Privacy Policy

Version 2026-04-08 · Last updated 2026-04-08

This Privacy Policy explains what personal data CRAFT collects when you visit cadcraft.ai, submit a form, or install and use the CRAFT desktop product, and how we use and protect it. CRAFT is designed to minimize data collection. The desktop product does not send your project files, drawings, or model content to our servers.

In plain language

✓ Website analytics are cookieless and collect no personal data.
✓ We only process the information you give us through forms, and we use it to respond to you.
✓ The desktop product runs locally. Your project data does not leave your machine unless you explicitly opt in to a feature that requires it.
✓ We do not sell or share personal data for cross-context behavioral advertising, we do not run ads, and we do not profile users.
✓ We honor Global Privacy Control (GPC) signals.

1. Who We Are (Controller Identity)

The controller of personal data processed through the Site and the desktop product is:

[TBD — legal entity name]

Organized under the laws of [TBD — jurisdiction of incorporation]

[TBD — registered office address]

Registration number: [TBD — registration number (optional in the US)]

Privacy contact: [email protected]

We have not formally appointed a Data Protection Officer because the scale of our processing does not require one under GDPR Article 37. If that changes we will update this policy.

If CRAFT is not established in the EU or UK, a representative under Article 27 of the respective GDPR regimes will be appointed before general availability. Until then, contact [email protected] for any privacy matter.

2. What We Collect and Why

2.1 Website analytics

We use Plausible Analytics, a cookieless, privacy-friendly analytics tool. Plausible does not set cookies, does not track users across sites, and does not collect personal data. The analytics script is proxied through our own domain (/ps/script, /ps/event) so it remains functional when third-party trackers are blocked; it still sends only aggregate, anonymous traffic data. Data categories: page URL, HTTP referrer, browser type, OS type, device type, country (derived from IP, with IP discarded immediately). Purpose: to understand aggregate site usage. Retention: aggregated indefinitely; no individual record retained.

2.2 Forms on this site

When you submit the early access or contact form, we collect the fields you provide:

Name and work email (required)
Company name, team size, CAD host, topic, use case or message (as applicable)
Technical metadata: UTM parameters, HTTP referrer, submission timestamp
Acceptance record: which version of the Terms and Privacy Policy you accepted, and when

Form submissions are transported through Formspree, which acts as our data processor for delivery, and are routed to our team inbox. Purpose: to respond to your request, evaluate fit for early access, and maintain a record of your acceptance of our Terms. Retention: 24 months after last contact, then deleted or anonymized, unless a longer period is required to resolve a dispute or comply with law. We do not use form data to send unrelated marketing messages.

2.3 Desktop product (CRAFT add-in)

The CRAFT desktop product is designed around a local execution boundary. Project files, model content, drawing data, and host environment data stay on your machine. Specifically:

Telemetry is off by default. No crash reports, usage metrics, or analytics are sent unless you explicitly opt in through the product’s settings. If you opt in, you can turn it off again at any time.
License validation contacts our licensing server to refresh your seat token. This exchanges your license key and a pseudonymous device identifier derived from stable machine characteristics, so we can detect and prevent key sharing. It is not a tracking ID and is not linked to any other data source. It does not carry your name, email, or project content.
Artifact downloads fetch signed automation packages from our registry. Download logs are retained in aggregate for operational purposes (rate limiting, abuse detection) and for up to 90 days in identifiable form.
Egress disclosure. Any automation that declares network access shows its egress profile in the Preview/Validate Gate before it runs. You see where data is going before it goes.

For the full technical model, see Security & Trust.

3. Legal Basis for Processing (GDPR / UK GDPR)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

Pre-contractual steps (Art. 6(1)(b)). When you submit a form to request early access or to contact us, we process your data to take steps at your request before entering into a contract.
Performance of a contract (Art. 6(1)(b)). When you install and activate the Product, we process license data to provide the Product to you under the EULA.
Legitimate interests (Art. 6(1)(f)). We process aggregate, anonymous website analytics and pseudonymous license-validation data for the legitimate interests of understanding how our site and product are used, preventing abuse, and keeping our services secure. We have conducted a Legitimate Interests Assessment and balanced our interests against your rights.
Legal obligation (Art. 6(1)(c)). We process certain data, including license and tax records, to comply with our legal obligations.
Consent (Art. 6(1)(a)). If you opt in to desktop telemetry or to receiving newsletters, we process that data based on your consent, which you can withdraw at any time.

We do not engage in automated decision-making with legal or similarly significant effects (GDPR Art. 22). We do not intentionally collect "special category" personal data as defined in Art. 9.

4. Retention

Website analytics: aggregated, no individual record retained.
Form submissions: 24 months after last contact, then deleted or anonymized.
License and activation records: for the life of your early access participation plus up to 7 years after termination, or as required by tax and accounting law in [TBD — jurisdiction of incorporation].
Artifact download logs: up to 90 days in identifiable form, then aggregated.
Clickwrap acceptance records (which Terms version you accepted and when): for the life of your participation plus 6 years, for dispute defense.
Security incident records: as long as necessary to investigate and respond, plus any period required by law.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising. We disclose personal data only to the categories below:

Our subprocessors (see Section 6), who process data on our behalf under written agreements requiring confidentiality and security.
Professional advisors (lawyers, accountants, auditors) as needed to operate the business.
Authorities where required by valid legal process. We require valid legal process and we notify affected users where permitted by law.
Acquirers in connection with a merger, acquisition, financing, or sale of assets, subject to equivalent privacy commitments.

6. Subprocessors

We use the following third parties to deliver the Site, the licensing service, and the desktop product:

Cloudflare (United States) — website hosting, CDN, DDoS protection
Fly.io (United States) — licensing API and artifact registry hosting
Plausible (European Union) — cookieless website analytics
Formspree (United States) — contact and early access form delivery

We will update this list when we add new subprocessors and, for material changes, we will notify active early access participants at least 30 days in advance so they can object before the change takes effect. A Data Processing Addendum (DPA) is available on request from [email protected].

7. International Data Transfers

Some of our subprocessors are located in the United States. Where personal data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that the European Commission has not recognized as providing an adequate level of protection, we rely on one or more of the following transfer mechanisms:

The EU–US Data Privacy Framework, the UK Extension to the DPF, and the Swiss–US DPF, where our US subprocessors are certified under these programs.
Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), together with the UK International Data Transfer Addendum, where certification under the DPF is not available or has lapsed.
A Transfer Impact Assessment performed in line with the European Data Protection Board’s recommendations on supplementary measures, and additional technical and organizational safeguards where that assessment identifies risks.

Copies of the SCCs executed with our subprocessors and our current Transfer Impact Assessment are available to early access participants on request from [email protected].

8. Your Rights

Depending on where you live, you may have some or all of the following rights. We honor these rights regardless of whether the specific law in your jurisdiction requires us to.

Access the personal data we hold about you
Correct inaccurate data
Delete your data ("right to be forgotten")
Object to processing or request restriction of processing
Data portability: receive your data in a structured, commonly-used, machine-readable format
Withdraw consent where processing is based on consent
Opt out of direct marketing at any time
Not be subject to automated decision-making with legal or significant effects (we do not do this)
Lodge a complaint with a supervisory authority (see below)

To exercise any of these rights, email [email protected]. We will respond within one month of receiving your request, as required by GDPR Article 12(3). For particularly complex or numerous requests, we may extend this by up to two additional months and will notify you of the extension and the reason.

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with your local data protection supervisory authority. In the United Kingdom, that is the Information Commissioner’s Office (ICO). In the European Union, you can find your national authority via the European Data Protection Board.

9. California Privacy Rights (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively "CCPA"). These include the right to know what personal information we collect, use, and disclose; to correct inaccurate personal information; to delete personal information; to opt out of the sale or sharing of personal information; to limit the use of sensitive personal information; and to not be discriminated against for exercising these rights.

Notice at collection. In the prior 12 months, we have collected the following categories of personal information (as defined in Cal. Civ. Code §1798.140): identifiers (name, email, company, IP address), commercial information (inquiries about our product), internet or other electronic network activity information (page views, referrers, UTMs), and professional information (team size, role, CAD host). We collect this information from you directly through forms and, for analytics, from your use of the Site. We use it to respond to inquiries, evaluate fit for early access, deliver the Product, and understand how the Site is used.

We do not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information beyond the limited purposes permitted by Cal. Civ. Code §1798.121(a).

Global Privacy Control. We honor GPC signals as opt-out requests, even though we do not sell or share personal information for behavioral advertising in any case.

To exercise any California right, email [email protected]. We will verify your identity before responding. You may designate an authorized agent to make a request on your behalf.

10. Children’s Privacy

CRAFT is a professional tool intended for adults in a work context. We do not direct the Site or the Product to children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected personal data from a child, email [email protected] and we will delete it promptly.

11. Security

We use administrative, technical, and organizational measures appropriate to the sensitivity of the data, including encryption in transit (TLS) and at rest, access controls, and least-privilege processing. No system is perfectly secure, but we take data protection seriously as the core of our brand. To report a security issue, see our vulnerability disclosure policy.

12. Cookies

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Any cookies present are strictly necessary and set by Cloudflare to operate the edge network. See the Cookie Notice for details.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version at this URL with a new version number and effective date. Material changes that affect your rights or the purposes for which we process data will be notified in advance, by email to active early access participants or by a prominent notice on the Site, at least 30 days before they take effect.

14. Contact

[TBD — legal entity name]
[TBD — registered office address]
Privacy contact: [email protected]