PRIVACY POLICY
1. Who We Are
MeshForge is a 3D mesh repair service operated by MeshForge Solutions Oy (Y-tunnus TBD), a company registered in Finland and co-owned by Cadwill and Dataplug. This policy explains what personal data we collect when you use MeshForge, why we collect it, and what rights you have under the EU General Data Protection Regulation (GDPR).
Contact us regarding privacy: support@meshforgesolutions.com
2. Data We Collect
Device identifier (forge_uid)
When you first visit MeshForge, we generate a random UUID and store it in your browser's localStorage under the key forge_uid. This identifier is sent with every API request as the X-Forge-Uid header. It is a persistent pseudonymous identifier and constitutes personal data under GDPR.
- Purpose: linking your jobs and orders within one browser session, enabling job history and re-downloads without requiring an account.
- Legal basis: legitimate interest (Article 6(1)(f)) — enabling a coherent service experience without a mandatory account.
- Retention: we store it in our database as long as associated jobs or orders exist. You can erase it at any time (see §5).
- The UID is not shared with Cloudflare, Stripe, or any other third party.
Mesh files you upload
Files you upload are stored in object storage (Cloudflare R2 in production, Hetzner-hosted MinIO in our development environment). They may contain intellectual property. We treat uploaded files as confidential and access them only to run the repair pipeline.
- Retention: unpaid jobs are deleted after 7 days. Files associated with a paid order are retained for 30 days to allow re-downloads, then deleted automatically.
- Legal basis: contract performance (Article 6(1)(b)).
Account email and password (optional)
Registration is optional. If you create an account, we store your email address (used as your login identifier and for transactional mail) and a salted hash of your password (Argon2id — the plaintext is never written to disk). We also store opaque session tokens for your active sign-ins and a short-lived hashed token whenever we send you a verification or password-reset link.
- Purpose: letting you reach your job history and paid downloads from multiple devices and recover access if your browser storage is wiped.
- Legal basis: contract performance (Article 6(1)(b)).
- Retention: account data is kept until you delete your account (DELETE /api/me while signed in). Verification and reset tokens expire after 24 h and 1 h respectively.
Order and payment information
When you place an order, we store the job ID, selected quality tier, amount, and (optionally) the email address you provide at checkout. We never see or store your card number, CVV, or other payment credentials — these are handled entirely by Stripe.
- Retention: order records are retained for 7 years for Finnish accounting law compliance, then deleted.
- Legal basis: contract performance (Article 6(1)(b)) and legal obligation (Article 6(1)(c)).
Server logs
Our server (Hetzner VPS, Falkenstein, Germany) keeps standard HTTP access logs, including IP address, request path, and response status. These are retained for 30 days and used for security and abuse prevention only.
3. Third-Party Data Processors
- Cloudflare — CDN and Pages (static hosting), R2 object storage. EU Standard Contractual Clauses in place. Cloudflare processes IP addresses for DDoS protection and caching.
- Stripe — Payment processing. Stripe is the data controller for card data. EU SCCs in place. We receive only payment confirmation and a session ID from Stripe.
- Hetzner — VPS hosting in Falkenstein, Germany (EU). Data processing agreement in place.
- Mailgun (Sinch) — Transactional email delivery (verification and password-reset links) from the sending domain dataplug.ovh. The Mailgun account is hosted in Mailgun's US region; transfer of your email address to Sinch in the United States relies on the EU–US Data Privacy Framework (Sinch is DPF-certified) as the Article 45 adequacy mechanism. Mailgun receives your email address, the verification or reset link, and standard SMTP envelope metadata — nothing else.
We do not use Google Analytics, Facebook Pixel, or any other third-party analytics or tracking.
4. Cookies and Local Storage
We do not use cookies. We use up to two localStorage entries: forge_uid (your device identifier — always present) and forge_session (an opaque session token, present only while you are signed in). Both are functional necessities, not tracking — without them the app cannot associate your uploaded file with your download link or keep you signed in.
5. Your Rights
Under GDPR you have the right to:
- Access the data we hold about your device identifier or registered account via GET /api/me.
- Erasure ("right to be forgotten") — send DELETE /api/me with your X-Forge-Uid header (or your session bearer token while signed in). This immediately deletes your account, all your jobs, orders, and associated files from our storage and database. Your browser's localStorage entry is cleared by the app.
- Portability, rectification, restriction, objection — contact us at support@meshforgesolutions.com.
- Lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).
6. Data Security
All data in transit is encrypted with TLS 1.2+. Object storage buckets are private; files are accessible only via short-lived signed URLs. Download tokens are cryptographically signed and expire after 24 hours. Job IDs and tokens are randomly generated (UUID4 / 32-byte random hex) and unguessable.
7. Changes to This Policy
We will post material changes to this page with an updated effective date. Continued use of the service after the effective date constitutes acceptance.
8. Contact
MeshForge Solutions Oy · Finland
support@meshforgesolutions.com