Privacy Policy
Last updated: 13 February 2026
This policy explains how Tracefinity ("we", "us") collects, uses, and protects your personal data. We are based in Ireland and comply with the General Data Protection Regulation (GDPR).
1. Data we collect
Account data
When you sign up we collect your email address and an optional display name. Your password is hashed with bcrypt and never stored in plain text.
Uploaded content
Images you upload, traced outlines, and generated 3D model files (STL/3MF). These are stored on DigitalOcean Spaces, isolated per user account.
Billing data
Payment details are handled entirely by Stripe. We store your Stripe customer ID and subscription status but never see or store your card number.
Usage data
We track the number of AI traces you make per month to enforce plan limits. We do not use third-party analytics or tracking scripts.
2. How we use your data
- To provide and maintain the Service
- To process your images via the Google Gemini API
- To manage your subscription and billing via Stripe
- To enforce usage limits
- To communicate with you about your account (e.g. password resets)
3. Third-party processors
| Service | Purpose | Data shared |
|---|---|---|
| Google Gemini API | AI image processing | Your uploaded images (processed, not stored by Google) |
| Stripe | Payment processing | Email, payment method, billing address |
| DigitalOcean | Hosting and file storage | All Service data (EU/US data centres) |
4. Cookies
We use two cookies, both functional:
- authjs.session-token -- your login session (httpOnly, secure, same-site)
- tracefinity-app-token -- passes your authentication to the core app (secure, same-site, 24h expiry)
We do not use advertising, analytics, or any other tracking cookies.
5. Data retention
Your data is kept for as long as your account is active. If you delete your account, we remove your personal data and uploaded files within 30 days. Anonymised usage statistics may be retained.
6. Your rights (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Port your data in a machine-readable format
- Object to processing
- Restrict processing
To exercise any of these rights, email [email protected]. We will respond within 30 days.
7. Security
Passwords are hashed with bcrypt. All connections use TLS. File storage is access-controlled per user. Database backups are encrypted at rest on DigitalOcean Spaces.
8. Children
The Service is not intended for anyone under 16. We do not knowingly collect data from children.
9. Changes to this policy
We may update this policy. Material changes will be communicated via email or a notice on the site.
Contact
Data controller: Tracefinity, Ireland.
Email: [email protected]