Privacy Policy
Last updated 17 July 2026
The short version: we collect the minimum needed to run a metered CAD tool — your email address, your plan and download counters, and basic metadata about each unfold. Your CAD files are processed ephemerally and deleted; we don't keep your parts. Payments are handled by Stripe, so we never see your card details. Data lives in the EU. No advertising trackers.
Bendline is a brand of Headfully Ltd (company number 12525707, registered office Champleys Accountants, Champleys Mews, Market Place, Pickering, United Kingdom, YO18 7AE), which operates the service and is the data controller for personal data processed through bendline.io and the Bendline app. Contact: hello@bendline.io.
1. What we collect, and why
| Data | What it is | Why (lawful basis) |
|---|---|---|
| Account | Email address; if you sign in with Microsoft or Google, the name/email your provider shares. | To create and secure your account and send sign-in codes (contract). |
| Entitlement & billing records | Your plan, download allowance and credit balance, a ledger of credit changes, Stripe customer/subscription IDs. Not card numbers — Stripe holds those. | To meter downloads and manage your subscription (contract); to keep accounting records (legal obligation). |
| Unfold metadata | Per unfold: the file name you uploaded, flat-pattern dimensions, bend count, warnings, and whether/when it was downloaded. | To show your history, operate the download gate, and understand service quality (contract / legitimate interest). |
| Your CAD files | The STEP model you upload and the files generated from it. | Processed only to compute your unfold. Held in memory/temporary storage during processing; generated files sit in a short-lived cache (≈1 hour) so you can download them, then are deleted. Not retained, not used for anything else, never used to train models. |
| Transactional email events | Delivery status of the emails we send you (via Resend). | To make sure sign-in codes and receipts actually reach you (legitimate interest). |
| Technical logs | Standard server logs (IP, user-agent, timestamps) kept short-term by us and our hosting providers. | Security, abuse prevention and debugging (legitimate interest). |
The app uses browser localStorage for your session and to restore an in-progress unfold after sign-in — functional storage only. For usage analytics we use Cloudflare Web Analytics, a privacy-friendly, cookieless tool that measures aggregate page views and traffic sources without cookies, without cross-site tracking, and without profiling or identifying individual visitors. We do not use advertising cookies or trackers, so we don't need a cookie-consent banner.
2. Who processes it for us
We use a small set of infrastructure providers, each processing data only on our instructions:
| Provider | Role | Location |
|---|---|---|
| Supabase | Accounts, database, sign-in | EU (Frankfurt) |
| Fly.io | Unfold compute (your CAD files are processed here, ephemerally) | UK (London) |
| Cloudflare | Website & app hosting, CDN, and cookieless Web Analytics | Global edge; EU/UK serving |
| Stripe | Payments, receipts, billing portal | EU/US (its own safeguards apply) |
| Resend | Sending our emails (sign-in codes, receipts, reminders) | EU region selected |
| Microsoft / Google | Only if you choose "Continue with Microsoft/Google" — they authenticate you and share your email with us | Per their policies |
Where a provider transfers data outside the UK/EEA (e.g. Stripe), the transfer is protected by recognised safeguards such as the UK Addendum to the EU Standard Contractual Clauses or an adequacy decision. We don't sell personal data, and we don't share it with anyone else except if required by law.
3. How long we keep it
- CAD files: minutes to ~1 hour (the processing cache), then gone.
- Account, entitlement and unfold metadata: while your account exists. Ask us to delete your account and we will, promptly.
- Billing/ledger records: kept up to 6 years after the transaction (UK accounting rules), even after account deletion.
- Server logs: short-term (typically ≤30 days).
4. Your rights
Under UK/EU GDPR you can ask us for access to your data, correction, deletion, restriction, portability, or object to processing based on legitimate interests. Email hello@bendline.io — we'll respond within a month. You can also complain to the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority, though we'd appreciate the chance to fix things first.
5. Email
We send transactional email only: sign-in codes, a welcome note, purchase confirmations, and a reminder before purchased credits expire. We won't send marketing email unless you separately opt in, and any such email would have a working unsubscribe.
6. Security
Sign-in is passwordless (no password database to breach). Data is encrypted in transit; database access is restricted by row-level security so clients can only read their own records; money-bearing records can only be changed server-side. Card data never touches our systems. No system is perfectly secure — if a breach affects your data we will notify you and the regulator as the law requires.
7. Changes
We'll post any changes here and, for material changes, tell you by email or in-app. This policy pairs with the Terms of Service.
Contact
hello@bendline.io · Headfully Ltd, Champleys Accountants, Champleys Mews, Market Place, Pickering, United Kingdom, YO18 7AE