TanskyLabTanskyLab
Sign in

TanskyLab

Privacy Policy

Last updated: May 14, 2026

This Privacy Policy explains how TanskyLab (“Service”, “we”, “us”) collects, uses, stores, and protects your personal data when you use the Service. It applies to all Users who access TanskyLab through the website or related services.

1. Data controller

The data controller responsible for your personal data is:
Szymon Tanski
Poland
Email: contact@tanskylab.com

If you have questions or concerns about how your data is processed, or if you wish to exercise your rights, you may contact us at the email address above.

2. What data we collect

We collect the following categories of personal data:

2.1 Account data

  • Email address (provided during registration or via Google OAuth)
  • Authentication provider (Google or email/password)
  • Hashed password (if you register with email; we never store plain-text passwords)
  • Account creation date and last sign-in date
  • Terms acceptance timestamp
  • Marketing opt-out preference

2.2 Generation data

  • Generation job history (job ID, status, timestamps)
  • Generator settings (dimensions, depth range, layer height, filament colors, image tuning parameters)
  • Monthly usage counters
  • Paths to uploaded images and generated files in cloud storage
  • Technical metadata (pixel dimensions, triangle count)

2.3 Uploaded images

Photographs you upload for puzzle generation. These are stored temporarily in private cloud storage buckets and are not publicly accessible.

2.4 Technical data

  • IP address and approximate geolocation (collected automatically by hosting infrastructure)
  • Browser type, operating system, and device information
  • Pages visited, referral source, and session duration
  • Cookies and similar technologies (see section 8)

3. Legal bases for processing

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

  • Performance of a contract(Art. 6(1)(b) GDPR) — processing necessary to provide the Service, including account creation, authentication, file generation, download link delivery, job history, and usage limit enforcement.
  • Legitimate interests(Art. 6(1)(f) GDPR) — processing necessary for our legitimate interests, including service security, fraud prevention, abuse detection, debugging failed generations, and improving the generator. Our legitimate interests do not override your fundamental rights and freedoms.
  • Consent(Art. 6(1)(a) GDPR) — where we rely on your consent, such as for marketing communications or non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Legal obligation(Art. 6(1)(c) GDPR) — where processing is necessary to comply with a legal obligation (e.g., tax records, lawful data retention requests).

4. How we use your data

We use your personal data to:

  • create and manage your account;
  • authenticate you when you sign in;
  • process uploaded images and generate STL/3MF files;
  • deliver generated files through private signed download links;
  • enforce monthly generation limits;
  • restore previous generation jobs so you can regenerate with adjusted settings;
  • send transactional emails (account confirmation, password reset, email change);
  • detect and prevent abuse, fraud, and unauthorized access;
  • debug failed generations and improve the Service;
  • comply with legal obligations;
  • send marketing communications (only with your consent).

5. Uploaded images and generated files

Uploaded images are stored in private cloud storage buckets and are only accessible to you through time-limited signed URLs. Images are used solely to generate output files for your account. We do not use your images for training machine learning models, advertising, or any purpose beyond providing the Service.

Generated files (STL, 3MF) are similarly stored in private buckets and delivered through signed URLs. Input images are intended to be retained for up to 24 hours. Generated files are intended to remain available for approximately 30 days. Actual retention may vary as automated cleanup processes are developed.

6. Data sharing and processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of third-party service providers (“processors”) who process data on our behalf and under our instructions:

  • Supabase Inc.(United States) — authentication, database, and file storage. Supabase processes account data, generation history, uploaded images, and generated files.
  • Vercel Inc.(United States) — website hosting and serverless computing. Vercel processes technical data (IP addresses, request logs) and executes the file generation pipeline.
  • Google LLC(United States) — OAuth authentication provider, if you choose to sign in with Google. Google receives your authentication token and basic profile information during the sign-in flow.

We may also disclose data if required by law, court order, or governmental authority, or to protect our rights, safety, or property.

7. International data transfers

Our processors (Supabase, Vercel, Google) operate in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, or the processor's participation in recognized certification frameworks, to ensure an adequate level of data protection. You may contact us to obtain further information about the safeguards in place.

8. Cookies and similar technologies

The Service uses cookies and similar technologies for the following purposes:

  • Strictly necessary cookies— authentication session cookies set by Supabase to keep you signed in. These are essential for the Service to function and do not require consent.
  • Hosting cookies— technical cookies set by Vercel for load balancing and security. These are essential and do not require consent.

We do not currently use analytics, advertising, or tracking cookies. If we introduce non-essential cookies in the future, we will obtain your consent before setting them.

9. Data retention

We retain your data for the following periods:

  • Account data — retained while your account is active and for up to 30 days after account deletion to allow recovery, unless a longer period is required by law.
  • Generation job history — retained while your account is active.
  • Uploaded input images — intended to be deleted within 24 hours of upload.
  • Generated output files — intended to be available for approximately 30 days, then deleted.
  • Usage counters — retained for the current and preceding calendar months.
  • Technical/server logs — retained by our hosting providers according to their own retention policies, typically up to 30 days.

When data is no longer needed for the purposes described in this policy, we delete or anonymize it. Exact timing depends on automated cleanup schedules and may vary.

10. Your rights

Under the GDPR and applicable data protection law, you have the following rights regarding your personal data:

  • Right of access(Art. 15 GDPR) — you may request a copy of the personal data we hold about you.
  • Right to rectification(Art. 16 GDPR) — you may request correction of inaccurate or incomplete data.
  • Right to erasure(Art. 17 GDPR) — you may request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restriction of processing(Art. 18 GDPR) — you may request that we restrict processing of your data in certain circumstances.
  • Right to data portability(Art. 20 GDPR) — you may request to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Right to object(Art. 21 GDPR) — you may object to processing based on legitimate interests, including profiling. Where processing is for direct marketing purposes, you have an absolute right to object at any time.
  • Right to withdraw consent(Art. 7(3) GDPR) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right not to be subject to automated decision-making(Art. 22 GDPR) — we do not use automated decision-making or profiling that produces legal effects concerning you.

To exercise any of these rights, contact us at contact@tanskylab.com. We will respond within 30 days, as required by the GDPR. We may ask you to verify your identity before processing your request.

11. Right to lodge a complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO): uodo.gov.pl. You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EEA.

12. Marketing communications

New accounts are opted out of marketing by default. We will only send marketing emails (about new projects, features, or updates) with your prior consent. Every marketing email includes an unsubscribe link. Transactional emails (account confirmation, password reset, important service notices) are not marketing and may be sent without separate consent as they are necessary for the performance of the contract.

13. Children's privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us.

14. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS/TLS), hashed passwords, private storage buckets with signed URLs, and access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. If changes are material, we will make reasonable efforts to notify you (e.g., by email or a notice in the Service). Continued use after the updated policy takes effect constitutes acceptance. We encourage you to review this page periodically.

16. Contact

For questions about this Privacy Policy, to exercise your data protection rights, or for any other privacy-related inquiry, contact us at: contact@tanskylab.com

Terms of ServiceBack to projects