Privacy Policy
1. Controller and scope
This Privacy Policy applies to the use of 3d-voxelia.com and all related Voxelia 3D services.
Marc Hammerschmidt (Voxelia 3D)
Karolingerstraße 9a
55283 Nierstein, Germany
Legal form: Sole proprietorship
Email: info@3d-voxelia.com
Phone: +49 151 16520282
Additional mandatory information is provided in the Imprint.
2. Processing purposes, data categories, and legal bases
We process personal data only where legally permitted. The table below summarizes the main processing operations under Art. 13 GDPR.
| Purpose | Data categories | Legal basis | Retention |
|---|---|---|---|
| Website delivery and IT security | IP address, timestamp, requested URL, user agent, referrer, technical error data | Art. 6(1)(f) GDPR (security, stability, abuse prevention) | Generally 14 to 30 days |
| Registration, login, and account management | Email address, name, password hash, authentication and session data | Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligations) | Until account deletion, then deletion or restriction under legal requirements |
| Order processing and delivery of our 3D services | Customer profile data, project/upload data, communication content, order and status data | Art. 6(1)(b) GDPR; where necessary Art. 6(1)(f) GDPR | Project-related data generally until completion, then according to contract terms or deletion policy |
| Contact requests and support | Name, email, phone number (optional), message content, technical request metadata | Art. 6(1)(b) GDPR (pre-contractual/contractual), Art. 6(1)(f) GDPR (support quality) | Typically up to 3 years after completion of the request |
| Payment processing and accounting | Billing data, payment status, payment provider IDs, invoice data | Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (tax/commercial law obligations) | Statutory retention periods (typically 6 to 10 years) |
| Transactional emails and delivery evidence | Email address, delivery metadata, delivery status, optional technical open/click events | Art. 6(1)(b) GDPR; for optional tracking Art. 6(1)(a) GDPR | Email delivery logs generally up to 24 months, unless longer retention is legally required |
| Optional analytics and product improvement | Pseudonymous usage events, interaction data, technical device/browser information | Only with consent: Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG | Until withdrawal of consent or expiry of analytics settings |
3. Cookies, local storage, and consent management
We use technically necessary storage mechanisms (for example session cookies and security-related storage values) to provide login, session management, and protection features.
Optional tracking/analytics mechanisms are only used based on prior consent (Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG). Any consent can be withdrawn at any time with future effect.
4. Recipients and processors
We use service providers that process personal data solely under data processing agreements pursuant to Art. 28 GDPR.
| Service provider | Role | Third-country context |
|---|---|---|
| Own hosting/server infrastructure | Platform operation, database and file processing | Germany/EU |
| Supabase | Authentication, database, API services | Primarily EU hosting; where third countries are involved only with appropriate safeguards |
| Stripe | Payment processing | Possible third-country transfer (e.g., US) with SCCs/adequacy mechanisms |
| Email provider (e.g., SMTP/Resend) | Transactional email delivery and routing | Depending on provider EU or third country; contractual safeguards in place |
| Cloud storage (e.g., AWS S3) | File storage and download delivery | Depending on configuration EU or third country with safeguards |
| Upstash Redis (optional) | Rate limiting and abuse prevention | Depending on region EU or third country with contractual safeguards |
5. International data transfers
Where data is transferred outside the EU/EEA, this is done only under Art. 44 et seq. GDPR. We rely in particular on adequacy decisions or Standard Contractual Clauses (SCCs).
For US-based providers, we additionally take into account whether certification under the EU-U.S. Data Privacy Framework exists.
6. Your rights as a data subject
Under Art. 15 to 22 GDPR, you have in particular the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent at any time with future effect (Art. 7(3) GDPR)
To exercise your rights, an informal message to the contact details above is sufficient.
7. Right to object under Art. 21 GDPR
Where we process data based on Art. 6(1)(f) GDPR, you may object at any time for reasons arising from your particular situation.
8. Right to lodge a complaint with a supervisory authority
You may lodge a complaint with a data protection supervisory authority, especially in the Member State of your habitual residence, your workplace, or the place of the alleged infringement.
For our office in Rhineland-Palatinate, the State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate is a key authority (https://www.datenschutz.rlp.de).
9. Data security (Art. 32 GDPR)
- Transport encryption (TLS) for external connections
- Role-based access control for administrative access
- Logging of security-relevant events and monitoring
- Rate limiting and anti-abuse protections
- Infrastructure hardening and regular security checks
10. Obligation to provide data and automated decisions
Where personal data is required to conclude or perform a contract, providing this data is necessary. Without it, we may be unable to provide services fully or at all.
We currently do not carry out solely automated decision-making within the meaning of Art. 22 GDPR.
11. Changes to this Privacy Policy
We update this Privacy Policy when processing activities, legal requirements, or technical processes change. The version published on this page applies.
Last updated: February 12, 2026