Privacy Policy

MechanixCalc ("we", "us", "our") is the data controller for personal data processed through this Service. This policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR), UK GDPR, and other applicable privacy laws.

We collect the following categories of personal data:

• Account data: Name, email address, and OAuth provider tokens provided when you create an account or sign in via a third-party provider (managed by Clerk).
• Billing data: Subscription status and transaction IDs. We never see or store your card numbers — all payment data is held by Paddle, our Merchant of Record.
• Calculation data: When you use the cloud-save feature, we store the inputs and results of your saved calculations in our database (Neon Postgres, hosted in EU — Frankfurt, Germany). If you organise saved calculations into projects, we also store the project names and groupings you create. If you call our REST API (directly or through a CAD add-in), the inputs you submit are processed the same way as in the web app — computed on our servers and stored only if you choose to save the result; a CAD add-in sends only the model parameters you select to run, not your CAD file.
• Schematic data:Saved P&ID, fluid power, and electrical diagrams you create and store within the Service.
• API key data: If you create a personal REST API key (Expert plan), we store a one-way SHA-256 hash of the key, a short non-secret prefix for display (e.g. mxc_live_ab12cd34), any name you give the key, and its creation and last-used timestamps. The full key is shown to you only once, at creation, and is never stored. Legal basis: Contract performance (Art. 6(1)(b)) — operating the API access you have subscribed to.
• Session & security data: IP address, hashed user agent, and session ID — collected to detect and prevent concurrent session abuse and credential sharing. Raw user agent strings are never stored; only a one-way hash is retained. Legal basis: Legitimate Interest (Article 6(1)(f) GDPR). Retained for 90 days, then automatically deleted.
• Trial usage data: To enforce the anonymous 30-minute free preview and prevent fraudulent abuse, we collect a browser fingerprint (derived from browser settings and hardware characteristics using FingerprintJS — an open-source library, no external CDN calls, runs entirely in your browser), your IP address, and a server-side cookie (httpOnly). These three signals are combined into a single SHA-256 hash key — no raw fingerprint or raw IP is stored permanently. The hash key is stored in Vercel KV (Redis) for up to 30 days, after which it is automatically deleted. No personal identity can be recovered from this hash. Legal basis: Legitimate Interest (Art. 6(1)(f) GDPR) — preventing fraud and protecting the integrity of our subscription model. CCPA category: Internet / electronic network activity information, used for security purposes only (not sold or shared).
• AI chat data: When you use the AI Engineering Assistant (available on Core plan and above), the text of your messages and a plain-text summary of your current calculation inputs and results are sent to Anthropic, Inc. for processing. We do not store your chat messages on our servers — they are transmitted to Anthropic, processed, and discarded. Anthropic may retain data in accordance with their own Privacy Policy. No personally identifiable information beyond what you explicitly type is included in the transmission. Legal basis: Contract performance (Art. 6(1)(b)) — delivery of the AI feature you have subscribed to.
• Usage & analytics data: Anonymised page views and feature usage via Vercel Analytics. No personally identifiable information is attached to these events.

We use your data for the following purposes, each with its GDPR legal basis:

• Provide the Service — deliver calculations, cloud save, schematics, and all product features. Legal basis: Contract performance (Art. 6(1)(b))
• Manage subscriptions — handle billing, plan entitlements, and renewals via Paddle. Legal basis: Contract performance (Art. 6(1)(b))
• Enforce session limits — detect and prevent concurrent logins / credential sharing that violate our Terms of Service. Legal basis: Legitimate Interest (Art. 6(1)(f)) — protecting the integrity of our subscription model
• Enforce free trial limits — the anonymous 30-minute preview uses a hashed composite of browser fingerprint + IP + httpOnly cookie to prevent repeated abuse. No personal identity is derivable from this hash. The hash expires after 30 days. Legal basis: Legitimate Interest (Art. 6(1)(f)) — fraud prevention. We have conducted a balancing test and concluded our interest in protecting our commercial model does not override user privacy, given the limited personal data involved and the absence of profiling.
• Transactional emails — account confirmation, billing receipts, and service notices. Legal basis: Contract performance (Art. 6(1)(b))
• Power AI Assistant responses— transmit your chat messages and a plain-text context of your current calculation to Anthropic's API to generate an engineering response. No chat content is stored by us. Legal basis: Contract performance (Art. 6(1)(b))
• Legal compliance — respond to lawful requests and retain records required by law. Legal basis: Legal obligation (Art. 6(1)(c))

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

We retain data only as long as necessary for the stated purpose:

We work with the following sub-processors. All have executed Data Processing Agreements (DPAs) with us.

We use only strictly necessary cookies. No advertising or tracking cookies are set:

• Authentication cookies (set by Clerk) — keep you signed in. Required for login to function.
• Trial cookie (mxc_trial) — an httpOnly, SameSite=Lax cookie that stores a base64-encoded record of your trial start and expiry times. This cookie is set only for anonymous (unauthenticated) visitors and is part of the trial-abuse prevention system described in Section 2. It expires after 30 days. Legal basis: Legitimate Interest (Art. 6(1)(f)).

We do not use advertising cookies, third-party tracking cookies, or any cookies that require consent under the ePrivacy Directive. Vercel Analytics is cookieless. Because we use only essential / legitimate-interest cookies, no consent banner is required under EU law.

You can disable cookies in your browser, but doing so will prevent login and trial functionality from working correctly.

If you are in the European Economic Area or United Kingdom, you have the following rights:

• Right of access (Art. 15) — request a copy of the personal data we hold about you. Contact us at the address below.
• Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data. Use Settings → Privacy → Delete Account, or email us at privacy@mechanixcalc.com.
• Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20) — download your saved data in a machine-readable format via Settings → Privacy → Export My Data, or email us and we will provide it.
• Right to object (Art. 21) — object to processing based on legitimate interest, including session-security logging.
• Right to lodge a complaint — you may complain to your national supervisory authority (e.g. ICO in the UK, your local DPA in the EU).

To exercise any of these rights, contact: privacy@mechanixcalc.com. We will respond within 30 days.

We apply industry-standard security measures including:

• TLS encryption for all data in transit
• Encrypted database connections to Neon Postgres
• Hashed user agents — we never store raw user agent strings; only a one-way cryptographic hash is retained for session-security purposes
• Access controls limited to authorised personnel
• Clerk is SOC 2 Type II certified, providing enterprise-grade auth infrastructure

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but commit to prompt notification in the event of a breach affecting your personal data, as required by GDPR Art. 33–34.

Clerk and Vercel are headquartered in the United States. Where personal data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved under GDPR Art. 46(2)(c) to ensure an adequate level of protection. Neon stores data exclusively in the EU (Frankfurt) and no international transfer occurs for database data. Paddle is established in the UK and subject to UK GDPR.

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with data, please contact us at privacy@mechanixcalc.com and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address associated with your account, or by a prominent notice within the Service, at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Privacy enquiries and data subject requests: privacy@mechanixcalc.com

Data controller: MechanixCalc