1. Controller
The data controller is Cult Shield s.r.o., registered in Bratislava, Slovak Republic. Reach us at privacy@cultshield.com.
2. What we collect
Account data
- Email address (required to create an account)
- Display name (optional, your choice)
- Legal name, postal address, and phone number (required only when you choose to have Cult Shield file DMCA notices on your behalf, because the statute requires the rights-holder's verifiable contact details)
Uploaded work
- The 3D model files you upload (STL, OBJ, GLB, etc.)
- Cryptographic hashes (SHA-256, perceptual PDQ) computed from those files
- Renders we generate from the files for fingerprinting and evidence display
Detection & case data
- URLs of suspect listings on third-party marketplaces
- Screenshots, HTML snapshots, and page hashes captured for evidence
- The full text of DMCA / DSA notices drafted and filed
- Replies received from marketplaces and counterparties
Usage data
- Standard server logs: IP address, user-agent string, request timestamps, response codes (retained 30 days for security and abuse prevention)
- Product analytics: anonymized event counters (page views per route, feature usage) via self-hosted analytics; no third-party trackers
3. Why we collect it (lawful bases under GDPR)
- Contract (Art. 6(1)(b)) for account data and uploaded work: we cannot provide the service without them.
- Legal obligation (Art. 6(1)(c)) for evidence and audit-log retention: the DMCA and EU DSA require traceability of takedown notices.
- Legitimate interests (Art. 6(1)(f)) for security logs and product analytics: operating a safe service.
- Consent (Art. 6(1)(a)) for optional onboarding emails and beta-feature invitations; revocable at any time.
4. Who sees it
- You and any sub-users on your account.
- Marketplaces and hosts you authorize us to file notices with (only the data inside the notice).
- Our subprocessors: Supabase (Postgres, EU region), Hetzner (compute, EU region), Brevo (transactional email, EU region), Anthropic and Google (AI model providers, US region; we send only the minimum data required to generate the notice text).
- Law enforcement under a binding legal request that meets the EU GDPR Article 23 threshold.
We do not sell or rent personal data. We do not run third-party advertising trackers.
5. Where it lives
Primary storage is in the EU (Supabase Frankfurt and Hetzner Falkenstein). AI providers process content in the US under EU-US Data Privacy Framework adequacy. Cryptographic timestamps go to FreeTSA and DigiCert (US/EU) and the Bitcoin chain (global).
6. How long we keep it
- Account data: while your account is active, plus 90 days after deletion (for billing reconciliation).
- Uploaded work: for as long as the model is monitored, plus 30 days after you remove it.
- Evidence and audit log: seven years after a notice is filed (statute-of-limitations alignment under U.S. copyright law).
- Server logs: 30 days.
- Analytics counters: 13 months (anonymized, no personal data).
7. Your rights
Under GDPR you have the right to access, rectify, delete, and port your personal data, and to restrict or object to its processing. To exercise any of these rights, email privacy@cultshield.com. We respond within 30 days. You may also lodge a complaint with the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) or your local supervisory authority.
8. Cookies
Cult Shield uses a single first-party session cookie required for authentication. No third-party cookies, no marketing cookies, no consent banner required (because we only set strictly necessary cookies).
9. Children
Cult Shield is not intended for use by people under 18. We do not knowingly collect data from minors.
10. Changes
We will email you about material changes to this policy and post the new version here with the effective date.