Privacy Policy
Effective: 3 April 2026
1. Who we are
Ganda is operated by Ganda (“we”, “us”, “our”). Our website is ganda.ai. If you have questions about this policy or your personal data, contact us at [email protected].
We are the data controller for the personal data described in this policy, as defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data we collect
| Category | Data | Lawful basis |
|---|---|---|
| Account | Name, email address, hashed password, account tier, invite code | Contract |
| Content | Chat messages, CadQuery scripts, STL/STEP files, error messages | Contract |
| Payment | Stripe customer ID, subscription status, credit usage. Card details are held entirely by Stripe — we never see or store them | Contract |
| Technical | Session cookies, IP address (for rate limiting and security), browser user-agent | Legitimate interest (security) |
| Communications | Email address for transactional emails (welcome, password reset, credit warnings) | Contract |
3. How we use your data
- Service delivery — processing your prompts, generating CAD scripts, rendering 3D models, storing your conversations
- Payment processing — managing subscriptions, top-up packs, and billing through Stripe
- Transactional emails — account confirmation, password resets, credit usage warnings
- Security — rate limiting, abuse prevention, session management
- Service improvement — anonymised error patterns help us improve CAD generation reliability. Individual prompts and designs are never used for training
4. AI processing
When you use Ganda, your messages and any attached images are sent to Anthropic's Claude API to generate CadQuery scripts. Anthropic processes this data solely to provide the AI response and does not use API data to train its models.
AI-generated outputs (CAD scripts, 3D models) are not engineer-verified. You are responsible for reviewing all generated designs before manufacturing or use. See our Terms of Service for full details.
5. Sub-processors
We share personal data with the following third-party processors:
| Processor | Location | Purpose |
|---|---|---|
| Anthropic | United States | AI model inference (processes messages and images to generate CAD scripts) |
| Stripe | United States | Payment processing (customer email, name, subscription management) |
| Email relay | Varies | Transactional email delivery (email address, user name) |
6. International transfers
Our sub-processors operate in the United States. Transfers to the US are covered by the UK-US Data Bridge (the UK extension to the EU-US Data Privacy Framework). Where the Data Bridge does not apply, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Data retention
| Data | Retention |
|---|---|
| Conversations and messages | Kept until you delete them |
| STL/STEP file versions | 10 most recent per part, older versions auto-pruned |
| Session data | 7 days |
| Diagnostic logs | 7–30 days, then automatically deleted |
| Error patterns (anonymised) | 30 days for single occurrences; consolidated patterns kept indefinitely |
| Account data | Kept until you delete your account |
8. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data
- Restriction — restrict processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
To exercise any of these rights, email [email protected]. We will respond within one month. To delete your account and all associated data, email us and we will process the request within 30 days.
9. Cookies
We use essential cookies for authentication and a functional cookie for your theme preference. We do not use analytics, advertising, or third-party tracking cookies. See our Cookie Policy for full details.
10. Children
Ganda is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. For material changes, we will notify you by email or by a prominent notice on our website at least 30 days before the changes take effect.
12. Contact
For any questions about this policy or your personal data, email [email protected].
13. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.