Privacy Policy
Last updated: April 2026
1. Who We Are
ScaleCad ("we", "us", or "our") operates this website as a curated download platform for Fusion 360 CAD files, Python scripts, and related digital assets. We are the data controller responsible for your personal information collected through this platform.
For privacy-related enquiries, you can contact us at: info@scalelegno.net
2. What Data We Collect
Account Information
Accounts on this platform are restricted to site administration only and are not publicly available. If you are an administrator, we collect your email address and a hashed password. We do not store passwords in plain text.
Purchase Information
For paid downloads, we collect your payment details (processed securely by Stripe — we do not store full card numbers), your email address, and a record of what you purchased.
Download Logs
We maintain an append-only log of file download events for abuse prevention, license compliance, and security auditing. This log records which file was accessed and when.
Technical Data
Our servers and hosting provider (Vercel) may collect standard web server logs including IP addresses, browser type, and referring URLs. This data is used solely for security monitoring and is automatically deleted after 30 days.
3. Legal Basis for Processing (GDPR)
We process your personal data only where we have a lawful basis to do so under the General Data Protection Regulation (EU) 2016/679:
- •Contract performance (Art. 6(1)(b)): Processing your email and order details to fulfil your download purchase.
- •Legitimate interests (Art. 6(1)(f)): Maintaining download audit logs and server security logs to prevent fraud and abuse.
- •Legal obligation (Art. 6(1)(c)): Retaining payment and transaction records as required by applicable tax law (typically 7 years in most EU member states).
4. How We Use Your Data
- •To authenticate you and provide access to your purchased downloads
- •To process payments and send purchase confirmations
- •To detect and prevent fraud, abuse, or unauthorised access
- •To comply with our legal obligations (tax records, security incident reporting)
We do not sell your personal data to third parties. We do not use your data for automated profiling or marketing without your explicit consent.
5. Third-Party Processors
We use the following third-party services that may process your personal data on our behalf. Each is bound by a Data Processing Agreement:
Supabase (database & authentication)
Stores account credentials, order records, and download logs. Hosted on AWS infrastructure in the EU region.
Stripe (payment processing)
Handles payment card data. Stripe is PCI DSS Level 1 certified. We never see or store full card numbers. Stripe may transfer data outside the EU under Standard Contractual Clauses.
Vercel (hosting & content delivery)
Serves the website and may log request metadata (IP address, user agent). Logs are retained for 30 days.
6. Data Retention
- •Account data (admin only): Retained for as long as the account is active. Deleted within 30 days of an account deletion request.
- •Payment and order records: Retained for 7 years to meet tax and accounting obligations.
- •Download audit logs: Retained for 12 months for security and licence compliance purposes.
- •Server access logs: Retained for 30 days by our hosting provider.
7. Your Rights Under GDPR
If you are in the European Economic Area, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You can request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
You can ask us to correct inaccurate data.
Right to Erasure (Art. 17)
You can request deletion of your personal data where there is no overriding legal reason to retain it.
Right to Data Portability (Art. 20)
You can request your data in a structured, machine-readable format.
Right to Object (Art. 21)
You can object to processing based on our legitimate interests.
Right to Restrict Processing (Art. 18)
You can ask us to pause processing while a dispute is resolved.
To exercise any of these rights, email us at info@scalelegno.net. We will respond within 30 days.
8. Cookies
We use only technically necessary cookies. We do not use advertising or tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-*-auth-token | Authentication session (Supabase) | Persistent (keeps you logged in) |
9. International Data Transfers
Where personal data is transferred outside the European Economic Area (e.g. by Stripe for payment processing), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46 GDPR.
10. Supervisory Authority
You have the right to lodge a complaint with your national data protection supervisory authority. In the EU, you can find a list of authorities at edpb.europa.eu. We would, however, appreciate the opportunity to address your concern directly first.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be indicated by updating the "Last updated" date at the top of this page.