Privacy Policy

1. What we collect

We collect three categories of personal data:

• Account data — email address and (optional) display name when you sign up. Used to authenticate you and send transactional emails.
• Calculation data — the 3D model files you upload, the printer/material parameters you choose, and the slicer output (weight, time, cost). Stored against your account so you can revisit past calculations.
• Payment data — when you buy tokens, our payment processor (Visa/Mastercard via a PCI-DSS-compliant acquirer) returns the last 4 digits of your card and the brand name. We never see or store the full card number.

We also log technical metadata (IP address, user-agent string, request timing) to detect abuse and meet our security obligations under GDPR Article 32.

2. Why we process it (legal basis)

• Contract performance (GDPR Art. 6(1)(b)) — to deliver the calculation service you signed up for and bill you for it.
• Legitimate interests (Art. 6(1)(f)) — to secure the platform from fraud, abuse, and bot traffic via rate-limits and anomaly detection on request logs.
• Legal obligation (Art. 6(1)(c)) — invoices and payment records retained for 10 years per German fiscal law (§ 147 AO).
• Consent (Art. 6(1)(a)) — for non-essential cookies and product newsletters (you can withdraw at any time without affecting prior processing).

3. How long we keep it

• Account + calculations — retained while your account is active. Deleted within 30 days of your account deletion request.
• Payment records + invoices — 10 years from the transaction date (German fiscal retention).
• Server logs — 90 days, then aggregated and anonymised for capacity planning.
• Audit log entries (security-relevant events, e.g. login failures, refund requests) — 24 months.

4. Who we share it with

We do not sell your personal data. We share it only with the processors required to run the service:

• Hosting provider (EU data centres, GDPR- aligned DPA in place). All app data lives in the EU.
• Payment acquirer — for card processing. They see card details, we don't.
• Email delivery — transactional emails (sign- up confirmation, invoices, refund updates). EU-based transactional-email provider.
• Authorities — only when legally required (court order, tax inquiry).

5. Your rights under GDPR

You have the right to:

• Request a copy of all personal data we hold about you.
• Correct any inaccurate data we hold.
• Request deletion of your data (subject to legal retention requirements above).
• Restrict processing while a dispute is being resolved.
• Receive your data in a portable, machine-readable format.
• Object to processing based on legitimate interests.
• Lodge a complaint with the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin's data protection authority) at any time.

To exercise any of these, email dpo@printastic.com. We respond within 30 days.

6. Security

We host on EU infrastructure with TLS in transit, encrypted backups at rest, and isolated dev/prod environments. Sensitive credentials (payment processor tokens) are stored in an encrypted application column. We do not store full card numbers, CVVs, or any cardholder data.

7. Changes to this policy

When we update this policy materially, we'll email all active accounts and post the updated text here at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent change.