HOW WE HANDLE
YOUR DATA.

Who we are

Maelo is operated by Maelo Design, a trading name based in the Netherlands. When this policy refers to "Maelo", "we", "our" or "us", it means Maelo Design. When it refers to "you" or "your", it means the person accessing or using our service.

We are the data controller for personal data collected through maelo.app and any related services.

What we collect

Account data — when you register: your email address, hashed password, and optional brand name, logo, website, contact email, and business details you choose to enter in your profile.

Project data — the tech packs, pattern specs, measurements, colorways and other content you create and save within Maelo. This data belongs to you and is stored on our servers only to provide the service.

Usage data — pages visited, features used, export events, and error reports. We collect this to understand how the product is used and to fix bugs.

Device data — browser type, operating system, IP address, and approximate location (country/city level). We use this for security, fraud prevention, and aggregate analytics.

Why we collect it

To run the product — providing the tech pack generator, saving your projects, generating PDFs, and maintaining your account requires processing your data.

To bill you — if you purchase credits or a subscription, we pass payment details to our payment processor (Stripe). We do not store full card numbers.

To support you — when you contact us with a question or report a bug, we need your account information and the relevant project data to help you.

To improve the service — aggregate usage data helps us understand which features are used, which are broken, and what to build next. We never sell individual usage data.

Legal basis under GDPR: contract performance (running the service you signed up for), legitimate interests (security, fraud prevention, product improvement), and legal obligation where applicable.

Who we share it with

Hosting infrastructure — our servers run on Railway and Vercel, both operating EU-region data centres. Your data is stored and processed within the EU.

Payment processing — Stripe processes payment card data on our behalf. Stripe is PCI-DSS compliant. We receive only a token and a summary of the transaction.

Transactional email — we use a third-party email provider to send account confirmation, password reset, and invoice emails. No marketing emails are sent without explicit opt-in.

Error tracking — we use an error monitoring service to capture crash reports and stack traces. These may include your user ID but not your project content.

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes, ever.

Where it is stored

All personal data and project data is stored in EU data centres (Netherlands / Germany). We do not transfer personal data outside the European Economic Area.

If you access Maelo from outside the EU, your data is still stored in the EU. Network transit between you and our servers may cross borders, but the data at rest remains in the EU.

Backups are encrypted and stored in the same geographic region as primary storage.

How long we keep it

Active accounts — we retain your account data and project data for as long as your account is active. You can request deletion at any time.

Cancelled accounts — when you delete your account, your personal data and project data are purged within 90 days. Aggregate, anonymised analytics derived from your usage are retained indefinitely.

Invoices and transaction records — retained for 7 years to comply with Dutch tax and accounting law.

Server logs — retained for 30 days, then automatically deleted.

Your rights

Access — you have the right to request a copy of the personal data we hold about you.

Correct — if any data we hold about you is inaccurate, you have the right to ask us to correct it. Most profile data can be updated directly in your account settings.

Port — you can request a machine-readable export of your project data at any time.

Restrict — you can ask us to stop processing your data in certain circumstances, for example if you contest its accuracy.

Delete — you can request that we delete your personal data. We will comply within 30 days, subject to any legal retention obligations.

Object — you have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis.

Complain — you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) if you believe your data is being processed unlawfully.

To exercise any of these rights, email info@maelodesign.com. We will respond within 30 days.

Cookies

We use the following essential cookies only:

Authentication cookies — set by our authentication provider, Supabase, to keep you securely logged in and to protect against cross-site request forgery. They are cleared when you sign out or your session expires.

maelo-cookie-consent — a persistent cookie that stores your acknowledgement of this cookie notice so we do not show it on every visit.

No analytics cookies, no advertising cookies, no third-party tracking pixels.

Children

Maelo is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided personal data to us, please contact us at info@maelodesign.com and we will delete it.

Changes to this policy

We will notify you of material changes to this policy by email at least 30 days before the changes take effect, and by posting a notice on this page.

Your continued use of Maelo after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you should delete your account before the effective date.

Minor changes (such as fixing a typo or clarifying a sentence without changing meaning) may be made at any time without notice.