Privacy Policy
Effective Date: 13 April 2026
PrintYard ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the PrintYard marketplace platform ("Platform") at printyard.io.
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data-protection laws.
1. Data Controller
The data controller for your personal data is:
Inženirske in razvojne storitve, Borut Černe, s.p.
Erjavčeva ulica 9
5000 Nova Gorica
Slovenia
Davčna št.: 57944920
Matična št.: 7393954000
Email: info@printyard.io
2. What Personal Data We Collect
2.1. Account & Profile Data
- All users: name, email address, profile image (from Google OAuth or custom upload), account creation date.
- Credential-based accounts: password (stored as a bcrypt hash — we never store plaintext passwords).
- Google OAuth accounts: OAuth tokens (access token, refresh token, token expiry) provided by Google during sign-in.
- Client profiles: postal address, country, phone number, VAT number (optional, for business clients).
- Partner profiles: company name, description, country, city, postal address, website, phone number, VAT number.
2.2. Order & Transaction Data
- Order details: title, notes, deadline, quantity, material, colour, infill percentage, quality level.
- Bid details: price, estimated delivery days, material suggestions, status.
- Payment references: Mollie payment and order identifiers (we do not store credit card numbers or banking details — these are handled by Mollie).
- Financial records: partner amount, client total, platform fee for each order.
2.3. 3D Model & File Data
- 3D model files (STL, 3MF, OBJ, STEP) and preview images uploaded to the Platform.
- File metadata: file format, file size, bounding-box dimensions.
- Model information: title, description, category, tags, licence type, source attribution.
2.4. Communications & Reviews
- In-platform notifications (type, title, body, read status).
- Reviews and ratings left by Clients for Partners.
- Emails sent through the Platform (order confirmations, bid notifications, shipping updates).
2.5. Technical & Security Data
- Session tokens and JWT authentication data (stored in HTTP-only, secure cookies).
- Email-verification and password-reset tokens (with limited expiry).
- Rate-limiting data (request counts per IP/user to prevent abuse).
3. Legal Bases for Processing (Art. 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| Order processing, bidding & payment | Contract performance (Art. 6(1)(b)) |
| Partner verification (KYC) | Legal obligation (Art. 6(1)(c)) & legitimate interest (Art. 6(1)(f)) |
| Email notifications (order updates, shipping) | Contract performance (Art. 6(1)(b)) |
| Platform security & abuse prevention (rate limiting) | Legitimate interest (Art. 6(1)(f)) |
| Financial record-keeping & tax compliance | Legal obligation (Art. 6(1)(c)) |
| Reviews & ratings | Legitimate interest (Art. 6(1)(f)) |
| Cookie consent preferences | Consent (Art. 6(1)(a)) |
4. How We Use Your Data
We use your personal data to:
- Create and manage your user account.
- Facilitate orders, bids, and payments between Clients and Partners.
- Process payments securely via our payment provider (Mollie).
- Send transactional emails: order confirmations, bid notifications, shipping updates, review requests, and account-related communications.
- Verify Partner eligibility and business credentials.
- Calculate and record platform fees, partner earnings, and financial audit trails.
- Host and serve 3D model files and preview images.
- Display reviews and aggregate ratings on Partner profiles.
- Protect the Platform against abuse, fraud, and unauthorised access.
- Comply with legal obligations (tax records, KYC/AML requirements).
5. Who We Share Your Data With
We only share personal data with third parties when necessary to provide our services or comply with legal obligations:
5.1. Service Providers (Data Processors)
| Provider | Purpose | Data Shared |
|---|---|---|
| Mollie B.V. (Netherlands) | Payment processing | Email, order amount, order ID, billing address |
| Supabase Inc. | Database hosting & file storage | All Platform data (encrypted at rest) |
| Resend Inc. | Transactional email delivery | Email address, user name, order details in email content |
| Google (OAuth) | Authentication | Email, name, profile picture (received from Google during sign-in) |
| Vercel Inc. | Application hosting | Server logs, request metadata |
5.2. Other Users
When you place an order or submit a bid, limited profile information (name, company name for Partners, review history) is visible to the other party in the transaction. Credit card details, passwords, and full addresses are never shared with other users.
5.3. Legal & Regulatory
We may disclose personal data to law enforcement, regulatory bodies, or courts when required by applicable law or to protect our legal rights.
6. International Data Transfers
Our primary payment processor (Mollie) is based in the EU. Some of our service providers (Supabase, Resend, Vercel) are based in the United States. Where personal data is transferred outside the EEA, we ensure adequate protection through:
- EU–US Data Privacy Framework (DPF) certification of the recipient.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Other appropriate safeguards under Art. 46 GDPR.
You may request a copy of the relevant transfer safeguards by contacting us.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account & profile data | Until you delete your account, plus 30 days for backup removal |
| Order & transaction data | 7 years after order completion (tax/accounting obligation) |
| Financial records (invoices, fees) | 10 years (Slovenian accounting law) |
| 3D model files (user uploads) | Until the user deletes the model or their account |
| Email verification tokens | 24 hours (auto-expire) |
| Password reset tokens | 1 hour (auto-expire) |
| Session tokens | Until session expiry or logout |
| Reviews & ratings | Until account deletion or removal request |
| Notifications | 90 days, then automatically purged |
We use soft deletion for orders and models, meaning records are marked as deleted but retained in the database for the applicable retention period before permanent removal.
8. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restrict processing (Art. 18) — ask us to limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent (e.g., non-essential cookies).
To exercise any of these rights, contact us at info@printyard.io. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) or the supervisory authority in your EU member state of residence.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Passwords are hashed using bcrypt before storage.
- Authentication sessions use signed, HTTP-only, secure JWT cookies.
- 3D model files are stored in private buckets with time-limited signed URLs (1-hour expiry).
- Payment data is handled by PCI DSS-compliant Mollie — credit card details never reach our servers.
- Database connections use TLS encryption.
- Rate limiting protects against brute-force and abuse attacks.
- Role-based access control restricts dashboard and API access by user role.
10. Children's Privacy
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
11. Cookies
We use cookies on the Platform. For detailed information about which cookies we use and how to manage your preferences, please see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify registered users by email at least 30 days before material changes take effect. The "Effective Date" at the top of this page indicates the date of the latest revision.
13. Contact & Data Protection Enquiries
For any questions about this Privacy Policy or to exercise your data protection rights, contact us at:
Email: info@printyard.io
General support: info@printyard.io