Privacy Policy
Effective Date: October 24, 2025
Last Updated: December 26, 2025
Version: 2.1
Overview
At Thirdrez, privacy isn't just a policy—it's a core design principle. We've built our platform to minimize data collection while maximizing your creative freedom.
- We don't collect personal data beyond what's essential
- Authentication is handled by trusted OAuth providers
- Payments are processed entirely by Stripe
- You control your cookies and analytics preferences
- We never sell your data. Period.
1. Information We Collect
1.1 Information We DON'T Collect
Let's start with what we don't store:
| Data Type | Collected? | Notes |
|---|---|---|
| Passwords | ❌ Never | OAuth providers handle authentication |
| Credit card numbers | ❌ Never | Stripe handles all payment data |
| Social security/ID numbers | ❌ Never | Not required for our service |
| Precise location | ❌ Never | Only country for tax compliance |
| Biometric data | ❌ Never | Not applicable |
| Private messages | ❌ Never | We don't have messaging features |
1.2 Information We DO Collect
Account Information
When you create an account via OAuth:
✓ Display name (from OAuth provider)
✓ Email address (for account recovery & notifications)
✓ Profile picture URL (optional, from OAuth provider)
✓ OAuth provider ID (for authentication)
Usage Information
To operate and improve the Service:
✓ Download history (which assets you've downloaded)
✓ Subscription status and plan
✓ Kinetiq Editor usage (features used, not content created)
✓ MotionPrint registrations (hashes only, not file contents)
Technical Information
Automatically collected for security and performance:
✓ IP address (anonymized in analytics)
✓ Browser type and version
✓ Device type (desktop/mobile)
✓ Operating system
✓ Referral source
✓ Page views and interactions
2. How We Use Your Information
2.1 Service Operation
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account authentication | OAuth ID, email | Contract performance |
| Subscription management | Email, plan status | Contract performance |
| Download tracking | Account ID, asset IDs | Contract performance |
| Customer support | Email, usage history | Legitimate interest |
| Security monitoring | IP, technical data | Legitimate interest |
2.2 Communications
We may contact you for:
- Transactional: Order confirmations, receipts, account alerts
- Service: Important updates, security notices, policy changes
- Marketing: New features, promotions (opt-in only)
All marketing emails include an unsubscribe link. Transactional emails cannot be disabled while your account is active.
2.3 Analytics & Improvement
With your consent, we use Google Analytics to understand:
- Which features are most popular
- How users navigate the site
- Performance bottlenecks
- Conversion funnel optimization
We do NOT use analytics for:
- Individual user tracking
- Advertising or ad targeting
- Selling to third parties
3. Authentication & Third-Party Services
3.1 OAuth Providers
We use OAuth for secure, password-less authentication:
| Provider | Data Received | Their Privacy Policy |
|---|---|---|
| Google | Name, email, profile picture | policies.google.com/privacy |
| Discord | Username, email, avatar | discord.com/privacy |
| GitHub | Username, email | docs.github.com/privacy |
When you sign in:
- You're redirected to the provider's login page
- You authorize Thirdrez to access basic profile info
- Provider sends us a token and profile data
- We never see your password
3.2 Payment Processing (Stripe)
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified processor.
What Stripe handles:
- Credit/debit card processing
- Subscription billing
- Invoice generation
- Refund processing
- Fraud detection
What we receive from Stripe:
- Subscription status (active/canceled)
- Plan type
- Last 4 digits of card (for display only)
- Transaction IDs
What we NEVER see:
- Full card numbers
- CVV/security codes
- Bank account details
Stripe Privacy: stripe.com/privacy
3.3 Hosting & Infrastructure
| Service | Purpose | Data Processed |
|---|---|---|
| Vercel | Website hosting | Access logs, edge caching |
| Supabase | Database, auth | User data, application data |
| AWS S3 | File storage | Animation assets |
| Cloudflare | CDN, security | Traffic data, DDoS protection |
All infrastructure providers are GDPR-compliant and maintain appropriate security certifications.
4. Cookies & Tracking
4.1 Cookie Categories
| Category | Purpose | Required? | Examples |
|---|---|---|---|
| Essential | Core functionality | Yes | Session, auth tokens |
| Functional | Preferences | Optional | Theme, language |
| Analytics | Usage statistics | Optional | Google Analytics |
| Marketing | Promotions | No (we don't use) | N/A |
4.2 Essential Cookies
These are required for the Service to function:
// Session management
__session: Maintains your login state
sb-access-token: Supabase authentication
sb-refresh-token: Token refresh
// Security
__cf_bm: Cloudflare bot protection
csrf_token: Cross-site request forgery protection
4.3 Analytics Cookies (Optional)
If you consent to analytics:
// Google Analytics
_ga: Distinguishes users (2 years)
_ga_*: Session state (2 years)
_gid: Distinguishes users (24 hours)
_gat: Throttles request rate (1 minute)
4.4 Managing Cookies
On first visit: A cookie banner lets you accept or decline optional cookies.
Changing preferences:
- Click the cookie icon in the footer
- Adjust your preferences
- Click "Save"
Browser settings: You can also manage cookies in your browser settings, though this may affect site functionality.
5. MotionPrint™ Privacy
5.1 Public Verification (No Account Required)
When you verify a MotionPrint watermark without logging in:
✓ Verification is CLIENT-SIDE ONLY
✓ Your file NEVER leaves your device
✓ We only receive the extracted watermark hash
✓ No personal data is collected
✓ No logs are kept
This is the most privacy-preserving verification method possible.
5.2 Signed Reports (Logged In Users)
When you generate a signed verification report:
What we store:
- Watermark hash (not the file)
- Timestamp of verification
- Your user ID
- Report format requested (JSON/PDF)
What we DON'T store:
- The animation file itself
- File contents or previews
- Metadata from your local filesystem
5.3 Data Retention
| Data Type | Retention Period | Deletion |
|---|---|---|
| Verification logs | 30 days | Automatic |
| Signed reports | Until you delete | On request |
| Registration records | Permanent (blockchain-like) | Cannot delete (integrity) |
MotionPrint registrations are designed to be permanent proof of authorship. Like a blockchain, deleting records would undermine the integrity of the provenance system.
6. Data Security
6.1 Security Measures
We implement industry-standard security:
| Layer | Protection |
|---|---|
| Transport | TLS 1.3 encryption for all connections |
| Storage | AES-256 encryption at rest |
| Authentication | OAuth 2.0, no password storage |
| Access Control | Role-based permissions, MFA for staff |
| Monitoring | 24/7 intrusion detection |
| Backups | Encrypted, geographically distributed |
6.2 Data Breach Response
In the unlikely event of a data breach:
- Within 72 hours: We notify affected users and relevant authorities
- Immediate action: Contain the breach and assess scope
- Transparency: Public disclosure of what happened and remediation steps
- Prevention: Post-incident review and security improvements
7. Your Privacy Rights
7.1 Rights Under GDPR (EU/EEA)
If you're in the European Union or EEA, you have the right to:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Get a copy of your personal data | Email [email protected] |
| Rectification | Correct inaccurate data | Account settings or email us |
| Erasure | Delete your personal data | Account settings → "Delete Account" |
| Portability | Export your data in machine-readable format | Request via email |
| Restriction | Limit how we process your data | Email us with specific request |
| Objection | Object to processing based on legitimate interest | Email us |
| Withdraw Consent | Revoke previously given consent | Cookie settings or email us |
Data Protection Authority: You have the right to lodge a complaint with your local supervisory authority.
7.2 Rights Under CCPA (California)
If you're a California resident, you have the right to:
- Know what personal information we collect
- Delete your personal information
- Opt-out of sale of personal information (we don't sell data)
- Non-discrimination for exercising your rights
Under CCPA, "sale" includes sharing data for advertising. We don't do this. Your data is never sold, shared for ads, or monetized in any way.
7.3 Rights Under LGPD (Brazil)
Under Brazil's Lei Geral de Proteção de Dados:
- Confirmation of data processing
- Access to your data
- Correction of incomplete or inaccurate data
- Anonymization, blocking, or deletion of unnecessary data
- Portability to another service provider
- Deletion of data processed with consent
- Information about sharing with third parties
- Revocation of consent
7.4 Exercising Your Rights
Self-Service:
- Account Settings → Privacy → Download My Data
- Account Settings → Delete Account
Contact Us:
- Email: [email protected]
- Response time: Within 30 days (GDPR) / 45 days (CCPA)
8. International Data Transfers
8.1 Where Data Is Processed
Our infrastructure spans multiple regions:
| Service | Location | Safeguards |
|---|---|---|
| Primary servers | United States | Standard Contractual Clauses |
| CDN edge | Global | GDPR-compliant provider |
| Backups | EU (Germany) | EU data residency |
8.2 Transfer Mechanisms
For transfers outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Privacy Shield successor frameworks where applicable
9. Children's Privacy
9.1 Age Requirements
Thirdrez is not intended for children under 18. We do not knowingly collect personal information from minors.
9.2 Parental Rights
If you believe a child under 18 has provided personal information to us:
- Contact [email protected] immediately
- We will delete the data within 48 hours
- The account will be terminated
10. Data Retention
10.1 Retention Periods
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Until deletion + 90 days | Grace period for recovery |
| Download history | 3 years | License verification |
| Transaction records | 7 years | Tax/legal requirements |
| Analytics data | 26 months | Google Analytics default |
| Support tickets | 2 years | Service improvement |
| Security logs | 1 year | Incident investigation |
10.2 After Account Deletion
When you delete your account:
- Immediately: Account disabled, login blocked
- Within 30 days: Personal data anonymized/deleted
- Within 90 days: Backups purged
- Retained: Anonymized analytics, transaction records (legal requirement)
11. Changes to This Policy
11.1 Notification
We'll notify you of material changes via:
- Email to your registered address
- Prominent banner on the website
- Changelog entry in documentation
11.2 Review
We review this Privacy Policy quarterly and update it as needed for:
- Legal compliance
- New features/services
- Industry best practices
12. Contact Us
12.1 Privacy Inquiries
| Type | Contact | Response Time |
|---|---|---|
| General questions | [email protected] | 48 hours |
| Data requests (GDPR/CCPA) | [email protected] | 30 days |
| Security concerns | [email protected] | 24 hours |
| Legal matters | [email protected] | 5 business days |
12.2 Data Protection Officer
For EU data protection matters:
Data Protection Contact
Email: [email protected]
12.3 Contact Information
Isaías Reis Verdin
Green Cloud
Brazil