Privacy Policy

Section 1

Introduction

Max2Blend ("Service"), operated by Real3D ("Company," "we," "us," or "our"), is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our cloud-based 3ds Max to Blender file conversion service.

We comply with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and other applicable data protection laws. As a company based in France, we are subject to the oversight of the Commission Nationale de l'Informatique et des Libertés (CNIL).

Section 2

Data We Collect

2.1 Account Data

When you create an account, we collect:

• Email address — provided directly or obtained via Google OAuth.
• Name — provided directly or obtained via Google OAuth.
• Profile picture URL — if signing in with Google OAuth (stored as a reference only).
• Account creation date and associated metadata.

2.2 Usage Data

We automatically collect certain information about how you interact with the Service:

• Pages visited and features used within the application.
• Conversion history (file names, sizes, conversion parameters, timestamps, and status).
• Browser type, operating system, device type, and screen resolution.
• IP address and approximate geographic location (country/region level).
• Referral source (how you arrived at our site).

2.3 File Data

When you use the conversion service, we temporarily store:

• Uploaded .max source files.
• Generated .blend output files.
• Conversion processing logs (technical data, no file contents).

Files are stored solely for the purpose of providing the conversion service and are automatically deleted after the retention period. See Section 5: Data Retention for details.

2.4 Payment Data

Payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We collect and store:

• Transaction records (amounts, dates, invoice references).
• Subscription status and billing history.
• Billing email address (if different from account email).

2.5 Cookies

We use the following categories of cookies:

Type	Purpose	Consent Required
Essential	Session management, authentication, security tokens	No (strictly necessary)
Analytics	Usage tracking, performance monitoring, service improvement	Yes

Section 3

How We Use Your Data

We use the data we collect for the following purposes:

• Provide the conversion service: Process your uploaded files, perform the conversion, and deliver the output for download.
• Process payments: Handle billing, process transactions, manage subscriptions, and issue invoices.
• Improve service quality: Analyze usage patterns and conversion metrics to improve our conversion engine, user interface, and overall service reliability.
• Send service notifications: Notify you about conversion status (completed, failed), account-related updates, and important service changes.
• Provide customer support: Respond to your inquiries and resolve technical issues related to the Service.
• Maintain security: Detect, prevent, and address fraud, abuse, security incidents, and technical issues.

We do not use your data for automated decision-making or profiling that produces legal effects.

Section 4

Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data on the following legal bases:

4.1 Contract Performance (Article 6(1)(b))

Processing your account data and files is necessary to perform the conversion service you have requested. This includes creating your account, processing uploads, performing conversions, and delivering results.

4.2 Legitimate Interest (Article 6(1)(f))

We process certain usage data based on our legitimate interest in improving the Service, maintaining security, and preventing abuse. We have conducted balancing tests to ensure these interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest.

4.3 Consent (Article 6(1)(a))

We obtain your explicit consent before:

• Placing analytics cookies on your device.
• Sending you marketing communications (if applicable).

You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. See Section 6: Your Rights for details.

4.4 Legal Obligation (Article 6(1)(c))

We retain certain financial records (payment transactions, invoices) as required by French tax and accounting laws.

Section 5

Data Retention

We retain different categories of data for different periods, based on the purpose for processing and legal requirements:

Data Category	Retention Period	Basis
Account data	Until account deletion	Contract performance
Uploaded files (.max)	Configurable; default 30 days	Contract performance
Converted files (.blend)	Configurable; default 30 days	Contract performance
Conversion logs	90 days	Legitimate interest
Payment records	Up to 10 years	Legal obligation (French tax law)
Usage / analytics data	24 months	Legitimate interest

When the retention period expires, data is permanently deleted from all of our systems, including backups and caches. File deletion is irreversible.

You may request early deletion of your data at any time, subject to legal retention requirements. See Section 6: Your Rights.

Section 6

Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

6.1 Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you, along with information about how it is processed. We will provide this information in a commonly used electronic format within 30 days of your request.

6.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

6.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data ("right to be forgotten"). We will comply unless we have a legal obligation to retain the data or another lawful basis for continued processing.

6.4 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance.

6.5 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interest.

6.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interest at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

6.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

How to Exercise Your Rights

Section 7

Data Sharing

We do not sell your personal data to third parties.

We share your data only with the following categories of third-party processors, all of whom are bound by data processing agreements and are GDPR compliant:

Third Party	Purpose	Data Shared
Google	OAuth authentication	Email, name (during sign-in)
Stripe	Payment processing	Billing email, transaction data
Cloud hosting provider	Infrastructure and file storage	All data processed by the Service

We may also disclose your data if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Section 8

Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encrypted storage: Sensitive data (including OAuth tokens and authentication credentials) is encrypted at rest using AES-256 encryption.
• Access controls: Access to personal data is limited to authorized personnel who require it for their duties, enforced through role-based access controls.
• Isolated processing: File conversions are performed in isolated, sandboxed environments to prevent cross-contamination between user data.
• Regular security audits: We conduct periodic security reviews and vulnerability assessments of our infrastructure and application code.
• Incident response: We maintain a data breach response plan and will notify affected users and relevant authorities within 72 hours of discovering a breach, as required by the GDPR.

Section 9

Cookies

Our use of cookies is limited to the following:

9.1 Essential Cookies

These cookies are strictly necessary for the Service to function and cannot be disabled. They include:

• Session identifiers for maintaining your authenticated state.
• Security tokens for protecting against cross-site request forgery.
• Cookie consent preferences.

9.2 Analytics Cookies

These cookies help us understand how users interact with the Service so that we can improve it. Analytics cookies are only placed with your explicit consent. They collect anonymized data about:

• Page views and navigation patterns.
• Feature usage frequency.
• Performance metrics (page load times, error rates).

9.3 Managing Your Cookie Preferences

When you first visit the Service, a cookie consent banner will allow you to accept or decline non-essential cookies. You can change your preferences at any time through the cookie settings available in the Service footer or your account settings.

You may also configure your browser to block or delete cookies. Note that blocking essential cookies may prevent the Service from functioning correctly.

Section 10

International Data Transfers

Your data may be processed in servers located within the European Union and the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all non-EEA processors to ensure an adequate level of data protection.
• Adequacy decisions: Where applicable, we transfer data to countries that the European Commission has recognized as providing an adequate level of data protection.
• Supplementary measures: We implement additional technical and organizational safeguards where necessary, including encryption and pseudonymization.

You may request details about the specific safeguards applied to international transfers of your data by contacting us at kevin@real3d.fr.

Section 11

Children's Privacy

Max2Blend is not designed for or directed at children under the age of 16. We do not knowingly collect personal data from children under 16.

If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data as promptly as possible. If you believe that a child under 16 has provided us with personal data, please contact us at kevin@real3d.fr.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Send an email notification to all registered users at their registered email address.
• Update the "Last updated" date at the top of this page.
• Display a prominent notice within the Service upon your next login.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

Section 13

Contact & Data Protection Inquiries

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your data protection rights, please contact us:

We aim to respond to all data protection inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL (www.cnil.fr).