ThingSpin — Privacy Policy
Effective Date: March 24, 2026
This Privacy Policy explains how ThingSpin ("we," "us," or "our") collects, uses, discloses, and otherwise processes information when you use the ThingSpin service ("the Service").
This is a beta-period privacy policy. Our data practices may evolve as the Service develops. We will notify you of material changes through the Service.
1. What We Collect
When you use ThingSpin, we collect the following categories of information:
- Prompts and design requests — The text you type to describe what you want to create, including edit requests and follow-up instructions.
- Images you upload — If you upload a photo, sketch, or logo image to the Service, that image is processed to generate or modify a design. Images uploaded for sketch analysis are transmitted to a third-party AI vision provider (see Section 3). Images uploaded for logo vectorization are processed entirely on our servers and are not transmitted to any third party; only the resulting vector graphic (SVG) is retained as part of your design history.
- CAD files you upload — If you upload an existing STL or STEP file as a design source, that file is stored on our servers for the duration of your session and used to generate outputs.
- Generated outputs — The 3D models, design files, and related outputs produced by the Service based on your prompts, including any vector graphics derived from logos you provide.
- Product analytics data — Pages you visit, features you use, and actions you take within the Service (such as which design tools you interact with and which manufacturing options you explore). This data is collected by a third-party analytics provider (see Section 3) and used to understand how the Service is used and to improve it.
- Usage metadata — Service usage data and interaction metadata.
- Device and browser information — IP address, browser type, operating system, and screen resolution (collected automatically via error monitoring and product analytics).
- Error data — Stack traces, error messages, and diagnostic information when something goes wrong.
2. How We Use Your Information
We use the information we collect to:
- Operate the Service — Process your prompts, generate designs, and serve files.
- Debug and fix problems — Investigate errors, reproduce issues, and improve reliability.
- Improve quality — Analyze prompt–output patterns to make the AI design engine better. This includes using your prompts and interactions to improve the Service, as described in our Terms of Service (Section 6).
- Monitor security — Detect and prevent abuse, unauthorized access, and malicious activity.
3. Third-Party Services That Receive Your Data
We use the following third-party services to operate ThingSpin. Your prompts are sent to these services as part of normal operation:
- LLM / AI vision providers — Your prompt text, and any images you upload for sketch analysis, are sent to a third-party AI provider to generate design outputs. Which provider is used may change over time based on model selection and routing. Each provider's handling of API data is governed by their own terms and policies. Images uploaded for logo vectorization are not sent to any third-party AI provider.
- Observability tools — We use third-party observability tools to trace prompt-to-output quality, latency, and cost. Traces include your prompt text.
- Error monitoring — We use a third-party error-monitoring service. Error events may include fragments of prompt text in stack traces. Text displayed on screen is masked in error replays.
- Product analytics — We use PostHog, a third-party product analytics service, to understand how features are used, track page views, and measure engagement. PostHog receives page URLs, interaction events, device type, and browser information. PostHog does not receive your prompt text or design data. PostHog stores a user identifier in your browser's local storage to distinguish returning visitors. See PostHog's privacy policy at posthog.com/privacy.
- Cloud infrastructure — Our infrastructure runs on a US-based cloud provider. Your data is stored in a US datacenter.
4. What We Do Not Do
- We do not sell your personal information to any third party.
- We do not serve advertising or use advertising cookies.
- We do not share your prompts with other users. Your prompts and generated outputs are not visible to or accessible by other users of the Service.
5. When We May Disclose Your Information
We may disclose your information if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, or legal process.
- Respond to lawful requests from public authorities, including law enforcement.
- Protect the rights, safety, or property of ThingSpin, our users, or the public.
- Investigate or prevent fraud, abuse, or security threats.
6. Data Retention
During the beta period:
- Prompts and job data are retained indefinitely in our database. There is no automated purge.
- Generated files are retained indefinitely on our server.
- Logo vector graphics (SVG) derived from images you upload for the logo appliqué feature are embedded in your job's generated design code and retained as part of that job record. The original raster image you uploaded is not retained.
- Sketch and annotation images uploaded for sketch analysis or design editing are retained alongside the associated job record on our server when a design is generated. Images from failed or abandoned analyses are deleted automatically.
- Uploaded CAD files (STL/STEP) are retained on our server for the duration of your session. We may implement automated deletion of uploaded source files in the future.
- Observability traces and error data are retained by their respective third-party providers according to each provider's data retention policies for our plan tier. Exact retention periods may vary as provider policies change.
- Application logs are subject to log rotation on our server.
We may implement automated retention limits in the future. If you want your data deleted sooner, see Section 8.
7. Cookies and Tracking
- We do not use advertising cookies. The Service does not serve ads.
- Product analytics — Our analytics provider (PostHog) stores a randomly generated identifier in your browser's local storage to distinguish returning visitors and measure feature usage. This identifier does not contain personal information and is not shared with advertisers or other third parties. PostHog does not track you across other websites.
- Error monitoring — Our error-monitoring service uses a session identifier to group related errors but does not track you across sites.
- Authentication — If you create an account, our authentication provider may set cookies necessary for login. These are functional, not tracking cookies.
- No other cookies are set by the Service beyond what is required for basic operation.
8. Your Rights
You may:
- Request deletion of your prompts and generated data by emailing contact@thingspin.com. We will delete your data from our primary database and file storage. Please note:
  - Residual copies may persist in encrypted backups until those backups are rotated.
  - Fragments of prompt text may appear in internal error-monitoring events and application logs, which are subject to their own rotation and retention schedules.
  - Data already sent to third-party services (LLM providers, observability and error-monitoring tools) is subject to those services' own retention and deletion policies.
  - We may retain certain data where required by law or to protect against fraud, abuse, or security threats.
- Request a copy of the data we hold about you by emailing contact@thingspin.com.
Because the Service currently operates without user accounts, we may ask you to provide information (such as the approximate time and content of your prompts) to help us locate your data.
We will respond to requests within 30 days.
9. Security
We use industry-standard technical and organizational measures to protect your information, including:
- Encryption in transit (HTTPS/TLS) for all connections to the Service.
- Restricted infrastructure access protected by authentication and multi-factor verification.
- Isolation of AI-generated processes from production systems.
The Service currently operates without user accounts, so no passwords or login credentials are stored. No security measures are perfect, and we cannot guarantee absolute security of your information.
10. Important Warnings
Do not submit passwords, API keys, secrets, regulated data (such as health or financial records), or highly sensitive personal information through the Service. Prompts and any images you upload for sketch analysis are stored in our database and sent to third-party AI providers. We cannot guarantee the confidentiality of prompt or image content beyond the measures described in this policy.
11. Children
The Service is intended for users who are at least 18 years old, as described in our Terms of Service. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at contact@thingspin.com and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page. If we make material changes, we will notify you through the Service or by other reasonable means. Where required by applicable law, we will obtain your consent or provide additional notice before making changes that materially affect how we process your information.
13. Contact
For questions about this Privacy Policy or to exercise your rights, contact us at: contact@thingspin.com