Privacy Policy
Last updated: June 7, 2026
1. Overview
This Privacy Policy describes how Prompt2CAD ("we", "us"), operated at prompt2cad.com, collects, uses, and protects your information when you use our Service.
Data controller. The Service is operated by Michele Lugano, a sole proprietor established in Portugal, who is the data controller for the personal data described in this Policy. For any data-protection question, contact us at support@prompt2cad.com.
2. Information We Collect
Account information. When you sign in with Google, we receive your name, email address, and profile picture from Google. This is used solely for authentication and displaying your identity within the app.
Billing information. Payment processing is handled entirely by Stripe. We do not store your credit card details. We store your credit balance in Cloudflare KV and your transaction history (amounts, timestamps, action type, token counts, internal cost) in Cloudflare D1, both keyed to your user ID.
Conversation data. Your chat messages, uploaded images, and the AI's responses are sent to Google's Gemini API for processing. Conversations (chat history, geometry code, parameters, checkpoints, renders) are stored in your browser's IndexedDB database. For signed-in users, project metadata and geometry are also synced to our servers (Cloudflare D1) so the same projects appear when you sign in on another device.
Uploaded images. Reference images you upload are sent to Google's Gemini API as part of the conversation context. They are persisted locally as part of the project, and synced to our servers for signed-in users alongside the rest of the project state.
Transactional emails. Onboarding and product emails (welcome message, tips, inspiration) are delivered through Resend. We send these to the email address Google provided at sign-in; every message contains an unsubscribe link that you can use to stop further emails at any time.
3. Lawful Basis for Processing
We process your personal data under the following legal bases (GDPR Art. 6):
- Contract performance (Art. 6(1)(b)). We process your account information, project data, parameters, geometry, and credit balance to provide the Service you contracted for when you signed up.
- Legal obligation (Art. 6(1)(c)). We retain billing and invoice records for the period required by Portuguese tax and accounting law (see Section 8, Data Retention).
- Legitimate interest (Art. 6(1)(f)). We process server logs, aggregated usage analytics, and security telemetry to operate, secure, debug, and improve the Service. You may object to this processing at any time by contacting us.
- Consent (Art. 6(1)(a)). Optional marketing communications (the onboarding email sequence and any future newsletters) are sent on the basis of consent. You can withdraw consent at any time via the unsubscribe link in any message or by contacting us.
4. Analytics
We use the following analytics and measurement services to understand how the Service is used:
- PostHog — product analytics (page views, feature usage, anonymous session data). Hosted in the European Union for our project, so analytics data does not leave the EEA. PostHog's privacy policy: posthog.com/privacy.
- Google Analytics 4 (gtag) — site-level traffic and audience measurement. GA4 uses cookies (such as _ga) and processes truncated/anonymised IP addresses. Google's privacy policy: policies.google.com/privacy.
- Google Ads (gtag) — conversion tracking for advertising. Google's privacy policy: policies.google.com/privacy.
5. Third-Party Services
The Service relies on the following third-party providers, each with their own privacy policies:
- Google — AI model provider (Gemini), authentication (Google Sign-In), audience measurement (Google Analytics 4), and conversion tracking (Google Ads). Your prompts, uploaded images, and the AI's responses are processed by the Gemini API; site usage is measured via GA4; advertising conversions are tracked via Google Ads. policies.google.com/privacy
- Stripe — Payment processing. stripe.com/privacy
- Cloudflare — Hosting, edge infrastructure, and managed storage (KV for credit balances, D1 for projects and transactions, R2 for material textures). cloudflare.com/privacypolicy
- Resend — Transactional email delivery (onboarding sequence, feedback receipts). resend.com/legal/privacy-policy
- PostHog — Product analytics (see Analytics section above). PostHog is hosted in the European Union for our project (eu.posthog.com), so analytics data does not leave the EEA. posthog.com/privacy
6. International Data Transfers
Some of the third-party providers we rely on process personal data outside the European Economic Area (EEA), primarily in the United States. We rely on the following safeguards under GDPR Art. 46 to make these transfers lawful:
- Google (Gemini, Authentication, Google Analytics 4, Google Ads) — certified under the EU-U.S. Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) additionally available.
- Stripe — DPF-certified; SCCs additionally in place.
- Cloudflare — DPF-certified; SCCs in place. Where available, data is stored in Cloudflare's EU edge infrastructure.
- Resend — DPF-certified.
- PostHog — hosted in the European Union for our project; no transfer outside the EEA.
You can request a copy of the relevant Standard Contractual Clauses by contacting us at support@prompt2cad.com.
7. Local Storage
Your project data (3D models, conversation history, parameters, checkpoints, cached renders, and settings) is stored in your browser's IndexedDB database under the name prompt2cad. Accounts created on earlier versions of the app may also retain residual entries in localStorage prefixed with 3dmg:; these are migrated automatically into IndexedDB on first use of the new schema.
For signed-in users, project metadata and geometry are synced to our servers (Cloudflare D1). Checkpoints and cached renders are local-only. Clearing your browser data will remove the local copy; synced projects can be recovered by signing in again.
8. Cookies
We use essential cookies for authentication sessions (set by Google Sign-In and our session layer). The analytics and advertising services we rely on — PostHog, Google Analytics 4, and Google Ads — may set their own cookies (for example, _ga for GA4) to measure usage and conversions. You can control cookie behaviour through your browser settings, and you can opt out of GA4 tracking site-wide by installing the Google Analytics opt-out browser add-on.
9. Data Retention
- Account data (name, email, profile picture, project metadata stored server-side) is retained for as long as your account exists. Upon a verified deletion request, we remove this data within 30 days, in line with GDPR.
- Billing and invoice records are retained for 10 years from the date of the transaction, as required by Portuguese tax law (Lei Geral Tributária, Art. 52). These records cannot be deleted on request until the retention period expires.
- Server logs (technical logs used for operating and securing the Service) are retained for up to 90 days.
- Analytics data is retained per the respective provider's policies (PostHog default is 1 year).
- Project data stored locally in your browser remains there until you clear browser data or delete the project. This storage is under your control.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction or deletion of your personal data.
- Object to or restrict processing of your data.
- Request data portability.
To exercise these rights, contact us at support@prompt2cad.com.
11. Children's Privacy
The Service is not directed to children under 13. Under Portuguese Law 58/2019, which implements GDPR Article 8, the minimum age at which a child can give valid consent to the processing of personal data by an information-society service is 13. We do not knowingly collect personal information from children under that age. If you become aware that a child under 13 has provided us with personal information, contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service. Continued use after changes constitutes acceptance.
13. Contact
For privacy-related questions, contact us at support@prompt2cad.com.