← getsimplehaven.com

Privacy Policy

Product: SimpleHaven Provider: Jazz Systems LLC ("we", "us", "our") Effective Date: 2026-05-27 Version: 1.0 (Full legal version. A consumer-facing marketing version is published separately.)


TL;DR (Plain English)

We built SimpleHaven to be the most private home-visualization app on the market. Concretely:

The rest of this document is the long, legally-precise version. In a conflict between the TL;DR and the formal sections below, the formal sections control.


1. Scope

This Privacy Policy describes how Jazz Systems LLC ("we", "us") collects, uses, discloses, and protects personal information in connection with:

We address several major privacy frameworks here:

Other jurisdictions (Virginia, Colorado, Connecticut, Texas, Utah, Quebec, Brazil, etc.) have analogous statutes; we treat all users consistently with the highest-bar framework that applies to them.


2. Who We Are; How to Contact Us

Data Controller (GDPR Article 4(7)): Jazz Systems LLC Texas, USA

Privacy contact: [email protected] General legal: [email protected] EU Representative (Article 27 GDPR): Not applicable — US distribution only. UK Representative: Not applicable — US distribution only.

We do not currently meet the EU GDPR threshold requiring a Data Protection Officer (Article 37). When we do, we will appoint one and update this Policy.


3. Architecture in One Paragraph (So You Understand the Data Flows)

SimpleHaven uses Apple's CloudKit with a private container (iCloud.com.getsimplehaven.com). Within that container, Your data goes to the private database, which is part of Your iCloud storage, not ours. The technical effect is that we — Jazz Systems LLC — cannot read, copy, modify, or back up Your scans, room layouts, device assignments, or any other content You create. Apple operates the container under Apple's own privacy commitments (see https://www.apple.com/legal/privacy/data/en/icloud/). We see only StoreKit purchase metadata (product ID, transaction ID, purchase date, family-shared flag) and crash/diagnostic data that You opt to share through Apple's standard "Share with App Developers" toggle. We do not operate a separate backend that holds Your scans.


4. Categories of Information We Process

4.1 What stays on Your device and in Your iCloud (we do NOT see):

Category Examples Storage
Scan geometry Scan files from the room-scanning framework; mesh data; room dimensions; wall/floor/ceiling planes On-device + Your iCloud private CloudKit DB
Photos / camera frames Frames captured during a scan, used transiently for on-device detection; reference photos You attach to a room On-device only (frames are not persisted); attached photos go to Your iCloud DB
Depth data Depth readings from devices with a depth sensor; depth feature points Transient on-device only; not persisted
Color samples Paint color analysis from scan photos On-device + Your iCloud private DB
Furniture metadata Recognized and positioned furniture; placement positions; catalog selections On-device + Your iCloud private DB
Device assignments Which HomeKit accessory is in which room/zone; manual notes On-device + Your iCloud private DB
Room names and notes "Living Room", "Home Office", custom notes On-device + Your iCloud private DB
Theme selections Magnolia / Dark / Cyberpunk / etc. theme picks On-device + Your iCloud private DB
HomeKit state Real-time device state (light on/off, lock locked/unlocked) read via HomeKit framework Read transiently from Apple HomeKit; never persisted by us; never transmitted off-device by us
Rendered hero images Output of on-device rendering On-device cache + Your iCloud private DB

4.2 What we DO receive (limited set):

Category What we get Source Retention Legal basis (GDPR)
StoreKit purchase metadata Product ID, original transaction ID, purchase date, expiration date, environment, family-shared flag, signed JWS transaction Apple StoreKit Duration of subscription + statute of limitations on revenue/tax claims (typ. 7 yrs) Contract performance (Art. 6(1)(b)) + legal obligation (Art. 6(1)(c))
Crash and diagnostic reports (only if You opt in via iOS Settings → Privacy → Analytics & Improvements → "Share with App Developers") Anonymized crash logs, energy metrics, performance metrics — delivered through Apple's pipeline Apple (via opt-in) 90 days Legitimate interest (Art. 6(1)(f))
Support emails Whatever You voluntarily send us Direct from You 2 years from last contact Contract performance (Art. 6(1)(b))
Beta-test enrollment (if You opt in to TestFlight) Email, device model — handled by Apple Apple TestFlight While You remain in TestFlight + 90 days Consent (Art. 6(1)(a))
Web analytics on getsimplehaven.com If enabled: anonymized aggregate metrics (page views, country bucket, referrer category). We do not use third-party trackers like Google Analytics. Our own server-side analytics 13 months Legitimate interest (Art. 6(1)(f)) where lawful, consent in cookie-consent jurisdictions

4.3 What we explicitly do NOT collect:


5. Purposes of Processing

We process information for the following purposes only:

5.1 Service delivery

5.2 Billing and entitlement management

5.3 Customer support

5.4 Security and abuse prevention

5.5 Service improvement (only where lawful)

5.6 Legal compliance

We do not process information for:


6. GDPR-Specific Disclosures

6.1 Lawful Bases (GDPR Article 6)

See the "Legal basis" column in Section 4.2. In summary: we rely on contract performance for service delivery and billing, legal obligation for tax/record-keeping, legitimate interests for crash diagnostics and security (subject to Your objection right under Article 21), and consent for opt-in features such as TestFlight enrollment and any future cloud-rendering pipeline.

6.2 Special Categories of Personal Data (GDPR Article 9)

We are conservative about Article 9 risk. Article 9 covers biometric data processed for the purpose of uniquely identifying a natural person, plus health, racial origin, religious belief, political opinion, sexual orientation, and similar categories. SimpleHaven's default operation does not process Article 9 data:

If a future feature would process Article 9 data, we will (a) re-disclose, (b) seek explicit consent under Article 9(2)(a), and (c) update this Policy with a clear "what changed" notice.

6.3 International Transfers (GDPR Chapter V)

Because User Content lives in Your private CloudKit database, the geographic location of Your data is determined by Apple's iCloud regional architecture. EU users' iCloud data is typically stored in Apple's European data centers per Apple's published policies; see https://www.apple.com/legal/privacy/. For the limited data we receive (StoreKit metadata, support emails, server-side web analytics), processing occurs via Apple CloudKit and Replicate (cloud render) and is currently located in the United States. We rely on the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework where applicable, and on Standard Contractual Clauses as a backup. If You are in the EU/UK, contact [email protected] for a copy of our SCCs.

6.4 Data Subject Rights (Articles 12–22)

EU/UK residents have the following rights, subject to lawful exceptions:

To exercise any right, contact [email protected]. We will respond within 30 days of a verified request, with a possible 60-day extension where complex. We will verify Your identity via Your Apple ID email and an in-app confirmation where feasible.

6.5 Retention (Article 5(1)(e))

We retain personal data only as long as necessary for the purpose. Specific retention windows are in Section 4.2.

6.6 No "Significant Decisions" Automated Processing

We do not use automated profiling to make decisions that produce legal or similarly significant effects.


7. CCPA / CPRA-Specific Disclosures (California residents)

7.1 Categories Collected (in the 12 months prior to the Effective Date)

The categories enumerated in Cal. Civ. Code § 1798.140 that we collect are:

Statutory category What we collect Source Purpose Disclosed to
A. Identifiers Apple ID email (where You contact us), IP address (web only, transient) You; Apple StoreKit; web server logs Service delivery; support; security Apple (as processor)
G. Geolocation (coarse) Country bucket (web analytics only) Web server Aggregate analytics None
F. Internet activity Web pages visited on getsimplehaven.com (server-side, aggregated) Web server logs Site performance None
K. Inferences Aggregate, anonymized usage patterns (if and when we add telemetry; currently not collected) Web server Service improvement None
L. Sensitive personal information (CPRA) None collected in default operation

We do not collect, in the past 12 months:

7.2 Sale and Sharing

We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined in Cal. Civ. Code § 1798.140(ad) and (ah). Because we do not sell or share, the "Do Not Sell or Share My Personal Information" link required by § 1798.135 is not strictly required, but we will still honor any signal a California resident sends (including the Global Privacy Control signal on our web property).

7.3 Rights of California Residents

California residents have the following rights:

To exercise, contact [email protected]. We will verify identity via Apple ID email + an in-app confirmation where feasible. We will respond within 45 days, with a 45-day extension where complex.

Authorized agents acting on a California resident's behalf must provide signed permission and proof of identity.

7.4 Retention (CPRA § 1798.100(a)(3))

See Section 4.2 above; we do not retain personal information for longer than reasonably necessary for the disclosed purposes.

7.5 No Financial Incentives

We do not offer financial incentives in exchange for personal information.


8. Other U.S. State Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Tennessee (TIPA), Montana (MCDPA), Indiana (INCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Maryland (MODPA), Minnesota (MNCDPA), Nebraska (NDPA), Rhode Island (RIDPA), and other states with comprehensive consumer-privacy laws have rights analogous to CCPA/CPRA (access, deletion, correction, portability, opt-out of targeted advertising / sale, opt-out of profiling for legally significant decisions). We honor these rights through the same contact channel: [email protected].


9. Children's Privacy (COPPA / Apple Kids Category)

SimpleHaven is not directed to children under 13. We do not knowingly collect personal information from children under 13. The App Store rating is 4+ (suitable for ages 4 and up) but the app's primary use case (scanning and customizing a home) presumes an adult user.

If we learn we have collected personal information from a child under 13 without verifiable parental consent in compliance with COPPA (16 C.F.R. Part 312, as amended with the April 22, 2026 compliance deadline), we will delete that information promptly.

If You are a parent or guardian and believe Your child under 13 has provided personal information through SimpleHaven, contact [email protected].

COPPA 2.0 and teen protection: Should the pending Children and Teens' Online Privacy and Protection Act ("COPPA 2.0") be enacted into law, we will extend equivalent protections to users under 17 as required.


10. Apple Frameworks — Specific Disclosures

10.1 HomeKit

Per Apple's developer requirements, our use of HomeKit data is governed by the following:

10.2 Matter

Same restrictions as HomeKit. Matter accessories are accessed via Apple's Home framework on-device only.

10.3 Room Scanning

Scans are produced on-device by Apple's room-scanning framework using the depth sensor (where available) and camera input. The resulting scan file is written exclusively to Your private CloudKit database; raw camera frames are processed transiently and discarded. We do not transmit raw frames, depth data, or geometry to our servers in the default configuration.

10.4 CloudKit Private Container

Apple operates the iCloud service under Apple's iCloud Privacy commitments. SimpleHaven's CloudKit private container has the following structure:

10.5 Privacy Manifest (PrivacyInfo.xcprivacy)

Per Apple's privacy-manifest requirements (effective spring 2024), SimpleHaven includes a PrivacyInfo.xcprivacy file declaring all data types we access and the Required Reason API uses. We update this file as the codebase evolves.


11. Automated and Generative Features

11.1 On-Device by Default

The Application performs all automated inference on-device unless and until We explicitly offer a cloud-rendering opt-in. The on-device stack includes:

None of these models train on Your data. The models are frozen at the version we ship; running inference on Your scans does not improve them.

11.2 Generative Model License Compliance

The generative models used for on-device rendering are licensed under the CreativeML Open RAIL++-M License (and openrail++ variant), which contains use-based restrictions prohibiting use to generate or propagate content that, among other things, (a) defames, harasses, abuses, threatens, or is harmful to others; (b) discriminates against individuals or groups; (c) violates applicable law; (d) generates personal data without consent or for unlawful purposes; (e) creates non-consensual deepfakes or sexual content involving real persons; or (f) is used in the administration of justice or law enforcement without human oversight.

By using SimpleHaven's rendering features, You agree to comply with these use-based restrictions. See OPEN_SOURCE_ATTRIBUTIONS.md for the full text and pointers to the upstream license.

11.3 Future Cloud Rendering (Not Currently Active)

If we ever offer a cloud-rendering option (for example, to render a higher-quality hero image than the on-device model can produce on older hardware), it will:

We will update this Policy with full specifics before launching any such feature.


12. Cookies and Web Analytics (getsimplehaven.com)

The getsimplehaven.com marketing website may use:

A cookie banner conformant with the EU ePrivacy Directive will be presented to EU/UK visitors. The Global Privacy Control browser signal will be honored as an opt-out request.


13. Affiliate Links

When You click an affiliate link in SimpleHaven or on getsimplehaven.com, the third-party retailer (e.g., a paint or furniture brand) may set its own cookies and may collect data about Your visit per its own privacy policy. We share with affiliate networks only aggregate click data (e.g., "user clicked from SimpleHaven" plus the product SKU). We do not share Your name, Apple ID, email, precise location, or Your home/scan data. See TERMS_OF_SERVICE.md Section 9 for our FTC affiliate-disclosure practices.


14. Security

We follow industry-standard practices to protect personal information:

No system is 100% secure. If a breach occurs that affects Your personal information, we will notify You and the relevant regulator(s) in accordance with applicable law (e.g., GDPR Article 33 — within 72 hours where required; state-level breach-notification laws).


15. Children's Family Sharing Considerations

Apple Family Sharing entitles a family organizer to share an in-app purchase with up to five additional family members. If a family member is under 13:

Apple, not we, controls who can be added to a Family group and what content is shared.


16. Government and Law-Enforcement Requests

We respond to legally valid requests from government and law-enforcement authorities. Because Your content lives in Your iCloud private database, in most cases authorities would need to direct their request to Apple, not to us. When we do receive a request:


17. Changes to This Policy

We may update this Policy from time to time. Material changes (e.g., a new category of data we collect, a new processing purpose) will be:

The "Effective Date" at the top of this document indicates when the current version took effect.


18. Specific Statutory Rights — Summary

Jurisdiction Right of access Right to delete Right to correct Right to opt out of sale/share Right to limit sensitive PI Right to portability Appeal right
EU/UK (GDPR) Yes (Art. 15) Yes (Art. 17) Yes (Art. 16) N/A (we don't sell) N/A (we don't collect Art. 9) Yes (Art. 20) Yes (Supervisory authority)
California (CCPA/CPRA) Yes (§ 1798.110) Yes (§ 1798.105) Yes (§ 1798.106) Yes (§ 1798.120) Yes (§ 1798.121) — but we don't collect Yes (subset of access) Yes
Virginia (VCDPA) Yes Yes Yes Yes N/A Yes Yes
Colorado (CPA) Yes Yes Yes Yes N/A Yes Yes
Connecticut (CTDPA) Yes Yes Yes Yes N/A Yes Yes
Texas (TDPSA) Yes Yes Yes Yes N/A Yes Yes
Utah (UCPA) Yes Yes No Yes N/A Yes Yes
Other comprehensive-privacy states Approximate equivalents per applicable statute

19. Contact

Jazz Systems LLC (operator of SimpleHaven) Attn: Privacy Team Texas, USA

Privacy: [email protected] Security: [email protected] General Legal: [email protected]

SimpleHaven v1 is distributed in the United States only; an EU/UK Article 27 representative is therefore not applicable. The GDPR/UK GDPR disclosures in this Policy are provided for transparency and will govern if and when EU/UK distribution begins, at which point a representative will be appointed.


20. Revision History

Version Effective Date Changes
1.0 2026-05-26 Initial version.
1.0.1 2026-05-27 SimpleNest → SimpleHaven rename pass; effective-date refresh. No substantive policy changes.

End of Privacy Policy.