Last updated 2026-04-24

Privacy Policy

This policy describes what personal data NestSheet collects, why we collect it, who we share it with, and what rights you have. It is written to meet the EU General Data Protection Regulation (GDPR) and applies equivalently to users in the UK, EEA, and other jurisdictions with comparable laws.

1. Who we are

The data controller for nestsheet.com and the NestSheet application is MAIPRINT LLC (ТОВ "МАЙ ПРІНТ"), EDRPOU 43427227, registered in Ukraine and operating the service at nestsheet.com. For data-protection enquiries, contact [email protected].

2. What data we collect

Account data

Email address, display name, and a bcrypt hash of your password. We do not store plaintext passwords at any point.

Usage data

Sheet metadata (dimensions, item counts, packing settings), export counts and formats, request logs including IP address and browser user-agent, and timestamps. We use this for operating the service, debugging, billing, and preventing abuse.

Uploaded content

The raster and vector artwork you upload. We store it encrypted at rest on our servers and process it to render previews, pack sheets, and generate exports at your request.

Billing data

Payment card numbers and billing addresses are never collected by NestSheet. They go directly to Paddle, our Merchant of Record (see Subprocessors below). We receive only Paddle's invoice reference, the plan purchased, the country used for VAT, and the billing status.

Communications

Messages you send us at [email protected] and any product feedback you submit.

3. Legal basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — for account data, uploaded content, and usage data needed to deliver the subscription you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — for security monitoring, fraud prevention, service debugging, and limited product improvement from aggregated statistics. We balance these against your rights and you can object at any time.
  • Consent (Art. 6(1)(a)) — for optional marketing email (you must opt in) and for optional AI features (each AI-assisted action is a fresh, explicit click). You can withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation (Art. 6(1)(c)) — for retaining billing records to meet tax and accounting laws.

4. How we use it

  • To provide the service and the features you use.
  • To authenticate you and keep your account secure.
  • To send transactional email (password reset, receipts, important service notices).
  • To prevent abuse, fraud, and violations of our Terms.
  • To debug errors and improve the product (aggregated, not targeted at individuals).
  • To comply with legal obligations (tax records, lawful requests from authorities).

We do not sell, rent, or share personal data for third-party advertising. We do not profile individual users for automated decision-making that has legal or similarly significant effects.

5. Third-party subprocessors

We use the following subprocessors to operate the service. Each receives only the data it needs for its specific function, under a written data-processing agreement.

Subprocessor Purpose Location Data
Hetzner Online GmbH Hosting & backups Germany (EU) Everything stored on our servers
Paddle.com Market Limited Merchant of Record — payments, VAT, invoicing United Kingdom / USA Billing details, card number, address
Anthropic PBC Claude API for optional AI features (background removal / mask generation) — only when you click an AI-assisted action United States The specific image you acted on + minimal prompt

We do not use third-party web analytics, advertising networks, session-replay tools, or social-media pixels on nestsheet.com or inside the application. Traffic patterns are derived from our own server logs, never from a third party.

6. International transfers

Primary data storage and processing is in Germany (Hetzner EU), so EU-origin data stays in the EU at rest. When you invoke AI features we transmit the image to Anthropic in the United States; this transfer is covered by the EU Standard Contractual Clauses (SCCs, 2021/914). Paddle processes card data in accordance with their own SCC-backed transfer framework.

For each international transfer, we have assessed whether local law provides essentially equivalent protection to GDPR and implemented supplementary measures (encryption in transit and at rest, minimised data exposure). You can request the relevant transfer documents from [email protected].

7. Retention

  • Active accounts — we keep your account data and uploaded content for as long as your account is active.
  • After cancellation — account and uploaded content are kept for 90 days (so you can restore them), then deleted from primary storage. Encrypted backups expire on a 30-day rolling window on top of that.
  • Billing records — kept for 7 years to meet tax and accounting law in Ukraine and the EU.
  • Support email — kept for 24 months from the last message, then archived or deleted.
  • Security logs — rolling 90 days, except for records tied to an active incident investigation.

8. Your rights (GDPR)

Regardless of where you live, you have the following rights over personal data we hold about you. To exercise any of them, email [email protected] from the address on your account. We respond within 30 days (usually within a few business days).

  • Access — a copy of the data we hold about you.
  • Correction — fix anything that is inaccurate.
  • Deletion — delete your account and associated data, subject to billing-record retention above.
  • Portability — receive your data in a structured, machine-readable format (JSON) where it was collected under contract or consent.
  • Objection — object to processing based on legitimate interests.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Withdraw consent — for anything you consented to (marketing email, AI features), at any time.
  • Complaint to a supervisory authority — in the EU/EEA you have the right to complain to your national data protection authority. A list is at edpb.europa.eu/about-edpb/members .

9. Security

We protect your data with industry-standard measures: TLS on every connection, bcrypt password hashing, encrypted storage volumes, principle-of-least-privilege access for our engineers, and daily off-site encrypted backups. Production systems run in an isolated private network at our Hetzner region; no public database access.

If a security breach affects your personal data in a way likely to result in a risk to your rights, we will notify you and the relevant supervisory authority within the 72 hours required by GDPR Art. 33/34.

10. Cookies

The application sets only essential cookies (session, CSRF token, consent preference) and a couple of non-essential preference cookies (UI theme, sidebar state). We do not set advertising cookies. See our Cookie Policy for specifics and how to manage them.

11. Children

NestSheet is a professional tool and is not directed at people under 18. We do not knowingly collect personal data from children under 18. If you believe we have, contact us and we will delete the account.

12. Changes to this policy

Material changes (new subprocessors, new categories of data, new purposes) are announced by email to the address on your account and in-app at least 30 days before they take effect. Editorial changes are made in place and reflected in the "Last updated" date at the top of this page.

13. Contact

Data controller: MAIPRINT LLC (ТОВ "МАЙ ПРІНТ"), EDRPOU 43427227, Ukraine. Data-protection enquiries, access requests, and complaints: [email protected]. Business customers can request a Data Processing Addendum by emailing the same address.

MAIPRINT LLC (ТОВ "МАЙ ПРІНТ"), EDRPOU 43427227, Ukraine. Operator of nestsheet.com. Questions about this document: [email protected].

Launch-v1 baseline. Drafted by the NestSheet team for public compliance at launch; it will be refined by counsel post-launch and any material change will be announced via email and dated above.