upstash (upstash.com) — durable job queue (QStash) that carries background enrichment work. Receives save IDs and URLs in queued messages. Privacy policy.
• Vercel Blob (vercel.com) — image storage for mirrored save images, composed moodboard canvases and your uploaded brand logo. Privacy policy.
• Resend (resend.com) — transactional email (welcome, plan changes) and inbound email-forward capture. Receives your email address and forwarded capture messages. Privacy policy.
• Jina (jina.ai) — page reading for the assistant’s fetch-page tool. Receives the URL of the page being read. Privacy policy.
• Google Analytics (Google LLC) — website and app usage analytics. Receives usage events (pages viewed, device type, approximate location derived from IP address) so we can understand how VADE is used. Not linked to your saves, library content or assistant conversations. Privacy policy.

We do not sell your data to anyone. We do not use your saves, your assistant conversations, or your library content to train AI models.

VADE’s database is hosted on Neon in the EU (Frankfurt). Vercel serves application traffic from regional edge locations but authenticated requests resolve to our backend in Washington, DC for now — we may relocate this for EU customers as the user base grows. Clerk operates globally; their handling of personal data is covered by their privacy policy linked above.

• Account & saves — kept until you delete them, or you delete your account.
• Assistant chat history — kept until you delete a conversation, or your account.
• Server access logs — 30 days, then deleted.
• Backups — encrypted, retained for 14 days, then rotated out.

Under UK and EU GDPR you have the right to access, correct, export and delete the personal data we hold about you, and to object to or restrict our processing of it. To exercise any of these:

• Sign in and use Settings to update or delete your organisation, members, saves and collections directly.
• Right to erasure (one click): as a studio admin, the “Danger zone” section of your Settings page hard-deletes your studio and every save, collection, moodboard and project belonging to it, along with the cached subscription audit log for that studio. Stripe billing records are retained where required by law (UK accounting rules, typically six years) but are stripped of identifying linkage to the deleted studio.
• Email hello@vade.design to request a full export of your data. We aim to respond within 14 days.
• You also have the right to lodge a complaint with your data-protection authority (in the UK, the ICO).

When you publish a collection as a shared moodboard, the URL contains a random token and is publicly accessible to anyone who has the link. Shared moodboards are NOT indexed by search engines — the page carries a noindex meta tag and /share is disallowed in robots.txt.

Only the fields you’ve enabled on the share settings appear on the moodboard (vendor, price, notes, metadata — each independently toggleable). We log the URL in standard server-access logs for 30 days. Anyone with the link can view the content until you unpublish or rotate the link in the collection’s share panel.

VADE is not directed at children under 16 and we do not knowingly collect personal data from them.

If we make a material change to this policy we’ll update the date at the top of this page and notify signed-in users by email before the change takes effect. The current version is always live at vade.design/privacy.