Who we are
Controller: PixelArt3DCreator (UK). Contact: support@pixelart3dcreator.com.
What we collect
- Account details: username, email address, and a password hash (we never store plaintext passwords). We also store basic account metadata such as created date, approval status, and last login time.
- Plans and quotas: your plan (Free / Premium / Premium Commercial) and any storage quota applied to your account.
- Password reset data: if you request a password reset, we store a hashed reset token and an expiry time so we can validate the reset link.
- Security/session data: a session identifier stored in a cookie to keep you signed in.
- Abuse prevention: IP address and timestamps used to rate limit login, registration, and password reset requests.
- Server logs: IP address, device/browser information, timestamps, and requested pages (for security, diagnostics, and troubleshooting).
- Projects you save:
- On your device: the app can autosave projects and preferences in your browser’s local storage.
- In your account (cloud saves): if you use the in‑app save feature, we store your project data on our server under your account, along with a small preview image and project metadata (name, timestamps, and whether it’s shared with the community).
- Support communications: if you email us, we’ll receive your email address and whatever you send us.
Community sharing
The app includes an optional “community” toggle for saved projects. If you turn this on for a project, other logged‑in users may be able to see your project’s:
- name and preview image,
- owner username, and
- downloadable project data (so they can open it in the app).
If you don’t want this, keep the community toggle off. You can switch it off later to stop sharing going forward (users who already downloaded a copy may still have it).
We do not put community projects on the public homepage by default.
Why we use it and our lawful basis
- Provide the service (account access, saving projects, exporting files, plan/quota enforcement) – contract and/or legitimate interests.
- Account administration (review and approval of registrations, enforcing access rules) – legitimate interests.
- Transactional emails (password reset emails, account approval notifications where configured) – contract and/or legitimate interests.
- Security (prevent abuse, protect accounts, investigate incidents) – legitimate interests.
- Support (respond to your messages) – legitimate interests.
Cookies and local storage
We use a strictly necessary session cookie for login security. The app also uses local storage on your device for autosave and preferences. See Cookies for details.
Who we share data with
We don’t sell your personal data.
- Other users: only if you enable community sharing for a project (see above).
- Service providers: our hosting and email infrastructure providers may process limited personal data on our behalf (for example, storing your account records/projects and delivering emails). They will also receive standard request data such as IP address and user‑agent in their logs.
- Third‑party libraries/CDNs: the app may load JavaScript libraries (for example, JSZip for creating export files) from a third‑party CDN. Your browser will connect directly to those providers and they may receive standard request data like IP address and user‑agent.
- Legal/safety: we may share information if required by law or to protect users, the service, or our rights.
International transfers
Depending on where our providers are located, your data may be processed outside the UK. Where relevant, we use appropriate safeguards for international transfers (for example, contractual protections).
Retention
- Account records: kept while your account is active; deleted when your account is deleted by an admin (subject to any required legal retention).
- Cloud saves: kept until you delete them in the app, or until your account is deleted (beta services may also be reset).
- Community flags: stored until you turn sharing off or delete the project.
- Password reset records: reset tokens are stored in hashed form and expire automatically after a short period.
- Rate limiting records: small temporary records keyed to your IP that roll over as you retry and may be cleaned up by the server.
- Server logs: retained for a limited period for security and diagnostics.
- Local storage: stays on your device until you clear site data or use in‑app clear options.
Your rights
Depending on your circumstances, you may have rights including access, correction, deletion, restriction, objection, and data portability. To make a request, email support@pixelart3dcreator.com.
You can also complain to the UK Information Commissioner’s Office (ICO) if you think your data has been handled improperly.
Security
We use reasonable technical measures to help protect accounts and stored data (for example, hashed passwords, session protections, and rate limiting). No system is perfectly secure, so please use a strong password and keep it private.
Updates
We may update this notice when the app changes. The date at the bottom of this page shows the latest update.