Privacy Policy
Before launch: this policy describes the architecture as we understand it (Supabase for auth, database and storage; Stripe for payments; Netlify for hosting; client-side geometry). Verify every claim against what the app actually does before publishing — a privacy policy that misdescribes your processing is itself a compliance problem. Add your legal entity, a contact address, and an EU/UK representative if you have users there.
This policy explains what [LEGAL ENTITY NAME] ("Shadow Forge", "we") collects when you use the Shadow Forge website and application, why we collect it, and what control you have over it.
The short version: we collect the minimum needed to run your account. Your photos and geometry are processed in your own browser, not on our servers. We do not sell your data, and we do not run advertising trackers.
Contents
1. What we collect
| Category | What | Why |
|---|---|---|
| Account | Email address, hashed password, account creation date | To create and secure your account and sign you in |
| Profile | Any name, organisation or address you choose to enter | To personalise the app and populate drawing title blocks |
| Your work | Tool outlines, drawer layouts, toolbox metadata, uploaded photos | To store your library and sync it across your devices |
| Subscription | Plan, status, billing period, Stripe customer and subscription ids | To give you the access you paid for |
| Payment | Handled by Stripe. We receive the last four digits and card brand only | To show you which card is on file. We never see your full card number |
| Technical | IP address, browser type, timestamps in server and auth logs | Security, abuse prevention, and debugging |
We do not collect location data, contacts, or advertising identifiers, and we do not build behavioural profiles.
2. Where your geometry is processed
This is the part most privacy policies would not tell you, and it matters here.
Every step that produces geometry runs client-side, inside your browser. Separating a tool from the background, tracing its outline, applying kerf offset and fillets, generating the 3D pocket mesh, and writing the DXF, STL and PDF — all of it happens on your own machine. That work does not require sending anything to us, and we do not send it.
What is stored on our servers is the result, if you are signed in: your outlines, drawer layouts and any photos you chose to save, held in your account so you can reach them from another device. You can delete any of it at any time.
If you use the app without an account, nothing leaves your browser at all.
3. Why we use it
We use your information to: operate and secure the Service; authenticate you; store and sync your library; process subscriptions and payments; provide support you ask for; comply with legal obligations; and send you service messages (billing, security, material changes to terms).
We will only send you marketing email if you opt in, and every marketing email has a one-click unsubscribe. Service messages are not marketing and you cannot opt out of them while you hold an account.
Before launch: if you operate in the EU/UK, state your GDPR lawful basis per purpose — contract for account and billing, legitimate interests for security and abuse prevention, consent for marketing.
4. Who we share it with
We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We share it only with processors who help us run the Service:
| Processor | Purpose | Data |
|---|---|---|
| Supabase | Database, authentication and file storage | Account, profile, your work |
| Stripe | Payments, checkout and subscription management | Email, payment details, subscription state |
| Netlify | Website and application hosting | Technical / request logs |
We may also disclose information if required by law, to enforce our terms, or to protect the rights and safety of our users — and we will tell you unless legally barred from doing so. If we are ever acquired, your information may transfer as part of that transaction; you will be notified.
Before launch: confirm this processor list is complete and current, including any email-sending service, error tracker or analytics tool that gets added later.
5. How long we keep it
| Data | Retention |
|---|---|
| Account and your work | For as long as your account is open |
| After you delete your account | Deleted from live systems; backups age out on their own cycle |
| Billing and tax records | Kept as long as tax and accounting law requires, typically 7 years |
| Server and auth logs | A short rolling window for security and debugging |
Before launch: replace the vague retention windows with the real numbers once you have confirmed your backup cycle and log retention. "Backups age out on their own cycle" is not a defensible answer to a regulator.
6. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal information, to object to processing, and to withdraw consent. You can do much of this yourself in the app's Settings. For anything else, contact us and we will respond within the time the law allows — 30 days in most cases.
We will not discriminate against you for exercising these rights. If you are in the EEA or UK you may also complain to your local supervisory authority.
7. Security
See our Security page for how we protect your data. In short: encryption in transit and at rest, row-level security so accounts cannot read each other's data, hashed passwords, and secrets held outside the client.
8. International transfers
We are based in [STATE / COUNTRY] and our infrastructure runs in the United States. If you access the Service from elsewhere, your information will be transferred to and processed in the United States, which may have different data protection laws than your country.
Before launch: if you have EEA/UK users, you need a lawful transfer mechanism — Standard Contractual Clauses with your processors — and you should name it here.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information. If you believe a child has given us information, contact us and we will delete it.
10. Changes
We may update this policy. If a change materially affects your rights, we will notify you by email or in the app before it takes effect. The "last updated" date at the top always reflects the current version.
11. Contact
Questions, requests, or complaints about privacy: contact us.
Before launch: regulators expect a postal address and a named contact (or DPO, if you need one). Add them.
