Privacy Policy

Last updated: May 3, 2026

This Privacy Policy explains what personal data Penguin 3D AI collects, why we collect it, how we use and share it, and the rights you have over it. It applies to our website, account services, and any related products.

1. Data Controller

Penguin 3D AI ("we", "us", "our") is the controller of personal data processed under this policy. For privacy questions or requests, contact privacy@penguin3d.ai. Based on our current scale and the nature of our processing, we are not required to appoint a Data Protection Officer under GDPR Article 37; the privacy contact above acts as our point of contact for data protection matters.

2. Data We Collect

We collect: (a) account data — email, password hash, name, language and theme preferences, role; (b) transactional data — purchase history, subscription status, order identifiers and partial payment metadata returned by our Merchant of Record (we never receive or store full card numbers); (c) content data — collections, cart contents, downloaded models, custom-project requests; (d) communications — messages you send to support and email confirmations; (e) technical data — IP address, browser and device information, log timestamps, referrer; (f) cookies and local storage — authentication tokens, locale and theme cookies, cart persistence.

3. How We Use Data

We use personal data to: (a) create and secure your account and authenticate sessions; (b) deliver the platform and the 3D models you download or subscribe to; (c) process payments, renewals, and refunds; (d) send transactional emails (account confirmation, password reset, receipts); (e) provide customer support; (f) prevent fraud, abuse, and unauthorized access; (g) comply with legal obligations and enforce our Terms; (h) improve and debug the service through aggregated analytics.

4. Legal Basis (GDPR / 152-FZ)

Where GDPR applies, we rely on: performance of a contract (account, purchases, downloads); legitimate interests (security, fraud prevention, service improvement); consent (non-essential cookies, marketing email if any); legal obligation (tax, accounting, lawful requests). For users in the Russian Federation, processing is performed in accordance with Federal Law No. 152-FZ on Personal Data and on the legal grounds set out therein.

5. Sharing and Processors

We share personal data with the following third parties under written agreements: (a) Lemon Squeezy — our Merchant of Record (MoR). Lemon Squeezy handles payments, billing, sales-tax/VAT collection and remittance, fraud prevention, and refund processing. It acts as an independent controller of payment, tax, and fraud data for its own MoR obligations, and as our processor for the order data we share with it. Lemon Squeezy uses Stripe as a subprocessor to handle card payments. Its privacy policy is available at lemonsqueezy.com/privacy and its DPA at lemonsqueezy.com/dpa. (b) Resend — transactional email delivery (processor). (c) Cloudflare R2 — file storage and asset delivery (processor). (d) Our database hosting provider for MongoDB (processor). We have entered into Data Processing Agreements with each of the above where required, as contemplated by GDPR Article 28. We may also disclose data when required by law, court order, or to protect the rights, safety, or property of users or the public.

6. Cookies and Similar Technologies

We use strictly necessary cookies and local storage for authentication tokens, locale selection, theme preference, and cart persistence. Without these the platform cannot function. We do not use third-party advertising cookies. If we add analytics or marketing cookies in the future, we will request consent first via a cookie banner.

7. Data Retention

We retain personal data only as long as needed for the purposes set out above and to meet legal obligations. Specific retention periods by data category:

• Account profile (email, name, preferences): until account deletion plus a 30-day grace period, then anonymized.
• Authentication tokens: refresh tokens up to 30 days from issue or until revoked; access tokens are short-lived.
• Transactional records (orders, invoices, subscription history): 7 years to satisfy tax and accounting law.
• Subscription billing data: lifetime of the subscription plus 7 years.
• Customer support correspondence: 3 years from the last contact.
• Server access and security logs: up to 90 days.
• Backups: rotated and fully overwritten within 35 days.

8. Your Rights

Subject to applicable law, you have the right to: access the personal data we hold about you; request correction or deletion; object to or restrict certain processing; withdraw consent where processing is based on consent; receive your data in a portable format; lodge a complaint with your local data protection authority. To exercise these rights, contact privacy@penguin3d.ai. We may need to verify your identity before responding.

9. Marketing Communications

We send transactional emails (account confirmation, password reset, receipts, security notices) on the basis of contract performance — these cannot be opted out of while your account is active. Any marketing communications, if introduced in the future, will be sent only with your prior consent and will include a one-click unsubscribe link in every message. Your unsubscribe choice does not affect transactional emails.

10. Security

We use industry-standard safeguards: encrypted transport (HTTPS/TLS), hashed passwords, JWT access plus rotating refresh tokens, role-based access controls, rate limiting, and isolated storage credentials. No method of transmission or storage is 100% secure; we cannot guarantee absolute security. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33), and notify affected users without undue delay where the breach is high-risk (Article 34) or where required by Federal Law No. 152-FZ.

11. International Transfers

Our processors may store and process data outside your country of residence, including in the United States and the European Economic Area. Where required, transfers are governed by Standard Contractual Clauses or equivalent safeguards approved by the relevant authorities.

12. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the CPRA gives you additional rights.

• No sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. Because we do not engage in sale or sharing, opt-out preference signals such as Global Privacy Control do not apply to our processing.
• No automated decision-making. We do not use automated decision-making technology that produces legal or similarly significant effects about you.
• Sensitive personal information. We do not use or disclose sensitive personal information for purposes beyond those permitted by Cal. Civ. Code § 1798.121.
• Non-discrimination. We will not deny services, charge different prices, or provide a different level of quality because you exercised your privacy rights.
• Authorized agents. You may use an authorized agent to submit requests; we may require verification.
• Shine the Light (Cal. Civ. Code § 1798.83). California residents may request information about disclosures of personal information to third parties for their direct marketing purposes — we have not made such disclosures in the preceding calendar year.

13. Russian Federation Residents (152-FZ)

If you are located in the Russian Federation, processing of your personal data is subject to Federal Law No. 152-FZ "On Personal Data" and related regulations.

• Cross-border transfer. Our databases are currently located outside the Russian Federation. Pursuant to Article 12 of 152-FZ, we process personal data of Russian residents on the basis of the data subject's explicit, informed, written consent to cross-border transfer, which you provide at registration. You may withdraw this consent at any time by writing to privacy@penguin3d.ai, in which case your account will be closed and your personal data deleted within the retention periods set out in this policy.
• Your rights. You may request access, correction, blocking, or destruction of your personal data, and withdraw consent at any time, by writing to privacy@penguin3d.ai.
• Supervisory authority. You may also lodge a complaint with the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).
• Breach notification. We will notify Roskomnadzor and affected users of any incident involving unauthorized transfer of personal data within the timeframes set by 152-FZ as amended.

14. Children

The platform is not directed to anyone under the age of 16, and we do not knowingly collect personal data from minors. By creating an account you confirm that you are at least 16 years old. If you believe a person under 16 has provided personal data to us, contact privacy@penguin3d.ai and we will delete it without undue delay.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. Updates are posted on this page with a new revision date. Material changes will be communicated by email or an in-platform notice where appropriate.

16. Contact

For privacy questions, data subject requests, or complaints, contact privacy@penguin3d.ai. We aim to respond within 30 days, in line with GDPR and Federal Law No. 152-FZ requirements.