1. Who We Are
ModelDirectory.org ("we", "us", "our") is an open platform for discovering, sharing, and timestamping 3D model files. For the purposes of EU/UK GDPR, we are the data controller of personal data collected through this website and its API.
Our privacy contact: [email protected]
This policy applies to all visitors, registered users, and anyone who submits data via the platform's forms or API.
2. Data We Collect
2.1 Account Data
When you register, we collect:
- Email address — required for authentication and transactional communications.
- Display name — shown on your public profile and attributed to your uploads.
- OAuth profile data — if you sign in via Google, we receive your Google account name, email, and profile picture URL. We do not receive your Google password.
- Password hash — if you register with email/password, your password is hashed by Supabase Auth using bcrypt. We never store plaintext passwords.
2.2 Upload and Content Data
When you upload a model, we collect and permanently store:
- The 3D model file itself (stored in encrypted object storage).
- File name, size, format, and SHA-256 hash.
- Model name, description, category, and tags you provide.
- The license you select.
- Your rights assertion (a boolean flag plus timestamp).
- Geometry metadata: triangle count, bounding box dimensions.
- Antivirus scan result.
- Upload timestamp.
- Content rating metadata: a machine-assigned
content_ratingvalue (general,mature,adult, orweapon), anage_gateboolean, and acontent_flagsJSON object recording the signals (keyword match, AI vision result, human review outcome) that produced the rating. See Section 13.
2.3 Blockchain Timestamp Data
If you opt in to blockchain timestamping, we submit your file's SHA-256 hash and our smart contract transaction to the Polygon (or other selected) blockchain. This data is permanently public and cannot be deleted. It does not include your name, email, or any personal identifier — only the file hash and block timestamp.
2.4 Usage and Technical Data
When you use the platform, our servers and Cloudflare automatically log:
- Your IP address (used for security and rate-limiting; not linked to your account for general browsing).
- Browser user agent string.
- Pages visited, timestamp, and HTTP response code.
- Download events (model ID and timestamp, linked to your account if signed in).
We do not use third-party analytics trackers (e.g., Google Analytics). Access logs are processed by Cloudflare in accordance with their privacy policy.
2.5 Payment Data
Payments are processed by Stripe. We do not store your card number, CVV, or full payment details. We receive and store a Stripe payment reference, amount, currency, and timestamp. Stripe is a data processor acting under a Data Processing Agreement with us; see Section 7.
2.6 DMCA and Support Data
If you submit a DMCA takedown notice, counter-notice, or support request, we collect the data you provide in that submission, including name, contact details, and the content of your communication. This is stored for the minimum period required by law (see Section 5).
2.7 Data We Do Not Collect
We do not collect: race or ethnicity, health data, biometric data, precise geolocation (beyond IP-derived country), political opinions, or religious beliefs.
3. How We Use Your Data
| Purpose | Data used |
|---|---|
| Authenticating your account and maintaining your session | Email, password hash, OAuth tokens |
| Displaying your profile and attributing your uploads | Display name, profile picture, uploads |
| Processing file uploads and running validation | File, metadata, SHA-256 hash |
| Submitting blockchain timestamps (if opted in) | File SHA-256 hash only |
| Processing purchases and paying creators | Stripe payment reference, account ID |
| Sending transactional emails (upload confirmation, blockchain proof, purchase receipt) | Email address, upload/purchase details |
| Responding to DMCA notices and legal disputes | DMCA submission data, upload provenance records |
| Platform security, abuse prevention, and rate limiting | IP address, access logs |
| Improving platform performance and diagnosing errors | Anonymised/aggregated access logs |
We do not sell your personal data to third parties. We do not use your data for targeted advertising.
4. Lawful Basis for Processing (GDPR / UK GDPR)
If you are located in the EU or UK, we rely on the following lawful bases under Article 6 GDPR:
| Processing Activity | Lawful Basis |
|---|---|
| Account management, authentication, and contract fulfilment | Art. 6(1)(b) — Contract |
| Sending transactional emails (uploads, purchases, proofs) | Art. 6(1)(b) — Contract |
| Processing DMCA notices and legal claims | Art. 6(1)(c) — Legal obligation |
| Security, fraud prevention, rate limiting | Art. 6(1)(f) — Legitimate interests |
| Anonymised analytics and platform improvement | Art. 6(1)(f) — Legitimate interests |
| Marketing and newsletter communications | Art. 6(1)(a) — Consent (opt-in only) |
Where we rely on legitimate interests, you have the right to object (see Section 6). We have conducted or will conduct a Legitimate Interests Assessment for each relevant activity.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
5. Data Retention
We keep your data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (email, name, preferences) | Duration of account + 12 months after deletion | Contract; potential legal claims |
| Uploaded model files | Until you delete the model, or account termination + 12 months | Contract; IP dispute window |
| Upload provenance records (hashes, timestamps, rights assertion) | 3 years minimum from upload date | IP dispute resolution |
| Blockchain transaction records | Permanent (immutable on-chain) | Inherent to blockchain technology |
| Access and server logs | 90 days (raw); 3 years (aggregated) | Security; legal defense |
| DMCA claims and counter-notices | 3 years minimum | DMCA statutory requirement |
| Payment records | 7 years | Tax and accounting obligation |
| Marketing email consent records | Until opt-out, or 2 years of inactivity | Consent management |
Content rating metadata (content_rating, age_gate, content_flags) | Duration of model record; deleted with model or at account deletion + 12 months | Moderation audit trail; 18 U.S.C. § 2257 compliance where applicable |
| Age verification records (where collected) | Duration of the verified session or 12 months for persistent verification | Statutory compliance and fraud prevention |
| Data under legal hold | Until hold is lifted | Litigation |
After the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to you.
6. Your Rights
If you are in the EU, UK, or a jurisdiction with similar data protection laws, you have the following rights over your personal data. You can exercise most of these directly from your account dashboard. For requests that cannot be handled automatically, email [email protected].
| Right | What it means | How to exercise | Response time |
|---|---|---|---|
| Access | Receive a copy of all personal data we hold about you | Account dashboard → Settings, or email us | 30 days |
| Rectification | Correct inaccurate or incomplete data | Account Settings, or email us | 30 days |
| Erasure ("right to be forgotten") | Delete your personal data. Does not apply to data we are required to keep by law or that is necessary for an ongoing legal dispute. | Account → Settings → Delete account, or email us | 30 days |
| Restriction | Pause processing of your data while a dispute is being resolved | Email us | 30 days |
| Portability | Receive your data in a structured, machine-readable format (JSON or CSV) | Email us | 30 days |
| Objection | Object to processing based on legitimate interests. We will stop unless we have compelling grounds. | Email us | 30 days |
| Withdraw consent | Withdraw consent for marketing emails at any time | Unsubscribe link in any email, or email us | Immediate for marketing; 30 days for full update |
If you are unhappy with how we handle a data request, you have the right to lodge a complaint with your national data protection authority:
- EU: Your national supervisory authority (find yours at edpb.europa.eu).
- UK: The Information Commissioner's Office (ICO) at ico.org.uk.
Note on blockchain data: Your file's SHA-256 hash, if submitted to a public blockchain, is permanently public and technically cannot be deleted. This hash does not contain your name, email address, or any other directly identifying information. We consider it pseudonymous data.
7. Third-Party Services and Data Processors
We share data with the following third-party service providers, each acting as a data processor under a signed Data Processing Agreement (DPA), processing data only on our instructions:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, session management | Account data, upload metadata, session tokens | EU (Frankfurt) / US |
| Cloudflare | CDN, DDoS protection, DNS, Tunnel | IP addresses, HTTP request metadata | Global edge network |
| Stripe | Payment processing | Payment card data (held by Stripe), transaction records | US / EU |
| Resend | Transactional email delivery | Email address, email content | US |
| MinIO (self-hosted) | 3D model file storage | Uploaded files and provenance metadata | Self-hosted on our own infrastructure |
| Polygon / Alchemy | Blockchain timestamping (if opted in) | File SHA-256 hash only (no PII) | Public blockchain (global) |
We do not share your personal data with third parties for their own marketing purposes. We may disclose data to law enforcement or government authorities where required by a valid legal process (court order, subpoena, or applicable law).
8. International Data Transfers
Some of our third-party processors (Stripe, Resend, Cloudflare) are based in the United States. Where we transfer personal data of EU/UK data subjects outside the EEA/UK, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Agreements (IDTAs) where applicable.
- Adequacy decisions where the destination country provides equivalent protection.
You may request a copy of the relevant transfer mechanism by contacting [email protected].
9. Cookies and Tracking
9.1 What We Use
We use a minimal number of cookies and local storage entries, strictly necessary for the platform to function:
| Name / Type | Purpose | Duration |
|---|---|---|
| Supabase session token (localStorage) | Keeps you signed in across page loads | Session / until sign-out |
Cloudflare security cookies (__cf_bm, cf_clearance) | Bot detection and DDoS mitigation | 30 minutes / 1 year |
9.2 What We Do Not Use
We do not use advertising cookies, cross-site tracking cookies, or analytics cookies from Google, Meta, or similar third parties. We do not serve ads.
9.3 Managing Cookies
You can control cookies through your browser settings. Deleting the Supabase session token will sign you out. Blocking Cloudflare security cookies may affect the site's ability to serve you pages under DDoS conditions.
10. Children's Privacy
The platform is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact [email protected] and we will delete it promptly.
Users between 13 and 16 in the EU require verifiable parental consent under GDPR Article 8. If you are aware of a user in this age range who registered without parental consent, please contact us.
11. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will:
- Post the revised policy on this page with an updated "Last updated" date.
- Notify registered users by email at least 14 days before significant changes take effect.
Your continued use of the platform after the effective date of a revised policy constitutes acceptance of the new policy.
12. Contact and Data Protection
For any privacy-related questions, data subject access requests, or to exercise any of your rights, please contact:
Privacy — ModelDirectory.org
Email: [email protected]
We aim to acknowledge all privacy requests within 5 business days and respond fully within 30 days.
If we are required to appoint a formal Data Protection Officer (DPO) under GDPR (Article 37), we will update this section with the DPO's contact details. At this stage the privacy function is handled directly by the legal/compliance team.
See also: Terms of Service
13. Content Rating, Age Verification, and Record-Keeping Obligations
13.1 Content Rating Metadata
Every model file hosted on the platform is assigned a content rating drawn from a four-tier taxonomy: general, mature, adult, or weapon. This rating is stored in our database alongside the model record. It is not personal data in its own right, but it is associated with your account and upload provenance record.
Ratings are determined by one or more of the following automated methods, the results of which are stored in a content_flags JSON field:
- Keyword detection — the model's name, description, and tags are scanned against curated keyword sets at ingest time.
- AI vision classification — a locally-hosted vision model (minicpm-v) analyses the model's thumbnail image and returns a content-rating recommendation. No thumbnail data is transmitted to external third parties for this purpose.
- Human moderator review — a moderator may override or confirm the automated rating. The reviewer's decision and timestamp are recorded.
The content_flags field records which signals fired (e.g., {"source_platform_nsfw": true, "ai_detected": true, "human_reviewed": false}). This field is not exposed publicly. It is visible to moderators, Legal, and — on request — to the uploading creator.
13.2 Age Verification
Models rated adult are subject to an age-gate: they are not accessible to unauthenticated visitors or to accounts that have not completed age verification. When we implement age verification, we will collect the minimum data necessary to confirm that a user is 18 or older. This may include:
- A date-of-birth declaration (self-attested), stored as a boolean confirmation ("user confirmed age ≥ 18") rather than the date itself.
- Where a third-party age verification service is used in future, only a verification token or pass/fail result will be stored by us; the underlying identity document data is held by that service and governed by its own privacy policy.
The lawful basis for collecting age verification data is legal obligation (Art. 6(1)(c) GDPR) where applicable, and legitimate interests (Art. 6(1)(f)) in protecting minors from exposure to age-restricted content.
Age verification records are retained for the duration of the verified session or for 12 months for persistent verification, after which re-verification may be required.
13.3 18 U.S.C. § 2257 Record-Keeping
Where content uploaded to the platform depicts actual sexually explicit conduct as defined under 18 U.S.C. § 2257 (United States law), the uploader is responsible for maintaining the required records and making them available to us upon request. By uploading such content, the uploader warrants that all performers depicted are adults (18 years of age or older), that the required records exist and are maintained, and that they are available for inspection as required by law.
We maintain a secondary custodian record cross-referencing the content URL, the uploader's account ID, and the date of the uploader's warranty. These records are retained for a minimum of 7 years or as required by applicable law.
Our designated records custodian for § 2257 compliance can be reached at: [email protected]
13.4 Lawful Basis Summary for This Section
| Activity | Lawful Basis |
|---|---|
| Storing content rating and content_flags metadata | Art. 6(1)(f) — Legitimate interests (platform safety, moderation) |
| Age verification for access to age-gated content | Art. 6(1)(c) — Legal obligation; Art. 6(1)(f) — Legitimate interests |
| § 2257 custodian records | Art. 6(1)(c) — Legal obligation |