Legal · Privacy

Privacy Policy

This policy explains what solidSF collects, why we collect it, who we share it with, how long we keep it, and how you can access, export, or delete it.

Effective date: May 21, 2026. Last updated: May 21, 2026.

Scope

This policy applies to solidsf.com, solidsf.com, and every subdomain operated by solidSF, Inc., a Delaware corporation headquartered in San Francisco, California. It covers visitors to our marketing surface and signed-in users of the solidSF workspace.

solidSF, Inc. is the data controller for personal information described below. Questions or requests under this policy go to privacy@solidsf.com.

What we collect

We collect only what we need to operate the product, support customers, bill, and keep the service secure.

Account information — name, email address, hashed password (or identity provider subject), workspace name, role, and (where you provide it) profile photo and time zone.
Design data — the parts, assemblies, drawings, sketches, parameters, feature trees, and metadata you create, import, or upload into a workspace.
Usage telemetry — feature events, errors, performance traces, and aggregated session data used to fix bugs, plan capacity, and improve the kernel.
Device and network data — IP address, browser, operating system, GPU class, and timestamps. Used for security, fraud prevention, and rate limiting.
Billing data — when you upgrade, Stripe processes your payment method. We store the resulting customer ID, last-four digits, billing country, and invoice history. We never see or store your full card number.
Communications — support tickets, in-app messages, and emails you send us.

Why we collect it

We process the data above on the following legal bases:

Contract — to provide the workspace, store your design data, deliver invoices, and respond to support.
Legitimate interest — to keep the service available, prevent abuse, debug crashes, and develop features. We do not use design data for any purpose outside operating your account.
Consent — for optional AI features that send prompts to third-party models, optional product analytics on the marketing site, and any future research opt-in.
Legal obligation — to keep tax and accounting records, and to respond to lawful process.

Third parties (sub-processors)

solidSF uses a small set of named sub-processors. Each is bound by a written data processing agreement.

Cloudflare — edge delivery, DDoS protection, TLS termination, and bot management. Cloudflare may see metadata for any request to our domains.
Amazon Web Services (AWS) — primary hosting, document storage, compute, and managed database. All data is stored in the United States.
Stripe — payment processing. Stripe handles your card number; we never store it.
OpenAI and Anthropic — large language model providers powering optional AI features. Prompts and minimal context are sent only when you explicitly invoke an AI feature, and never include design data outside the active workspace. We have signed enterprise terms with both providers that prohibit training on customer content.
Email and support tooling — transactional email and customer support platforms used to operate the service and answer support requests.

An up-to-date list of sub-processors is available on request to privacy@solidsf.com. We will notify Enterprise customers in advance of any material change.

Cookies and similar technologies

solidSF uses a small set of first-party cookies for authentication, CSRF protection, and remembering UI preferences. We do not use third-party advertising cookies, and we do not sell personal information. A consent banner manages optional analytics in jurisdictions that require it.

Retention

We retain account and design data for the life of your account. When you delete a document, it is removed from the active workspace immediately and purged from backups within 30 days. When you delete your account, all design data is purged within 30 days, except where retention is required by law (for example, tax records held up to 7 years).

Telemetry is retained for 13 months in detailed form and indefinitely in aggregated form that cannot be tied back to an individual.

Your rights

You have the right to access, export, correct, and delete your personal information. You can also object to processing on legitimate-interest grounds and withdraw consent for optional features at any time.

Most rights can be exercised directly inside the workspace. Account export delivers a ZIP containing your documents in native and standard interchange formats. To submit a formal request, email privacy@solidsf.com. We respond within 30 days. California residents have additional rights under the CCPA; EU and UK residents have rights under the GDPR.

International transfers

solidSF operates in the United States. If you access solidSF from outside the US, your data is transferred to and processed in the US. We will update this policy with additional transfer mechanisms before a formal EU rollout.

Children's privacy

solidSF is not directed to children under 13, and we do not knowingly collect data from anyone under 13. If you believe a child has provided us personal information, contact privacy@solidsf.com and we will delete it. Use of solidSF by users aged 13 to 18 requires parental or guardian consent where required by local law.

Security

We describe our technical and organisational measures in detail at solidsf.com/security. Highlights: AES-256 at rest, TLS 1.3 in transit, role-based access control, audit logs on Team and Enterprise, and an active vulnerability disclosure programme at security@solidsf.com.

Updates to this policy

We may update this policy when our practices change. Material changes will be announced in-app at least 14 days before they take effect, and the "Last updated" timestamp at the top of this page will be revised. Continued use after the effective date constitutes acceptance.

Contact

Privacy questions or data subject requests: privacy@solidsf.com. General contact: solidsf.com/contact. Mailing address: solidSF, Inc., San Francisco, CA, United States.