Privacy policy

Last updated: November 24, 2025

Last Updated: 16 November 2025


This Privacy Policy explains how HeroCAD Ltd. (“HeroCAD”, “we”, “us”, “our”) collects, uses, and protects personal data when you use the HeroCAD platform (the “Platform”).


HeroCAD Ltd. is registered at:

Bromfield Chambers, 38 Radford Street, Stone, England, ST15 8DA


For any privacy-related questions, contact:

josiah@herocad.com

1. Overview & Roles Under GDPR


1.1 HeroCAD as Data Controller


HeroCAD acts as a Data Controller for:

  • account data
  • platform usage data
  • billing and payment information
  • communication preferences
  • marketing preferences


1.2 Labs, Designers & Patient Data


For any design-related data:

  • Labs are the Data Controller for any personal data contained in files or job instructions.
  • HeroCAD and Designers act as Data Processors.


1.3 Absolute Patient Anonymity Requirement


Labs must not upload any Patient Identifiable Information (PII/PHI).

All STL/CAD files must be fully anonymised.


If identifiable patient data is uploaded:

  • the files may be removed
  • the Lab is notified
  • HeroCAD may take compliance action
  • the Lab is fully responsible legally and financially

2. Data We Collect


2.1 Data You Provide

  • Name, email, business details
  • Role (Lab or Designer)
  • Profile and portfolio details
  • Account settings and preferences
  • Web push & email notification preferences
  • Messages sent in the Platform
  • Job postings and job-related content
  • Support requests


2.2 Automatically Collected Data

  • IP address and device data
  • Browser type, OS, device identifiers
  • Log files, activity logs
  • Usage analytics
  • Cookie data (see Cookie Policy below)


2.3 Payment Data (Stripe)


We do not store full card numbers.

Stripe processes:

  • card details
  • billing address
  • payment method tokens


We receive only limited transactional info (e.g., last 4 digits, expiry, status).


2.4 Notification Data (OneSignal)


If notifications are enabled, we share:

  • your email address (email notifications)
  • device/browser ID (push)
  • your opt-in/opt-out status


We never share job files or patient data with OneSignal.

3. How We Use Your Data


3.1 To Operate the Platform


Legal basis: Contract (Art. 6(1)(b)), Legitimate Interests


Includes:

  • account creation
  • matchmaking between Labs & Designers
  • job workflow
  • messaging
  • escrow payments
  • skill ratings and performance stats


3.2 Payments & Billing


Legal basis: Contract, Legal obligation


Via Stripe:

  • payment processing
  • issuing invoices
  • fraud monitoring


3.3 Customer Support


Legal basis: Legitimate interests, Contract


We use your data to:

  • respond to support tickets
  • resolve disputes
  • manage technical issues


3.4 Email & Push Notifications (OneSignal)


Legal basis:

  • Consent (marketing notifications)
  • Legitimate interests (job alerts, operational updates)


Users can enable/disable email & push notifications in their dashboard.

Your choice is sent to OneSignal immediately.


3.5 Platform Improvement & Analytics


Legal basis: Legitimate interests


Includes:

  • usage analytics
  • performance monitoring
  • error reporting


3.6 Marketing Communications


Legal basis: Consent or Legitimate interests


Includes:

  • new features
  • product updates
  • platform insights


You may opt out at any time.


3.7 Security, Fraud Prevention & Enforcement


Legal basis: Legal obligations, Legitimate interests

4. Sharing Your Data


Your personal data may be shared with:


4.1 Other Platform Users


Only where necessary for proper functioning:

  • Labs and Designers see each other’s profile and job-related data.


4.2 Service Providers (Processors)


Including:

  • Stripe (payments)
  • OneSignal (notifications)
  • Hosting providers
  • Email servers
  • Analytics and monitoring tools


All providers are contractually bound to GDPR-compliant processing.


4.3 Regulators & Legal Authorities


Where required by law or to protect our rights.


4.4 Corporate Transactions


If HeroCAD is sold, merged, or acquired.


We never sell your personal data.

5. International Transfers


We may transfer data outside the UK/EEA.

Where we do, we rely on:

  • Adequacy decisions, or
  • Standard Contractual Clauses (SCCs)

6. Data Retention

  • Account data: retained while active
  • Transaction records: 6–7 years (legal requirement)
  • Support communications: as long as reasonably necessary
  • Notification preferences: until updated or account closed
  • Analytics: retained in anonymised form where possible

7. Security


We use appropriate technical and organisational measures including:

  • encryption
  • secure hosting
  • limited internal access
  • audit logging
  • password hashing


You are responsible for securing your login credentials.

8. Your Rights


Under UK GDPR you have the right to:

  • Access your data
  • Correct inaccurate data
  • Request deletion
  • Restrict processing
  • Object to processing
  • Port your data
  • Withdraw consent (for marketing / push)


To exercise your rights, email: josiah@herocad.com


You may also complain to the ICO.

9. Changes to This Policy


We will notify users of any major updates via email or Platform notification.

10. Contact


HeroCAD Ltd.

Bromfield Chambers, 38 Radford Street, Stone, England, ST15 8DA

josiah@herocad.com