Privacy Notice for Vectreal

Last updated April 03, 2025

This Privacy Notice for Vectreal ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

• Visit our website at http://www.vectreal.com, or any website of ours that links to this Privacy Notice, hosted using Cloudflare's infrastructure.
• Use vectreal's 3D Saas Platform which provides powerful open-source 3D model generation and editing tools, with data storage and management via Supabase.
• Engage with us in other related ways, including any sales, marketing, or events.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed, although we rely on third-party providers like Supabase, Google Cloud Platform, and Stripe for key infrastructure and services. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at info@vectreal.com.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. This includes information you provide directly, data collected automatically (e.g., via Cloudflare Turnstile for security), and data received from third-party logins like Google. Data is stored using Supabase. Learn more about personal information you disclose to us and information automatically collected.

Do we process any sensitive personal information? We do not process sensitive personal information.

Do we collect any information from third parties? We receive information from Google if you use Google login, and payment information is processed via Stripe. We use Supabase for backend services and Cloudflare for hosting and security, which process data on our behalf.

How do we process your information? We process your information to provide, improve, and administer our Services (using infrastructure from Supabase and Cloudflare), communicate with you, for security (including CAPTCHA verification via Cloudflare Turnstile) and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.

In what situations and with which types of parties do we share personal information? We share information with necessary third-party service providers, including Supabase (database, auth, storage), Stripe (payments), Cloudflare (hosting, security, CAPTCHA), Google (auth), and AI Service Providers (like Replicate). Learn more about when and with whom we share your personal information.

How do we keep your information safe? We rely on the organizational and technical processes of both our own and our key providers like Supabase and Cloudflare to protect your personal information. However, no electronic transmission or storage is 100% secure. Learn more about how we keep your information safe.

What are your rights? Depending on your geographic location, applicable privacy law may grant you certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights? The easiest way is by visiting vectreal.com/profile (accessing data managed via Supabase) or by contacting us. We will act upon requests according to applicable data protection laws.

Want to learn more? Review the Privacy Notice in full.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?
6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
7. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?
8. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
9. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
10. HOW LONG DO WE KEEP YOUR INFORMATION?
11. HOW DO WE KEEP YOUR INFORMATION SAFE?
12. WHAT ARE YOUR PRIVACY RIGHTS?
13. CONTROLS FOR DO-NOT-TRACK FEATURES
14. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
15. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?
16. DO WE MAKE UPDATES TO THIS NOTICE?
17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us, which is stored and managed using Supabase infrastructure.

We collect personal information that you voluntarily provide when you register (authentication handled via Supabase), express interest in our products/Services, participate in activities, or contact us.

Personal Information Provided by You: The info collected depends on your interactions, choices, and the features you use. It may include:

• names
• email addresses
• passwords (securely managed by Supabase Auth)
• billing addresses
• debit/credit card numbers (processed by Stripe)
• contact or authentication data (managed by Supabase Auth)
• Uploaded photos and generated images (stored via Supabase Storage)

Sensitive Information: We do not process sensitive information.

Payment Data: We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is handled and stored by Stripe Inc. You may find their privacy notice link(s) here: https://stripe.com/en-de/privacy.

Social Media Login Data: We may provide options to register/log in using third-party social media accounts, specifically Google. If you choose this, Supabase Auth facilitates the connection, and we receive certain profile information from Google. This typically includes your name, email address, profile picture, and other info you choose to make public via Google. We use this info only for purposes described in this notice or otherwise stated. We do not control and are not responsible for other uses by Google. Review Google's privacy notice.

Application Data: If you use our application(s), we may collect info if you grant access/permission:

• Mobile Device Access: May request access to device features (e.g., camera, storage).
• Push Notifications: May request to send push notifications regarding your account or features. You can change access/permissions in device settings.

Key Fact: This information is primarily needed to maintain the security and operation of our Services (relying on Supabase and Cloudflare), for troubleshooting, and internal analytics/reporting.

All personal information you provide must be true, complete, and accurate, and you must notify us of changes.

Information automatically collected

In Short: Some information (IP address, browser/device characteristics, interaction data for CAPTCHA) is collected automatically when you visit our Services, often facilitated by Cloudflare.

We automatically collect certain information when you visit, use, or navigate the Services. This doesn't reveal your specific identity but includes device/usage info like IP address, browser/device characteristics, OS, language preferences, referring URLs, device name, country, location, info about how/when you use Services, and technical info. This is needed for security, operation (leveraging Cloudflare infrastructure), internal analytics, and reporting.

Crucially, to protect against bots and abuse, we use Cloudflare Turnstile, an invisible CAPTCHA service. When you interact with parts of our site protected by Turnstile, Cloudflare automatically collects certain information about your browser, device, and interaction patterns to verify you are human. This processing is handled by Cloudflare according to their privacy policy.

Like many businesses, we also collect information through cookies and similar technologies.

The information we collect includes:

• Log and Usage Data: Service-related, diagnostic, usage, performance info automatically collected by our systems and infrastructure providers (Cloudflare, Supabase) (IP address, device info, browser type/settings, activity timestamps, pages viewed, searches, device event info, hardware settings, error reports).
• Device Data: Computer, phone, tablet info (IP address, device/application IDs, location, browser type, hardware model, ISP/mobile carrier, OS, system configuration).
• Location Data: Precise or imprecise device location info. Collection depends on device type/settings. GPS and other tech may be used. You can opt out by refusing access or disabling Location settings.
• Cloudflare Turnstile Data: Data collected by Cloudflare for CAPTCHA verification purposes, as described above.

Information collected from other sources

In Short: We may collect limited data from public databases, marketing partners, social media platforms (like Google via login), and other outside sources.

To enhance our ability to provide relevant marketing, offers, and services and update records, we may obtain info from other sources like public databases, joint marketing partners, affiliate programs, data providers, social media platforms, and other third parties. This includes mailing addresses, job titles, email addresses, phone numbers, intent data, IP addresses, social media profiles/URLs, and custom profiles for targeted advertising and event promotion. If interacting via social media (e.g., Facebook), we receive info like name, email, gender, birthday, current city, profile pic URL, based on your social media settings. If interacting via social media (e.g., using Google login), we receive info like name, email, based on your Google account settings.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, administer Services (using Supabase, Cloudflare), communicate, ensure security/fraud prevention (using Cloudflare Turnstile), and comply with law. We may also process for other purposes with your consent.

We process personal information for various reasons, depending on your interaction with our Services, including:

• To facilitate account creation and authentication and manage user accounts (using Supabase Auth).
• To deliver and facilitate delivery of services (hosted on Cloudflare, data managed via Supabase).
• To respond to inquiries and offer support.
• To send administrative information.
• To fulfill and manage orders, payments (via Stripe), returns, and exchanges.
• To enable user-to-user communications (with each user's consent).
• To request feedback.
• To send marketing and promotional communications.
• To deliver targeted advertising.
• To protect our Services (fraud monitoring/prevention, CAPTCHA verification via Cloudflare Turnstile).
• To identify usage trends.
• To save or protect an individual's vital interest.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

In Short: We only process your personal information when we believe it's necessary and have a valid legal reason (legal basis) under applicable law, like with your consent, to comply with laws, provide services, fulfill contractual obligations, protect your rights, or fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The GDPR and UK GDPR require us to explain the valid legal bases we rely on. We may rely on:

• Consent: If you gave specific permission for a particular purpose. You can withdraw consent anytime (see Section 12). Withdrawal doesn't affect processing before withdrawal.
• Performance of a Contract: When processing is necessary to perform a contract you're party to, or take steps pre-contractually at your request.
• Legitimate Interests: When processing is necessary for our legitimate business interests, provided they don't override your interests and fundamental rights/freedoms. Examples: send marketing info, analyze service usage for improvement, diagnose problems, prevent fraud, support activities. We won't use it if your interests override ours, unless we have consent or legal obligation.
• Legal Obligations: When necessary to comply with our legal obligations (e.g., cooperate with law enforcement/regulatory agencies, exercise/defend legal rights, disclose info in litigation).
• Vital Interests: When necessary to protect your vital interests or those of a third party (e.g., situations involving potential threats to safety).

If you are located in Canada, this section applies to you.

We may process your information if you gave express consent for a specific purpose, or where consent can be implied (e.g., inferred from actions). You can withdraw consent anytime (see Section 12).

In limited cases, law may permit processing without consent, e.g.:

• Investigation of potential law breach suggests collection is reasonable.
• For journalistic, artistic, literary purposes.
• It was produced in employment, business, professional capacity and collection is consistent with purpose produced.
• For identifying injured, ill, deceased person and contacting next of kin.
• Reasonable grounds to believe individual victim of financial abuse.
• Necessary to assess, process, settle insurance claim.
• For witness statement in insurance claim.
• Necessary to respond to emergency threatening life, health, security.
• For statistical, scholarly study, research purposes if conditions met.
• If publicly available and specified by regulations.
• If required by law. (This section remains the same as the previous version)

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share information with necessary third-party service providers including Supabase, Stripe, Cloudflare, Google, and AI service providers like Replicate.

Vendors, Consultants, Other Third-Party Service Providers: We share data with third-party vendors, service providers, contractors, agents who perform services for us or on our behalf and require access to such info. This includes core infrastructure and service providers. Unless described here, we don't share, sell, rent, trade info with third parties for promotional purposes.

We have contracts designed to safeguard your personal information with these providers.

Categories of third parties we share personal information with:

• Cloud Infrastructure Providers: Supabase (Database, Authentication, Storage), Cloudflare (Hosting, CDN, Security, CAPTCHA).
• Payment Processors: Stripe Inc.
• Authentication Services: Google (if using Google login via Supabase Auth).
• AI Service Providers: Replicate (for specific AI features).
• Ad Networks
• Affiliate Marketing Programs
• Communication & Collaboration Tools
• Data Analytics Services (e.g., Google Analytics)
• Data Storage Service Providers (covered by Supabase)
• Finance & Accounting Tools
• Government Entities (if legally required)
• Order Fulfillment Service Providers
• Performance Monitoring Tools
• Product Engineering & Design Tools
• Retargeting Platforms
• Sales & Marketing Tools
• Social Networks (related to Google Login)
• Testing Tools
• User Account Registration & Authentication Services (covered by Supabase, Google)
• Website Hosting Service Providers (covered by Cloudflare)

We may also need to share in these situations:

• Business Transfers: In connection with/during negotiations of merger, sale of assets, financing, acquisition of all/part of our business.

5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?

In Short: We are not responsible for the safety of information you share with third parties we may link to (like Stripe, Google, Supabase, Cloudflare policies) but are not directly affiliated with our core service offering.

Services may link to third-party websites, online services, apps, and/or contain ads from non-affiliated third parties. We make no guarantee regarding such third parties and aren't liable for loss/damage from their use. Links/ads don't imply endorsement. We can't guarantee safety/privacy of data you provide them. Data collected by them isn't covered by this notice. We aren't responsible for content, privacy/security practices of third parties. Review their policies and contact them directly. We aren't responsible for content, privacy/security practices of third parties, including those linked from our Services (e.g., Stripe, Google, Supabase, Cloudflare). Review their policies and contact them directly.

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We may use cookies and similar tech (potentially including those set by Cloudflare or other integrated services) to collect/store information.

We may use cookies, web beacons, pixels to gather info. Some help maintain security, prevent crashes, fix bugs, save preferences, assist with basic site functions.

We permit third parties/service providers online tracking on Services for analytics and advertising (manage/display ads, tailor ads to interests, abandoned cart reminders). They use tech for tailored ads on our Services or other sites.

If these are deemed "sale"/"sharing" (incl. targeted advertising) under US state laws, you can opt out via methods in Section 14.

Specific info on tech use and refusal options is in our Cookie Notice: vectreal.com/cookies.

Google Analytics

We may share info with Google Analytics to track/analyze Service use. Features used may include: Remarketing, Demographics/Interests Reporting, Display Network Impressions Reporting.

• Opt out of Google Analytics tracking: https://tools.google.com/dlpage/gaoptout.
• Opt out of Advertising Features via Ads Settings and mobile Ad Settings.
• Other opt-outs: http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice.
• Google Privacy & Terms: https://policies.google.com/privacy.

We permit third parties/service providers (including potentially Cloudflare as part of its services) online tracking on Services for analytics and advertising

7. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

In Short: We offer AI products/features using third-party providers like Replicate.

We offer AI Products to enhance experience and provide innovative solutions. This Notice governs their use.

Use of AI Technologies: We provide AI Products via third-party AI Service Providers (e.g., Replicate). Your input, output, personal info will be shared with and processed by these providers for purposes outlined in Section 3[cite: 149, 150]. Do not violate provider terms/policies.

Our AI Products: Designed for functions like:

• Image generation
• Image analysis

How We Process Your Data Using AI: Handled per our Privacy Notice and third-party agreements. Ensures high security and safeguards.

8. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you use Google login (facilitated by Supabase Auth), we may access certain info about you from Google.

Services offer registration/login via third-party social media, specifically Google, integrated via Supabase Auth. Choosing this means sharing certain profile info with us from Google. Info received depends on Google and your privacy settings, but typically includes name, email, profile picture.

We use info only for purposes described here or disclosed on Services. We don't control/aren't responsible for other uses by Google. Review Google's policies.

9. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: We may transfer, store, process your information in countries other than your own, including where our servers (United States) and our service providers (like Supabase, Cloudflare, Stripe, Google, Replicate) operate.

Our primary servers are in the United States. Your information will be processed here and potentially in other countries where our third-party service providers (Supabase, Cloudflare, Stripe, Google, Replicate) maintain facilities. Data protection laws in these countries may differ from yours.

We will take measures to protect info per this notice and applicable law, relying on mechanisms like the EU-US/UK-US Data Privacy Framework (where applicable for US transfers) and contractual clauses with our providers.

EU-US / UK-US Data Privacy Framework: We comply with EU-US Data Privacy Framework (DPF) and UK Extension regarding transfer from EU/UK. We certified adherence to DPF Principles. If conflict between this notice and Principles, Principles govern. Learn more: https://www.dataprivacyframework.gov/.

We adhere to DPF Principles for transfers, including onward transfer liability (remain liable if third parties process inconsistently, unless we prove not responsible).

FTC has jurisdiction over our DPF compliance. We may need to disclose info to public authorities (e.g., law enforcement).

For unresolved DPF complaints, contact our US-based dispute resolution provider (free): Data Privacy Framework Services. If still unresolved, you may invoke binding arbitration.

10. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep information as long as necessary (e.g., while your account managed via Supabase is active), unless longer retention required/permitted by law.

We keep personal information only as long as needed for purposes set out in this notice, unless longer period required/permitted by law (e.g., tax, accounting, legal). No purpose requires keeping info longer than user account remains active.

No purpose requires keeping info longer than user account (managed via Supabase) remains active. When no ongoing legitimate business need exists, we delete or anonymize info stored in Supabase. If not possible (e.g., backup archives), we securely store and isolate it until deletion possible.

11. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect info via organizational/technical security measures, relying significantly on the security practices of Supabase and Cloudflare.

We implement appropriate technical/organizational security measures. We rely heavily on the security infrastructure and practices of our core providers, Supabase (for data storage, auth) and Cloudflare (for network security, hosting, CAPTCHA). However, despite safeguards from us and our providers, no transmission/storage is 100% secure. Transmission to/from Services is at your own risk. Access Services only within secure environment.

12. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: In some regions (EEA, UK, Canada), you have rights allowing greater access/control over personal information stored in Supabase. You can review, change, terminate your account anytime.

Regions like European Economic Area (EEA), UK, Canada grant specific rights under applicable data protection laws:

• Access/copy of your personal information.
• Request correction or erasure.
• Restrict processing.
• If applicable, data portability.
• In certain circumstances, object to processing. To make requests regarding data stored via Supabase, use contact details below (Section 17) or your profile settings. If relying on consent, you can withdraw it anytime. Withdrawal doesn't affect prior lawful processing or processing on other legal bases.

If in EEA/UK and believe unlawful processing, you can complain to your Member State data protection authority or UK authority. Swiss residents can complain to Federal Data Protection and Information Commissioner.

Withdrawing Consent: Use contact details (Section 17) or account settings.

Opting out of marketing: Unsubscribe via link in emails or contact us (Section 17). You'll be removed from marketing lists but may still receive service-related messages.

Account Information: Review/change info or terminate account (managed via Supabase) anytime by:

• Logging into account settings.
• Contacting us (Section 17). Upon termination request, we deactivate/delete account/info from active Supabase databases.

Cookies: Most browsers accept cookies by default. You can usually set browser to remove/reject cookies (may affect features). Opt-out info for interest-based advertising: http://www.aboutads.info/choices/. More info in Cookie Notice: vectreal.com/cookies.

If you have questions/comments about rights, email info@vectreal.com.

13. CONTROLS FOR DO-NOT-TRACK FEATURES

Most browsers and some mobile OS/apps include Do-Not-Track (DNT) feature/setting you can activate to signal privacy preference not to have online Browse activity monitored/collected. No uniform tech standard for recognizing/implementing DNT signals exists yet. Thus, we currently do not respond to DNT browser signals or other mechanisms automatically communicating your choice. If standard adopted later, we'll inform you via revised notice.

14. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: Yes, if you reside in certain US states (e.g., California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, Vermont), you have specific rights regarding personal information access and use.

State-Specific Rights: Refer to specific state laws for details (e.g., CCPA/CPRA for California)[cite: 198, 199]. General rights may include:

• Right to Know/Access: Request disclosure of categories/specific pieces of personal info collected, sources, purpose, third parties shared with.
• Right to Delete: Request deletion, subject to exceptions.
• Right to Correct: Request correction of inaccurate info.
• Right to Opt-Out of Sale/Sharing/Targeted Advertising: Direct us not to sell/share personal info (sharing often includes targeted advertising). We do not sell personal info as traditionally defined. We may share for targeted advertising (see Section 6). To opt out of sharing/targeted ads, use methods in Cookie Notice or contact us.
• Right to Limit Use/Disclosure of Sensitive Personal Information (SPI): If we collect SPI, you may have right to limit its use. We do not collect SPI.
• Right to Non-Discrimination: Not be discriminated against for exercising rights.

Verification Process: We need to verify identity before responding to requests. May require matching info you provide to our records. May ask for additional info if needed. Authorized agents can submit requests but need proof of authorization.

How to Exercise Rights:

• Visit vectreal.com/profile.
• Contact us via email: info@vectreal.com or mail (see Section 17).

California "Shine The Light" Law: Residents can request info once/year (free) about personal info disclosed to third parties for direct marketing purposes in preceding calendar year. If applicable, includes list of categories shared and names/addresses of third parties. Submit request in writing (see Section 17).

(Specific sections detailing rights for each listed state follow in the original document but are omitted here for brevity while retaining the overall structure and key facts applicable to all listed states.)

15. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: Yes, residents of Australia, New Zealand, and potentially other regions may have specific rights.

(Sections detailing rights for Australia and New Zealand follow in the original document.)

16. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we update this notice as necessary to stay compliant with relevant laws.

We may update this notice periodically. Updated version indicated by revised "Last updated" date; becomes effective when accessible. Material changes may be notified via posting notice or direct notification. Review this notice frequently to stay informed.

17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If questions/comments about this notice, email info@vectreal.com

18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on applicable laws, you may have the right to request access, correct inaccuracies, or delete your personal information (stored primarily within Supabase). You may also have right to withdraw consent. To request review, update, delete info, visit vectreal.com/profile or submit a request via mail at info@vectreal.com.

If you would like to find out more about cookies and other similar technologies, please visit allaboutcookies.org.