Privacy Policy
This Privacy Policy explains what personal data ICVFXTools collects, why we collect it, who we share it with, how long we keep it, and what rights you have under applicable data-protection law, including the EU GDPR, the UK GDPR, and the California CCPA/CPRA.
1.Who we are
ICVFXTools is the data controller for personal data processed through our websites, applications, and APIs. Contact us at support+privacy@icvfxtools.com for any data-rights request.
For privacy questions, our designated contact is support+privacy@icvfxtools.com. If you are based in the European Union or the United Kingdom and prefer to raise a question in your local language, please use the same email; we will respond in English.
2.What we collect
2.1 Information you give us directly
- Account and contact data: name, email address, company name, phone number (optional), and any notes you choose to share when contacting support.
- Forum content: if you post on our forum, the post text and any attachments you upload.
- Calibration uploads (LensLab): we accept your images for processing; image content is not retained after the job completes. Only job metadata is logged (job id, timestamp, success/failure, image count, requesting key).
- Lens-library uploads (LensLab): filenames, lens names, camera make/model, focal length, folder path, and the file itself. You decide what to upload.
2.2 Information generated by your use
- Licence binding hash (WallSync): a SHA-256 hash of stable machine identifiers (e.g. machine GUID, BIOS serial) salted with our product salt. We do not receive or store raw hardware identifiers.
- Machine display name (optional): a string you choose so support can identify the right Master.
- App version reported by your installation.
- Audit events: activation, refresh, deactivation, and validation calls; including timestamp, event type, result, requesting IP, app version, and the licence binding hash.
- API call metadata (LensLab): requesting key id, timestamp, solver type, image count, success/failure. No image bytes, project names, or scene content are stored.
- Web server logs: IP address, user agent, requested URL, response code, timestamp, referrer.
2.3 Information from third parties
- Paddle: when you purchase a subscription, Paddle shares with us your billing name, billing email, billing country, subscription identifier, transaction identifier, the product and tier purchased, and subscription status changes. We do not receive your full payment-card number, CVV, or bank account details; Paddle handles all card data under PCI DSS.
3.What we don't collect
Our architecture is built around storing the minimum data necessary. We deliberately do not collect:
- raw hardware identifiers such as MachineGuid, MAC addresses, BIOS serials, disk serials (only hashed forms are stored);
- image content uploaded for calibration after the job has completed (we keep job metadata only);
- source/layer/canvas configuration, render telemetry, or client-node lists;
- payment-card numbers, CVV, or bank-account details (Paddle handles all card data);
- any data from your wider network that the Software does not need to operate the licence.
4.Why we collect it
The table below sets out, for each purpose, the relevant lawful basis under EU/UK GDPR. Equivalent treatment applies under other applicable privacy laws:
- Running the service
- Operating the Service, issuing licences, verifying tokens, processing API calls.
Lawful basis: performance of contract with you. - Billing and tax
- Maintaining customer records, reconciling Paddle reports, complying with tax obligations.
Lawful basis: legal obligation; performance of contract. - Security and abuse prevention
- Detecting and preventing fraud, licence sharing, denial-of-service, brute-force attempts.
Lawful basis: legitimate interests in protecting the Service. - Support
- Responding to your questions and resolving issues.
Lawful basis: performance of contract; legitimate interests. - Service improvement
- Aggregated and anonymised analysis of usage to improve performance and reliability.
Lawful basis: legitimate interests. - Legal duties
- Responding to lawful requests, complying with subpoenas, defending claims.
Lawful basis: legal obligation; legitimate interests. - Marketing communications
- Sending product announcements, only if you opt in.
Lawful basis: consent (which you may withdraw at any time).
6.International data transfers
Our servers and sub-processors are located in several countries (including the United Kingdom, the United States, and the European Economic Area). Where personal data is transferred outside your country of residence, we rely on one or more of the following safeguards:
- European Commission adequacy decisions for the country of destination;
- UK International Data Transfer Agreement or the EU Standard Contractual Clauses (with UK Addendum where applicable);
- other safeguards required by applicable privacy law.
You may request a copy of the relevant safeguard by emailing support+privacy@icvfxtools.com.
7.How long we keep it
- Active customer records
- For the lifetime of your subscription and 24 months after closure, then deleted or anonymised.
- Licence binding hash and audit log
- Up to 12 months after each event, then automatically purged. Aggregated counts may be retained longer.
- Billing records (Paddle invoices)
- Retained by Paddle and by us as required by tax law (typically 6-10 years depending on jurisdiction).
- Calibration job metadata
- Retained for the lifetime of your API key plus 12 months, for support and quota tracking. Image bytes are deleted immediately on job completion.
- Lens-library uploads
- Retained while your account is active; deleted on request or 24 months after account closure.
- Support email
- Retained for 36 months for service-quality and dispute purposes.
- Web server logs
- Retained for up to 90 days for security and operations.
- Marketing-consent records
- Retained for the lifetime of consent plus 3 years to evidence opt-in.
8.Your rights
Depending on your country of residence, you have the following rights regarding your personal data:
- Access: ask for a copy of the data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”): ask us to delete your data, subject to legal obligations to retain (e.g. tax records).
- Restriction: ask us to limit how we use your data.
- Portability: receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
- Objection: object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: where processing is based on consent, withdraw it at any time, without affecting prior lawful processing.
- Lodge a complaint with your local data-protection authority. For UK residents, the ICO (ico.org.uk); for EU residents, your national authority.
- California residents have additional rights under CCPA/CPRA, including the right to know categories of personal information collected, the right to opt out of any “sale” or “sharing” of personal information (we do neither), and the right to non-discrimination for exercising these rights.
To exercise any right, email support+privacy@icvfxtools.com from the address on file. We will respond within 30 days (or as required by applicable law) and may need to verify your identity before acting on the request.
10.Security
We protect data with a layered set of controls including:
- HTTPS/TLS 1.2+ for all client-server traffic;
- password hashing (bcrypt) for API keys and SHA-256 hashing for licence keys;
- signed licence tokens (ECDSA P-256); the signing private key is stored outside source control and never leaves the server;
- rate limiting and origin enforcement at the edge;
- least-privilege access to the production database;
- regular backups stored encrypted;
- code review and dependency scanning before release.
No method of transmission or storage is 100% secure. In the event of a personal-data breach affecting you, we will notify you and the relevant data-protection authority as required by applicable law (typically within 72 hours).
11.Children
The Service is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact support+privacy@icvfxtools.com and we will delete it.
12.Automatic decisions
We do not make fully automatic decisions that produce legal or similarly significant effects on you. Automatic rate limiting and abuse detection may temporarily restrict access but are reversible by contacting support.
13.Changes to this policy
We may update this policy from time to time. The “Effective date” at the top of this page reflects the most recent change. Material changes will be notified by email to active customers and by a banner on the website. Prior versions are available on request.
14.Contact
Privacy questions and rights requests: support+privacy@icvfxtools.com
Full business details on our Contact page.