Data Protection

We are committed to protecting your personal data in compliance with applicable data protection regulations.

Effective Date: February 2026

1. Our Commitment

Spyxpo Technologies Private Limited ("we," "us," or "our") is committed to protecting the personal data of all users of layerzloom.com. This Data Protection Policy outlines our practices for collecting, processing, storing, and securing personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), India's Digital Personal Data Protection Act, 2023, and other applicable data protection laws.

2. Data Processing

2.1 Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds:

  • Contractual Necessity: Processing is necessary to fulfil our contract with you, including manufacturing and delivering your 3D printing orders.
  • Consent: Where you have given explicit consent for specific processing activities, such as receiving marketing communications.
  • Legitimate Interest: Processing is necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring platform security.
  • Legal Obligation: Processing is required to comply with applicable laws, regulations, or legal proceedings.

2.2 Data We Process

We process the following categories of personal data:

  • Identity Data: Name, email address, phone number.
  • Contact Data: Shipping and billing addresses.
  • Transaction Data: Order history, payment references, and amounts paid.
  • Technical Data: IP address, browser type, device information, and usage logs.
  • Content Data: 3D model files uploaded for printing.

3. Your Data Rights

Depending on your location and applicable laws, you may exercise the following rights regarding your personal data:

3.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format within 30 days of receiving your request.

3.2 Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

3.3 Right to Deletion (Right to be Forgotten)

You have the right to request deletion of your personal data. We will comply with such requests unless we are required to retain the data for legal, regulatory, or contractual obligations. Upon deletion, your account and associated data will be permanently removed from our systems within 30 days.

3.4 Right to Data Portability

You have the right to receive your personal data in a portable, structured, and machine-readable format (such as JSON or CSV), and to transmit that data to another service provider without hindrance from us.

3.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data or object to its processing.

3.6 Right to Object

You have the right to object to the processing of your personal data for direct marketing purposes or where processing is based on legitimate interests.

3.7 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

3.8 CCPA-Specific Rights (California Residents)

If you are a California resident, you additionally have the right to:

  • Know what personal information is collected and how it is used.
  • Request deletion of your personal information.
  • Opt out of the sale of your personal information. We do not sell personal information.
  • Not be discriminated against for exercising your privacy rights.

4. Data Security Measures

We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
  • Authentication: User authentication is managed through Firebase Authentication with support for secure password hashing and optional multi-factor authentication.
  • Access Controls: Internal access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls in place.
  • Infrastructure Security: Our platform is hosted on secure cloud infrastructure with firewalls, intrusion detection, and regular security patching.
  • Regular Audits: We conduct periodic security reviews and vulnerability assessments to identify and address potential risks.
  • Employee Training: All team members with access to personal data receive data protection and security awareness training.

5. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Document the breach, including its nature, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address and mitigate the breach.
  • Take immediate steps to contain the breach and prevent further unauthorised access.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence. We use cloud services (including Firebase by Google) that may store data in data centres located in various countries. When transferring data internationally, we ensure appropriate safeguards are in place:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to countries without an adequacy decision.
  • Our third-party service providers are contractually obligated to maintain equivalent data protection standards.
  • We assess the data protection laws of recipient countries and implement additional safeguards where necessary.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data: Retained until account deletion is requested, then permanently removed within 30 days.
  • Order and Transaction Data: Retained for a minimum of 5 years for tax, accounting, and legal compliance purposes.
  • 3D Model Files: Deleted within 90 days after order fulfilment. You may request earlier deletion.
  • Analytics Data: Anonymised and aggregated data may be retained for trend analysis and service improvement.
  • Communication Records: Support and correspondence records are retained for 2 years after the last interaction.

8. Data Protection Officer

For data protection inquiries or complaints, or to exercise your data rights, please contact our data protection team:

  • Company: Spyxpo Technologies Private Limited
  • Website: layerzloom.com
  • Email: privacy@layerzloom.com

We will respond to all data protection requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

9. Changes to This Policy

We may update this Data Protection Policy from time to time to reflect changes in our practices or applicable laws. Material changes will be communicated by updating the effective date on this page and, where appropriate, by notifying registered users via email. We encourage you to review this policy periodically.