Privacy Policy

1. Definitions and Interpretation

Data: Collectively all information that you submit to FabDigit, Inc. via the Website. This definition incorporates, where applicable, the definitions provided in relevant Data Protection Laws.

Cookies: A small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website.

Data Protection Laws: Any applicable U.S. federal or state law relating to the processing of personal Data, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act, the Delaware Personal Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Data Privacy Act, the Tennessee Information Protection Act, the Minnesota Consumer Data Privacy Act, the Maryland Online Data Privacy Act, and any successor or similar legislation.

Authentication Data: Data we generate or receive in connection with creating, securing, and maintaining your account. Includes, but is not limited to, hashed passwords (we never store passwords in plaintext), session tokens, OAuth tokens received from Google when you choose to sign in with Google, the email address verification status of your account, and the IP addresses and timestamps associated with login events.

FabDigit, Inc., "we" or "us": FabDigit, Inc., a company incorporated in California, with a registered office at 11501 Dublin Blvd Ste 200, Dublin, CA 94568, USA.

User or you: Any third party that accesses the Website and is not either (i) employed by FabDigit, Inc. and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to FabDigit, Inc.

Website: The website that you are currently using, https://fabdigit.com, and any sub-domains of this site unless expressly excluded by their own terms and conditions.

2. Scope of this Privacy Policy

This Privacy Policy applies only to the actions of FabDigit, Inc. and Users with respect to this Website and our manufacturing services. It does not extend to any websites or services that can be accessed from this Website including, but not limited to, any links we may provide to social media websites or to Google's authentication services.

3. Data We Collect

We may collect the following Data, which includes personal Data:

• Contact Information: Name, email address, telephone number;
• Business Information: Company name, job title, shipping and billing addresses;
• Technical Specifications: CAD files, 2D drawings, designs, tolerances, finishes, quantities, and other project requirements you submit through the Website;
• Order and Communications History: Quotes you have requested, orders you have placed, messages exchanged with our team, and uploaded attachments;
• Payment Information: Billing details processed through our payment processor (currently Stripe). We do not store full credit card numbers on our servers;
• Authentication Data: Hashed passwords, session tokens, OAuth tokens received from Google, email-verification status, and login IP addresses with timestamps;
• Device and Usage Data: IP address, web browser type and version, operating system, device type, referring pages, pages visited within the Website, and timestamps — collected automatically through cookies and server logs.

4. How We Collect Data

We collect Data in the following ways:

Data given to us by you: Through web forms, account registration, quote and order submissions, file uploads, or direct communication (email or phone).

Data received via Google Sign-In: When you choose to sign in or sign up with Google, Google shares limited profile information with us. The exact scope is described in Section 6 below.

Data collected from third parties: From trusted business partners or public directories (for example, LinkedIn or corporate registries) for business-development purposes, and from our payment processor for transaction reconciliation.

Data collected automatically: Via Cookies, server logs, and web-tracking technology as you navigate the Website.

5. How We Use Data

We use Data only for the purposes described below. We distinguish two categories of use because the legal and ethical considerations differ:

5.1 Uses of individually-identifiable Data (data linked to you or your organization)

We use individually-identifiable Data for these specific, customer-facing purposes:

• Internal record keeping and fulfillment of the contract you have placed with us;
• Authenticating your identity, securing your account, and detecting fraudulent or unauthorized activity;
• Generating quotes, processing orders, coordinating with manufacturing partners, and shipping finished goods;
• Sending transactional communications about your account and your orders;
• Sending marketing emails about products and services that may interest you, in compliance with the U.S. CAN-SPAM Act. Every marketing email contains a one-click unsubscribe link;
• Conducting targeted advertising on third-party platforms (for example, Google Ads or LinkedIn). Under California and several other state privacy laws this constitutes "sharing" your Data; you have the right to opt out — see Section 10;
• Complying with applicable law, regulation, court order, or lawful request of a public authority, and enforcing our Terms and Conditions and other legal rights.

Except for the purposes listed above, and except where you give us separate, explicit, affirmative consent (e.g. under Section 13 below), we do not use your individually- identifiable Data, your CAD files, or your specifications for any other purpose. In particular, we do not use individually-identifiable Data to train, fine-tune, or evaluate AI or machine-learning models, and we do not use it to develop products that compete with yours.

5.2 Uses of aggregated and de-identified information

Separately from the uses above, we may produce and use aggregated and de-identified information derived from many users' activity to operate, secure, and improve the Website and our Services. For example, we may compute and analyze:

• anonymous statistics about quote response times, order throughput, or page-level interaction;
• aggregate manufacturing-process selection patterns (e.g. "X% of orders this month selected anodizing") and tolerance-feasibility distributions; and
• security and operational telemetry about login patterns, error rates, and infrastructure health.

Information is "aggregated and de-identified" for the purposes of this Section only when it has been processed so that it can no longer reasonably be used, alone or in combination with other available information, to identify you or your organization. We commit not to attempt to re-identify aggregated data and to require third parties who receive aggregated data from us to make the same commitment. Our use of aggregated and de-identified information is the only kind of "service improvement" use covered by Section 9.5 of our Terms and Conditions; any use of individually-identifiable Data for AI/ML training requires your separate opt-in under Section 13.

6. Authentication via Google Sign-In

FabDigit offers, as a convenience, the ability to create an account or sign in using your Google account. When you choose this option, you authorize Google to share with us the following data, limited to the OAuth scopes openid, email, and profile:

• Your email address, and whether Google has verified ownership of that address;
• Your basic profile information: first name, last name, profile picture URL, and Google account ID;
• The locale or language preference associated with your Google account.

We use this information solely to:

• Create or identify your FabDigit account;
• Pre-fill your name and email on your profile;
• Authenticate you on subsequent visits.

What we do NOT do: We do not receive your Google password, your Gmail content, your Google Drive files, your contacts, or any other Google data outside the scopes listed above. We do not use Google user data for advertising. We do not sell Google user data to third parties. We do not use Google user data to train AI or machine-learning models.

Google's processing of your data during the sign-in flow is governed by Google's own Privacy Policy at https://policies.google.com/privacy. You can revoke FabDigit's access to your Google account at any time at https://myaccount.google.com/permissions.

7. Who We Share Data With

We may share your Data with the following groups for the following reasons:

Manufacturing Partners: Strictly the technical specifications and delivery information necessary to obtain quotes and fulfill your orders. Manufacturing partners are contractually bound to confidentiality obligations no less restrictive than those imposed on us under our Terms and Conditions.

Service Providers: Third-party vendors that perform services on our behalf, including our payment processor (Stripe), email-delivery provider (Amazon SES), cloud-hosting provider (AWS), authentication identity provider (Google for Sign-In), logistics carriers, and IT-support providers. These vendors may only use your Data to provide their services to us.

Analytics and Product-Improvement Providers: Subject to your consent through our cookie banner, we share limited Device and Usage Data (defined in Section 3) with the following analytics providers so we can understand how the Website is used and improve it. We do not share your name, email address, password, CAD files, technical specifications, order history, or payment information with any of these providers.

• Google Analytics 4 (Google LLC) — page-view counts, session duration, traffic source, conversion events, and the pseudonymous identifier described in Section 14. IP addresses are processed for geolocation and then truncated. Google's processing is governed by Google's Privacy Policy.
• PostHog Cloud (PostHog, Inc., hosted in the United States) — funnel analytics, custom event capture, and user-level cohort analysis using the same pseudonymous account identifier we send to Google Analytics. Session recordings on PostHog are disabled in our configuration. PostHog's processing is governed by PostHog's Privacy Policy.
• Microsoft Clarity (Microsoft Corporation) — session replay, click heatmaps, and scroll heatmaps. Clarity records a video-style reconstruction of how users interact with the Website (mouse movements, clicks, scroll positions, and viewport changes). We rely on Clarity's default content masking to redact text inputs, passwords, and form values from those reconstructions, but you should assume that any text you paste into a non-input area of the page may be visible. Clarity's processing is governed by the Microsoft Privacy Statement.

None of these analytics providers loads its scripts or sets its cookies until you explicitly accept the cookie banner. If you decline the banner, or before you make a choice, no data flows to any of them. You can change your choice at any time by clearing your browser's site data for fabdigit.com — the banner will reappear on your next visit.

Advertising Partners: Where you have not opted out, we may share limited Data with advertising platforms (for example, Google Ads or LinkedIn) to deliver targeted advertising.

Legal and Regulatory Authorities: Where required to comply with legal obligations, respond to lawful requests (such as subpoenas or court orders), enforce our Terms and Conditions, or protect the rights, property, or safety of FabDigit, Inc., our Users, or others.

Business Transfers: In the event of a merger, acquisition, financing, reorganization, or sale of assets, your Data may be transferred to the successor entity, subject to a commitment that such successor will honor this Privacy Policy or provide notice and choice as required by applicable law.

We do not sell your personal information for monetary consideration.

8. Data Security

We use industry-standard technical and organizational measures to safeguard your Data, including encryption of data in transit (TLS), encryption at rest for sensitive data, hashed password storage (passwords are never stored in plaintext), least- privilege access controls for employees and contractors, and secure third-party processors for payment information.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Data, we cannot guarantee its absolute security. If we become aware of a security incident affecting your Data, we will notify you in accordance with applicable law.

9. Data Retention

We retain Data only as long as is reasonably necessary to fulfill the purposes for which it was collected, to comply with legal, tax, or regulatory requirements, to resolve disputes, and to enforce our agreements. Specifically:

• Account Data (name, email, hashed password, login history): for the lifetime of your account, plus 30 days after deletion to complete account-closure operations and respond to any final disputes.
• Quote and Order Records (including uploaded CAD files, 2D drawings, BOMs, and invoices): for 7 years from the date of the quote or order, to comply with U.S. tax- record-keeping rules and California / multi-state statutes of limitation on commercial contracts.
• Payment Information: Tokenized identifiers from our payment processor for 7 years; no full payment-card numbers are retained on our systems.
• Authentication Tokens (session tokens, Google OAuth refresh tokens): until you sign out, until the token naturally expires, or until you revoke access — whichever occurs first.
• Server and Security Logs (IP addresses, user- agent strings, request paths): 90 days, then automatically purged.
• Marketing Communications Records (opt-in status, opt-out timestamps): for as long as you have an account with us, plus 3 years after account closure to honor your opt-out preferences should you re-engage with us.

After the applicable retention period, Data is either deleted or anonymized so that it can no longer be associated with you.

Aggregated and de-identified information. We may retain aggregated and de-identified information derived from your activity (as described in Section 5.2) for as long as we have a legitimate business interest in doing so, and without time limit, because such information no longer identifies you. Your individual rights under Section 10 do not apply to information that has been so aggregated or de-identified, except as required by applicable law.

10. Your Privacy Rights

10.1 Baseline Rights (All Users)

Regardless of where you reside, FabDigit recognises the following rights with respect to Data we hold about you:

• Right to Access: Request a copy of the personal Data we hold about you.
• Right to Correct: Have inaccurate or incomplete Data rectified.
• Right to Delete: Request that we delete your Data, subject to legal-retention requirements (e.g. tax records).
• Right to Opt Out of Marketing: Unsubscribe from marketing emails at any time via the link in every marketing email, or by emailing privacy@fabdigit.com.
• Right to Non-Discrimination: We will not deny you service, charge you a different price, or provide a different level of service because you exercised any of these rights.
• Right to Appeal: If we decline a request, you may appeal by replying to our denial email. We will respond to appeals within 60 days.

10.2 California Residents (CCPA / CPRA)

In addition to the baseline rights above, California residents have:

• Right to Know the specific pieces of personal information we have collected about you in the past 12 months.
• Right to Opt Out of "Sale" or "Sharing" of personal information for cross- context behavioral advertising. We honor opt-outs submitted via:
  • The "Your Privacy Choices" link in our footer;
  • Browser-level Global Privacy Control (GPC) signals, which we treat as a valid opt-out request from the corresponding browser;
  • Direct request to privacy@fabdigit.com.
• Right to Limit Use of Sensitive Personal Information (see Section 12).
• Right to Data Portability in a structured, commonly-used, machine-readable format.
• Authorized Agents: California residents may designate an authorized agent to make requests on their behalf. We will require the agent to provide written proof of authorization (notarized power of attorney) and may verify the request directly with you.
• Disclosure regarding past 12 months: In the past 12 months, we have shared Identifiers and Internet Activity Information with advertising partners for cross-context behavioral advertising. We have not sold personal information for monetary consideration.

10.3 Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland

If you reside in any of these states, you have rights substantially similar to the baseline rights in Section 10.1, and additionally:

• Right to Opt Out of Targeted Advertising and of profiling that produces legal or similarly significant effects;
• Right to Data Portability where granted by your state's law;
• Right to Appeal a denied request within 60 days, with a written response from us within an additional 60 days.

10.4 How to Exercise Your Rights

To exercise any of these rights, email privacy@fabdigit.com from the email address associated with your FabDigit account (or, if you do not have an account, the address you used to communicate with us). We will verify your identity through the account email and, if needed, through additional confirmation.

We aim to respond to verified requests within 45 days. We may extend this period by an additional 45 days where reasonably necessary; if we do, we will notify you of the extension and the reason.

11. Children's Privacy

This Website is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 in violation of the U.S. Children's Online Privacy Protection Act (COPPA). If you believe that a child under 13 has provided us with personal information, please contact privacy@fabdigit.com so we can promptly delete it.

12. Sensitive Personal Information

FabDigit does not collect or process "sensitive personal information" (as defined under California and similar state privacy laws) in the ordinary course of business. Specifically, we do not collect government-issued identifiers (other than tax-resale certificates you voluntarily submit for sales-tax exemption), precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, biometric data, or information concerning health.

We do not use or disclose sensitive personal information to infer characteristics about you. To the extent any such data is incidentally received by us, you have the right to limit its use; contact privacy@fabdigit.com.

13. AI, Machine Learning, and Customer Designs

We do not currently use customer-uploaded designs, technical specifications, or personal Data to train, fine-tune, or otherwise develop artificial-intelligence or machine-learning models. Aggregated, de-identified information (such as anonymous statistics about quote response times) may be used to improve our Website and quoting tools, but no individually-identifiable design or customer record is used for model training.

14. Cookies and Tracking Technologies

This Website uses Cookies to provide and improve your experience.

Strictly Necessary: Required for the operation of the Website (for example, to keep you signed in or to preserve your shopping cart). These cannot be disabled while using the site.

Analytical / Performance: Allow us to recognise and count visitors and see how they move around the site so we can improve it. These technologies are off by default, do not run on first visit, and do not run at all unless you affirmatively click Accept on the consent banner that appears the first time you visit the Website. Specifically, this category includes:

• Google Analytics 4 sets the cookies _ga and _ga_<property-id> to distinguish users and sessions. Lifetime: up to 2 years.
• PostHog Cloud sets a first-party identifier cookie (ph_<project-id>_posthog) and additional helper cookies for session continuity. Lifetime: up to 1 year.
• Microsoft Clarity sets the cookies _clck and _clsk to associate recorded session segments with the same anonymous visitor. Lifetime: up to 1 year (_clck) and 1 day (_clsk).

Functionality: Used to remember your preferences and provide enhanced features (for example, the sidebar collapsed state and your analytics-consent choice itself, which is stored in your browser's localStorage). These do not transmit data to third parties.

Targeting / Advertising: We do not currently set targeting or advertising cookies of our own. If we add a retargeting vendor in the future, this Privacy Policy will be updated under the material-change procedure in Section 16, and the consent banner will require a new affirmative opt-in. Under California and several other state privacy laws, sharing data with such a vendor would constitute "sharing"; you would be entitled to opt out as described in Section 10.2.

Session replay (Microsoft Clarity). Within the Analytical / Performance category above, Microsoft Clarity additionally records a video-style reconstruction of your interactions with the Website (mouse movements, clicks, scrolls, and viewport changes). We rely on Clarity's default content-masking behavior to redact text input fields (including passwords, payment fields, and address fields), but because session replay is a higher-sensitivity category than ordinary page-view analytics, the consent banner's disclosure language calls Clarity out separately. Declining the banner disables session replay along with all other third-party analytics.

Withdrawing consent. Your consent choice is persisted in your browser's localStorage under the key fabdigit:analytics-consent. To withdraw consent after you have accepted, clear localStorage / site data for fabdigit.com in your browser settings; the banner will reappear on your next visit, and you may decline. To withdraw consent without clearing your browser, email privacy@fabdigit.com and we will additionally suppress your account from analytics ingestion.

Global Privacy Control (GPC): If your browser sends a Global Privacy Control signal, we treat that signal as a valid opt-out of "sale" and "sharing" for that browser. This replaces the older, now-deprecated "Do Not Track" signal.

15. International Transfers

FabDigit is based in the United States, and our infrastructure is hosted in the United States. We may transfer, store, and process your Data in countries outside of the United States where our manufacturing partners are located. We require those partners to protect your Data through appropriate contractual safeguards.

We do not currently target customers in the European Union or the United Kingdom; if you nonetheless choose to use our services from those regions, you do so on your own initiative and at your own risk regarding cross-border transfers. If you have concerns about how your Data is handled in connection with an international transfer, contact privacy@fabdigit.com.

16. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time. We distinguish between two categories of changes:

Minor changes (typo corrections, clarifications of existing language, contact information updates): take effect immediately upon posting. The "Last Updated" date at the top of this page will be revised.

Material changes (new categories of Data collected, new purposes of use, new categories of third-party recipients, changes that narrow your rights, or any decision to use Data for AI/ML training): we will give you at least 30 days' advance notice by email to the address on file and via a banner on the Website. For material changes that involve new uses of personal Data, we will require you to actively re-accept the updated Policy on your next sign-in. Your previously-submitted Data will continue to be governed by the version of this Policy in effect at the time you submitted it, unless you separately consent to the new use.

17. General Provisions

California Governing Law: This Privacy Policy is governed by and interpreted according to the laws of the State of California, without regard to its conflict-of-laws principles. Any disputes arising under this Policy are subject to Section 17 (Dispute Resolution) of our Terms and Conditions.

Severability: If any provision of this Privacy Policy is held by a court of competent jurisdiction to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

Contact Us

FabDigit, Inc.
11501 Dublin Blvd Ste 200, Dublin, CA 94568, USA.
Privacy questions and requests: privacy@fabdigit.com
General inquiries: support@fabdigit.com