Privacy Policy

1. Who we are

This Policy describes how I. Angelov ("we", "us") processes your personal data when you use CuttingOpt.Pro ("the Service"), available at https://cuttingopt.pro/.

Contact: cuttingopt.pro@gmail.com

We are the Data Controller of your personal data within the meaning of Art. 4(7) GDPR (Regulation (EU) 2016/679).

2. What personal data we collect

2.1 Data you provide directly

• Email address — for identification and communication
• Password — stored only as a cryptographic hash (PBKDF2-SHA256, 600,000 iterations). The actual password is NEVER stored and cannot be recovered.
• Payment data — processed entirely by Stripe (PCI-DSS compliant). We do NOT store card numbers.

2.2 Data generated through use

• Project data — stocks, parts, settings you save
• Calculation count — number of cuts per month (for plan limits)
• Login activity — last login, failed attempts (brute-force protection)

2.3 Technical data

• IP address — stored hashed (sha256 + monthly salt). Real IP is NEVER stored in plain text. Used only for rate limiting and abuse prevention.
• Browser language — for language selection (BG/EN)

2.4 We do NOT collect

• Real names (only email)
• Addresses, phone numbers
• Tracking cookies for advertising
• Google Analytics or similar third-party trackers

3. Why we process your data (legal bases)

4. Sharing with third parties

We share minimal data with the following processors:

These providers have their own privacy policies and process data only for the specific purposes assigned.

5. How long we keep data

• Active accounts: as long as the account is active
• Deleted accounts: erased immediately upon request (GDPR Art. 17). Database backups cycle out within ~30 days.
• Verification / reset tokens: 24 hours
• Hashed IPs (anon counter): 1 month, then auto-deleted
• Payment logs: 5 years (accounting law requirement)

6. Your rights (GDPR)

As a user of the service you have the right to:

• Access (Art. 15) — request a copy of your data → button "📥 Export my data" in Settings
• Erasure (Art. 17) — "right to be forgotten" → button "🗑 Delete my account"
• Portability (Art. 20) — JSON export → same export button
• Rectification (Art. 16) — you can update your email in settings
• Objection (Art. 21) — for processing based on legitimate interest
• Complaint to supervisory authority — your country's data protection authority

Requests: cuttingopt.pro@gmail.com

7. Data security

• Password hashing: PBKDF2-SHA256, 600,000 iterations (OWASP 2024 standard)
• Session security: JWT with auto-invalidation on password change
• Account lockout: after 5 failed attempts (15 min)
• Encryption in transit: HTTPS (TLS 1.2+) mandatory
• Encryption at rest: Supabase encrypts at rest
• Email notifications: on password change and account deletion

8. Cookies and Local Storage

We do NOT use advertising/tracking cookies. We use localStorage in your browser for:

• Auth token (keep-you-logged-in)
• Language preference (BG/EN)
• Theme (dark/light)
• Anonymous calc counter

These are not cookies in the legal sense (not sent to the server automatically with every request). You can clear them via browser settings without affecting the service (you'll just need to log in again).

9. Children under 16

The service is not directed at children under 16. We do not knowingly collect data from minors.

10. Changes to the policy

For material changes we will notify registered users via email at least 30 days in advance. Minor changes (typo fixes, clarifications) are made without notice.

11. Contact and complaints

For questions about this policy:

• Email: cuttingopt.pro@gmail.com

If you believe your rights have been violated, you may file a complaint with your local data protection authority. For Bulgaria:

• Commission for Personal Data Protection (Bulgaria)
• Address: 2 Tsvetan Lazarov Blvd., Sofia 1592
• Web: https://www.cpdp.bg/en/