Data controller: Designmatix Ltd. (Company number 12697280, registered in England and Wales). ICO registration: ZB483460.
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
Contact for data protection enquiries: faizal@designmatix.co.uk
Canonical version: the authoritative copy of this notice is published at https://ai.designmatix.co.uk/text-to-cad/privacy. The Markdown source of truth lives in our private application repository; the page at the URL above is generated from that source. If the two ever diverge, the canonical URL prevails.
1. Who we are and what this notice covers
Designmatix Ltd. ("Designmatix", "we", "us", or "our") is a company registered in England and Wales (company number 12697280). We operate the Designmatix Text-to-CAD service (the "Service").
This notice applies only to:
- The Text-to-CAD application at https://app.designmatix.co.uk, and
- The marketing pages for Text-to-CAD at https://ai.designmatix.co.uk/text-to-cad (including the waitlist signup form hosted there).
This notice does not cover the separate corporate / WordPress site at https://designmatix.co.uk, which is governed by its own privacy notice.
2. What we collect
We collect the minimum data needed to operate the Service. Specifically:
2.1 Email address (waitlist signups)
If you choose to sign up for our waitlist via the form on https://ai.designmatix.co.uk/text-to-cad, we collect:
- Your email address
- The timestamp of your signup
- A double opt-in confirmation click (we email you a confirmation link; you must click it before being added to our list)
We collect this only when you voluntarily submit the form. The form is processed by our email service provider, Kit (see Section 5).
2.2 Technical data (collected automatically when using the Service)
- IP address, hashed using SHA-256 with only the first 16 characters of the hash retained. We do not store raw IP addresses. The hashed value is used solely for rate limiting (enforcing our quota of 10 generations per hour per user) and is not linked to your identity.
- Browser user-agent string, if recorded by the underlying web server for operational purposes.
- Timestamps of each generation attempt.
2.3 User-submitted content
- Prompts you submit to the Service (the natural-language descriptions you type).
- Feedback ratings (thumbs up / thumbs down) you provide on generated parts.
2.4 Generation metadata
For each generation request we log a row to our application database containing the following operational metadata:
- model — which Claude model produced the output (e.g. the primary or fallback model)
- success — whether the generation succeeded
- attempts — how many internal retries the pipeline used
- error — any error message returned by the pipeline (for debugging)
- code — the CadQuery code generated for your prompt
- uid — the 8-character random identifier we assign to the generated files
This metadata is used to monitor reliability, debug failures, and improve the Service. It is retained under the same 90-day window as the rest of the generation record (see Section 7).
2.5 Generated content
- CadQuery code, STEP files, and STL files produced in response to your prompts. The STEP and STL files are stored temporarily on our servers and automatically deleted after 2 hours. The CadQuery source string is logged with the generation row (see 2.4) and follows the 90-day retention policy.
2.6 What we do NOT collect
- We do not require you to create an account to use the core Service.
- We do not collect your name, phone number, postal address, or payment information.
- We do not use advertising pixels, social-media trackers, or fingerprinting. The marketing site uses Plausible Analytics for aggregate, cookieless measurement; see Section 5.
- We do not use your prompts to train any AI model.
3. Anthropic API key handling
To use the Service, you must provide an Anthropic API key (your own credential for Anthropic's Claude API). The key is:
- Used in your browser to authenticate generation requests with Anthropic's servers
- Never stored on our servers in any form
- Never logged to our application logs or database
- Held only in your browser's session memory while you use the Service
When you close your browser tab or refresh the page, your API key is discarded. We have no record of it.
4. Legal basis for processing (UK GDPR Article 6)
We rely on the following lawful bases:
- Consent (Article 6(1)(a)) — for adding you to our waitlist email list, where you have voluntarily submitted the form and confirmed via the double opt-in link.
- Performance of a contract (Article 6(1)(b)) — for processing your prompts to deliver the generated CAD output you requested.
- Legitimate interests (Article 6(1)(f)) — for hashed IP storage (rate-limit enforcement and abuse prevention), technical logs, generation metadata used to monitor reliability, and operating the Service.
5. Third-party processors
To deliver the Service, we share limited data with the following sub-processors:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Anthropic, PBC (Claude API) | Generates CAD code from your prompt | Your prompt text (transmitted using your API key) | USA (UK Data Protection Addendum and Standard Contractual Clauses in place) |
| Hostinger International Ltd. | Provides VPS hosting infrastructure and automated server snapshots for the Service | Technical logs, hashed IPs, generation requests, full server snapshots | United Kingdom (Manchester). Hostinger is a Lithuanian company; certain administrative and support functions may be operated from the EEA. Any resulting data flows are covered by the UK government's adequacy decision for the EEA. |
| Kit (formerly ConvertKit, by SubStack Inc.) | Manages our waitlist email list | Email address, signup timestamp | USA (UK Data Protection Addendum and Standard Contractual Clauses in place) |
| Plausible Insights OÜ (Plausible Analytics) | Aggregate page-view and link-click measurement on the marketing site only (ai.designmatix.co.uk); not used by the Text-to-CAD application. | Page URL, referrer, browser type, and country derived in-memory from your IP. The IP address is not stored. No cookies are set and no cross-site identifiers are used. | European Union (Germany) |
We do not use advertising, social-media, or behavioural-tracking third parties. Our only analytics processor is Plausible (above), which is cookieless and stores no personal data.
Privacy notices for our processors:
- Anthropic: https://www.anthropic.com/legal/privacy
- Hostinger: https://www.hostinger.com/privacy-policy
- Kit: https://kit.com/privacy
- Plausible: https://plausible.io/privacy
6. International transfers
The servers that hold your data are located in the United Kingdom (Manchester), and your use of the Service does not by itself involve an international transfer of personal data.
Limited transfers outside the UK occur in two situations:
- Prompts you submit are transmitted to Anthropic's servers in the United States so that Claude can generate the CadQuery code.
- Email addresses, if you sign up for the waitlist, are stored on Kit's servers in the United States.
Transfers outside the UK to the United States rely on:
- The processor's Data Processing Addendum incorporating Standard Contractual Clauses (SCCs); and
- Our assessment that each transfer provides appropriate safeguards as required under UK GDPR Article 46.
Any administrative access to your data from Hostinger's corporate operations in the EEA is covered by the UK government's adequacy decision for the European Economic Area and does not require additional safeguards.
7. Data retention
| Data | Retention |
|---|---|
| Generated STEP/STL files | Deleted automatically after 2 hours (file TTL on disk) |
| Generation record (prompt, hashed IP, generation metadata per Section 2.4, CadQuery code, feedback rating) | Retained for up to 90 days, then deleted. Enforced daily by the designmatix-purge.timer systemd unit, which runs a hardened oneshot service that deletes rows older than 90 days from the generations and feedback tables and reclaims free pages via VACUUM. |
| Hostinger automated server snapshots | Snapshots of the VPS filesystem (which may transiently contain database rows that have already been purged at application level) are retained by Hostinger under their standard backup schedule, typically up to 7 days, before being overwritten. We do not retain snapshots beyond this. |
| Technical error logs | Retained for up to 30 days |
| Email address (waitlist) | Retained until you unsubscribe; you can unsubscribe at any time via the link in any email we send you |
8. Cookies and similar technologies
The Service itself uses only session cookies required to keep your browser session active while you use the application. These are deleted when you close your browser.
The waitlist form embedded on our marketing site is provided by Kit and may set cookies for spam protection (reCAPTCHA) and to remember whether you have already submitted the form. These cookies are governed by Kit's privacy notice (linked above) and are functional, not advertising.
We do not use Google Analytics, Facebook Pixel, or any other analytics or advertising cookies. The marketing site uses Plausible Analytics (see Section 5), which is cookieless and sets no cookies of any kind.
9. Your rights under UK GDPR
You have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten"), subject to our legal obligations.
- Restrict or object to our processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent where consent is the lawful basis (e.g., your waitlist signup).
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk or by calling 0303 123 1113.
For most of our data (hashed IPs, anonymised logs), we may not be able to identify your specific records from an access or erasure request without additional information (such as the approximate time of use and the original IP address). For waitlist email addresses, you can simply send us your email address and we will action your request.
To exercise any right, email faizal@designmatix.co.uk.
10. Security
We take reasonable technical and organisational measures to protect personal data, including:
- HTTPS encryption in transit (TLS 1.3 or above)
- Hashed (not raw) IP storage
- Automatic STEP/STL file deletion after 2 hours
- Automatic database retention purge after 90 days, enforced by the
designmatix-purge.timersystemd unit (daily run, randomised within a 5-minute window, withPersistent=trueso a missed run on a rebooted host catches up) - Application and purge processes run under a dedicated unprivileged Linux user (
designmatix) with systemd hardening:NoNewPrivileges,PrivateTmp,ProtectSystem=strict,ProtectHome=read-only, restrictiveReadWritePaths,ProtectKernelTunables/Modules/Logs, andProtectControlGroups. The purge service additionally runs withPrivateNetwork=truesince it requires no network access. - API keys stored as environment secrets, not in source code
- Server access controlled by SSH key authentication, not passwords
No system can be guaranteed secure. If we become aware of a personal-data breach likely to result in risk to your rights, we will notify the ICO within 72 hours as required by UK GDPR Article 33, and notify affected individuals where required.
11. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at faizal@designmatix.co.uk and we will delete it.
12. Changes to this notice
We may update this notice from time to time to reflect changes in our practices or legal requirements. The effective date at the top will be updated and material changes will be notified via the Service interface or by email (for waitlist subscribers).
13. Contact
Data protection enquiries:
Email: faizal@designmatix.co.uk
71-75 Shelton Street
Covent Garden
London WC2H 9JQ
United Kingdom
Company number: 12697280
ICO registration number: ZB483460