Privacy Policy
01 — Who we are
OnyxCAD ("we", "us", "our") is operated as an independent software product accessible at onyxcad.com. We provide a browser-based STEP file annotation and sharing tool for engineers and manufacturers.
This Privacy Policy explains what personal data we collect, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy, contact us at:
02 — What data we collect
We collect the following categories of personal data:
Account data: When you create an account, we collect your email address and, if you use Google Sign-In, your name and Google profile picture as provided by Google's OAuth service. We do not store your Google password.
Uploaded file data: STEP files you upload are stored on our servers for the purpose of providing the service. Files are associated with your account and are permanently deleted when you delete the project or close your account. We do not access, read, or analyse the contents of your STEP files beyond what is required to render and process them for you.
Annotation data: Tolerances, thread specifications, colours, and other annotations you create are stored in our database, associated with your account and your uploaded files.
Share link data: When you generate a share link, we store the link token and the association between that token and your project. Anyone with the link can view the associated model. We log basic access events (timestamp, IP address) when share links are accessed for security purposes.
Usage and technical data: We may collect standard technical data including your IP address, browser type, device type, and pages visited. This data is used for security, debugging, and service improvement. If we use a third-party analytics service, it will be a standard provider operating under a data processing agreement with us. We do not sell this data or use it for advertising.
Payment data: Payments are processed by Polar.sh, our payment processor. We do not store your card details. Polar.sh handles all payment data under their own privacy policy. We receive confirmation of subscription status from Polar.sh but no raw payment card information.
03 — How we use your data
We use the data we collect for the following purposes:
— To provide and operate the OnyxCAD service, including storing your files, annotations, and projects.
— To manage your account and authenticate your identity.
— To process subscription payments via Polar.sh.
— To send transactional emails such as account confirmation and payment receipts. We do not send marketing emails without your explicit consent.
— To respond to support requests sent to our support email.
— To maintain the security and integrity of the service.
— To improve the service based on aggregated usage patterns.
Our lawful basis for processing under UK GDPR is:
— Contract performance: processing your files and annotations to deliver the service you signed up for.
— Legitimate interests: security logging, abuse prevention, and service improvement.
— Legal obligation: where required by UK law.
04 — Data storage and retention
Your data is stored on servers provided by Supabase, Inc., a cloud infrastructure provider operating data centres in the European Union. Supabase processes data under a Data Processing Agreement compliant with UK GDPR requirements for international transfers.
We retain your data for as long as your account is active. Specifically:
— STEP files: permanently deleted when you delete the associated project, or when you close your account.
— Annotation data: permanently deleted when you delete the associated project or close your account.
— Account data (email, name): retained until you request account deletion.
— Payment records: retained for 7 years as required by UK financial record-keeping obligations.
— Security logs: retained for 90 days, then deleted.
05 — Sharing your data with third parties
We do not sell your personal data. We share data only with the following third parties, strictly for the purpose of operating the service:
— Supabase, Inc.: database, file storage, and authentication infrastructure.
— Polar.sh: subscription and payment processing.
— Google LLC: authentication via Google OAuth, if you choose to sign in with Google.
— Analytics provider: if we introduce a third-party analytics service, it will be listed here. We will only use providers that offer UK GDPR-compliant data processing agreements and do not use your data for advertising.
We do not share your STEP files or annotation data with any third party other than the infrastructure providers listed above, who process it only on our behalf.
06 — Your rights under UK GDPR
You have the following rights regarding your personal data:
— Right of access: request a copy of the personal data we hold about you.
— Right to rectification: request correction of inaccurate data.
— Right to erasure: request deletion of your personal data. You can delete your projects and account directly in the app, which permanently deletes associated files and annotations.
— Right to data portability: request your annotation data in a machine-readable format.
— Right to object: object to processing based on legitimate interests.
— Right to restrict processing: request that we limit how we use your data in certain circumstances.
To exercise any of these rights, contact us at:
We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
07 — Cookies
We use only essential cookies required to operate the service, specifically:
— Authentication session cookies: to keep you logged in during a browser session.
— Security cookies: to protect against cross-site request forgery (CSRF).
We do not use advertising cookies, tracking cookies, or third-party cookies for profiling purposes. If we introduce any non-essential cookies in future, we will update this policy and obtain your consent where required.
08 — Children's privacy
OnyxCAD is intended for professional use by adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has created an account, please contact us at support.onyxcad@gmail.com and we will delete the account promptly.
09 — Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice on the site before the changes take effect. The "last updated" date at the top of this page will always reflect the most recent version.
Continued use of OnyxCAD after changes are posted constitutes acceptance of the updated policy.
10 — Contact
For any privacy-related questions, data requests, or complaints, contact us at:
onyxcad.com