Data & privacy
Data protection policy
We only collect data necessary for the platform's operation and the smooth running of manufacturing projects. Here are our commitments in accordance with GDPR.
Preamble
This Privacy Policy is established in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation — GDPR) and French Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, as amended (Data Protection Act). It describes the personal data processing carried out on the openfab.io platform, for both Customers and Maker partners. Information is presented in a clear and structured manner to promote understanding, in accordance with the principle of transparency.
Data controller
The data controller is OpenFab (company being formed). Email: privacy@openfab.io. Phone: 06 80 72 13 02. OpenFab has not appointed a Data Protection Officer (DPO) within the meaning of the GDPR. Any request relating to personal data can be sent to privacy@openfab.io.
Legal bases for processing
Our data processing relies on the following legal bases: contract performance (Article 6.1.b GDPR) for account management, orders and Customer-Maker connection; legal obligation (Article 6.1.c) for invoicing, accounting and contractual document retention; legitimate interest (Article 6.1.f) for Platform security, fraud prevention and service improvement; consent (Article 6.1.a) for non-essential audience measurement cookies and commercial communications. When we rely on legitimate interest as a legal basis, we carry out a balancing test to ensure that our interests do not override your fundamental rights and freedoms, and we document our analyses. You may withdraw your consent at any time without affecting the lawfulness of processing already carried out.
Data collected
We only collect data necessary for the service: first and last name, email address, phone number (optional), role (Customer or Maker), postal address (for delivery), technical files and project descriptions, exchanges and quotes, order history, technical logs and IP address. Payment data is processed by a certified third-party provider (Stripe) and is never stored by OpenFab. Data is collected directly from you when creating an account, submitting a request, or communicating on the Platform. The site is not intended for minors under 15 years of age. No voluntary collection of minors' data is carried out. If a parent or guardian discovers that a minor has submitted data without authorization, they can contact privacy@openfab.io to request immediate deletion.
Purposes of collection
Your data is used to: manage your user account and profile; qualify and transmit manufacturing requests to suitable Makers; enable quote exchanges and centralization of technical communications; ensure secure payment processing and invoicing; monitor production and quality control; provide responsive customer support; improve the Platform experience (anonymized statistics); comply with our legal and regulatory obligations.
Recipients and data sharing
Your data is never sold. It is shared only with: Maker partners, strictly to the extent necessary for order fulfillment (name, delivery details, technical files); the payment provider (Stripe) for secure transaction processing; the hosting provider (Hostinger) for technical infrastructure; carriers where applicable for delivery. Some providers may be located outside the European Economic Area. In such cases, transfers are governed by standard contractual clauses approved by the European Commission and supplementary security measures. All our subcontractors are contractually bound to comply with GDPR obligations, particularly regarding confidentiality, security, and non-reuse of data.
Retention periods
Retention periods vary by data type: active user account: retained as long as the account is active, deleted upon request; order and billing data: 6 years (accounting and tax obligations); technical logs and IP addresses: 12 months; marketing data: 3 years after last account activity. At the end of these periods, data is deleted or anonymized. Data subject to a legal retention obligation is archived with restricted access until the legal period expires.
Security
We implement technical and organizational measures to protect your data: HTTPS encryption in transit, restricted data access following the principle of least privilege, regular backups, periodic access rights review, security monitoring. Makers only access information strictly necessary for production. In the event of a data breach likely to pose a risk to your rights and freedoms, OpenFab commits to notifying the supervisory authority (CNIL) within 72 hours and informing affected individuals as soon as possible, in accordance with Articles 33 and 34 of the GDPR.
Cookies
The site uses cookies strictly necessary for operation (authentication, security, session). No advertising cookies are used. Anonymous audience measurement cookies may be placed with your consent to improve the service. You can manage your cookie preferences from your browser. Deleting necessary cookies may affect site functionality.
Your rights
In accordance with the GDPR, you have the following rights: right of access to your personal data; right to rectification and update; right to erasure ('right to be forgotten'); right to restriction of processing; right to object to processing; right to data portability. To exercise your rights, write to privacy@openfab.io specifying the right invoked and the email address of your account. A reasoned response will be provided within one month (extendable by two months for complex requests). The right to erasure does not apply when retention is required by a legal obligation (invoicing, accounting) or necessary for the establishment, exercise or defense of legal claims. In case of refusal or no response, you may lodge a complaint with the CNIL (www.cnil.fr – 3 place de Fontenoy, 75007 Paris).
Changes to this policy
This privacy policy may be updated to reflect legal, technical or functional developments. The current version is always available on this page. In the event of a substantial change, a notice will be displayed on the Platform or sent by email to registered users. Last updated: February 17, 2026.