Privacy Policy
Last updated: June 2026
1. What We Collect
- Account data: Email address, display name (optional), hashed password (managed by Supabase Auth).
- Usage data: Generation history, job status, credit transactions, machine type selections.
- Product analytics: How you use the site — pages viewed, buttons and elements you interact with, and (via session replay) a video-like reconstruction of your visit — collected through PostHog to help us improve the product. See section 4.
- Payment data: Stripe handles all payment information. We store only your Stripe Customer ID, never raw card details.
- Uploaded images: Images you upload for processing are stored temporarily in Cloudflare R2 and automatically deleted after 24 hours.
- Generated files: DXF output files are stored for 24 hours, then deleted.
- Log data: Standard server logs (IP address, request path, timestamps) for security and debugging. Logs are retained for 30 days.
2. What We Do NOT Store
- Uploaded images are not retained beyond 24 hours. We do not use your images to train our own models, and we only send them to the AI providers listed in section 4 (Google Gemini and OpenAI) to perform the transformation you requested, under their API terms.
- We do not sell or rent your personal data, and we do not share it with third parties for their own advertising.
- We do not track you across other, unrelated websites for advertising.
3. How We Use Your Data
- To operate the service (process jobs, track credits, manage your account).
- To send transactional emails (email verification, purchase receipts, bug report updates).
- To detect and prevent abuse (rate limiting, spam protection via Google reCAPTCHA).
- To understand how the site is used and improve it — using PostHog product analytics and session replay (see section 4). For signed-in users this can be tied to your account ID and email.
4. Third-Party Processors
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication | Email, profile data |
| Cloudflare R2 | File storage | Uploaded images, DXF files (24h TTL) |
| Stripe | Payment processing | Email, payment details |
| Google reCAPTCHA v3 | Bot protection on signup | Browser fingerprint, IP |
| Resend | Transactional email | Email address |
| Google Gemini API | AI image generation | Uploaded images (processed for the requested edit; not stored by Google per their API terms) |
| OpenAI (gpt-image-2) | AI image generation | Uploaded images (processed for the requested edit; not used to train OpenAI's models per their API terms) |
| PostHog | Product analytics & session replay (to measure and improve the site) | Pages viewed, in-app actions, device/browser, approximate location from IP, and session recordings. For signed-in users: account ID, email, paid status, role, country. |
| Railway / Vercel | Hosting | Log data |
Analytics & session replay (PostHog)
We use PostHog (hosted in the United States, us.i.posthog.com) as our product-analytics platform to understand how people use StencilCut and to improve the experience. Because PostHog is a broad product-analytics tool, it can do a lot — here is specifically what it does for us:
- Event & pageview tracking: records the pages you view and, via autocapture, the buttons, links, and form elements you interact with as you use the site.
- Session replay: reconstructs a video-like recording of your visit (mouse movement, clicks, navigation, and on-page changes) so we can find and fix confusing or broken flows. Sensitive inputs can be masked; we do not intend to capture passwords or payment fields.
- User identification: for signed-in users, ties this activity to your account using your user ID, email, paid status, role, and country, so we can analyze the experience across sessions and devices. Anonymous visits are kept separate until you sign in.
- Product improvement: we may also use PostHog's funnels, heatmaps, feature flags, and A/B experiments to test and roll out improvements to the site.
We use this only to operate and improve StencilCut. We do not use PostHog to sell your data or to advertise to you on other websites. If you want your analytics data removed, contact us using the details below.
5. Cookies
We use session cookies for authentication (managed by Supabase Auth) and first-party cookies / local storage for PostHog analytics (see section 4) so we can measure and improve how the site is used. We do not use third-party advertising cookies or tracking pixels, and we do not track you across unrelated websites for advertising.
6. Your Rights
- Access: You can view your account data and transaction history on your Account page.
- Deletion: To request account deletion and erasure of all associated data, email [email protected]. We will process requests within 30 days.
- Portability: You can export your transaction history from the Account page.
- Correction: Update your display name from the Account page at any time.
7. Data Security
All data is encrypted in transit (TLS 1.2+). Supabase encrypts data at rest. Access to production systems is restricted to authorized personnel only. We use Row Level Security so users can only access their own data.
8. Children's Privacy
This service is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us immediately.
9. Changes to This Policy
We will notify you by email of material changes to this policy at least 14 days before they take effect.
Contact
Privacy questions: [email protected]