Stimalo
Find a maker Search How it works Blog
Sign in Sign up free
Back to home

Privacy Policy

Last updated: May 10, 2026

1. Data controller

The data controller for personal data processing is:

Paolo Spada
Email: [email protected]
Website: stimalo.com

2. Data we collect

Stimalo collects the following data:

2.1 Data you provide

2.2 Data collected automatically

3. Purposes of processing

4. Data retention

5. Data sharing and processors

Your personal data is never sold or shared with third parties for commercial purposes. Data is accessible only to the following technical processors, necessary for service operation. All processors listed below are bound by contractual data processing terms (DPA / Standard Contractual Clauses where applicable):

ProcessorCountryPurposeLegal basis transfer
Cloudflare Inc. USA CDN, DDoS protection, DNS, reverse proxy EU-US DPF + SCC
Resend Inc. USA Transactional & marketing emails (OTP, notifications) SCC
Google LLC USA Analytics (consent only) EU-US DPF
Stripe Inc. USA / Ireland Payment processing for Pro subscriptions EU-US DPF + SCC
Groq Inc. USA AI inference for Pro features (invoice scanning, descriptions) SCC

Data transfer to the USA is covered by the EU-US Data Privacy Framework for certified services and by Standard Contractual Clauses (SCC) as fallback. Adequacy decision and transfer impact assessment have been considered.

Self-hosted services (no third-party processor): Matomo Analytics and Chatwoot Live Chat run on our own servers. Their respective vendors (Matomo, Chatwoot Inc.) do not have access to the data processed through these services. Data never leaves our infrastructure.

5.1 Aggregated and anonymous data

Stimalo may generate and share with third parties (printer manufacturers, material suppliers, commercial partners) statistical reports based on completely anonymous and aggregated data, e.g.: most used printer models, popular materials, average print times, quote price ranges. This data contains no personal information and cannot be used to identify individual users in any way.

6. Your rights (GDPR)

You have the right to:

To exercise these rights you can use the integrated functions in your profile or contact us via email. We will respond within 30 days.

7. Cookie

Stimalo uses 4 categories of cookies. You can change your choice anytime by clicking Manage cookie preferences here or in the site footer.

7.1 Strictly necessary cookies (no consent required)

These cookies are required for the site to function: login, session security, your consent choice. They cannot be disabled.

NamePurposeDuration
sessionFlask login session, CSRF protectionBrowser session
remember_token"Remember me" persistent login30 days
cc_consentStores your cookie choice (4 categories)1 year

7.2 Functional cookies (consent required)

Remember your preferences and enable the support chat widget.

NamePurposeDuration
langLanguage preference (IT/EN)1 year
cw_conversationChatwoot live chat session (only if you open the chat widget)1 year

7.3 Statistics / Analytics cookies (consent required)

Anonymous usage data. Help us understand how Stimalo is used and improve it. Matomo is self-hosted, cookieless, IP-anonymized and (per EU CNIL guidance) does not require explicit consent; we list it here for transparency. The other items require explicit consent.

NameServicePurposeDuration
_ga, _ga_*Google Analytics 4Distinguish unique users, traffic analysis2 years
stimalo_utmFirst-touch attributionUTM marketing source/medium/campaign for analytics30 days
stimalo_vidInternal AdsLanding (server-side)Unique landing-page visitor dedup (UUID, no PII)90 days
none (server-only)Matomo (self-hosted)Cookieless, IP-anonymized analytics

7.4 Marketing cookies (consent required)

Measure the effectiveness of advertising campaigns on Meta (Facebook/Instagram) and Google Ads. We never sell personal data; CCPA opt-out is honored.

NameServicePurposeDuration
_fbpMeta PixelFacebook/Instagram ads conversion measurement90 days
_gcl_*Google AdsGoogle Ads conversion tracking90 days

7.5 Consent record (audit log)

Every time you make a choice in the cookie banner we save a record (timestamp, IP hash truncated to 32 chars, abridged user agent, chosen categories) to demonstrate, in case of audit, when and what you consented to. Retained for 24 months (GDPR Art. 7.1 burden of proof).

8. Marketplace "Find a Maker"

Requesters' data

When a user requests a quote through the marketplace, we collect name and email to forward the request to the selected maker. Legal basis: pre-contractual measures (art. 6.1.b GDPR). Data is shared exclusively with the contacted maker.

Reviews

Published reviews show the name provided by the reviewer. Publication occurs with the user's explicit consent at submission.

Maker profiles

Makers who activate marketplace visibility consent to publication of: name or business name, city, province, service categories. Visibility can be deactivated at any time from the profile.

Erasure

Requesters may ask for erasure of their data by contacting [email protected].

8.1 3D files uploaded by users

Stimalo gives separate protection commitments for 3D files (G-code, 3MF, STL, OBJ, STEP) depending on context, documented in detail in the Stimalo Protocol:

9. International users (non-EU residents)

Stimalo serves users worldwide. Although the data controller is based in Italy and primarily complies with the EU GDPR, we recognize and respect the privacy rights granted by other jurisdictions. The rights described below are extended to all users globally, regardless of their location.

California residents (CCPA / CPRA)

If you reside in California, USA, you have the right to: know what personal information we collect, delete it, correct it, opt-out of the "sale" or "sharing" of personal information (we don't sell or share it for cross-context advertising), and not be discriminated against for exercising your rights. We do not sell personal information for monetary compensation. Contact [email protected] to exercise these rights.

Do Not Sell or Share My Personal Information
Click here to opt out of any "sharing" of personal information for cross-context advertising (Meta Pixel, Google Ads), as defined by the CPRA: Manage my privacy preferences →

Global Privacy Control (GPC): we honor the Global Privacy Control browser signal as a legally binding opt-out preference. If your browser (Firefox, Brave, DuckDuckGo, or extensions like Privacy Badger) sends the Sec-GPC: 1 header, Stimalo automatically applies "Reject all" for statistics and marketing categories on first visit — no further action required. Your choice in the banner, if any, always overrides GPC.

Brazilian residents (LGPD)

Brazilian users (Lei Geral de Proteção de Dados, LGPD) have rights aligned with GDPR: confirmation of processing, access, rectification, anonymization/deletion, portability, information about sharing, revocation of consent. Contact us at the email above.

Canadian residents (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act, Canadian users have the right to access their personal information, request correction, and withdraw consent.

UK residents (UK GDPR)

UK users are covered by UK GDPR, which grants substantively the same rights as EU GDPR. The supervisory authority is the Information Commissioner's Office (ICO).

Other jurisdictions

If your country has specific data protection laws not listed above (e.g. Australia's APP, Japan's APPI, South Africa's POPIA), the rights described in this policy apply by default. Contact us if you wish to exercise specific rights under your local law.

10. Changes

This privacy policy may be updated periodically. The last update date is shown at the top of the page. In case of substantial changes, we will notify users via the site or email.

11. Contact

For any question regarding the privacy of your data:
Email: [email protected]