Privacy Policy

Last updated: March 15, 2026

1. Introduction

3DWebGen ("we", "our", or "us") operates the website and platform at 3dwebgen.com (the "Service"). This Privacy Policy describes in detail how we collect, use, store, share, and protect your personal information when you access or use our AI-powered 3D model generation platform, including our image-to-3D, text-to-3D, GLB-to-STL conversion tools, email communications, subscription billing, and all related services.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect your full name and email address. If you register via email, we store a salted hash of your password (using bcrypt with a cost factor of 12). If you sign in with Google OAuth, we receive your name, email address, and profile picture URL from Google. We never store your Google password.

2.2 Uploaded Content

When you use our image-to-3D or multi-view features, images you upload are stored on our dedicated storage service and transmitted to third-party AI model providers (specifically fal.ai) for processing. Uploaded images are tagged with your user information and stored securely in our storage infrastructure. They are also uploaded to fal.ai's cloud storage for AI processing. Text prompts you enter for text-to-3D generation are transmitted directly to the AI provider.

2.3 Generated 3D Models

3D models generated from your inputs are stored as GLB files on both the AI provider's cloud storage and our dedicated storage service for redundancy. Model URLs, generation parameters (mode, quality settings, textured mesh option, multi-view option), generation status, and credit cost are stored in our database linked to your account. This allows you to access your generation history and download your models.

2.4 Blog Images

Images uploaded for blog posts are stored on our dedicated storage service. These images are publicly accessible and may include metadata such as alt text, captions, dimensions, and titles that are managed through our admin panel.

2.5 GLB to STL Conversions

When you use the GLB-to-STL converter (either URL-based or file upload), we process the conversion server-side. Converted STL files are saved to our storage service with user tagging for tracking purposes. We log the conversion activity including file name and file sizes.

2.6 Payment and Subscription Data

Subscription payments are processed through Polar (our payment provider). We do not store your credit card numbers, bank account details, or other sensitive financial information on our servers. We store your Polar customer ID, subscription ID, subscription status (active, canceled, past_due), current plan tier (Free, Starter, Pro, Enterprise), and billing period end date.

2.7 Credit Transaction Logs

Every credit transaction is logged in detail including: the action type (signup bonus, generation spend, generation refund, admin grant/deduct, purchase), the credit amount, your balance after the transaction, associated generation ID (if applicable), a human-readable description, and additional metadata about the transaction context.

2.8 Email Communication Data

We collect and store the following data related to our email communications with you:

  • Email logs — For every email we send, we store: the recipient email address, email type (transactional or marketing), subject line, the Resend delivery ID, delivery status (sent, delivered, bounced, opened, clicked, failed), timestamp of sending, and any error messages for failed deliveries
  • Open tracking data — When you open an email, we record the timestamp of the open event via a tracking pixel (1x1 transparent image) embedded in the email
  • Click tracking data — When you click a link in our emails, we record which link was clicked, the timestamp, and the total number of clicks. Links are routed through our tracking endpoint before redirecting you to the destination URL
  • Bounce and complaint data — If your email provider bounces our emails or if you mark them as spam, we receive and log this information via webhook notifications from Resend

2.9 Email Preferences and Consent

We store your email communication preferences including:

  • Your opt-in/opt-out status for each email category: marketing emails, product updates, tips and tutorials, and promotional offers
  • Your preferred email frequency (real-time, daily digest, or weekly digest)
  • The date, time, and IP address when you gave marketing consent (for GDPR compliance)
  • The date and time when you unsubscribed, if applicable
  • Your unique unsubscribe token (a cryptographically random 24-byte hex string used to securely process unsubscribe requests without requiring login)

2.10 Activity Logs and IP Addresses

We log platform activity for security and fraud prevention purposes. Activity logs include: your user ID, the action performed (registration, generation start/complete/fail, file upload, STL conversion), your IP address (obtained from CF-Connecting-IP, X-Forwarded-For, or X-Real-IP headers), your browser user agent string, a description of the action, and relevant metadata. These logs are stored indefinitely for security auditing.

2.11 Technical Data

We automatically collect standard technical data including your IP address, browser type and version, operating system, referring URL, pages visited, time and date of visits, time spent on pages, and other diagnostic data. This is collected through server logs and session cookies.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery — To process your 3D generation requests, manage your account, track your credit balance, and deliver generated 3D models
  • AI processing — To transmit your images and text prompts to our AI provider (fal.ai) for 3D model generation
  • Billing — To manage subscriptions, process credit allocations, and handle payment-related operations through Polar
  • Transactional emails — To send you essential service-related communications such as welcome emails, password reset links, generation completion notifications, low credit warnings, and subscription status updates
  • Marketing communications — With your consent, to send you product updates, tips, tutorials, promotional offers, blog digests, and campaign newsletters. These are personalized using your name, plan tier, and other account details to provide relevant content
  • Email engagement analysis — To track email open rates and click-through rates in aggregate, helping us understand what content is valuable and improve our communications
  • Security and fraud prevention — To monitor for abuse, prevent unauthorized access, detect fraudulent activity, and protect the integrity of the platform using IP-based logging
  • Credit auditing — To maintain an accurate audit trail of all credit transactions including charges, refunds, and bonuses
  • Platform improvement — To analyze usage patterns, diagnose technical issues, and improve platform features and performance
  • Legal compliance — To comply with applicable laws, respond to legal requests, and enforce our Terms of Service

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for processing personal data, we rely on the following:

  • Contract performance — Processing necessary to fulfill our contract with you (account management, 3D generation, credit tracking, subscription management, transactional emails)
  • Consent — Marketing emails, promotional communications, and email tracking are based on your explicit opt-in consent. You can withdraw consent at any time via email preferences or the unsubscribe link
  • Legitimate interests — Security monitoring, fraud prevention, platform improvement, and aggregate analytics, where these interests are not overridden by your data protection rights
  • Legal obligation — Processing required to comply with applicable laws (tax records, fraud reporting, law enforcement requests)

5. Third-Party Services and Data Sharing

We share your data with the following third-party services strictly as necessary to operate the platform:

  • fal.ai (AI Model Provider) — Your images, text prompts, and generation parameters are transmitted to fal.ai for 3D model generation. fal.ai processes this data on their servers and returns the generated 3D model. We use the following fal.ai endpoints: tri-mamba/text-to-3d for text prompts, hunyuan3d for image inputs, and hunyuan3d/multi-view for multi-angle generation. fal.ai's processing is governed by their own privacy policy.
  • Polar (Payment Provider) — Subscription management and payment processing are handled by Polar. When you subscribe to a paid plan, Polar collects and processes your payment information. We receive webhook notifications from Polar about subscription events (creation, update, cancellation, payment). We share your email, name, and internal user ID with Polar for customer identification.
  • Google (Authentication Provider) — If you choose to sign in with Google, Google's OAuth service handles the authentication flow. Google shares your name, email, and profile picture with us upon your consent. Google's data handling is governed by Google's Privacy Policy.
  • Resend (Email Provider) — All email communications (transactional and marketing) are sent through Resend, a third-party email delivery service. We share the following data with Resend for each email: recipient email address, email subject, email body content (HTML), and sender information. Resend provides us with delivery status updates (sent, delivered, bounced, failed) via webhooks. Resend processes email data in accordance with their privacy policy and data processing agreement. Resend does not use your email address for their own marketing purposes.
  • MongoDB Atlas (Database) — All account data, generation records, credit logs, email logs, email preferences, and activity logs are stored in MongoDB Atlas, a cloud-hosted database service with encryption at rest and in transit.

We do not sell, rent, or trade your personal information to any third parties. We do not share your data with advertisers or data brokers. We do not share your email address or any personal information with third parties for their marketing purposes.

6. Email Communications and Tracking

6.1 Types of Emails We Send

We send the following categories of emails:

  • Transactional — Password reset, welcome email, email verification, generation completion, low credits warning, subscription confirmations and reminders. These are essential for service operation and cannot be opted out of
  • Marketing campaigns — Newsletters, product announcements, tips and tutorials, promotional offers. These require your consent and can be unsubscribed from at any time

6.2 Email Personalization

Our emails may be personalized using information from your account, including:

  • Your name and first name
  • Your email address
  • Your current subscription plan
  • Your credit balance
  • Your total number of generations
  • Your account signup date

This personalization is applied at the time of sending and is used solely to provide you with relevant, contextual content. Personalized data is embedded directly in the email content and is not dynamically loaded from our servers when you open the email.

6.3 Email Tracking Technologies

Our emails contain the following tracking technologies:

  • Open tracking pixel — A 1x1 transparent GIF image is embedded at the end of each email. When your email client loads this image, it sends a request to our server at /api/email/track/open/[logId], which records that the email was opened and the timestamp. This tracking can be prevented by disabling remote image loading in your email client
  • Click-through tracking — Links in marketing emails (except unsubscribe links) are wrapped to route through our tracking endpoint at /api/email/track/click/[logId]. When you click a tracked link, we record the click event and immediately redirect you (HTTP 302) to the original destination URL. We track which link was clicked, the timestamp, and the total number of clicks per email

6.4 How We Use Email Tracking Data

  • To measure the effectiveness of our email campaigns (aggregate open rates and click rates)
  • To identify what content is most relevant and valuable to our users
  • To improve the timing, frequency, and content of future communications
  • To identify and suppress inactive email addresses to maintain list health
  • To detect potential email deliverability issues (high bounce rates, spam complaints)

Email tracking data is not shared with any third party, is not used for advertising purposes, and is not combined with data from other sources to build behavioral profiles.

6.5 Opting Out of Email Tracking

While we do not currently offer a per-user toggle to disable email tracking, you can take the following steps to limit tracking: (1) disable remote image loading in your email client to prevent open tracking; (2) copy link URLs manually instead of clicking them to prevent click tracking; (3) unsubscribe from marketing emails entirely to stop receiving tracked communications. Transactional emails may still contain tracking pixels for delivery monitoring purposes.

7. Email Preferences and Unsubscribe

7.1 Managing Preferences

You can manage your email preferences at any time through your account settings. Available options include:

  • Toggle individual email categories on or off: marketing emails, product updates, tips and tutorials, promotional offers
  • Set your preferred email frequency: real-time (immediate), daily digest, or weekly digest

7.2 Unsubscribe Mechanism

Every marketing email includes an unsubscribe link in the footer. The unsubscribe process works as follows:

  • Clicking the unsubscribe link takes you to our unsubscribe endpoint with your unique, cryptographically generated unsubscribe token — no login required
  • You can unsubscribe from a specific email category or from all marketing emails at once
  • Unsubscribe requests are processed immediately and take effect within seconds
  • After unsubscribing, you are redirected to a confirmation page at /unsubscribe
  • Your unsubscribe status is permanently recorded with a timestamp and is honored for all future sends

7.3 Re-subscribing

If you wish to re-subscribe to marketing emails after unsubscribing, you can do so through your account email preference settings. Re-subscribing will record a new consent timestamp and your IP address for compliance purposes.

8. Data Retention

  • Account data — Retained for as long as your account is active, plus 30 days after deletion request to allow for recovery
  • Generation history — Retained as long as your account is active. Generated 3D model files are stored on fal.ai's infrastructure and may be subject to their retention policies
  • Uploaded images — Stored locally on our server until manually cleaned up. Images uploaded to fal.ai are subject to fal.ai's retention policies
  • Email logs — Retained indefinitely for delivery monitoring, compliance auditing, and troubleshooting email delivery issues. Email logs include delivery status, open/click timestamps, and error messages
  • Email preferences — Retained as long as your account is active. Unsubscribe records are retained even after account deletion to ensure we honor your opt-out preferences permanently
  • Marketing consent records — Consent timestamps and IP addresses are retained indefinitely for GDPR compliance and audit purposes, even after you withdraw consent
  • Credit and activity logs — Retained indefinitely for security auditing, fraud prevention, and financial record-keeping. IP addresses in logs are retained as part of these records
  • Subscription data — Retained as long as your account is active and for any period required by tax and financial regulations after cancellation

9. Data Security

We implement the following security measures to protect your data:

  • All connections are encrypted via HTTPS/TLS
  • Passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext
  • Authentication uses JWT-based sessions with secure, HTTP-only cookies
  • Database connections use encrypted channels with connection pooling
  • Webhook payloads from Polar and Resend are verified using cryptographic signatures
  • API endpoints require authentication and verify resource ownership before returning data
  • IP-based activity logging enables detection of suspicious behavior and unauthorized access attempts
  • Unsubscribe tokens are cryptographically random (24-byte hex) and unique per user, preventing unauthorized unsubscribe actions
  • Email tracking endpoints use database log IDs that are not enumerable, preventing unauthorized access to tracking data

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security practices.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access — Request a copy of all personal data we hold about you, including generation history, credit logs, email logs, email preferences, and activity logs
  • Right to rectification — Request correction of inaccurate or incomplete personal data
  • Right to erasure — Request deletion of your account and all associated data, subject to our legal retention obligations. Note that unsubscribe records will be retained to honor your communication preferences
  • Right to restrict processing — Request that we temporarily stop processing your data in certain circumstances
  • Right to data portability — Request your data in a structured, machine-readable format (JSON), including your email preferences and communication history
  • Right to object — Object to processing of your data for certain purposes, including marketing communications and email tracking
  • Right to withdraw consent — Withdraw any previously given consent at any time, including marketing email consent. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal
  • Right to opt out of email tracking — While not a statutory right in all jurisdictions, we respect your right to limit email tracking as described in Section 6.5

To exercise any of these rights, contact us at privacy@3dwebgen.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

11. Cookies and Local Storage

We use the following types of cookies and browser storage:

  • Session cookies — Essential cookies set by NextAuth.js for authentication and session management. These are HTTP-only, secure cookies that expire when your session ends or after the configured session lifetime
  • CSRF tokens — Security cookies to prevent cross-site request forgery attacks
  • Local storage — We use browser local storage (via Zustand) to temporarily store your current generation form state, active task progress, and toast notifications. This data stays on your device and is not transmitted to our servers

We do not use any third-party tracking cookies, advertising cookies, or analytics cookies. We do not participate in any advertising networks or cross-site tracking.

12. International Data Transfers

Your data may be processed in countries outside of your residence, including countries where our third-party service providers (fal.ai, MongoDB Atlas, Polar, Resend) operate their infrastructure. These transfers are necessary for providing the Service, including email delivery which may be routed through servers in multiple jurisdictions. Where applicable, we rely on standard contractual clauses and adequacy decisions to ensure appropriate safeguards are in place for international data transfers.

13. Children's Privacy

The Service is not intended for children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal information from children, and we do not send marketing emails to minors. If we become aware that we have collected data from a child without parental consent, we will delete that information promptly and remove them from all email lists. If you believe a child has provided us with personal data, please contact us immediately at privacy@3dwebgen.com.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it
  • Right to delete — You may request deletion of your personal information, subject to certain exceptions
  • Right to opt out of sale — We do not sell your personal information. We do not share your email address, usage data, or any other personal data with third parties for monetary or other valuable consideration
  • Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, contact us at privacy@3dwebgen.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting a prominent notice on our website and updating the "Last updated" date at the top of this page. For significant changes that materially affect how we handle your data (especially regarding email tracking, data sharing, or new categories of data collection), we will also send a notification to your registered email address. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

16. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy, our data practices, email communications, or if you want to exercise any of your data rights, please contact us:

Privacy inquiries: privacy@3dwebgen.com

General support: support@3dwebgen.com

Email issues / unsubscribe help: unsubscribe@3dwebgen.com

Data protection officer: dpo@3dwebgen.com

Website: 3dwebgen.com

We aim to respond to all privacy-related inquiries within 30 calendar days. For GDPR data subject requests, we will respond within the legally required timeframe.