Privacy Policy
Last updated: January 2025
1. Data Controller
The data controller responsible for your personal data is the company listed below. If you have any questions about how your data is processed, please contact us at the address provided.
2. Personal Data We Collect
When you request a quote or use our services, we collect the following personal data:
- Name and email address — provided when you submit a quote request
- 3D model files (STL format) — uploaded to generate your print quote
- Order details — selected materials, colors, quantities, and notes
- Communication records — messages exchanged regarding your order
3. Legal Basis for Processing
We process your personal data on the legal basis of contractual necessity (Article 6(1)(b) GDPR). Processing is necessary to provide you with a 3D printing quote and fulfil your order. Where required by law (e.g., tax records), we also rely on legal obligation (Article 6(1)(c) GDPR).
4. How We Use Your Data
- To generate and communicate your 3D printing quote
- To manage and fulfil your print order
- To send transactional emails (quote confirmation, order status updates, delivery notifications)
- To comply with applicable legal obligations
5. Data Retention
We retain personal data only as long as necessary for the purposes described above:
| Data type | Retention period |
|---|---|
| Quote requests and order data | 2 years after quote creation or order completion |
| Financial / invoice records | 7 years (legal obligation) |
| 3D model files | Deleted after order delivery or 6 months from quote expiry |
| Email communications | 6 months |
| Authentication session data (Clerk) | 30–90 days (managed by Clerk) |
6. Sub-processors
We share your data with the following trusted sub-processors, all operating under appropriate data processing agreements:
Clerk
Authentication and user session management · USA (SCCs in place)
Neon (PostgreSQL)
Database hosting for orders and quotes · EU (AWS eu-central-1)
Vercel
Application hosting and CDN · USA/EU (SCCs in place)
Email provider (SMTP)
Transactional email delivery · EU or USA (SCCs in place)
7. Cookies
We use only essential cookies required for authentication and session management via our identity provider (Clerk). These cookies are strictly necessary and cannot be disabled without breaking the service. We do not use advertising, analytics, or tracking cookies.
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Access: You can request a copy of the personal data we hold about you.
- Rectification: You can ask us to correct inaccurate or incomplete data.
- Erasure: You can request deletion of your data, subject to our legal retention obligations.
- Portability: You can request your data in a structured, machine-readable format.
- Restriction: You can request that we restrict processing of your data in certain circumstances.
- Objection: You can object to processing based on legitimate interests.
- Lodge a complaint: You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or your local supervisory authority.
To exercise any of these rights, please contact us at: office@toplayer.eu
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Data is encrypted in transit (TLS) and at rest. Access to personal data is restricted to authorised personnel only.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The 'Last updated' date at the top of this page reflects the most recent revision. Continued use of our services after changes are posted constitutes your acceptance of the updated policy.