PRIVACY POLICY

1. Who We Are

FORGE is a 3D mesh repair service operated by FORGE Oy (Y-tunnus TBD), a company registered in Finland and co-owned by Cadwill and Dataplug. This policy explains what personal data we collect when you use FORGE, why we collect it, and what rights you have under the EU General Data Protection Regulation (GDPR).

Contact us regarding privacy: privacy@forge3d.fi

2. Data We Collect

Device identifier (forge_uid)

• Purpose: linking your jobs and orders within one browser session, enabling job history and re-downloads without requiring an account.
• Legal basis: legitimate interest (Article 6(1)(f)) — enabling a coherent service experience without a mandatory account.
• Retention: we store it in our database as long as associated jobs or orders exist. You can erase it at any time (see §5).
• The UID is not shared with Cloudflare, Stripe, or any other third party.

Mesh files you upload

Files you upload are stored in object storage (Cloudflare R2 in production, Hetzner-hosted MinIO in our development environment). They may contain intellectual property. We treat uploaded files as confidential and access them only to run the repair pipeline.

• Retention: unpaid jobs are deleted after 7 days. Files associated with a paid order are retained for 30 days to allow re-downloads, then deleted automatically.
• Legal basis: contract performance (Article 6(1)(b)).

Order and payment information

When you place an order we store: the job ID, selected quality tier, amount, and (optionally) the email address you provide at checkout. We never see or store your card number, CVV, or other payment credentials — these are handled entirely by Stripe.

• Retention: order records are retained for 7 years for Finnish accounting law compliance, then deleted.
• Legal basis: contract performance (Article 6(1)(b)) and legal obligation (Article 6(1)(c)).

Server logs

Our server (Hetzner VPS, Falkenstein, Germany) logs standard HTTP access logs including IP address, request path, and response status. These are retained for 30 days and used for security and abuse prevention only.

3. Third-Party Data Processors

• Cloudflare — CDN and Pages (static hosting), R2 object storage. EU Standard Contractual Clauses in place. Cloudflare processes IP addresses for DDoS protection and caching.
• Stripe — Payment processing. Stripe is the data controller for card data. EU SCCs in place. We receive only payment confirmation and a session ID from Stripe.
• Hetzner — VPS hosting in Falkenstein, Germany (EU). Data processing agreement in place.

We do not use Google Analytics, Facebook Pixel, or any other third-party analytics or tracking.

4. Cookies and Local Storage

We do not use cookies. We use one localStorage entry (forge_uid) to store your device identifier. This is a functional necessity, not tracking — without it the app cannot associate your uploaded file with your download link.

5. Your Rights

Under GDPR you have the right to:

• Access the data we hold about your device identifier via GET /api/me/history.
• Erasure ("right to be forgotten") — send DELETE /api/me with your X-Forge-Uid header. This immediately deletes all your jobs, orders, and associated files from our storage and database. Your browser's localStorage entry is cleared by the app.
• Portability, rectification, restriction, objection — contact us at privacy@forge3d.fi.
• Lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

6. Data Security

All data in transit is encrypted with TLS 1.2+. Object storage buckets are private; files are accessible only via short-lived signed URLs. Download tokens are cryptographically signed and expire after 24 hours. Job IDs and tokens are randomly generated (UUID4 / 32-byte random hex) and unguessable.

7. Changes to This Policy

We will post material changes to this page with an updated effective date. Continued use of the service after the effective date constitutes acceptance.

8. Contact

FORGE Oy  ·  Finland
privacy@forge3d.fi