Privacy

Privacy policy

Short version: we store the absolute minimum. No tracking, no ads, no AI-training. If you delete your account, we delete your data.

What we collect — and why

Anonymous use of the tool

You can open cncfoam.com, load shapes, simulate cuts, stream G-code to your machine and download files without ever creating an account. In that mode we store nothing about you on our server. Your tool settings live in your browser's localStorage on your device.

If you create an account

We store: your email address, a bcrypted hash of your password, your chosen display name (optional), the timestamp you signed up, the timestamp of your last sign-in, and a JSON blob of your saved tool settings. That's it. We do not ask for your real name, address, phone number, or any payment details — there is nothing to pay for.

If you publish shapes or comments

We store the source file you uploaded (SVG / DXF / G-code), the title and description you typed, the category you picked, the auto-generated preview image, your comments, and any photos you attach to comments. These are visible to anyone who visits the shape's page.

Server logs

Our web server records each request's IP address, time, URL and browser User-Agent in standard access logs. Logs rotate after 14 days. We use them only to debug problems and to enforce rate-limits against brute-force or spam.

Analytics — Google Analytics 4

We use Google Analytics 4 (property ID G-NDJFG09ZZC) to count visitors, see which pages get the most traffic, and understand where users drop off. GA4 sets two cookies in your browser when you visit any page:

_ga — a randomised visitor ID, expires 13 months after the last visit
_ga_NDJFG09ZZC — session state, expires after 24 months

We configure GA4 with IP anonymisation enabled and ad personalisation signals disabled — Google only ever sees the first three octets of your IP, and the data is never used to retarget ads to you.

How to opt out: install the official Google Analytics opt-out browser add-on, OR turn on your browser's "Do Not Track" / Global Privacy Control setting (we'll respect it once that standard is finalised), OR use any cookie-blocking extension that targets googletagmanager.com.

What we don't do

No analytics OTHER than the Google Analytics 4 setup described above.
No tracking pixels (other than GA's), no fingerprinting, no advertising network.
No selling, renting, or sharing of your data with any third party other than Google (for analytics, under their privacy policy) and Brevo (for transactional email).
No training of AI models on your shapes, comments, or anything else. AI-training crawlers are blocked at robots.txt.
The session cookies that keep you signed in (cncf_session, HttpOnly, SameSite=Lax) and that protect forms (PHPSESSID) are not used for tracking — they only carry an opaque random token tied to your active session and clear when you sign out.

Email

We email you only for transactional purposes: account verification, password reset, and (rarely) a heads-up if we need to migrate or shut something down. No newsletters, no marketing. Outbound mail is delivered via Brevo (data centres in the EU); inbound mail to @cncfoam.com addresses is routed by Cloudflare Email Routing and forwarded to a private inbox.

Cloudflare

Cloudflare sits in front of cncfoam.com as a CDN + reverse proxy + DDoS shield. They terminate the TLS connection at their edge and pass the request to our origin server. Cloudflare can therefore see your IP, request URL, and (for the brief moment of relay) your form submissions. Their privacy policy is at cloudflare.com/privacypolicy. We do not enable any Cloudflare analytics, marketing, or bot-management products on this site.

Cookies — full list

cncf_session — your sign-in session token. HttpOnly, SameSite=Lax, Secure on HTTPS. 30-day lifetime. Essential.
PHPSESSID — short-lived form-CSRF state. Essential.
_ga, _ga_NDJFG09ZZC — Google Analytics 4 visitor stats (see Analytics section above). Set when you visit any page. Anonymised IP, no ad personalisation.

If you opt out of analytics via any of the methods listed above, only the two essential cookies are set.

Hosting & jurisdiction

Hosted on a single VPS managed by us. Server is located in the EU. Data is stored in a single SQLite file on that server.

Your rights

You can delete your account at any time — email [email protected] and we'll wipe your row plus everything linked to it (shapes, comments, likes, saved projects, settings). Self-service delete is on the to-do list. You can also ask for a copy of all data we hold about you (it's basically the same as above); we'll email it within 14 days.

Children

The site is not directed at children under 13 and we do not knowingly collect data from them. If you are a parent and believe we hold data about your child, email us and we'll remove it.

Changes

If we change this policy meaningfully, we'll update the date below and post a one-line note on the front page for at least a week.

Last updated: 23 May 2026 · Questions: [email protected]