1. Data Controller and Contact

Controller: Özgü Arda Türkmen (Ferrumium), Marktstraße 12, 76726 Germersheim, Germany.

For privacy requests, use the Contact action in the website footer. Service provider details are available in the Legal Notice.

2. Data We May Collect

• Account data such as username, email address, and profile information you provide.
• Content you create or upload, including factory plans, blueprints, comments, and project data.
• Support messages and communication details submitted through contact channels.
• Technical data such as IP address, device type, browser type and version, operating system, and user agent string.
• Usage data such as pages visited, referral source, session identifiers, and interaction patterns.
• Approximate location data (country and city) derived from your IP address using a local geolocation database.
• Local browser storage data used for session behavior, interface preferences, and workspace state.

3. Why We Process Data

• To provide and maintain the Service.
• To secure accounts, detect abuse, and prevent fraud.
• To respond to support requests and platform reports.
• To comply with legal obligations and enforce our Terms.
• To improve product quality and performance.

4. Legal Bases for Processing (Where Applicable)

• Performance of a contract when processing is needed to provide your account and requested service features.
• Legitimate interests for platform security, abuse prevention, troubleshooting, and service improvements.
• Compliance with legal obligations, including lawful requests from authorities and recordkeeping duties.
• Consent where legally required. You can withdraw consent at any time for future processing.

5. Cookies and Similar Technologies

Cookie use details are listed in our Cookie Policy. We use an HttpOnly authentication cookie for signed-in sessions, a CSRF protection cookie, and a language preference cookie. Signed-in users sync account preferences and site choices to their account. Guest mode does not store that data on Ferrumium servers or sync it to an account. We also use browser storage for temporary tab state and duplicate-event prevention. Full details are in the Cookie Policy.

6. Third-Party Services and Integrations

We integrate with or rely on the following third-party services to operate the platform:

• Authentication providers: You may sign in or link your account using Google, Steam, Reddit, or Discord. When you do, we receive a limited profile (such as your user ID and display name) from that provider. We do not receive your password from these services.
• Patreon and Ko-fi: If you choose to support Ferrumium, payment and tax handling are managed by those platforms. We receive transaction confirmations and supporter identifiers but do not process payment card data on this website.
• Backblaze B2: User-uploaded images (such as avatars and blueprint previews) are stored on Backblaze B2 cloud storage.
• Cloudflare Turnstile: We use Cloudflare Turnstile for CAPTCHA verification during registration and contact form submission. Turnstile may process your IP address and device data under Cloudflare's privacy policy.
• Email delivery: We use AWS Simple Email Service (SES) for transactional emails such as verification and password reset messages.
• Error monitoring: We may use Sentry for error tracking. When enabled, technical error data (such as stack traces and request metadata) may be sent to Sentry for diagnosis.
• Geolocation: We use a locally hosted MaxMind GeoIP2 database to derive approximate location (country and city) from IP addresses. No data is sent to MaxMind for this lookup.

7. Data Sharing

We do not sell personal data. We may share limited data with service providers that help us operate the platform (for example hosting, email delivery, and security tools), strictly for service operation.

We may disclose data when required by law, legal process, or valid requests from authorities.

8. International Data Transfers

Service providers may process data in countries outside your own. If you are in the EEA/UK, we aim to use legally recognized safeguards for restricted transfers, such as adequacy decisions or standard contractual clauses.

Transfer mechanisms may vary by provider, processing purpose, and legal requirements in force at the time of transfer.

9. Data Retention

• Account and profile records are generally retained while your account is active and for a limited period after closure for security, abuse prevention, and backup recovery.
• User-generated content is retained until deletion by you, account removal, or moderation/legal removal needs.
• Support and contact records are typically retained for operational follow-up and dispute handling.
• Security logs are retained for a shorter lifecycle unless an active incident, legal hold, or abuse investigation requires longer storage.

10. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict processing of your personal data, and to object to certain processing.

To submit a privacy request, use the Contact channel in the footer and clearly mark the subject as "Privacy Request." Depending on jurisdiction, we may ask for identity verification before processing. You may also file a complaint with your local data protection authority when applicable.

11. Children

The Service is not intended for use in violation of applicable age requirements in your jurisdiction. If you believe a child has provided personal data unlawfully, contact us for review.

12. Policy Updates

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date on this page.