Privacy Policy
Last updated: March 2026
Introduction
CAD60 ("we," "us," or "our") operates the CAD60 parametric fabrication drawing generator available at cad60.com (the "Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have regarding your information.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
Information We Collect
Account Information
When you sign in using Google OAuth, we receive and store your name, email address, and profile image. We also store a unique user identifier associated with your account.
Drawing and Configuration Data
When you use the Service, we collect the data you provide, including:
- Drawing parameters and dimensions you submit to the configurator
- Saved jobs, parameter presets, and title block defaults
- Company logos you upload for use in title blocks
- Your preferred unit system (metric or imperial)
- Onboarding profile details (user type, referral source)
Payment Information
Payment processing is handled entirely by Stripe. We do not receive or store your credit card number, expiration date, or CVV. We store your Stripe customer ID, subscription tier, and billing status so that we can manage your account and enforce access controls.
Usage and Analytics Data
We collect analytics data through PostHog to understand how you use the Service and to improve it. This includes page views, feature interactions, and session recordings. Session recordings mask sensitive inputs such as email addresses and passwords. We also use Vercel Analytics to measure page performance.
Device and Technical Data
When you access the Service, our servers and third-party providers may automatically collect technical information such as your IP address, browser type and version, operating system, referring URL, pages visited, and timestamps.
Communications
If you contact us through the contact form, we collect your name, email address, message content, and the category of your inquiry. These submissions are delivered via Resend, our transactional email provider.
How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To generate fabrication drawings, store your configurations, and provide access to your account
- Billing and payments: To process subscription payments, manage your tier, and enforce download quotas
- Improvement and development: To analyse usage patterns, identify bugs, and develop new features
- Communication: To respond to your inquiries and send important service updates
- Security: To detect and prevent fraud, abuse, and unauthorized access through rate limiting, CSRF protection, and audit logging
- Legal compliance: To comply with applicable laws, regulations, and legal processes
Cookies and Tracking Technologies
We use the following categories of cookies:
Essential Cookies
These cookies are required for the Service to function. They manage your authentication session and cannot be disabled. Without these cookies, features such as signing in and accessing your account would not work.
Analytics Cookies
PostHog sets cookies to track page views, feature usage, and session recordings. These cookies help us understand how the Service is used so we can improve it. You can opt out of analytics cookies at any time by adjusting your browser settings to block or delete cookies.
Performance Cookies
Vercel Speed Insights collects anonymised performance metrics (such as page load times and Core Web Vitals) to help us monitor and improve site performance.
We do not use advertising, retargeting, or third-party tracking cookies.
Third-Party Services
We share data with the following third-party service providers, each of which operates under its own privacy policy:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google | OAuth authentication | Authentication tokens, profile data |
| Neon | Database storage, session management | All account and application data |
| Stripe | Payment processing | Name, email, payment details |
| PostHog | Product analytics, session recording | Usage events, anonymised session data |
| Vercel | Hosting, web analytics, performance monitoring | Page views, performance metrics, server logs |
| Resend | Transactional email | Name, email, message content |
| Fly.io | Backend compute (geometry engine) | Drawing parameters (no personal data) |
We do not sell, rent, or trade your personal data to any third party. Data is only shared with the providers listed above for the specific purposes described.
Data Storage and Security
Your data is stored in a managed Neon PostgreSQL database with row-level security policies that restrict access at the database level. All data in transit is encrypted using TLS. Our infrastructure is hosted on managed cloud platforms (Vercel and Fly.io) that maintain their own security certifications and compliance programs.
While we implement commercially reasonable security measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information using industry-standard practices including CSRF protection, rate limiting, input validation, and audit logging.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:
- Account data: Retained while your account remains active. Deleted upon account deletion request.
- Drawing data and saved jobs: Retained while your account is active. Deleted when you remove them or delete your account.
- Audit logs: Retained for a reasonable period for security and compliance purposes.
- Analytics data: Subject to the retention policies of PostHog and Vercel.
- Payment records: Retained as required by applicable tax and financial regulations.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated personal data through your account settings or by contacting us
- Opt out of analytics: Disable analytics cookies at any time by adjusting your browser settings to block or delete cookies from our domain
European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation, including:
- Data portability: Receive your data in a structured, commonly used, machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Supervisory authority: Lodge a complaint with your local data protection authority
Our legal bases for processing are: performance of a contract (providing the Service), consent (analytics), and legitimate interests (security, fraud prevention, service improvement).
California (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Not be discriminated against for exercising your privacy rights
To exercise any of these rights, contact us through our contact page. We will respond to verified requests within 30 days.
International Data Transfers
Your data may be transferred to and processed in countries other than the country in which you reside. Our service providers operate infrastructure in multiple regions globally. Where such transfers occur, we rely on appropriate safeguards, including standard contractual clauses and the data protection commitments of our service providers, to ensure your data receives an adequate level of protection.
Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us through our contact page.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after any changes are posted constitutes your acceptance of the revised Privacy Policy.
Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through our contact page.