Last updated: May 10, 2026
The data controller for personal data processing is:
Paolo Spada
Email: [email protected]
Website: stimalo.com
Stimalo collects the following data:
Your personal data is never sold or shared with third parties for commercial purposes. Data is accessible only to the following technical processors, necessary for service operation. All processors listed below are bound by contractual data processing terms (DPA / Standard Contractual Clauses where applicable):
| Processor | Country | Purpose | Legal basis transfer |
|---|---|---|---|
| Cloudflare Inc. | USA | CDN, DDoS protection, DNS, reverse proxy | EU-US DPF + SCC |
| Resend Inc. | USA | Transactional & marketing emails (OTP, notifications) | SCC |
| Google LLC | USA | Analytics (consent only) | EU-US DPF |
| Stripe Inc. | USA / Ireland | Payment processing for Pro subscriptions | EU-US DPF + SCC |
| Groq Inc. | USA | AI inference for Pro features (invoice scanning, descriptions) | SCC |
Data transfer to the USA is covered by the EU-US Data Privacy Framework for certified services and by Standard Contractual Clauses (SCC) as fallback. Adequacy decision and transfer impact assessment have been considered.
Self-hosted services (no third-party processor): Matomo Analytics and Chatwoot Live Chat run on our own servers. Their respective vendors (Matomo, Chatwoot Inc.) do not have access to the data processed through these services. Data never leaves our infrastructure.
Stimalo may generate and share with third parties (printer manufacturers, material suppliers, commercial partners) statistical reports based on completely anonymous and aggregated data, e.g.: most used printer models, popular materials, average print times, quote price ranges. This data contains no personal information and cannot be used to identify individual users in any way.
You have the right to:
To exercise these rights you can use the integrated functions in your profile or contact us via email. We will respond within 30 days.
Stimalo uses 4 categories of cookies. You can change your choice anytime by clicking Manage cookie preferences here or in the site footer.
These cookies are required for the site to function: login, session security, your consent choice. They cannot be disabled.
| Name | Purpose | Duration |
|---|---|---|
| session | Flask login session, CSRF protection | Browser session |
| remember_token | "Remember me" persistent login | 30 days |
| cc_consent | Stores your cookie choice (4 categories) | 1 year |
Remember your preferences and enable the support chat widget.
| Name | Purpose | Duration |
|---|---|---|
| lang | Language preference (IT/EN) | 1 year |
| cw_conversation | Chatwoot live chat session (only if you open the chat widget) | 1 year |
Anonymous usage data. Help us understand how Stimalo is used and improve it. Matomo is self-hosted, cookieless, IP-anonymized and (per EU CNIL guidance) does not require explicit consent; we list it here for transparency. The other items require explicit consent.
| Name | Service | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_* | Google Analytics 4 | Distinguish unique users, traffic analysis | 2 years |
| stimalo_utm | First-touch attribution | UTM marketing source/medium/campaign for analytics | 30 days |
| stimalo_vid | Internal AdsLanding (server-side) | Unique landing-page visitor dedup (UUID, no PII) | 90 days |
| none (server-only) | Matomo (self-hosted) | Cookieless, IP-anonymized analytics | — |
Measure the effectiveness of advertising campaigns on Meta (Facebook/Instagram) and Google Ads. We never sell personal data; CCPA opt-out is honored.
| Name | Service | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta Pixel | Facebook/Instagram ads conversion measurement | 90 days |
| _gcl_* | Google Ads | Google Ads conversion tracking | 90 days |
Every time you make a choice in the cookie banner we save a record (timestamp, IP hash truncated to 32 chars, abridged user agent, chosen categories) to demonstrate, in case of audit, when and what you consented to. Retained for 24 months (GDPR Art. 7.1 burden of proof).
When a user requests a quote through the marketplace, we collect name and email to forward the request to the selected maker. Legal basis: pre-contractual measures (art. 6.1.b GDPR). Data is shared exclusively with the contacted maker.
Published reviews show the name provided by the reviewer. Publication occurs with the user's explicit consent at submission.
Makers who activate marketplace visibility consent to publication of: name or business name, city, province, service categories. Visibility can be deactivated at any time from the profile.
Requesters may ask for erasure of their data by contacting [email protected].
Stimalo gives separate protection commitments for 3D files (G-code, 3MF, STL, OBJ, STEP) depending on context, documented in detail in the Stimalo Protocol:
Stimalo serves users worldwide. Although the data controller is based in Italy and primarily complies with the EU GDPR, we recognize and respect the privacy rights granted by other jurisdictions. The rights described below are extended to all users globally, regardless of their location.
If you reside in California, USA, you have the right to: know what personal information we collect, delete it, correct it, opt-out of the "sale" or "sharing" of personal information (we don't sell or share it for cross-context advertising), and not be discriminated against for exercising your rights. We do not sell personal information for monetary compensation. Contact [email protected] to exercise these rights.
Do Not Sell or Share My Personal Information
Click here to opt out of any "sharing" of personal information for cross-context advertising (Meta Pixel, Google Ads), as defined by the CPRA:
Manage my privacy preferences →
Global Privacy Control (GPC):
we honor the Global Privacy Control browser signal as a legally binding opt-out preference. If your browser (Firefox, Brave, DuckDuckGo, or extensions like Privacy Badger) sends the Sec-GPC: 1 header, Stimalo automatically applies "Reject all" for statistics and marketing categories on first visit — no further action required. Your choice in the banner, if any, always overrides GPC.
Brazilian users (Lei Geral de Proteção de Dados, LGPD) have rights aligned with GDPR: confirmation of processing, access, rectification, anonymization/deletion, portability, information about sharing, revocation of consent. Contact us at the email above.
Under the Personal Information Protection and Electronic Documents Act, Canadian users have the right to access their personal information, request correction, and withdraw consent.
UK users are covered by UK GDPR, which grants substantively the same rights as EU GDPR. The supervisory authority is the Information Commissioner's Office (ICO).
If your country has specific data protection laws not listed above (e.g. Australia's APP, Japan's APPI, South Africa's POPIA), the rights described in this policy apply by default. Contact us if you wish to exercise specific rights under your local law.
This privacy policy may be updated periodically. The last update date is shown at the top of the page. In case of substantial changes, we will notify users via the site or email.
For any question regarding the privacy of your data:
Email: [email protected]
Choose which cookies you allow. Strictly necessary cookies are always active because the site cannot work without them. Read the full policy →
session, remember_token, cc_consent.
lang, cw_conversation.
_ga, _ga_*), self-hosted Matomo (cookieless, allowed without consent under EU rules), UTM attribution cookies (stimalo_utm, stimalo_vid).
_fbp), Google Ads (_gcl_*). We never sell personal data.