Privacy policy.
We collect as little as possible, never sell your data, and serve every page without a single third-party CDN call.
1 · Who we are (controller)
3 Layer Prototyping (sole proprietorship, Valentin Lenz)
We don't appoint a data-protection officer (Datenschutzbeauftragter) because we're below the §38 BDSG threshold. Privacy questions and GDPR-rights requests go directly to info@magicstairs.tech.
2 · Summary
- You can use every calculator without an account. No third-party servers are contacted when you load the site — every font, image, and script is served from our own domain.
- We run cookieless first-party analytics on public marketing pages only — no ads, no third-party trackers, no Google Fonts, no "just include this script" widgets.
- One cookie for keeping you logged in, set only after you sign in.
- We never see your card number — payments go through Stripe.
- We don't sell, rent, or share your data with anyone except the named processors below.
3 · What we collect, when, and why
3.1 Browsing the site (no account)
Visiting magicstairs.tech, opening the calculators, viewing pricing — none of this creates a personal record on our end. Calculator inputs (your stair dimensions) live in your browser's URL bar; they never touch our server unless you explicitly buy a download or save a project. Our hosting provider (IONOS) keeps standard web-server access logs for operational purposes (anti-abuse, incident debugging) for up to 14 days.
Aggregate page-view analytics on public marketing pages — see § 3.7.
3.2 Creating an account
We store: your email, a salted hash of your password (never the password itself), your name if you choose to enter it, the plan you're on, accepted-terms timestamps, and last-login. Legal basis: Art. 6 (1) (b) GDPR — contract performance.
3.3 Paying for a download or subscription
Payments are processed by Stripe Payments Europe Ltd (Dublin, Ireland). We receive a Stripe customer ID, payment-intent ID, and transaction amount — never your card number. Stripe's privacy policy applies to that processing: stripe.com/privacy.
3.4 Downloading files
Pay-per-download and subscription downloads are generated on-demand. We store one row per generated file (calculator type, format, file size, IP address for fraud detection, signed-token). Files are retained 1 year (Business: indefinitely while subscription active), then deleted.
3.5 Transactional email
Service emails go via AWS SES (Frankfurt). AWS retains bounce/complaint metadata.
3.6 Error reporting + performance telemetry
Uncaught exceptions go to Sentry (EU/Frankfurt). Sentry receives: error message, stack trace, URL, anonymised browser info, hashed member ID. We do not send your email or form contents. Web Vitals tracing at 10% sample rate. Legal basis: Art. 6 (1) (f) GDPR.
3.7 Page-view analytics
Self-hosted, cookieless analytics on public marketing pages only — not on account, admin, sign-in, checkout, or download pages. Per hit we record URL path, referer, screen size, browser language, and country. IP addresses are hashed with a daily-rotated salt and discarded within 8 hours. No third-party processor. DoNotTrack is respected. Legal basis: Art. 6 (1) (f) GDPR.
3.8 Encrypted off-site backups
Nightly age-encrypted database snapshots to a Hetzner Storage Box (Germany). Hetzner stores only the encrypted blob.
3.9 Hosting
IONOS SE virtual server in Germany. Standard webserver logs rotated at 14 days.
4 · Cookies + local storage
The site sets one cookie:
| Name | Purpose | Lifetime | Necessary? |
|---|---|---|---|
ms_prod_-token | Keeps you signed in (JWT-style session token) | 7 days, refreshes on activity | Yes — strictly necessary per TTDSG §25 (2) Nr. 2; no consent required. |
We don't use cookies for analytics, advertising, or cross-site tracking.
5 · Third-party services we do NOT use
For clarity: no Google Analytics, Google Fonts, Google Tag Manager, Google Maps, Meta Pixel, LinkedIn Insight, TikTok Pixel, X conversion tracking, Hotjar, Microsoft Clarity, Cloudflare Insights, Plausible, Matomo, Mixpanel, Amplitude. All fonts and analytics are self-hosted on our own server.
6 · Your rights (GDPR)
- Access (Art. 15) — request via /account/privacy
- Rectify (Art. 16) — edit in account settings
- Erase (Art. 17) — one-click in /account/privacy; anonymised within 30 days
- Restrict (Art. 18) — write to us
- Data portability (Art. 20) — JSON dump
- Object to processing (Art. 21) — write to us
- Lodge a complaint with the Berlin Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI): datenschutz-berlin.de
7 · Retention summary
| Data type | Retention |
|---|---|
| Account record | Until deletion + 30 days |
| Saved projects | Until deletion |
| Generated download files | 1 year (Business: while sub active) |
| Tax-relevant invoices | 10 years (§ 147 AO) |
| Webserver access logs | 14 days |
| Encrypted backups | 30-day rolling window |
| Sentry error reports | 90 days |
| Analytics — raw IP hash | 8 hours |
| Analytics — aggregated page-view counts | Indefinitely (no personal data) |
8 · Changes to this policy
Material changes notified by email at least 30 days before effective.
9 · Contact
info@magicstairs.tech — we respond within 30 days.