LEORA

Privacy Policy

Effective Date: 1 September 2025
Last Updated: 6 April 2026
Version: 1.0
Controller: Leora IO LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, USA

At a Glance

  • We collect: Account info from Google Sign-In, payment records, download logs, and usage data — only what is needed to run the Platform and enforce your license.
  • We do not sell: Your personal data. We do not sell, rent, or share it with advertisers.
  • We share with: Google (Sign-In and analytics), Stripe (payments), our hosting provider, and our email service. Full list in Section 4.
  • Your rights: Access, correct, delete, and export your data. EU/UK and California rights in Section 7. Canadians: Section 7.3.
  • Cookies: Cookie categories described in Section 8. You manage preferences via the cookie banner.
  • Contact: hello@leorastudio.com — we respond within 30 days (faster where law requires).

1. Who We Are and How to Contact Us

This Privacy Policy is issued by Leora IO Limited Liability Company, a Delaware limited liability company ("Leora," "we," "us," or "our"), registered at 131 Continental Dr, Suite 305, Newark, DE 19713, USA. Leora is the data controller for personal data collected through the Platform — meaning we decide why and how your data is processed.

For all privacy questions, rights requests, or complaints, contact us at:
Email: hello@leorastudio.com (subject: "Privacy Request")

We will respond within the timeframe required by your applicable law: 1 calendar month for EU/UK (GDPR); 45 days for California (CCPA); 30 days for Canada (PIPEDA) and all others.

EU and UK Representative: Leora does not currently have a formal representative appointed under GDPR Article 27 or UK GDPR Article 27. EU and UK residents may contact us directly at hello@leorastudio.com. This section will be updated when a representative is appointed.

2. What Data We Collect and Why

The table below lists every category of personal data we collect, what is included, why we collect it, and the GDPR legal basis. We do not intentionally collect any special category data (health, biometric, racial or ethnic origin, political, religious, or sexual orientation data). If you submit such data inadvertently, we will delete it upon becoming aware.

Category | What We Collect | Why | Legal Basis (GDPR)
Account & Identity | Name, email address, Google Account ID, profile picture URL — received from Google at sign-in via OAuth 2.0 | Creating and managing your account | Contract
Google Auth Tokens | OAuth access and refresh tokens used to verify your identity at login. Not used for any other purpose. | Maintaining your login session | Contract; Legitimate interests
Subscription & Payment | Subscription tier, purchase date, transaction ID, billing country. Card details handled by Stripe — not received or stored by Leora. | Processing payment; issuing license | Contract; Legal obligation
Download Records | Account ID, file identifier, timestamp, IP address at time of download | License compliance, piracy detection, audit trail | Legitimate interests; Legal obligation
Customization Inputs | Parameter settings entered per session to configure your Customized File | Generating your Customized File | Contract
Usage & Technical Data | Browser type, device type, OS, IP address, pages visited, session duration, error logs | Platform security and performance | Legitimate interests
Support Communications | Content of emails and support tickets you send us | Customer support | Contract; Legitimate interests
Cookie & Analytics Data | Session tokens, Google Analytics 4 identifiers, preference flags. See Section 8 for full cookie list. | Platform functionality and usage analytics | Consent; Legitimate interests
Compliance Records | Timestamps of T&C acceptance, privacy policy acceptance, cookie consent, EU digital goods withdrawal waiver, download confirmations | Legal compliance; enforcement | Legal obligation; Legitimate interests
Educational & Photo Library Access | Account ID, content item or image accessed, timestamp | License compliance; verifying subscriber access | Legitimate interests

How data reaches us

  • Directly from you: when you sign in via Google, purchase a subscription, use the customization tool, contact support, or submit feedback.
  • Automatically: when you use the Platform — technical and usage data is collected by our systems and via Google Analytics (with your consent).
  • From Google: your name, verified email, Google Account ID, and profile picture are sent to us by Google when you authorize sign-in. Leora requests only the minimum scopes necessary. You can see exactly which scopes are requested on the Google permissions screen shown during sign-in.
  • From Stripe: transaction confirmation, billing country, and fraud signals when you purchase a subscription.
  • From MakerWorld: a one-time eligibility check for campaign backers — account identifier and tier confirmation only.

Automated decision-making

Leora does not make any decisions about you based solely on automated processing that produce legal or similarly significant effects. Subscription access controls are rule-based (your subscription status in our database), not AI-driven. We do not use your data to train AI or machine learning models.

Educational content and photo library

When you access educational content (webinars, tutorials) or download images from the Leora Photo Library, we log the access event (account ID, item accessed, timestamp) for license compliance. This data is retained for as long as necessary for license compliance purposes. Commercial Use subscribers who submit product photographs to Leora (e.g. via email) for promotional use may object to that use at any time by contacting hello@leorastudio.com.

3. How We Use Your Data

We use your personal data only for the following purposes. Where we rely on legitimate interests, we have assessed that those interests — operating a licensed 3D printing business, protecting our IP, and preventing piracy — are not overridden by your privacy rights.

  • Delivering the Platform: account management, payment processing, license issuance, file downloads, and customer support.
  • Transactional communications: purchase receipts, download confirmations, renewal reminders, and expiry notices. These are mandatory service communications — you cannot opt out while your account is active.
  • License compliance and enforcement: maintaining download logs and consent records to detect unauthorized file sharing and enforce the Terms and Conditions.
  • Legal obligations: tax and accounting records, responding to lawful legal process, and maintaining the mandatory breach register under GDPR Article 33(5).
  • Platform security and integrity: detecting unauthorized access, monitoring download patterns for piracy indicators, and maintaining infrastructure performance.
  • Platform improvement: analyzing anonymized usage patterns to improve the customization tool. Your data is not used to train AI models.
  • Marketing: promotional emails about new models or features — only where you have opted in or where permitted by applicable law (e.g. soft opt-in for existing customers under UK PECR). You may unsubscribe at any time via the link in any email or by emailing hello@leorastudio.com.

4. How We Share Your Data

We do not sell, rent, or trade your personal data. We share it only with the vendors below, who are bound by Data Processing Agreements, and in the limited circumstances described.

Vendor | Role | Data Shared | Country | Transfer Basis
Google LLC | Identity provider (Sign-In) | Name, email, Google Account ID, profile picture — sent by Google to Leora at sign-in. Google is an independent controller for its own auth processing. | USA | EU-US DPF; Google API Services Terms
Google LLC | Analytics (GA4) | Usage data collected from your browser with your consent. We receive aggregated reports. Google is our data processor under a DPA. | USA | EU-US DPF; Google Analytics DPA; SCCs
Stripe, Inc. | Payment processing | Billing country, transaction amount, email. Card data handled by Stripe under PCI-DSS — never received or stored by Leora. Stripe is an independent controller. | USA | EU-US DPF; Stripe Privacy Policy: stripe.com/privacy
Cloud Hosting Provider | Infrastructure & file storage | All Platform data stored on hosting infrastructure. Contact hello@leorastudio.com for current provider details. | USA / EU | SCCs; EU-US DPF where applicable.
Email Delivery Provider | Transactional email delivery | Recipient email address and email content. Contact hello@leorastudio.com for current provider details. | USA | SCCs; EU-US DPF where applicable.
MakerWorld (Bambu Lab) | Campaign backer verification (one-time) | Account identifier and tier confirmation only. No ongoing data sharing. | USA / China | SCCs as applicable; makerworld.com/privacy

You may request the name and privacy policy of any specific service provider by emailing hello@leorastudio.com.

We may also disclose data to law enforcement, courts, or regulators where required by law or to protect the rights, property, or safety of Leora or its users. If Leora is acquired or merges with another entity, your data may transfer to the successor — we will notify you by email at least 30 days before any such transfer and you may delete your account before it takes effect.

5. International Data Transfers

Leora is based in the United States, which does not have a general EU adequacy decision. Where your personal data is transferred from the EEA or UK to the US, we rely on the following mechanisms:

  • EU-US Data Privacy Framework (DPF): Both Stripe and Google are DPF-certified. We rely on their DPF certification for transfers to those providers. This section will be updated if Leora obtains its own DPF certification.
  • Standard Contractual Clauses (SCCs): For transfers to processors not covered by DPF or an adequacy decision, we will rely on the 2021 European Commission SCCs (Decision 2021/914).
  • UK International Data Transfer Addendum (IDTA): Applied for UK-specific transfers where SCCs are used.

MakerWorld (Bambu Lab) has operations in China. The one-time eligibility check described in Section 2 involves transmitting your account identifier to MakerWorld, whose servers may be located in or accessible from China. This is minimized to the data strictly necessary for verification.

Canadian users: your data is processed in the United States, which has different privacy laws than Canada. US authorities may access data under US law in ways Canadian law would not permit. You may contact us to ask what countries your data is sent to.

You may request details of the specific safeguards in place for any transfer by emailing hello@leorastudio.com.

6. How Long We Keep Your Data

We retain personal data only as long as necessary for the purposes in this Policy or as required by law. When a retention period expires, data is securely deleted or irreversibly anonymized. Data subject to active legal proceedings may be retained until the matter is resolved.

Data | Retention Period | Reason
Account Data | Account lifetime + 3 years after closure | Dispute resolution; statute of limitations
Google OAuth Tokens | Session only — invalidated on sign-out | Not needed beyond active session
Payment & Transaction Records | 7 years from transaction date | US IRS and EU VAT record-keeping obligations
Download Logs & License Compliance Records | Subscription Term + 5 years | License enforcement; piracy dispute resolution
Customization Inputs | Retained for the period necessary to generate your file | Data minimization — used only to generate your Customized File
Consent & Compliance Records | 7 years from date of consent | Proof of lawful processing; GDPR Article 5(2) accountability
Support & Communications | 3 years from last communication | Customer service continuity; dispute resolution
Usage & Technical Data | 13 months rolling | Analytics benchmarking; security monitoring
Educational & Photo Library Logs | As long as necessary for license compliance | License compliance verification
Session Cookies | Deleted when browser closes | Strictly necessary; not stored beyond session
Analytics Cookies (GA4) | Up to 14 months | Platform improvement; GA4 default
Preference & Consent Cookies | 12 months | Preserving your settings; consent record
Data Breach Records (internal) | Minimum 3 years | GDPR Article 33(5) mandatory breach register

7. Your Privacy Rights

How to exercise any right: email hello@leorastudio.com with subject "Privacy Request," your name, email address registered to your account, and the right you wish to exercise. We may verify your identity before acting. We will not charge a fee unless a request is manifestly unfounded or excessive.

7.1 EU and UK Residents (GDPR / UK GDPR)

You have the following rights under GDPR and UK GDPR:

  • Access (Article 15): receive a copy of the personal data we hold about you, including how it is used and who it is shared with.
  • Rectification (Article 16): ask us to correct inaccurate or incomplete data. We will respond within 1 calendar month.
  • Erasure (Article 17): ask us to delete your data. This right is not absolute — we may retain data required by law (e.g. tax records, license compliance logs). Where we cannot delete in full, we will tell you what we can delete and what we must retain.
  • Restriction (Article 18): ask us to pause processing while you contest accuracy or an objection is pending.
  • Portability (Article 20): receive your data in a structured, machine-readable format (such as JSON or CSV) where processing is based on consent or contract.
  • Object — legitimate interests (Article 21(1)): object to processing based on our legitimate interests. We will stop unless we have compelling overriding grounds or need the data for legal claims.
  • Object — direct marketing (Article 21(2)): object to marketing use of your data at any time. This right is absolute — we must stop immediately with no override.
  • Automated decisions (Article 22): as stated in Section 2, Leora does not make legally significant automated decisions about you. This right is not currently engaged.

Right to complain: you may lodge a complaint with the supervisory authority in your EU member state (directory: edpb.europa.eu/about-edpb/board/members_en) or, for UK residents, with the ICO (ico.org.uk | 0303 123 1113). We encourage you to contact us first.

7.2 California Residents (CCPA / CPRA)

You have the following rights under CCPA/CPRA:

  • Know: request disclosure of the categories and specific pieces of personal information collected about you in the last 12 months, including sources, purposes, and third parties.
  • Delete: request deletion of your personal information, subject to exceptions (completing transactions, security, legal obligations).
  • Correct: request correction of inaccurate personal information.
  • Opt out of sale or sharing: Leora does not sell personal information and does not share it for cross-context behavioral advertising. There is nothing to opt out of. We will update this section if our practices change.
  • Non-discrimination: we will not deny service, charge different prices, or reduce quality because you exercised a privacy right.

To submit a California request: email hello@leorastudio.com (subject: "California Privacy Request"). We respond within 45 days (extendable by 45 days with notice). You may designate an authorized agent with written proof of authorization. If we deny your request, you may appeal — email us with "CCPA Appeal" in the subject; if denied on appeal, we will provide instructions to escalate to the California Privacy Protection Agency (CPPA).

7.3 Canadian Residents (PIPEDA and Quebec Law 25)

Under PIPEDA you have the right to access personal information we hold about you, challenge its accuracy, and withdraw consent to its collection, use, or disclosure (subject to legal and contractual restrictions — withdrawal may mean we can no longer provide the Platform). Under Quebec Law 25, you also have rights to erasure, portability, and restriction. To exercise any of these rights, email hello@leorastudio.com. We respond within 30 days. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca | 1-800-282-1376) or, for Quebec residents, with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).

8. Cookies and Tracking

We use cookies and similar technologies on the Platform. The full list of cookies currently in use is shown in the cookie consent banner when you first visit the Platform. Below is a description of the categories we use.

Strictly Necessary

These cookies are essential for the Platform to function and cannot be switched off. They include session authentication, security protection during sign-in, and storing your cookie consent choice. No consent is required for these cookies.

Functional

These cookies remember your preferences — such as language settings and tool configurations — so you do not have to re-enter them on each visit. We will only place these with your consent.

Analytics

We use Google Analytics 4 to understand how users interact with the Platform. Analytics cookies collect usage data from your browser and send it to Google, which returns aggregated reports to us. We receive reports — not individual user data. Google processes this data as our data processor under a Data Processing Agreement. Analytics cookies require your consent in EU/UK and will not be placed until you accept them via the cookie banner.

Marketing

We do not currently use marketing or advertising cookies. If this changes, this Policy will be updated and consent will be sought before any such cookies are placed.

You can manage your cookie preferences at any time via the cookie settings link in the Platform footer, or through your browser settings. Note that disabling strictly necessary cookies will prevent the Platform from functioning correctly.

Google Analytics Opt-Out: tools.google.com/dlpage/gaoptout

Do Not Track (DNT): the Platform does not currently alter its behavior in response to DNT signals as no uniform technical standard has been adopted. The cookie consent banner provides an effective alternative.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest.
  • Authentication via Google Sign-In — Leora does not store passwords. Your credentials are protected by Google’s own security infrastructure. If you have enabled two-factor authentication on your Google account, that protection applies to your Leora sign-in.
  • Payment security: full card data is never transmitted to or stored on Leora’s servers. All payment processing is handled by Stripe under PCI-DSS Level 1 certification.
  • Download watermarking: downloaded files may contain an embedded watermark linked to your account, deterring unauthorized redistribution.
  • Access controls: access to personal data is restricted to Leora personnel who need it for their role.
  • Vendor security: all service providers are contractually required to maintain appropriate security under Data Processing Agreements.

No system is completely secure. If you believe your account has been compromised, contact hello@leorastudio.com immediately and review your Google account security at myaccount.google.com/security.

Google account and Leora account relationship: if you revoke Leora’s Google permissions (myaccount.google.com/permissions), your Leora session will end and you will not be able to sign back in until you re-authorize. Your Leora account data will remain in our system. If you delete your Google account entirely, you will permanently lose the ability to sign in to Leora as we have no alternative authentication method — contact us at hello@leorastudio.com before doing so if you need to manage your account data.

Data breach notification: in the event of a breach likely to risk your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Article 33) and notify affected individuals without undue delay where required. For Canadian users, we will report breaches to the OPC as soon as feasible. We maintain an internal breach register as required by GDPR Article 33(5).

10. Children’s Privacy

The Platform is intended for adults and is not directed at children. We apply the following minimum age thresholds: under 13 (US — COPPA); under 16 (EU/UK — GDPR Article 8, applied as our platform-wide EU standard); under 14 (Canada — Quebec Law 25); under 18 (Platform policy — all jurisdictions, confirmed at registration).

Because Leora uses Google Sign-In exclusively, Google’s own Terms of Service — which prohibit accounts for users below the applicable minimum age — provide an additional baseline layer of age filtering. If you are a parent or guardian and believe your child has created a Leora account, contact hello@leorastudio.com immediately and we will delete the account and associated data.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices or legal requirements. When we make material changes we will: post the updated Policy on the Platform with a new Last Updated date; send email notice to your registered address at least 14 days before changes take effect; and seek fresh consent for any new processing activities that require it under GDPR.

12. Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, USA. This does not deprive you of any mandatory privacy protections under the law of your habitual residence — GDPR, UK GDPR, PIPEDA, Quebec Law 25, and CCPA/CPRA all apply to our processing of your data regardless of this clause. In the event of any conflict between this Privacy Policy and the Terms and Conditions regarding personal data, this Privacy Policy prevails.


Contact Us

Leora IO LLC | 131 Continental Dr, Suite 305, Newark, DE 19713, USA
Email: hello@leorastudio.com (subject: "Privacy Request")