TanskyLabTanskyLab
Sign in

TanskyLab

Privacy Policy

Last updated: June 22, 2026

This Privacy Policy explains how TanskyLab (“Service”, “we”, “us”) collects, uses, stores, and protects your personal data when you use the Service. It applies to all Users who access TanskyLab through the website or related services.

1. Data controller

The data controller responsible for your personal data is:
Next Real sp. z o.o. (spółka z ograniczoną odpowiedzialnością)
Gdańska 13, 50-334 Wrocław, Poland
KRS: 0001242343 · NIP: 8982334148 · REGON: 544812952
Email: contact@tanskylab.com

If you have questions or concerns about how your data is processed, or if you wish to exercise your rights, you may contact us at the email address above.

2. What data we collect

We collect the following categories of personal data:

2.1 Account data

  • Email address (provided during registration or via Google OAuth)
  • Authentication provider (Google or email/password)
  • Hashed password (if you register with email; we never store plain-text passwords)
  • Account creation date and last sign-in date
  • Terms acceptance timestamp
  • Marketing opt-out preference

2.2 Generation data

  • Generation job history (job ID, status, timestamps)
  • Generator settings (dimensions, depth range, layer height, filament colors, image tuning parameters)
  • Monthly usage counters
  • Paths to uploaded images and generated files in cloud storage
  • Technical metadata (pixel dimensions, triangle count)

2.3 Uploaded images

Photographs you upload for puzzle generation. These are stored temporarily in private cloud storage buckets and are not publicly accessible.

2.4 Technical data

  • IP address and approximate geolocation (collected automatically by hosting infrastructure)
  • Browser type, operating system, and device information
  • Pages visited, referral source, and session duration
  • Cookies and similar technologies (see section 8)

2.5 Payment and billing data

  • Plan purchased, amount, currency, and purchase and expiry dates
  • Billing name and address, and any tax identification number (e.g. NIP) you provide for an invoice
  • A payment processor (Stripe) customer identifier and payment confirmation metadata

Payment card numbers are entered directly on Stripe and are never received or stored by us.

3. Legal bases for processing

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

  • Performance of a contract(Art. 6(1)(b) GDPR) — processing necessary to provide the Service, including account creation, authentication, file generation, download link delivery, job history, and usage limit enforcement.
  • Legitimate interests(Art. 6(1)(f) GDPR) — processing necessary for our legitimate interests, including service security, fraud prevention, abuse detection, debugging failed generations, and improving the generator. Our legitimate interests do not override your fundamental rights and freedoms.
  • Consent(Art. 6(1)(a) GDPR) — where we rely on your consent, such as for marketing communications or non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Legal obligation(Art. 6(1)(c) GDPR) — where processing is necessary to comply with a legal obligation (e.g., tax records, lawful data retention requests).

4. How we use your data

We use your personal data to:

  • create and manage your account;
  • authenticate you when you sign in;
  • process uploaded images and generate STL/3MF files;
  • deliver generated files through private signed download links;
  • enforce monthly generation limits;
  • restore previous generation jobs so you can regenerate with adjusted settings;
  • send transactional emails (account confirmation, password reset, email change);
  • detect and prevent abuse, fraud, and unauthorized access;
  • debug failed generations and improve the Service;
  • comply with legal obligations;
  • send marketing communications (only with your consent).

5. Uploaded images and generated files

Uploaded images are stored in private cloud storage buckets and are only accessible to you through time-limited signed URLs. Images are used solely to generate output files for your account. We do not use your images for training machine learning models, advertising, or any purpose beyond providing the Service.

Generated files (STL, 3MF) are similarly stored in private buckets and delivered through signed URLs. Input images are intended to be retained for up to 24 hours. Generated files are intended to remain available for approximately 24 hours. Actual retention may vary as automated cleanup processes evolve.

6. Data sharing and processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of third-party service providers (“processors”) who process data on our behalf and under our instructions:

  • Supabase Inc.(United States) — authentication, database, and file storage. Supabase processes account data, generation history, uploaded images, and generated files.
  • Vercel Inc.(United States) — website hosting and serverless computing. Vercel processes technical data (IP addresses, request logs) and executes the file generation pipeline.
  • Google LLC(United States) — OAuth authentication provider, if you choose to sign in with Google. Google receives your authentication token and basic profile information during the sign-in flow.
  • Stripe, Inc.(United States / Ireland) — payment processing for paid plans. When you purchase a plan, Stripe processes your payment details, billing name and address, and any tax identification number (e.g. NIP) you provide, and issues receipts and invoices. We receive confirmation of payment, the plan purchased, and limited billing metadata, but never your full payment card number.

We may also disclose data if required by law, court order, or governmental authority, or to protect our rights, safety, or property.

7. International data transfers

Our processors (Supabase, Vercel, Google, Stripe) operate in the United States or other countries outside your own. Where personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, or the processor's participation in recognized certification frameworks, to ensure an adequate level of data protection. You may contact us to obtain further information about the safeguards in place.

8. Cookies and similar technologies

The Service uses cookies and similar technologies. When you first visit the Service, a consent banner allows you to accept all cookies, customize your preferences, or accept only required cookies. You can change your preferences at any time by clicking “Cookie Settings” in the website footer.

8.1 Essential cookies

These cookies are strictly necessary for the Service to function. They include authentication session cookies set by Supabase to keep you signed in, and technical cookies set by Vercel for load balancing and security. Essential cookies do not require consent and cannot be disabled.

8.2 Functional cookies

Functional cookies remember your preferences such as language, region, and UI settings to provide a more personalized experience. These cookies are set only with your consent.

8.3 Analytics cookies

Analytics cookies help us understand how visitors interact with our website by collecting anonymous usage data such as pages visited, session duration, and referral sources. This data helps us improve the Service. These cookies are set only with your consent.

8.4 Marketing cookies

Marketing cookies are used to deliver relevant advertisements and measure campaign effectiveness. They may be set by third-party advertising partners. These cookies are set only with your consent.

8.5 Managing your preferences

You can change your cookie preferences at any time by clicking “Cookie Settings” in the website footer. You may also delete cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service. Your consent preferences are stored in a cookie on your device for up to 365 days.

9. Data retention

We retain your data for the following periods:

  • Account data — retained while your account is active and for up to 30 days after account deletion to allow recovery, unless a longer period is required by law.
  • Generation job history — retained while your account is active.
  • Uploaded input images — intended to be deleted within 24 hours of upload.
  • Generated output files — intended to be available for approximately 24 hours, then deleted.
  • Usage counters — retained for the current and preceding calendar months.
  • Payment and billing records — retained as required by tax and accounting law (in Poland, generally up to 5 years), independently of account deletion.
  • Technical/server logs — retained by our hosting providers according to their own retention policies, typically up to 30 days.

When data is no longer needed for the purposes described in this policy, we delete or anonymize it. Exact timing depends on automated cleanup schedules and may vary.

10. Your rights

Under the GDPR and applicable data protection law, you have the following rights regarding your personal data:

  • Right of access(Art. 15 GDPR) — you may request a copy of the personal data we hold about you.
  • Right to rectification(Art. 16 GDPR) — you may request correction of inaccurate or incomplete data.
  • Right to erasure(Art. 17 GDPR) — you may request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restriction of processing(Art. 18 GDPR) — you may request that we restrict processing of your data in certain circumstances.
  • Right to data portability(Art. 20 GDPR) — you may request to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Right to object(Art. 21 GDPR) — you may object to processing based on legitimate interests, including profiling. Where processing is for direct marketing purposes, you have an absolute right to object at any time.
  • Right to withdraw consent(Art. 7(3) GDPR) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right not to be subject to automated decision-making(Art. 22 GDPR) — we do not use automated decision-making or profiling that produces legal effects concerning you.

To exercise any of these rights, contact us at contact@tanskylab.com. We will respond within 30 days, as required by the GDPR. We may ask you to verify your identity before processing your request.

11. Right to lodge a complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO): uodo.gov.pl. You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EEA.

12. Marketing communications

New accounts are opted out of marketing by default. We will only send marketing emails (about new projects, features, or updates) with your prior consent. Every marketing email includes an unsubscribe link. Transactional emails (account confirmation, password reset, important service notices) are not marketing and may be sent without separate consent as they are necessary for the performance of the contract.

13. Children's privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us.

14. International users and US privacy rights

The Service is operated from Poland (European Union) and is available to users worldwide. By using the Service, you acknowledge that your data may be processed in the EU and transferred to third-party processors in the United States as described in section 7.

California residents (CCPA/CPRA): Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to know what personal data we collect and how it is used, the right to request deletion of your personal data, and the right to opt out of the sale or sharing of personal data. We do not sell or share your personal data as defined by the CCPA. To exercise your rights, contact us at contact@tanskylab.com. We will not discriminate against you for exercising your privacy rights.

15. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS/TLS), hashed passwords, private storage buckets with signed URLs, and access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. If changes are material, we will make reasonable efforts to notify you (e.g., by email or a notice in the Service). Continued use after the updated policy takes effect constitutes acceptance. We encourage you to review this page periodically.

17. Contact

For questions about this Privacy Policy, to exercise your data protection rights, or for any other privacy-related inquiry, contact us at: contact@tanskylab.com

Terms of ServiceBack to projects

Cookie Preferences

Choose which cookie categories you allow. Essential cookies cannot be disabled as they are required for the website to function.

Essential

Required for the website to function. Includes authentication sessions and security tokens. These cannot be disabled.

Functional

Remember your preferences such as language, region, and UI settings to provide a personalized experience.

Analytics

Help us understand how visitors interact with our website by collecting anonymous usage data like page views and session duration.

Marketing

Used to deliver relevant advertisements and track campaign effectiveness across platforms.