LithophaneLabs

Privacy

HomeOpen App

Privacy Policy

LithophaneLabs is a browser-based tool. Source images are processed on your device for preview and export generation. We do not upload your photos to any server.

Who is responsible for your data?

The data controller is:

LithophaneLabs (sole trader)

England, United Kingdom

Email: me@paddybuilds.com

What data we collect

Account data

  • Email address — required for account creation and authentication via Supabase Auth.
  • Account identifier (UUID) — unique internal ID linked to your profile.
  • Display name — optional, you choose.
  • Billing information — Stripe customer ID, subscription status, and premium expiry date. We do not store payment card details — these are handled entirely by Stripe.

Usage data

  • Export metadata — when you export a lithophane, we may record (with analytics consent): format (STL/3MF), file size, dimensions, preset used, timestamp, and your user ID (or an anonymous session hash if not signed in). We do not store email addresses in export logs.
  • Aggregate statistics — lifetime export counters (total and by format) stored without any user identifiers.

Website analytics (opt-in)

  • Vercel Analytics & Speed Insights — only loaded after you explicitly allow analytics. These services may collect anonymous usage data. You can change this at any time via Privacy settings in the footer.

Server & security logs

  • Our hosting provider (Vercel) and infrastructure may process IP addresses, request timestamps, and basic request metadata for security, abuse prevention, and reliability purposes.

Lawful basis & purposes

We process your data under the following lawful bases under UK GDPR:

  • Contract — Account creation and authentication are necessary to provide our service. Billing data is processed to fulfil your purchase contract.
  • Legitimate interests — Security logging, fraud prevention, and aggregate analytics help us maintain and improve the service. We have assessed that these interests are not overridden by your rights.
  • Consent — Optional analytics (Vercel) are only enabled after you give explicit consent via the banner or Privacy settings.

Who we share your data with

We use third-party processors who handle data on our behalf:

ProviderPurposeLocation
SupabaseAuthentication, databaseEU (Ireland)
StripePayment processingEU / Global
VercelHosting, analytics (opt-in)Global (EU/US)

International transfers

Some of our processors (Stripe, Vercel) may process data outside the UK/EEA. Where applicable, we rely on:

  • UK adequacy regulations (for transfers to the EU/EEA)
  • Standard Contractual Clauses (SCCs) approved by the UK
  • Stripe's binding corporate rules for payment data

How long we keep your data

  • Account data — retained while your account exists. Upon deletion, your profile and auth record are removed within 30 days.
  • Billing data — retained for 6 years after account closure for tax/compliance obligations (legal obligation under UK VAT Act 1994).
  • Export analytics — retained for 12 months, then automatically deleted.
  • Account deletion audit logs — retained for 7 days only, then automatically purged.
  • Server logs — typically retained for short periods (up to 30 days) by our hosting provider.

How we protect your data

  • HTTPS/TLS encryption for all data in transit between your browser and our servers.
  • Database-level access controls and Row Level Security (RLS) policies in Supabase.
  • Admin access is restricted to the sole developer and protected by strong authentication.
  • Payments are processed via Stripe's secure, PCI-DSS compliant infrastructure — we never handle raw card data.

Your rights under UK GDPR

You have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your personal data ("right to be forgotten"), with exceptions for legal retention requirements.
  • Restriction — request limitation of processing in certain circumstances.
  • Data portability — request your data in a structured, commonly used format.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, email us at me@paddybuilds.com. We will respond within one month.

Right to complain to the ICO

If you believe we have handled your data incorrectly, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator.

Website: ico.org.uk

Cookies

We do not use first-party cookies directly. However, our optional analytics partners may set cookies if you enable analytics consent.

  • Essential cookies — none used for authentication (Supabase handles this via secure tokens, not cookies).
  • Analytics cookies — only set after you grant consent via the banner or Privacy settings.

Children

Our service is not intended for children under 13. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately and we will delete it.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will post the new version here and update the "Last updated" date. For significant changes, we may notify you via email (if you have an account) or a banner on the site.

Contact

For any privacy-related requests or questions:

Email: me@paddybuilds.com

Last updated: 12 February 2026