Privacy Policy
Last Updated: November 7, 2025
This Privacy Policy describes how OC3D GmbH ("we", "us", or "our") collects, uses, and discloses your personal information when you use our website oc3d.io (the "Website") and our platform services (collectively, the "Services"), and the choices you have associated with that data.
1. Controller Information
The controller responsible for the processing of your personal data pursuant to the General Data Protection Regulation (GDPR) is:
OC3D GmbHFraunhoferstraße 9
45657 Recklinghausen
Germany
Commercial Register: HRB 10080, Amtsgericht RecklinghausenVAT ID: DE457329541
Email: info@oc3d.io
Phone: +49 176 4173 4103
2. General Information on Data Processing
a) Scope of Processing
We process personal data of our users only to the extent necessary to provide a functional website and our platform services. The processing of personal data is regularly carried out only with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by statutory regulations.
b) Legal Basis for Processing Personal Data
Where we obtain consent from the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Where processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.
In cases where vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
If processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Article 6(1)(f) GDPR serves as the legal basis for processing.
c) Data Erasure and Storage Duration
Your personal data will be deleted or blocked as soon as the purpose for storing it no longer applies. Storage may continue if this has been provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for conclusion or performance of a contract.
3. Provision of the Website and Creation of Log Files
a) Description and Scope of Data Processing
Our website is hosted by Webflow, Inc. (398 11th Street, 2nd Floor, San Francisco, CA 94103, USA), and the domain is registered with GoDaddy.com, LLC (2155 E. GoDaddy Way, Tempe, AZ 85284, USA).
Every time you access our website, our hosting provider automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. The information collected includes:
•Browser type and browser version
•Operating system used
•Referrer URL (the previously visited page)
•Host name of the accessing computer
•Time of the server request
•IP address
This data is not merged with other data sources. The data is stored separately from other personal data of the users.
b) Legal Basis for Data Processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
c) Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.
Storage in log files is done to ensure the functionality of the website. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f) GDPR.
d) Duration of Storage
The data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or anonymized, so that an assignment of the calling client is no longer possible.
4. Use of Cookies and Cookie Consent Management
a) Description and Scope of Data Processing
We use Cookie Script (UAB "Cookie-script", J. Basanavičiaus g. 15, LT-03108 Vilnius, Lithuania) to manage cookie consents on our website. This tool allows us to obtain and manage your consent for data processing via cookies in accordance with GDPR requirements.
Cookies are small text files that are stored on your device when you visit our website. We use cookies to make our website more user-friendly. Some cookies remain stored on your device until you delete them. They enable us to recognize your browser on your next visit.
We use the following types of cookies:
Technically Necessary Cookies: These cookies are essential for the operation of the website and cannot be disabled in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms.
Analytics Cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
Marketing Cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
b) Legal Basis for Data Processing
The use of technically necessary cookies is based on Article 6(1)(f) GDPR. Our legitimate interest lies in ensuring the functionality and user-friendliness of our website.
The use of all other cookies (e.g., for marketing or analysis purposes) is based on your consent pursuant to Article 6(1)(a) GDPR.
c) Purpose of Data Processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.
The user data collected through technically necessary cookies is not used to create user profiles.
d) Duration of Storage, Objection and Removal
Cookies are stored on the user's computer and transmitted to our site by it. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically.
You can revoke your consent to the use of cookies at any time by changing the cookie settings in the cookie banner or by adjusting your browser settings.
5. Contact Form and Email Contact
a) Description and Scope of Data Processing
A contact form is available on our website which can be used for electronic contact. If you send us an inquiry via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions.
Alternatively, you can contact us via the email address provided. In this case, the user's personal data transmitted with the email will be stored.
The data will not be passed on to third parties in this context. The data is used exclusively for processing the conversation.
b) Legal Basis for Data Processing
The legal basis for the processing of data transmitted in the course of sending an email or via the contact form is Article 6(1)(f) GDPR. If the email contact aims at the conclusion of a contract, the additional legal basis for the processing is Article 6(1)(b) GDPR.
c) Purpose of Data Processing
In the case of contact via the contact form or email, this also constitutes the necessary legitimate interest in the processing of the data.
d) Duration of Storage
The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data sent by email or via the contact form, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
6. Registration and Use of the Platform
a) Description and Scope of Data Processing
To use our platform services, you must register for an account. During the registration process, we collect the following personal data:
•Full name
•Email address
•Company name and information
•Password (encrypted)
For the use of our platform, you may upload project data, including:
•CAD files
•3D models
•Reference images
•Project specifications and briefs
•Feedback and comments
This data is stored on the servers of our cloud provider Hostinger International Ltd. (61 Lordou Vironos Street, 6023 Larnaca, Cyprus). The data of our freelancers and artists (including portfolio materials, contact information, and project submissions) is also stored with Hostinger.
b) Legal Basis for Data Processing
The legal basis for the processing of data after registration for the performance of a contract or for the implementation of pre-contractual measures is Article 6(1)(b) GDPR.
c) Purpose of Data Processing
Registration of the user is necessary for the provision of our platform services and to enable the matching of clients with 3D artists, project management, file sharing, and payment processing.
d) Duration of Storage
The data is deleted as soon as it is no longer necessary for the purpose for which it was collected.
Data collected during the registration process is deleted when the registration on our website is canceled or modified. You can request deletion of your account at any time by contacting us at info@oc3d.io.
Project data uploaded to the platform will be retained for the duration of the project and for a reasonable period thereafter to fulfill warranty obligations and resolve any disputes. You may request deletion of specific project files after project completion.
7. Payment Processing
a) Description and Scope of Data Processing
We use Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) for payment processing. When you make a payment through our platform, your payment data (such as credit card number, bank account details, billing address) is transmitted directly to Stripe.
We do not store your complete payment card details on our servers. Stripe processes your payment information in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
b) Legal Basis for Data Processing
The processing of your payment data is necessary for the performance of the contract pursuant to Article 6(1)(b) GDPR.
c) Data Processing Agreement
We have concluded a data processing agreement (DPA) with Stripe in accordance with Article 28 GDPR. Stripe acts as a processor on our behalf.
d) Data Transfer to Third Countries
Stripe is based in the USA. The transfer of data to the USA is based on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses approved by the European Commission. You can find more information in Stripe's privacy policy at https://stripe.com/privacy.
8. Web Analysis by Google Analytics
a ) Description and Scope of Data Processing
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies to help analyze how users use the website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
We have activated IP anonymization on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity, and providing other services relating to website activity and internet usage to the website operator.
b) Legal Basis for Data Processing
The legal basis for the use of Google Analytics is your consent pursuant to Article 6(1)(a) GDPR, which you provide through the cookie consent banner.
c) Purpose of Data Processing
Google Analytics is used to analyze the use of our website and to regularly improve it. The statistics obtained enable us to improve our offering and make it more interesting for you as a user.
d) Data Processing Agreement
We have concluded a data processing agreement with Google Ireland Limited in accordance with Article 28 GDPR.
e) Data Transfer to Third Countries
For those exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-U.S. Data Privacy Framework. You can find more information in Google's privacy policy at https://policies.google.com/privacy.
f ) Objection and Removal
You can prevent the storage of cookies by a corresponding setting of your browser software; however, please note that if you do this, you may not be able to use all functions of this website to their full extent.
You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout.
Alternatively, you can revoke your consent to the use of Google Analytics at any time by changing the cookie settings in the cookie banner.
9. Your Rights as a Data Subject
You have the following rights with respect to your personal data:
a ) Right of Access (Article 15 GDPR)
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and information about the processing.
b) Right to Rectification (Article 16 GDPR)
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.
c) Right to Erasure (Article 17 GDPR)
You have the right to obtain the erasure of personal data concerning you without undue delay under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
d) Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain restriction of processing under certain circumstances, such as when you contest the accuracy of the personal data.
e) Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from us.
f) Right to Object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
g) Right to Withdraw Consent (Article 7(3) GDPR)
Where processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
h) Right to Lodge a Complaint (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The competent supervisory authority for OC3D GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2-4
40213 Düsseldorf
Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
10. Data Transfers to Third Countries
Some of our service providers are based outside the European Economic Area (EEA ), particularly in the United States. We only transfer personal data to third countries where adequate safeguards are in place:
•Webflow, Inc. (USA): EU-U.S. Data Privacy Framework and Standard Contractual Clauses
•GoDaddy.com, LLC (USA): EU-U.S. Data Privacy Framework and Standard Contractual Clauses
•Stripe, Inc. (USA): EU-U.S. Data Privacy Framework and Standard Contractual Clauses
•Google Ireland Limited (USA servers): EU-U.S. Data Privacy Framework and Standard Contractual Clauses
The EU-U.S. Data Privacy Framework has been recognized by the European Commission as providing an adequate level of protection for personal data transferred from the EU to participating U.S. organizations.
You can obtain copies of the Standard Contractual Clauses by contacting us at info@oc3d.io.
11. Data Security
We use appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
•Encryption of data in transit using SSL/TLS protocols
•Encryption of data at rest on our servers
•Regular security assessments and updates
•Access controls and authentication mechanisms
•Employee training on data protection
However, please note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
12. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling as defined in Article 22 GDPR that would produce legal effects concerning you or similarly significantly affect you.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data.
14. Contact Us
If you have any questions about this Privacy Policy or our data processing practices, please contact us at:
OC3D GmbHFraunhoferstraße 9
45657 Recklinghausen
Germany
Email: info@oc3d.io
Phone: +49 176 4173 4103
Vertreten durch die Geschäftsführer:
Julian Kaupper, Erik Wilberg