Privacy Policy
Last updated: 27.05.2026.
1. Data Controller
This Privacy Policy explains how MP Dizajn, a sole proprietorship registered in the Republic of Croatia (OIB: 10747953458), with registered office at Brigade braće Radića 96, 42230 Donji Martijanec, Croatia, collects and processes personal data when you use the Laser Layers service ("Service") at laser.mp-dizajn.com.
We act as the Data Controller within the meaning of EU Regulation 2016/679 (GDPR). For data protection enquiries: podrska@mp-dizajn.com
2. What data we collect
We collect only the minimum data necessary to operate the Service:
- Email address — used to create your account and send magic-link login emails. Stored in normalised form for abuse prevention.
- Token and usage data — token balance, account creation date, last login date.
- Processing job metadata — job ID, timestamp, processing status, number of output layers. We do NOT retain your image content after your session ends.
- Uploaded images — temporarily stored during processing only. Deleted automatically when the session expires (guest: 1 hour; registered: after download or after 30 days). We never use your uploaded images to train machine learning or AI models.
- Output files (SVG layers, PNG previews) — temporarily stored to enable download. Deleted automatically after 30 days from generation.
- Technical data — IP address (for rate limiting and abuse prevention), browser user-agent (for debugging), request timestamps. Logs retained for up to 30 days.
- Payment data — we do NOT collect or access your payment card details. All payment processing is handled by Lemon Squeezy (Merchant of Record). We receive only: customer ID, order ID, purchase status.
3. Legal basis for processing (GDPR Art. 6)
- Performance of contract (Art. 6(1)(b)) — authentication, image processing, delivery of output files.
- Legitimate interests (Art. 6(1)(f)) — rate limiting, abuse prevention, service security and stability.
- Consent (Art. 6(1)(a)) — marketing emails and analytics (only if and when these features are activated; separate consent will be requested).
- Legal obligation (Art. 6(1)(c)) — accounting and invoicing records (retained by Lemon Squeezy as Merchant of Record under applicable law).
4. Data retention periods
- Guest uploads and output files: deleted automatically 1 hour after upload.
- Registered user uploads and output files: deleted automatically 30 days after generation.
- Account data: retained while your account is active. Accounts inactive for 24 consecutive months will receive an email warning; if no action is taken within 30 days, the account and associated data will be deleted.
- Server logs: retained up to 30 days.
- Database backups: rotational, up to 30 days.
- Email delivery logs (Brevo): up to 30 days.
- Accounting and payment records (Lemon Squeezy): retained as required by applicable law (up to 11 years for Croatian fiscal purposes).
5. Recipients of data (sub-processors)
We share personal data only with the following processors, each contractually bound to protect your data:
- Lemon Squeezy (Lemon Squeezy LLC, USA, dio Stripe Inc.) — payments and Merchant of Record. Processes billing data. Privacy policy: lemonsqueezy.com/privacy. Data transfers to the USA are covered by Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework.
- Render (Render Services, Inc., USA) — application and database hosting. Servers located in EU (Frankfurt, Germany). GDPR-compliant, SCC-bound.
- Brevo (Brevo SAS, France) — transactional email delivery (magic-link login emails). EU servers.
We do NOT sell your personal data. We do NOT share it for advertising purposes.
6. Where data is stored
Account data, usage records, and active processing jobs are stored on servers in the European Union (Frankfurt, Germany). Transfers to processors outside the EU (Lemon Squeezy, Render) are covered by Standard Contractual Clauses.
7. Your rights under GDPR (Art. 15–22)
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data ("right to be forgotten")
- Restrict or object to processing
- Receive a portable copy of your data
- Withdraw consent at any time (where consent is the legal basis)
- Lodge a complaint with the supervisory authority: Agencija za zaštitu osobnih podataka (AZOP), Selska cesta 136, Zagreb, www.azop.hr
To exercise these rights, contact us at podrska@mp-dizajn.com. We will respond within 30 days.
8. Cookies
We use three categories of cookies:
Essential cookies (always active — the Service cannot function without them):
- Session cookie — keeps you logged in. Required for the Service to function.
- Language preference cookie — remembers your HR/EN choice.
- CSRF token — protects form submissions from cross-site request forgery.
- Cookie consent cookie — stores your analytics and marketing choices for 12 months.
Analytics cookies (active only with your consent):
- Google Analytics 4 (Google LLC, USA) — measures traffic and user behaviour in aggregate form. Used with IP anonymisation and Google Consent Mode v2 (Google does not store data until your explicit consent is given).
Marketing cookies (active only with your consent):
- Meta Pixel (Meta Platforms Ireland Ltd, Ireland) — measures the effectiveness of advertising on Facebook and Instagram.
On your first visit we display a banner with three options: "Accept all", "Essential only", "Settings". Without your click we do not load analytics or marketing scripts. You can change your choice at any time by clicking "Cookie settings" in the footer.
Withdrawing consent stops further tracking from the moment of withdrawal. We cannot retroactively delete data already collected by these platforms before that point.
9. Security
We use industry-standard security practices: HTTPS for all communication, passwordless authentication (no stored passwords), encrypted database storage at the hosting provider level, and restricted access to production systems. No system is fully secure; you use the Service at your own risk.
10. Minors
The Service is not intended for persons under 16 years of age. We do not knowingly collect data from minors. If you believe a minor has registered an account, contact us and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy. Material changes will be announced via email to registered users. The "Last updated" date at the top reflects the most recent revision.
12. Contact
MP Dizajn
Brigade braće Radića 96, 42230 Donji Martijanec, Croatia
OIB: 10747953458
podrska@mp-dizajn.com