Privacy Policy
Last Updated: 2/11/2026 | Adapted from the Basecamp open-source policies / CC BY 4.0
The Laser Workshop is dedicated to collecting only what we need. This policy explains what data we collect, why we collect it, and how we handle it. We comply with GDPR, CCPA, and other privacy regulations.
Identity & Access
When you sign up for The Laser Workshop, we ask for identifying information such as your name and email address. That's so you can personalize your new account, and we can send you product updates and other essential information.
Authentication: We use Supabase for secure authentication. OAuth providers (Google, etc.) may share your name, email, and profile picture when you sign up using their services.
Community Features & Maker Map
If you choose to join the Community Map, we collect location data (such as address or zip code) and workshop details.
- We use third-party geocoding services (OpenStreetMap/Nominatim) to convert addresses into map coordinates.
- By default, your location is displayed as approximate (Zip code center) unless you explicitly opt in to show your exact address.
- Information you provide for your Maker Map profile (bio, services, featured equipment) is public to other registered users.
- If you enable "Lead Intake," we process and store client messages to deliver them to you, but we do not use the content for marketing purposes.
Billing & Subscription Information
If you sign up for a paid subscription, you will be asked to provide your payment information.
- RevenueCat: We use RevenueCat to manage subscriptions across web, iOS, and Android. RevenueCat acts as a data processor and may share data with Stripe (for web payments) and Apple/Google (for in-app purchases). See RevenueCat's Privacy Policy.
- Stripe: Credit card information is submitted directly to Stripe (our payment processor) and doesn't hit The Laser Workshop servers. See Stripe's Privacy Policy.
- We store a record of the payment transaction for account history and billing support.
- If you participate in our Affiliate Program, we collect your PayPal email address solely for commission payouts.
Product Interactions
We store on our servers the content that you upload or create in your account (such as material profiles, machine settings, SVG files, and project logs).
- Supabase: Database and authentication. Data is encrypted at rest and in transit. See Supabase's Privacy Policy.
- Cloudflare R2: File storage for avatars, SVG files, and project images. See Cloudflare's Privacy Policy.
- We keep this content as long as your account is active. Upon account deletion, content is deleted within 60 days.
Analytics & Telemetry
We collect information about your browsing activity for analytics and statistical purposes. This helps us improve the service.
- Google Analytics: We use Google Analytics to understand site usage patterns. Google may use cookies to collect data. You can opt out using the Google Analytics Opt-out Browser Add-on. See Google's Privacy Policy.
- Umami Analytics: Privacy-focused, self-hosted analytics. Umami does not collect personally identifiable information and anonymizes all data.
- PostHog: Product analytics and feature flags. We use PostHog to understand feature usage and improve the product. PostHog is self-hosted and does not share data with third parties. See PostHog's Privacy Policy.
- Data collected includes browser type, operating system, pages visited, time on page, and referring URLs.
Cookies & Tracking
We use cookies to store preferences, handle authentication, and perform analytics. See our Cookie Policy for details.
- Essential Cookies: Required for authentication and site functionality (Supabase auth tokens).
- Analytics Cookies: Google Analytics, Umami, and PostHog use cookies to track site usage.
- Affiliate Cookies: We store referral codes in cookies to track affiliate commissions (30-day expiry).
- You can disable cookies in your browser settings, but some features may not work correctly.
Communication & Support
- AWS SES: We use Amazon Web Services Simple Email Service to send transactional emails (password resets, notifications, receipts). See AWS Privacy Notice.
- UserJot: User feedback widget for authenticated users. UserJot may collect your email, name, and feedback messages. See UserJot's Privacy Policy.
- We do not use your email for marketing without explicit consent.
Error Tracking & Monitoring
Sentry (Optional): If enabled, we use Sentry for error tracking and performance monitoring. Sentry may collect error messages, stack traces, user IDs, and browser information. See Sentry's Privacy Policy.
How We Secure Your Data
- All data is encrypted via SSL/TLS when transmitted from our servers to your browser.
- Database backups are encrypted at rest.
- We use industry-standard security measures including password hashing (bcrypt), secure session management, and regular security audits.
- Access to customer data is restricted to authorized personnel only.
Data Sharing, Retention & Your Rights
When we access or share your information:
- Third-Party Processors: We use the following third-party subprocessors who may access your data: Supabase (database/auth), RevenueCat (subscriptions), Stripe (payments), Cloudflare R2 (file storage), AWS SES (email), Google Analytics, Umami, PostHog (analytics), Sentry (error tracking), UserJot (feedback).
- To help you troubleshoot: We will ask for your consent before accessing your content for support.
- When required under applicable law: We will only share customer data if compelled by a government authority with a legally binding order.
- We do not sell your data: We will never sell, rent, or trade your personal information to third parties for marketing purposes.
Data retention:
- We keep your information for the time necessary for the purposes for which it is processed.
- Active accounts: Data retained indefinitely while account is active.
- Deleted accounts: Content deleted within 60 days. Billing records retained for 7 years for tax/legal compliance.
- Analytics data: Aggregated and anonymized data may be retained indefinitely for product improvement.
Your rights (GDPR & CCPA):
- Access: Request a copy of your personal data.
- Deletion: Request deletion of your account and data.
- Portability: Export your data in JSON/CSV format from settings.
- Correction: Update your profile information anytime in settings.
- Opt-out: Unsubscribe from marketing emails (we don't send marketing without consent).
- To exercise these rights, email us at support@thelaserworkshop.com or delete your account from settings.
International data transfers:
- Our services are hosted in the United States (Supabase, AWS, Cloudflare).
- By using our services, you consent to the transfer and storage of your information in the United States.
- We rely on Standard Contractual Clauses (SCCs) and adequacy decisions for international transfers where applicable.
Children's Privacy
Our services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us at support@thelaserworkshop.com.
Questions & Contact
If you have any questions about this policy or wish to exercise your privacy rights, please contact us at support@thelaserworkshop.com.
We will respond to your request within 30 days.