Privacy Policy

This Privacy Policy describes how MetalCutHQ(“we”, “us”) collects, uses, and protects your information when you use the MetalCutHQ website and platform.

We operate from Squamish, British Columbia, Canada, and we follow the Personal Information Protection and Electronic Documents Act (PIPEDA). This policy is written in plain English and grounded in the data our product actually handles — not boilerplate.

When you use MetalCutHQ, we collect:

• Account information — your name, email address, and a hashed password (we never see your plain-text password). Password hashing is handled by our authentication provider (Supabase).
• Shop information (if you run a shop) — shop name, public URL slug, logo URL, materials, services, finishes, pricing rules, and tax / delivery settings you configure.
• Project and assembly data — the names, statuses, and configurations of the projects you create.
• CAD files — STEP, STP, and DXF files you upload, stored in a private Supabase Storage bucket.
• Parsed geometry — derived attributes our browser parser extracts from your files: area, perimeter, bends, holes, bounding box, thickness. Stored as structured data alongside your project.
• Order data — quotes, price snapshots, order line items, statuses, delivery addresses, and any notes or messages you add.
• Messaging— the content of messages you exchange through the Platform's built-in messaging with a Shop (or with a customer, if you're a Shop).
• Contact form submissions — if you submit the Contact or Enquire forms on our marketing pages, we store the fields you provided.

What we do not collect: we do not run analytics, ad tracking, session recording, or fingerprinting on our site. We do not store your IP address or user-agent string from contact form submissions.

We use the information we collect to:

• Operate the Platform — create and authenticate accounts, render your projects, compute quotes, and process orders.
• Enable communication between you and a Shop (or a customer).
• Respond to contact or enquiry form submissions.
• Comply with legal obligations, including tax and record-keeping requirements for completed transactions.
• Protect the Platform and our Users — detect fraud, abuse, and security incidents.

We do not sell your information, we do not use it to train AI models, and we do not share it with third parties for advertising.

CAD files warrant their own section because they're the most sensitive thing you upload.

• Parsed in the browser. Your STEP / DXF geometry is extracted in your browser using a WASM parser. The raw file is uploaded to our private storage, but initial geometry extraction never leaves your device.
• Stored privately.Files live in a Supabase Storage bucket, partitioned by shop and user, with row-level security policies that restrict access to (i) you and (ii) the Shop you're actively quoting or ordering from.
• Access is signed. Downloads happen through short-lived signed URLs, not public links. There is no public CAD-file endpoint.
• No third-party processing. Your files are not sent to any external CAD service, AI model, or third-party processor.
• You can delete them. Deleting a part removes the file from storage.

We keep this list deliberately short. As of the date above, MetalCutHQ relies on:

• Supabase — managed PostgreSQL database, authentication, file storage, and realtime messaging infrastructure. Supabase acts as our data processor.
• Resend — transactional email delivery for contact and enquiry form notifications sent to our team.

We do not use: third-party analytics, ad networks, session recording, customer data platforms, or AI APIs that receive your content.

We keep your data as long as we need it to run the Platform and to meet legal obligations.

• Account data — until you ask us to delete it, or after a prolonged period of inactivity.
• Orders and invoices — kept for at least six (6) years after the transaction, to comply with Canadian tax and record-keeping rules.
• CAD files — kept while they are part of an active project or order. When you delete a part, the associated file is removed from storage.
• Contact form submissions — kept for up to two years unless we need them longer for an ongoing conversation.

If you're in Canada, PIPEDA gives you the right to:

• Know what personal information we hold about you and how we use it.
• Access a copy of that information.
• Correct information that is inaccurate or incomplete.
• Withdraw consent for uses that are not strictly necessary to run the Platform (noting that some withdrawals may require us to close your account).
• File a complaint with us — and, if unresolved, with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, email info@metalcuthq.com. We'll respond within 30 days.

We take reasonable technical and organizational measures to protect your information, including:

• Row-level security (RLS) — database policies enforced at the Postgres layer that restrict every query to the data the requesting User is entitled to see.
• Encryption in transit — HTTPS/TLS for all Platform traffic.
• Encryption at rest — database and storage encryption provided by our infrastructure provider.
• Password hashing — passwords are hashed by our authentication provider; we never store or log plain-text passwords.
• Service-role isolation — privileged database operations run only from trusted server code, never from the browser.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at info@metalcuthq.com.

MetalCutHQ is intended for business users. We don't knowingly collect personal information from anyone under 18. If you believe a minor has provided us with information, please contact us and we'll delete it.

Our infrastructure provider (Supabase) operates in data centres outside Canada; your information may be processed in jurisdictions other than where you live. Where this happens, we rely on contractual and technical safeguards to protect your information in line with PIPEDA standards.

We may update this Privacy Policy from time to time. When we do, we'll update the “Last updated” date above. For material changes, we'll give active Users reasonable notice before the change takes effect.

Questions about this policy, or want to exercise a privacy right? Reach us at info@metalcuthq.com, or by mail at MetalCutHQ, Squamish, British Columbia, Canada.