OrbitrenderBack

Privacy Policy

Last Updated: 15 June 2025

1. Controller of Personal Data

This service is operated by Daniel Sánchez Díaz, a self-employed developer (natural person), responsible for the processing of personal data.

Contact: contact@orbitrender.com

Location: Barcelona, Spain.

2. Scope and Purpose

This Privacy Policy applies to your use of Orbitrender, a platform for creating, storing, and rendering 3D models. We collect data to:

  • Manage your user account
  • Authenticate via Google Sign-In
  • Process payments through Stripe
  • Store and provide access to your content
  • Respond to support requests
  • Maintain platform security and performance

3. Types of Collected Data

  • Account Data: Name and email address
  • Authentication Data: OAuth tokens
  • Payment Info: Transaction confirmation (via Stripe)
  • User Content: 3D files, renders, metadata
  • Support Data: Email content and system information
  • Usage Data: IP addresses, logs, performance metrics and cookie identifiers (e.g. _ga) if you consent to analytics.

4. Cookies and Tracking Technologies

Orbitrender uses cookies and similar technologies:

  • Essential cookies – session tokens required for authentication and security; they cannot be disabled.
  • Preference cookies – remember UI settings (e.g. language); optional but set locally and never shared with third parties.
  • Analytics cookies – Google Analytics 4 sets _ga and _ga<container-id> to collect aggregated, anonymised statistics (page views, render duration, device type). These cookies are loaded only after you give explicit consentvia the cookie banner, and IP addresses are anonymised (anonymize_ip=true).

You can withdraw consent at any time by clicking “Manage cookies” in the footer or clearing the orbit_consent cookie; analytics scripts will stop loading immediately. Full details are available in our Cookie Policy.

5. Legal Bases

  • Contractual Necessity: Account creation, authentication
  • Legal Obligation: Financial record-keeping
  • Legitimate Interests: Security, fraud prevention
  • Consent: Optional marketing (not currently in use)

6. Sharing Data with Third Parties

We disclose only the data that is strictly necessary to trusted providers:

  • Google Sign-In for authentication (name, email, token only).
  • Stripe Payments Europe for secure card processing. Card details never touch our servers.
  • EU-based cloud infrastructure that hosts the app, database and object storage under encryption and strict IAM.
  • Courts or regulators if a legally binding request compels us.

Orbitrender does not sell, rent or monetise your personal data.

7. International Data Transfers

When Google LLC or Stripe Inc. process data in the United States or Singapore, the transfer is protected by Standard Contractual Clauses (SCCs), annual Transfer Impact Assessments and technical safeguards such as TLS 1.3 in transit and AES-256 at rest. A live list of sub-processors and their locations is published on our website with 30 days’ notice before changes.

8. Data Retention

We keep personal data no longer than necessary:

  • Account data is erased 30 days after you delete your account and purged from backups within 90 days.
  • Billing records are kept five years to satisfy tax laws.
  • User files stay until you delete them or close the account, then remain in encrypted backups for 30 days.
  • Security logs and IPs are retained for up to 12 months, then aggregated or anonymised.
  • Support tickets are archived for 24 months after closure.

9. Your Rights

Under the EU GDPR you may exercise the following rights at any time:

  • Access – obtain a copy of the personal data we hold about you.
  • Rectification – correct inaccurate or incomplete data.
  • Erasure – request deletion when legal grounds apply (“right to be forgotten”).
  • Restriction – ask us to block processing while a request is assessed.
  • Portability – receive your data in a structured, machine-readable format and transmit it to another controller.
  • Objection – oppose processing based on legitimate interest or direct marketing.
  • Withdrawal of consent – revoke any consent you have given, without affecting prior lawful processing.
  • Complaint – lodge a complaint with the Agencia Española de Protección de Datos (www.aepd.es) or your local authority.

To exercise any of these rights, email contact@orbitrender.com. We will respond within one month (extendable to two months for complex requests) and may ask you to verify your identity to protect your privacy.

10. Security Measures

Orbitrender applies defence-in-depth:

  • TLS 1.3 and HSTS for all traffic; AES-256 encryption at rest.
  • bcrypt/Argon2 password hashing and optional multi-factor authentication.
  • Least-privilege IAM, vault-stored secrets and continuous audit logging.
  • Automated vulnerability scanning, weekly dependency reviews and yearly independent penetration tests.
  • 24 × 7 monitoring, intrusion detection, DDoS mitigation and a GDPR-compliant incident response plan (72-hour authority notice).
  • Geo-redundant encrypted backups verified by monthly restore tests.

11. Children

Orbitrender is not intended for users under 14 years of age (or the applicable minimum age in their jurisdiction). We do not knowingly collect children’s data; if we discover it, we delete it promptly and, where feasible, notify the guardian.

12. Policy Updates

We review this Privacy Policy at least annually and whenever our data practices or relevant laws change. Material changes will be announced 30 days in advance via in-app banner and email. All versions are archived, and the “Last modified” date reflects the current revision. Your continued use after the effective date signifies acceptance of the new terms.

13. Contact

Email: contact@orbitrender.com
Controller: Daniel Sánchez Díaz, Barcelona, Spain

© 2025 Orbitrender