Privacy Policy
This is a convenience translation. The legally binding version is the German document.
Note on language: This English version is provided as a convenience translation for international users. The legally binding version is the German one. In case of any inconsistency between the two versions, the German version prevails.
Last updated: May 2026
Table of contents
- Controller and contact
- General information about this Privacy Policy
- What data we process and why
- 3.1 Visiting the website
- 3.2 Cookies and similar storage technologies
- 3.3 Registration with email and password
- 3.4 Sign-in via Google
- 3.5 Profile information and public profile
- 3.6 Browsing, cart and country selection
- 3.7 Order and payment
- 3.8 STL purchases (digital content)
- 3.9 Physical orders
- 3.10 Reviews and comments
- 3.11 Refund proceedings and evidence uploads
- 3.12 Notifications inbox
- 3.13 Emails and email preferences
- 3.14 Onboarding as a designer or maker (Stripe Connect; maker platform application)
- 3.15 Designer rights attestation and content reports
- 3.16 GPSR and packaging register (LUCID)
- 3.17 Contacting us by email
- 3.18 Tax reporting obligations (DAC7)
- Recipients and processors
- Transfers to third countries
- Retention periods
- Your rights
- Right to lodge a complaint with a supervisory authority
- Obligation to provide personal data
- Automated decision-making
- Data security
- Minors
- Note on the beta phase
- Changes to this Privacy Policy
1. Controller and contact
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
Ludovicus Gees Aryo Herwastho
Rudi-Arndt-Straße 14
10407 Berlin
Germany
Email: contact@asdf-club.com
Website: https://www.asdf-club.com
No data protection officer has been appointed. asdf club is not under a statutory obligation to appoint one (Art. 37 GDPR in conjunction with § 38 BDSG).
2. General information about this Privacy Policy
This Privacy Policy informs you about the processing of your personal data when you use the asdf club platform, accessible at https://www.asdf-club.com (the "Platform"). It applies to all user groups of the platform: buyers ("Shoppers"), Designers and Makers.
asdf club is an online marketplace platform for 3D-printable designs (STL files) and printed products. Designers sell digital STL files; Makers sell physical, 3D-printed products. The operator acts as an intermediary and as merchant of record for payment processing via Stripe Connect.
Personal data are any information relating to an identified or identifiable natural person (Art. 4 no. 1 GDPR). This Privacy Policy uses the terms of the GDPR.
3. What data we process and why
3.1 Visiting the website
Each time you access our Platform, technically necessary data are transmitted to our hosting provider (Vercel) and processed for a short time in server logs:
- IP address,
- date and time of the request,
- URL requested,
- HTTP status code,
- volume of data transferred,
- referrer (referring website, where available),
- user agent (browser and operating system identifier).
On your first visit, we derive your likely country from the hosting IP header (x-vercel-ip-country / cf-ipcountry) in order to propose a default shopping country in the navigation bar. The IP address itself is not stored persistently for this purpose; only the derived country code (e.g. "DE", "US") is stored in a cookie – see Cookie Policy.
Purposes: provision of the website, security, error analysis, pre-selection of the shopping region.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a functional and secure service).
Retention period: On the current hosting plan (Vercel Hobby), runtime and edge logs are discarded by default after approximately 1 hour. Build logs are retained per deployment. We will update this disclosure if we change hosting plans.
3.2 Cookies and similar storage technologies
We use cookies and storage technologies (such as localStorage) only to the extent necessary for the operation of the Platform. A full overview – including legal basis, storage duration and how to manage them – is provided in our separate Cookie Policy.
3.3 Registration with email and password
If you register with an email address and password, we process:
- email address,
- chosen password (stored as a hash, not in plain text),
- chosen username,
- time of registration,
- IP address at the time of registration (processed on our behalf by Supabase for security and abuse protection).
Purposes: creation and administration of your user account, authentication, protection against abuse.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract – platform usage agreement) and Art. 6 (1) (f) GDPR (security).
3.4 Sign-in via Google ("Continue with Google")
You may alternatively sign in using your Google account. To do so, you are redirected to Google and sign in there. Upon successful authentication, Google transmits the following data to us:
- email address,
- first and last name (where stored at Google),
- profile picture URL (where stored at Google),
- unique Google user ID ("sub").
The processing of this data received from Google is based on Art. 14 GDPR (processing of data not collected directly from the data subject).
You are then redirected to a "complete profile" page on which you must provide a username and a country, if not already set.
Google is an independent controller for the data processing taking place during the sign-in flow on Google's pages. The Google Privacy Policy and Google's cookie policies apply.
Purposes: simplified registration and sign-in.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract – platform usage agreement).
3.5 Profile information and public profile
After registration, you may or must provide the following profile data:
- Username (required): a unique public handle (3–30 characters, lower-case letters/digits/underscore). Displayed on public profile pages and in reviews/comments.
- Full name: required field for registration via email/password; for sign-in via Google, the name is imported from Google where stored there. Displayed only on your public profile page (/users/{uuid}), not in URLs and not on showcase cards.
- Avatar (optional): profile picture that you upload or that is taken over from Google during OAuth sign-in.
- Country ("Shopping Location"): the shopping country you have chosen.
Public profile: at /users/{uuid}, the following are publicly visible: avatar, username, full name (if provided), role (Designer/Maker, where activated), public reviews and comments you have submitted, and your own product listings.
Your email address, password, address and order history are never publicly visible.
Purposes: identification to other users, trust in the marketplace, association of reviews and listings with persons.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract – platform usage agreement).
3.6 Browsing, cart and country selection
- Shopping country: stored in the cookie asdf-club-country and the localStorage entry asdf-club-currency-country. You may select any country in the navigation bar. This governs the display currency for non-binding price estimates and whether physical products are offered (only in full markets: EU member states, United States, Canada) or whether only STL downloads are available.
- Guest cart: you may add STL items and physical items to your cart without signing in. The contents of the cart are stored locally in your browser's localStorage (asdf_club_cart) only and are not transmitted to our servers before you initiate the checkout. Sign-in is required for payment.
Purposes: provision of the marketplace function, correct regional display, cart management.
Legal basis: Art. 6 (1) (b) GDPR (initiation and performance of the purchase contract), § 25 (2) no. 2 TDDDG (strictly necessary storage).
3.7 Order and payment
When you complete an order, we process the following data:
- identity (username, full name, email address),
- selected items (STL and/or physical) and quantities,
- selected maker (for physical items),
- delivery address (for physical items),
- order amount (in EUR, settlement/accounting basis),
- where applicable: amount and currency presented at Stripe Checkout,
- order number and order timestamp,
- for STL purchases additionally: confirmation of the withdrawal waiver (with timestamp and order number as evidence under § 312f (3) BGB).
Payment: Payment is processed via Stripe Checkout (including Stripe Adaptive Pricing where available). You may be charged in your local currency or in EUR, depending on your location and Stripe's settings; the amount and currency shown on Stripe immediately before payment are authoritative. The operator records the EUR settlement amount for accounting; the presented checkout amount and currency are stored where applicable for order display and refunds. You are redirected to a page provided by Stripe during checkout. Payment details (card or account information) are entered solely with Stripe; we do not process or store them. Stripe is an independent controller in respect of payment processing. The Stripe Privacy Policy applies.
Transfer to Makers (for physical orders): the Maker chosen by you receives only the data necessary for production and shipping: first and last name (or the recipient name you have entered), delivery address, and contact details for shipping notifications where applicable. The Maker does not receive payment details and no further information about you.
Transfer to Designers: Designers do not receive personal data of buyers. They see only aggregated sales figures and earnings.
Purposes: performance of the contract, payment processing, brokering to the Maker, creation of the records required by law.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (c) GDPR (statutory retention obligations, in particular § 147 AO and § 14b UStG).
3.8 STL purchases (digital content)
When you purchase an STL file, we additionally process:
- Withdrawal waiver: time and wording of the confirmed withdrawal waiver. Documented to you in the order confirmation email before the download is unlocked.
- Download access: an entry in your personal library (stl_access), which permanently entitles you to access the STL file you have purchased.
- Download log: technical record of downloads (e.g. timestamp, count) for protection against abuse.
- Version notifications: if the Designer releases a new version of the STL, you receive a notification by email and in your inbox.
Purposes: performance of the contract for digital content, evidence of the withdrawal waiver, provision of updates.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract), Art. 6 (1) (c) GDPR (evidence obligation under § 312f (3) BGB).
3.9 Physical orders
For physical orders, we additionally process:
- delivery address (name, street, postcode, city, country),
- contact details for shipping notifications (email, telephone where applicable),
- order lifecycle (status: pending → processed → shipped → delivered),
- selected Maker and any shipping carrier tracking information (entered by the Maker),
- product safety information under the General Product Safety Regulation (Regulation (EU) 2023/988) provided by the relevant Maker for the product.
Same-country shipping: For legal and logistical reasons, physical products are shipped only within the same country (e.g. US Maker → US buyer, DE Maker → DE buyer). Cross-border shipping within the EU or between continents does not take place in the current MVP.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
3.10 Reviews and comments
After completing an order, you may submit a review. Reviews and comments on product pages are publicly readable (also by unauthenticated visitors); to submit a review or a comment, sign-in is required.
Data processed:
- username (publicly displayed),
- star rating,
- review text,
- optionally uploaded images,
- time of publication,
- link to the order (internal, not public).
We reserve the right to remove reviews and comments that violate our Terms and Conditions or applicable law.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract), Art. 6 (1) (f) GDPR (legitimate interest in a trustworthy marketplace).
3.11 Refund proceedings and evidence uploads
For refund requests (delivery issues, defective STL files, defective physical products, cancellations), we process:
- identification data of the involved parties (buyer, Maker, Designer),
- order data,
- communication history concerning the refund,
- evidence uploads (e.g. photos of a defective product, screenshots), stored in a protected storage bucket (evidence) and accessible only to authorised persons (involved parties and administration).
Purposes: handling of refund and warranty claims, dispute resolution.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract), Art. 6 (1) (c) GDPR (fulfilment of statutory warranty obligations under the BGB), Art. 6 (1) (f) GDPR (preservation of evidence in disputes).
3.12 Notifications inbox
Within the Platform, we operate a persistent notifications inbox (user_notifications) showing events relevant to your account (orders, shipping, refunds, payouts, maker applications, new product versions, etc.). Entries remain visible in the inbox after being read and after the underlying process has been concluded, but can be archived by you.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
3.13 Emails and email preferences
We send transactional emails via the service provider Resend (see processor list), for example:
- registration and sign-in confirmations,
- order confirmations (including the documentation of the withdrawal waiver for STL purchases),
- shipping and delivery notifications,
- refund notifications,
- payout notifications (for Designers/Makers),
- application and status notifications (Maker → Designer),
- notifications regarding price updates or new product versions,
- notifications regarding disputes / chargebacks.
In your account under "Settings", you can opt out of many of these emails (e.g. order confirmations, version notifications).
Note: For legal reasons (§ 312f (3) BGB – evidence of the withdrawal waiver on a durable medium), the order confirmation for STL purchases is always sent, even if you have opted out of order confirmations.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract), Art. 6 (1) (c) GDPR (statutory evidence obligation), Art. 6 (1) (a) GDPR (consent for optional notifications).
3.14 Onboarding as a designer or maker (Stripe Connect)
If you register as a Designer or Maker to sell on the Platform, you must create a Stripe Connect Express account. The necessary identification and account data (KYC) are entered exclusively with Stripe. Stripe is an independent controller for these data. The Stripe Connected Account Agreement and the Stripe Privacy Policy apply.
We receive from Stripe only the status information necessary for payouts and identification (e.g. "onboarding completed", payout capability, country and display name of the account where applicable).
In addition, we process on the Platform side:
- Maker profile: printer model, supported materials, build volume, weekly capacity, and where applicable the LUCID registration number (see section 3.16),
- Designer profile: self-disclosures and rights attestations per listing.
Purposes: enabling sales on the Platform, payouts, compliance.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract – creator agreement), Art. 6 (1) (c) GDPR (statutory obligations).
Maker platform application and equipment verification
Before you can accept physical orders on the Platform as a Maker, you must submit a one-time platform application during the beta phase. This review is separate from Stripe Connect identification (KYC) (see above) and concerns solely our decision whether to grant you the Maker role on the Platform.
Data processed:
- Application text and, optionally, a link to a website or social media profile,
- Verification type: either photos with you and your printer (preferred) or workspace photos only (no face) — in the latter case, a website or social media link is required,
- Equipment verification photos (one or more images of your printer or print workspace; if you choose the “with person” option, your face may be visible),
- Technical details: printer model(s) and quantity, supported materials, maximum build volume, weekly capacity,
- your profile country (from your user profile),
- processing status (pending / approved / rejected), time and reviewer of the decision, and where applicable a rejection reason (communicated to you).
Photos are stored in our Supabase storage (bucket images, path prefix maker-applications/{your user ID}/…). Access is limited to authorised administrators and staff with the collaborator role in the admin area; the images are not shown on your public profile or to other users.
Purposes: verifying that you have the equipment and capacity stated; abuse and fraud prevention; protecting the Platform and buyers from dishonest Maker claims.
Process: review is carried out manually by our team; there is no automated scoring or biometric recognition. If rejected, you may submit a new application; previously submitted form fields and existing verification photos are prefilled so you only need to update what has changed.
Notifications: you receive email and in-app notifications when your application is received, approved, or rejected (see sections 3.12 and 3.13).
Recipients: the operator (owner and authorised collaborators); Supabase Inc. as processor for storage and database (see section 4).
Retention: see the table in section 6 (“Maker platform application”).
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures and performance of the creator agreement); Art. 6 (1) (f) GDPR (legitimate interest in marketplace integrity and fraud prevention). If you voluntarily submit a photo on which your face is recognisable, processing of your likeness takes place on the same legal bases for manual identity and equipment verification; no automated facial recognition is used.
3.15 Designer rights attestation and content reports
When uploading a design, the Designer must confirm that they hold the necessary rights to the STL file. This confirmation is stored together with the timestamp and a reference to the relevant product (preservation of evidence).
Content reports: rights holders or other users can report unlawful content (e.g. IP infringement) via contact@asdf-club.com. We process the data submitted (identification of the reporter, contact details, contested material, justification) in order to assess the report and, where appropriate, remove the content.
Legal basis: Art. 6 (1) (b) GDPR (designer agreement), Art. 6 (1) (c) GDPR (obligations under the DSA / DDG), Art. 6 (1) (f) GDPR (protection of the Platform and third parties).
3.16 GPSR and packaging register (LUCID)
GPSR: Makers must provide product-safety information per physical listing under Regulation (EU) 2023/988 ("General Product Safety Regulation"). This information is published together with the listing.
LUCID (packaging register): As soon as German Makers sell physical products via the Platform, we are obliged as an electronic marketplace under § 3 (14b) VerpackG to verify compliance with the registration obligation. To this end, we process the LUCID registration number of the relevant Maker and verify it against the public packaging register (ZSVR).
Note: In the MVP (beta), no German Makers currently sell physical products. Processing of LUCID numbers will commence only once we open DE Makers for physical product sales.
Legal basis: Art. 6 (1) (c) GDPR (statutory obligation).
3.17 Contacting us by email
If you contact us by email at contact@asdf-club.com, we process your email address, your name (if provided) and the content of your message in order to handle your enquiry. We use Google Workspace for our email operations (see processor list).
Retention period: business correspondence is retained in accordance with commercial and tax retention obligations and for the duration of the limitation periods for asserting or defending claims (typically 3 years). Contract-relevant correspondence that also constitutes a booking record is retained for 8 years (§ 147 (3) AO as amended by the Fourth Bureaucracy Relief Act; § 257 HGB).
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual or contractual measures), Art. 6 (1) (f) GDPR (handling of enquiries), Art. 6 (1) (c) GDPR (retention obligations).
3.18 Tax reporting obligations (DAC7)
As the operator of a digital marketplace, we may be obliged under the Platform Tax Transparency Act (PStTG) to report certain identification and revenue data of our Designers and Makers to the German Federal Central Tax Office (BZSt). This concerns sellers exceeding certain annual thresholds (e.g. 30 transactions or EUR 2,000 in revenue per calendar year).
Where a reporting obligation is triggered, we transmit the legally prescribed data (e.g. name, address, tax identification number, bank details, quarterly turnover) to the BZSt.
Legal basis: Art. 6 (1) (c) GDPR in conjunction with PStTG.
4. Recipients and processors
We use the following service providers as processors (Art. 28 GDPR) or independent controllers:
| Service provider | Function | Registered office / processing location | Role |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Hosting in Frankfurt (EU); corporate seat USA | Processor |
| Stripe Payments Europe, Limited (Ireland); Stripe Technology Europe, Limited (Ireland) | Payment processing, payouts via Stripe Connect; regulated electronic money institution (STEL) | Ireland (EU) | Independent controller |
| Stripe, Inc. (USA) | Group-wide data processing as joint controller / processor within the Stripe group | USA | Processor in the context of Stripe's intra-group processing |
| Resend, Inc. | Sending transactional emails | USA | Processor |
| Vercel Inc. | Website hosting, edge delivery, server logs | USA / EU edge locations | Processor |
| Google Ireland Limited / Google LLC | Email operations (Google Workspace, contact@asdf-club.com) and sign-in service (Google OAuth) | Ireland (EU) and USA | Processor (Workspace) or independent controller (OAuth) |
We have entered into written data processing agreements with all processors in accordance with Art. 28 GDPR.
Domain and DNS: Our domain registrar Hostinger International Ltd. (Lithuania, EU) administers the registration of the asdf-club.com domain. Since Hostinger is not involved in the processing of user data (no hosting, no email traffic via Hostinger), no processing relationship arises in this respect.
5. Transfers to third countries
A transfer of personal data to third countries outside the European Economic Area (in particular the USA) takes place in connection with the use of the following service providers:
- Stripe, Inc. (USA),
- Resend, Inc. (USA),
- Vercel Inc. (USA),
- Google LLC (USA),
- Supabase Inc. (USA – corporate seat; however, the data processing itself takes place in Frankfurt (EU)).
Transfers take place on the basis of:
- the EU-US Data Privacy Framework (DPF), where the respective recipient is certified (adequacy decision of the European Commission of 10 July 2023), and/or
- the Standard Contractual Clauses of the European Commission (Art. 46 (2) (c) GDPR) in their current version.
Certifications under the EU-US DPF can be reviewed at https://www.dataprivacyframework.gov.
6. Retention periods
We store personal data only for as long as is necessary for the respective purposes or as required by statutory retention obligations:
| Category of data | Retention period |
|---|---|
| Account data (profile, username, avatar etc.) | Up to 30 days after a deletion request; thereafter, personal identifiers are anonymised or deleted |
| Order, invoice and payment data | 8 years from the end of the financial year (§ 147 (3) AO as amended by the Fourth Bureaucracy Relief Act of 29 Oct 2024, BGBl. 2024 I No. 323; § 14b (1) UStG; § 257 HGB) – this statutory retention obligation takes precedence over deletion requests |
| Withdrawal waiver confirmation (STL) | Together with the associated order record (8 years) |
| Evidence uploads in refund proceedings | Duration of the case + 3 years (statutory warranty limitation period); up to 8 years where linked to invoice data |
| Notifications inbox | While the account exists; deletion together with the account |
| Cookie consent records | 3 years |
| Server logs (hosting, Vercel Hobby) | Runtime/edge logs approx. 1 hour; build logs per deployment |
| Resend delivery logs (delivery diagnostics stored at the provider Resend) | up to 30 days at the provider (Resend Free); the Platform itself does not store delivery logs |
| Email correspondence to contact@asdf-club.com | 3 years (general business correspondence, regular limitation period); 6 years if the correspondence is a commercial letter (§ 257 (4) in conjunction with (1) no. 2/3 HGB; § 147 (3) AO); 8 years if the correspondence is a booking record (§ 147 (3) AO as amended by BEG IV; § 257 HGB) |
| Data held by Stripe (payment service provider) | In accordance with Stripe's own retention policy (outside our control) |
| Maker platform application (form data, verification photos) | Pending: until a decision is made; if approved: for the duration of your Maker role and thereafter 3 years (evidence, abuse prevention); if rejected: until you submit a new application or 24 months after rejection, whichever period is longer; verification images in storage follow the same periods; on account deletion: profile identifiers are anonymised (see account data) — application records and verification photos may be retained longer where required by law or for legitimate interests (e.g. evidence in disputes or completed orders) |
Even after closure of your account, data relevant for accounting (in particular order data and invoice records) remain stored in pseudonymised form until the statutory retention periods have expired. Processing of such data is restricted to what is statutorily required pursuant to Art. 18 GDPR (in particular retention for evidentiary purposes vis-à-vis tax and supervisory authorities).
7. Your rights
You have the following rights vis-à-vis us with regard to the personal data relating to you:
- Right of access (Art. 15 GDPR) – you may request information as to which personal data concerning you we process.
- Right to rectification (Art. 16 GDPR) – you may request rectification of inaccurate data.
- Right to erasure (Art. 17 GDPR) – you may request deletion of your data, subject to statutory retention obligations.
- Right to restriction of processing (Art. 18 GDPR),
- Right to data portability (Art. 20 GDPR),
- Right to object (Art. 21 GDPR) – you may object to the processing of your data where it is based on Art. 6 (1) (f) GDPR (legitimate interest),
- Withdrawal of consent (Art. 7 (3) GDPR) – you may withdraw any consent given at any time with effect for the future.
To exercise your rights, an email to: contact@asdf-club.com is sufficient.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).
The supervisory authority responsible for the controller is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
Alt-Moabit 59–61
10555 Berlin
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de
A list of all German state data protection authorities is available at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
9. Obligation to provide personal data
The provision of personal data is neither required by law nor by contract. You are not obliged to provide us with data. However, without the data necessary for performance of the contract (e.g. username, email address, delivery address where applicable), we cannot conclude or perform the respective contract (usage, purchase or creator agreement).
10. Automated decision-making
Automated decision-making within the meaning of Art. 22 GDPR – including profiling – does not take place.
11. Data security
We take technical and organisational measures to protect your data against loss, manipulation and unauthorised access. These include in particular:
- transport encryption with TLS both on the Platform and in traffic with all service providers,
- storage of passwords exclusively as a hash (not in plain text),
- access restrictions to internal systems based on the principle of least privilege,
- separation of production and test/staging environments,
- regular updates of the software used,
- careful selection of processors with documented security measures.
We continuously adapt our security measures in line with technological developments.
12. Minors
Our service is not directed at persons under 16 years of age. Persons under 16 may not register on the Platform and may not place orders. Should we become aware that an account has been created for a minor without the consent of the legal guardian(s), we will block or delete the account.
13. Note on the beta phase
The Platform is currently in a beta phase. Features, processes and the associated data processing activities may change at short notice. We will update this Privacy Policy accordingly and will inform you of material changes pursuant to section 14.
14. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy where changes to the technology used, to our services or to statutory requirements make this necessary. The current version is published on this page and dated as shown above.
Material changes, in particular those concerning new processing purposes or new categories of recipients, will be communicated to you in advance, e.g. by email or by a prominent notice on the Platform.
End of Privacy Policy.