Privacy Policy

VertexData is operated as an independent service based in France. We are the data controller for all personal data processed in connection with the cloud storage service available at www.rencarndata.com.

For any privacy-related questions or data requests, contact us at: contact@codeandcraft3d.com. We aim to respond to all requests within 30 days.

We collect only the data necessary to provide the service:

• Email address — collected at registration to identify your account.
• Password — stored as a one-way bcrypt hash. Your actual password is never stored or readable by us.
• Files you upload — stored encrypted (AES-256) in AWS S3, EU region (Stockholm, Sweden). The content of your files is never read or analysed by us.
• File metadata — filenames, sizes, and file types, stored in our database (Supabase, EU region). Used solely to display your file list.
• Payment data — processed by Stripe (web) and Apple App Store (iOS/Apple TV). We never store card numbers or payment method details. We store only Stripe customer IDs, Apple transaction IDs, and RevenueCat customer IDs.
• RevenueCat customer ID — stored to manage subscription entitlements across web, iOS and Apple TV. RevenueCat processes subscription events on our behalf.
• Mobile device data — if you use the iOS or Apple TV app, we collect anonymous crash reports and app version data via Apple's standard frameworks. No personal data is collected beyond what is listed above.
• Bandwidth usage logs — bytes transferred per session, used solely for billing calculations. Not shared with third parties.
• Session tokens — a JWT stored in a secure httpOnly cookie named cd_auth. Expires automatically after 7 days.

We do not use analytics trackers, advertising cookies, or sell any data to third parties.

• Account management — Contract performance (Art. 6(1)(b)): Creating and managing your account is necessary to deliver the service you signed up for.
• File storage — Contract performance (Art. 6(1)(b)): Storing and serving your files is the core purpose of the service.
• Billing records — Legal obligation (Art. 6(1)(c)): EU tax law requires invoices and payment records to be retained for 7 years. These records are kept even after account deletion.
• Security and fraud prevention — Legitimate interests (Art. 6(1)(f)): Maintaining session tokens and bandwidth logs to detect abuse and prevent unauthorised access.

• To create and manage your account
• To store and serve your files via AWS S3 (EU North region)
• To process subscription payments via Stripe (web) and, where applicable, Apple App Store and RevenueCat (iOS/Apple TV)
• To send transactional emails (receipts, password resets) — not marketing
• To enforce storage quotas and plan limits
• To detect and prevent abuse or unauthorised access

We share data only with the following sub-processors, all bound by GDPR-compliant data processing agreements:

• Account and file data: Retained until you delete your account. When you delete your account, all files and personal data are removed from our systems immediately.
• Billing records: Retained for 7 years as required by EU tax law (Art. 6(1)(c) GDPR). This is the only data retained after account deletion.
• Session tokens: Expire automatically after 7 days. Clearing your cookies or logging out invalidates the token immediately.
• Deleted files: Permanently removed from S3 within 30 days of deletion (due to S3 versioning). Files deleted via "Delete my account" are removed immediately.

As a data subject under GDPR, you have the following rights:

• Right to access (Art. 15): Email contact@codeandcraft3d.com to request a copy of all personal data we hold about you.
• Right to erasure (Art. 17): Use the "Delete my account" button in Account Settings to permanently erase your data immediately.
• Right to data portability (Art. 20): Download your files at any time from the Files section of your dashboard.
• Right to rectification (Art. 16): Update your email address in Account Settings, or contact us to correct other data.
• Right to object (Art. 21): Contact contact@codeandcraft3d.com to object to processing based on legitimate interests.
• Right to restriction (Art. 18): Contact us to request that we limit processing of your data pending a dispute.
• Right to lodge a complaint: You may contact your national data protection authority. In France: CNIL — cnil.fr.

We aim to respond to all privacy requests within 30 days.

We use a single essential cookie: cd_auth — an httpOnly, Secure, SameSite=Lax JWT cookie used solely to authenticate your session. It expires after 7 days.

We do not use tracking, advertising, or analytics cookies.

Passwords are hashed using bcrypt (cost factor 12) and never stored in plain text. All data in transit is encrypted via TLS. Files at rest in S3 are encrypted using AES-256 server-side encryption. Access to your files requires a short-lived (15-minute) presigned URL tied to your authenticated session.

We may update this policy from time to time. Material changes will be notified by email at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.

The VertexData app for iOS and Apple TV is available on the Apple App Store. When you use the app:

• Your VertexData account credentials are stored securely in the iOS Keychain using Apple's Security framework
• In-app subscription purchases are processed by Apple and subject to Apple's Privacy Policy
• We receive purchase confirmation from Apple via RevenueCat but never receive your payment details
• The app requests access to your Photo Library only when you explicitly choose to upload photos
• No location data, contacts, or other device data is collected by the app