Data Protection & GDPR — ARC3D™

1. About This Policy

This Data Protection Policy explains how HSAN Studios (trading as "HSAN Studios — a Private Limited Company") processes personal data in connection with the ARC3D™ architectural design software and the website at hsan-studios.com.

This policy is written in accordance with:

The UK General Data Protection Regulation (UK GDPR), retained from EU Regulation 2016/679
The Data Protection Act 2018 (DPA 2018)
Guidance from the Information Commissioner's Office (ICO)

By creating an account or using ARC3D™, you acknowledge that you have read and understood this policy.

2. Data Controller

The data controller responsible for your personal data is:

HSAN Studios

45 Merefield Street, Rochdale, OL11 3RH

United Kingdom

Email: support@hsan-studios.com

Website: hsan-studios.com

If you have any questions about how your personal data is handled, please contact us at the above address.

3. Lawful Basis for Processing

Under Article 6 of the UK GDPR, we process personal data on the following lawful bases:

Purpose	Lawful Basis	GDPR Article
Account creation & authentication	Performance of a contract	Art. 6(1)(b)
Processing payments & purchases	Performance of a contract	Art. 6(1)(b)
Cloud project storage & sync	Performance of a contract	Art. 6(1)(b)
Customer support	Legitimate interest	Art. 6(1)(f)
Security & fraud prevention	Legitimate interest	Art. 6(1)(f)
Legal compliance (financial records)	Legal obligation	Art. 6(1)(c)

We do not rely on consent as a lawful basis for any core data processing. Where consent is used (e.g., optional marketing emails in the future), it will be freely given, specific, informed, and withdrawable at any time.

4. Personal Data We Collect

4.1 Account Data

Data	Purpose	Storage
Full name	Account profile, correspondence	Server + local
Email address	Login, email confirmation, support	Server + local
Password	Authentication	Server (bcrypt hash), local (SHA-256 hash)
Phone number (optional)	Profile, contact	Server only
Company name (optional)	Profile	Server only

            We never store your password in plain text. Server-side passwords are hashed with bcrypt (adaptive cost factor). Local passwords are hashed with SHA-256 via the Web Crypto API.
        

4.2 Payment Data

Data	Purpose	Storage
Last 4 digits of card number	Display reference only	Server + local
Card expiry date	Display reference only	Server + local
Cardholder name (hashed)	Verification reference	Server + local
PayPal email (if chosen)	Payment processing	Server + local
Purchase records	Transaction history, invoices	Server + local

            We do not store full card numbers, CVV/CVC codes, or PIN numbers. Actual payment processing is handled by external payment processors (PayPal). We only retain a receipt-level summary.
        

4.3 Project Data

Data	Purpose	Storage
Project files (JSON)	Saving architectural designs	Local IndexedDB + cloud (if logged in)
Project metadata	Name, type, description, address	Local IndexedDB + cloud
Thumbnails (PNG)	Project preview images	Local IndexedDB + cloud

Project data may contain addresses and client contact details that you enter. This data is only stored for your use and is not accessed by HSAN Studios unless you explicitly share it with us for support purposes.

4.4 Technical Data

We may automatically collect:

IP address (server access logs, retained for security)
Browser type and version (error diagnostics)
Timestamp of server requests

We do not use analytics services, advertising trackers, or fingerprinting technologies.

5. How We Use Your Data

We use your personal data exclusively for the following purposes:

Authentication — verifying your identity when you log in
Account management — profile updates, password changes, account deletion
Payment processing — recording purchases, managing subscriptions
Cloud synchronisation — storing and retrieving your project files across devices
Customer support — responding to your enquiries
Security — rate limiting, fraud prevention, breach detection

We do not:

Sell, rent, or trade your personal data
Use your data for automated decision-making or profiling
Send unsolicited marketing emails
Share your project files with any third party

6. Data Storage & Security

6.1 Local Storage (Your Device)

Account data and projects are stored in your browser's IndexedDB and localStorage
This data exists only on your device and is not transmitted unless cloud sync is active
Clearing your browser data will permanently delete local data

6.2 Cloud Server

When you log in, account and project data is transmitted over HTTPS (TLS encryption in transit)
Server data is stored in MongoDB with access restricted by JWT authentication
Passwords are hashed with bcrypt (minimum cost factor 10)
API endpoints are protected by rate limiting and Helmet.js security headers
Database access requires authentication; no public read/write endpoints exist

6.3 Security Measures

Measure	Implementation
Encryption in transit	HTTPS / TLS for all server communication
Password hashing	bcrypt (server), SHA-256 (local)
Authentication tokens	JWT with expiration, stored in localStorage
Rate limiting	20 auth attempts / 15 min; 100 general requests / 15 min
Security headers	Helmet.js (CSP, HSTS, X-Frame-Options, etc.)
CORS	Restricted to allowed origins only
Input validation	Server-side validation on all endpoints
No raw credentials stored	Full card numbers and CVV never stored

7. Cloud Synchronisation

ARC3D™ offers optional cloud synchronisation to allow you to access your projects from any device:

When active: project data is transmitted to our server over HTTPS and linked to your authenticated account
When offline: all data remains local in IndexedDB; the application works fully offline
Fallback: if the server is unreachable, local storage is used automatically

Cloud sync is triggered when you save a project while logged in. You can delete individual cloud projects at any time from the Project Database panel, or delete your entire account (which removes all cloud data) via the Dashboard.

8. Data Sharing & Third Parties

We do not share your personal data with any third parties except in the following limited circumstances:

Payment processors — PayPal processes payments on our behalf under their own privacy policy. We do not send them your ARC3D™ account data, only the transaction amount.
Legal requirements — if required by law, regulation, or valid legal process (e.g., a court order), we may disclose data to the relevant UK authority.
Infrastructure providers — our server hosting provider processes data on our behalf under a data processing agreement. They do not have independent access to your data.

We do not use:

Google Analytics or any analytics platform
Advertising or retargeting networks
Social media tracking pixels
Any AI/ML training on your data

9. International Data Transfers

Your data is primarily processed and stored in the United Kingdom. If data is transferred outside the UK (e.g., if using a cloud hosting provider with international data centres), we ensure that:

The receiving country provides an adequate level of data protection as recognised by the UK Secretary of State, or
Appropriate safeguards are in place, such as Standard Contractual Clauses (UK International Data Transfer Agreement) or binding corporate rules

You may contact us for details on the specific safeguards applied to any international transfer.

10. Data Retention

Data Category	Retention Period
Account data	Until you delete your account
Cloud project files	Until you delete the project or your account
Local project files	Until you clear browser data or delete them
Purchase records	6 years from transaction date (HMRC requirement)
Server access logs (IP, timestamp)	90 days, then automatically purged
Support correspondence	2 years from last contact, or until deletion requested

When you delete your account, all personal data (name, email, password hash, payment methods, cloud projects) is permanently removed from our servers. Purchase records may be retained in anonymised form for financial reporting as required by UK law (HMRC).

11. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights:

Right	Description	How to Exercise
Access (Art. 15)	Obtain a copy of all personal data we hold about you	Email support@hsan-studios.com or view in your Dashboard
Rectification (Art. 16)	Correct inaccurate or incomplete data	Update via your Dashboard profile settings
Erasure (Art. 17)	Request deletion of your personal data ("right to be forgotten")	Delete account via Dashboard "Danger Zone" or email us
Restriction (Art. 18)	Request we limit processing of your data	Email support@hsan-studios.com
Portability (Art. 20)	Receive your data in a structured, machine-readable format	Export projects as .ark (JSON) files; email us for account data export
Objection (Art. 21)	Object to processing based on legitimate interest	Email support@hsan-studios.com
Withdraw consent (Art. 7)	Withdraw consent at any time (where consent is the lawful basis)	Email support@hsan-studios.com

            Response time: We will respond to all data subject requests within one calendar month of receipt, as required by UK GDPR Art. 12(3). If the request is complex, we may extend this by a further two months with notification.
        

To verify your identity for a data subject request, we may ask you to confirm your email address and provide additional identifying information. We will not charge a fee for reasonable requests.

12. Cookies & Local Storage

ARC3D™ does not use cookies for tracking, advertising, or analytics.

We use the following browser storage mechanisms for essential functionality only:

Storage	Purpose	Type
localStorage: `arc3d_auth_token`	JWT session token for authenticated API calls	Strictly necessary
localStorage: `arc3d_server_url`	Custom server URL (if configured)	Strictly necessary
localStorage: `userSession`	Current login session data	Strictly necessary
localStorage: `cadModelerAutoSave`	Emergency auto-save of current project	Strictly necessary
IndexedDB: `ARC3D_UserDB`	Local user accounts, payment methods, purchases	Strictly necessary
IndexedDB: `ARC3D™ProjectsDB`	Saved project files and thumbnails	Strictly necessary

Under the Privacy and Electronic Communications Regulations 2003 (PECR), strictly necessary storage does not require consent. These storage items are essential for the software to function and are never used for tracking.

13. Children's Data

ARC3D™ is professional architectural design software and is not directed at children under the age of 16.

We do not knowingly collect personal data from anyone under 16. If we become aware that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact support@hsan-studios.com.

14. Data Breach Procedures

In the event of a personal data breach, HSAN Studios will:

Assess the breach within 24 hours of discovery to determine its scope and severity
Notify the ICO within 72 hours of becoming aware of the breach, if it is likely to result in a risk to the rights and freedoms of individuals (UK GDPR Art. 33)
Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (UK GDPR Art. 34)
Document the breach, its effects, and the remedial actions taken in our internal breach register
Remediate by fixing the vulnerability, rotating affected credentials, and implementing additional safeguards

15. Changes to This Policy

We may update this Data Protection Policy from time to time to reflect changes in our practices, technology, or legal requirements.

Material changes will be communicated via the website, in-app notification, or email
The "Last updated" date at the top of this page will always reflect the most recent revision
Continued use of ARC3D™ after a policy update constitutes acceptance of the revised policy

We encourage you to review this policy periodically.

16. Complaints & Contact

If you have any questions, concerns, or complaints about how your data is handled, you can contact us:

HSAN Studios — Data Protection

45 Merefield Street, Rochdale, OL11 3RH, United Kingdom