Privacy Policy
Last updated:
Pick3DP operates the product comparison and review marketplace at pick3dp.com (the "Platform"). We are the data controller for the personal data described in this policy.
This Privacy Policy explains exactly what data we collect, why we collect it, who we share it with, and what rights you have. We aim to write this clearly — not in legal jargon — because you deserve to understand how your data is used.
If you have questions at any time, use our contact page.
1. Who We Are
Pick3DP is a product comparison and review marketplace. We operate as the data controller for the personal data described in this policy. Pick3DP is operated by MHA ONE LLC, a company incorporated in Wyoming, United States. We have assessed our obligations to EU, EEA, and UK data subjects under applicable data protection law. EU/EEA and UK data subjects may exercise their rights and submit privacy queries via our contact page.
2. Data We Collect
We collect different categories of data depending on how you use the Platform.
2.1 Identity and Account Data
When you create an account or submit forms, we may collect:
- Email address, first name, last name
- Phone number, company name, country (where provided)
- Hashed password (we never store your password in plain text)
- Google or Facebook OAuth identifiers (if you use social login)
- Two-factor authentication (2FA) status
2.2 Legal Consent Records
When you accept our Terms of Service or Privacy Policy, we record:
- Timestamp of acceptance
- Version of the document accepted
This lets us prove we obtained your consent properly and notify you if the terms change significantly.
2.3 Marketing Preferences
If you subscribe to marketing, we store your granular opt-in choices, which may include:
- Quote and product enquiry emails
- Special offers and promotions
- Product recommendations
- Newsletter and blog updates
You can update these preferences at any time in your account settings.
2.4 Interest Profile and Browsing Data
To personalise your experience, we store a record of the page types and product categories you have browsed. This data is linked to your account or visitor session and is used solely to improve the relevance of what you see on the Platform. It is not shared with advertisers.
2.5 Technical and Session Data
Every visit to the Platform automatically generates:
- IP address and a hashed version of your IP (for fraud prevention)
- Browser type, operating system, and device type
- Referring URL and accept-language header
- Session page context (the pages you viewed in a session)
- Visitor identifier (p3dp_vid) — a persistent first-party cookie that distinguishes your browser across sessions
- Session identifier (p3dp_sid) — a cookie that tracks a single browsing session
2.6 Product Inquiry (Lead) Data
When you submit a contact form on a product page, we collect and store:
- Your name, email address, message, and any custom field responses
- Uploaded files (e.g. a 3D model or reference image)
- Lead type and funnel level (derived from your inquiry content)
- Lead Score (0–100) and Lead Temperature (Hot, Warm, Cold) — calculated automatically from your responses
2.7 Maker Match Data
If you use our Maker Match quiz (an AI-powered product recommendation tool), we store your quiz answers and the products recommended to you. This data is used to improve the quiz and to show relevant products if you return to the Platform.
2.8 Ad Interaction Data
For display advertisements served through Google AdSense, we collect ad interaction events including impressions, viewability signals, and clicks per creative and placement. This data is used to manage our advertising inventory and is processed under Google's own privacy terms.
2.9 Affiliate Click Data
When you click an outbound affiliate link (e.g. to an external retailer), we record:
- Your visitor ID (p3dp_vid) and session ID (p3dp_sid)
- A snapshot of your browsing journey at the time of the click
This data stays entirely within Pick3DP's systems and is used to track affiliate commission attribution. It is not shared with advertisers or third-party ad networks.
2.10 Payment Data (Suppliers Only)
Supplier subscription and invoice payments are processed by Stripe. Pick3DP does not store payment card numbers. We retain Supplier billing records (name, email, plan, payment reference) for accounting and legal compliance purposes.
2.11 Geolocation Data
We derive your approximate country, region, city, and timezone from your IP address using the IPInfo API. This is done at the time of your request and used to show you regionally relevant products. The raw IP is not shared with IPInfo's result in a way that re-identifies you beyond this lookup.
3. How We Collect Data
- Forms: Account registration, contact forms, newsletter sign-up, the Maker Match quiz, and checkout.
- Browsing and cookies: Automatically as you navigate the Platform, via our own first-party cookies and third-party analytics and advertising scripts (see Section 5).
- Social login (OAuth): If you sign in with Google or Facebook, they share your name and email address with us. We do not receive your social media passwords.
- Payment processor: Stripe shares transaction confirmation details with us when a Supplier payment succeeds.
- Email events: Our email platform (Brevo) reports email opens and link clicks back to us. You can opt out of marketing emails at any time using the unsubscribe link in each email.
4. Legal Basis for Processing (GDPR)
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b) GDPR) |
| Forwarding product inquiries to Suppliers | Contract performance; legitimate interests (Art. 6(1)(b) and (f)) |
| Sending transactional emails (inquiry replies, password resets) | Contract performance |
| Sending marketing emails and newsletters | Consent (Art. 6(1)(a) GDPR) |
| Storing marketing preference flags | Consent |
| Analytics cookies and session tracking | Consent |
| Marketing and advertising cookies | Consent |
| Interest profile (browsing history) | Legitimate interests — to personalise your experience (Art. 6(1)(f) GDPR). A Legitimate Interest Assessment (LIA) has been performed and is on file. You may object to this processing at any time by contacting us via our contact page. |
| Affiliate click tracking | Legitimate interests — attribution and commission management |
| IP logging, fraud prevention, and security | Legitimate interests (Art. 6(1)(f) GDPR) |
| Processing Supplier payments | Contract performance; legal obligation (Art. 6(1)(b) and (c)) |
| Legal consent records | Legal obligation |
| Geolocation for product filtering | Legitimate interests |
5. Cookies and Tracking
We use the following cookies and tracking technologies:
| Name / Provider | Type | Purpose | Duration | Provider Privacy Policy |
|---|---|---|---|---|
| p3dp_consent | Necessary | Stores your cookie consent choices | 365 days | — |
| p3dp_vid | Functional | Persistent visitor identifier — used for affiliate attribution and session stitching. Requires analytics consent; falls back to the session cookie when consent is not granted. | 1 year | — |
| p3dp_sid | Necessary | Session identifier — tracks a single browsing session | Session | — |
| Iron Session cookie | Necessary | Encrypted server-side authenticated session (for logged-in users) | Session | — |
| Google Analytics (_ga, _ga_*) | Analytics | Audience analytics and page-view reporting, operating under Google Consent Mode v2 (cookieless mode when consent is not granted) | 2 years | Google Privacy Policy |
| Google AdSense | Marketing | Personalised display advertising | Varies (up to 13 months) | Google Privacy Policy |
| Facebook Pixel | Marketing | Conversion tracking and ad attribution | 90 days | Meta Privacy Policy |
| Microsoft Clarity | Analytics | Session recordings and heatmaps to identify usability issues | Up to 1 year | Microsoft Privacy Statement |
| Hotjar | Analytics | Session recordings and heatmaps | Up to 1 year | Hotjar Privacy Policy |
| LinkedIn Insight Tag | Marketing | B2B advertising attribution for LinkedIn campaigns | 6 months | LinkedIn Privacy Policy |
| Pinterest Tag | Marketing | Traffic measurement from Pinterest and audience targeting for Pinterest ad campaigns | Up to 1 year | Pinterest Privacy Policy |
Necessary cookies cannot be disabled — they are essential for the Platform to function. Analytics and Marketing cookies require your consent and can be managed at any time by clicking "Cookie Settings" in the footer of any page.
6. Third-Party Services
We use Google Analytics 4 (GA4) and Google Tag Manager (GTM) for website analytics, Google AdSense for display advertising, Google OAuth for social login, and Google Cloud Storage for file attachments. All data processed by Google is subject to Google's Privacy Policy: policies.google.com/privacy. Google AdSense participates in the IAB Transparency and Consent Framework (TCF).
Meta (Facebook)
We use the Facebook Pixel to measure the performance of any Facebook or Instagram advertising campaigns we run. The Pixel sends event data (e.g. page views) to Meta. This requires your consent. Data is governed by Meta's Privacy Policy: facebook.com/privacy/policy.
Microsoft Clarity
We use Microsoft Clarity to record anonymised session replays and heatmaps that help us understand how visitors use the site. Clarity does not capture passwords or payment information. Privacy policy: privacy.microsoft.com.
Hotjar
Hotjar provides session recordings, heatmaps, and on-site surveys to help us improve usability. Hotjar suppresses sensitive fields by default. Privacy policy: hotjar.com/legal/policies/privacy.
The LinkedIn Insight Tag allows us to measure the effectiveness of LinkedIn advertising campaigns and to understand the professional demographics of our visitors in aggregate. Data is processed by LinkedIn under their Privacy Policy: linkedin.com/legal/privacy-policy.
We may use the Pinterest tag to measure traffic from Pinterest and reach relevant audiences. Privacy policy: policy.pinterest.com/en/privacy-policy.
Brevo (Sendinblue)
We send all transactional and marketing emails through Brevo. Brevo tracks email opens and link clicks on our behalf (see Section 9 for details on how to opt out). Data is stored on servers within the European Union. Privacy policy: brevo.com/legal/privacypolicy.
Stripe
Supplier payments are processed by Stripe. We share only the minimum data needed (name, email, billing address, payment amount) to complete a transaction. Stripe stores payment card data on our behalf and is PCI-DSS certified. Privacy policy: stripe.com/privacy.
IPInfo
We use IPInfo's API to derive your approximate location (country, region, city, timezone) from your IP address at the time of a server request. This is used for product filtering and lead scoring. Privacy policy: ipinfo.io/privacy-policy.
Social Embeds (Instagram, Reddit, YouTube)
Some blog posts and product pages contain embedded content from Instagram, Reddit, or YouTube. These embeds use a click-to-load approach: third-party scripts and cookies are only activated after you explicitly click the "Load" button on the placeholder. Until you click, no data is sent to those platforms. Once loaded, those platforms may set their own cookies and collect data about your visit in accordance with their own privacy policies. We recommend reviewing them: Instagram, Reddit, YouTube.
7. Advertising
We display ads through Google AdSense. AdSense may show you personalised ads based on your browsing history and interests using cookies — but only if you have given your consent to marketing cookies on the Platform.
We have implemented Google Consent Mode v2. This means that before you make any consent choice, Google's tags operate in a cookieless mode — they collect anonymous, aggregated measurements only. Once you accept marketing cookies, personalised advertising becomes active. If you decline, ads remain non-personalised.
You can opt out of Google personalised advertising at any time by visiting myadcenter.google.com or by installing the Google Analytics Opt-out Browser Add-on.
8. Affiliate Links
Some links on Pick3DP are affiliate links — if you click through and make a purchase, we may earn a commission at no extra cost to you. All affiliate links are clearly disclosed.
When you click an affiliate link, we record your visitor ID (p3dp_vid), session ID (p3dp_sid), and a snapshot of your browsing journey (the pages you viewed before clicking). This data is stored solely within Pick3DP's own systems and is used to track which pages generate affiliate revenue and to calculate commission attribution. It is not shared with the retailer, affiliate network, or any advertising platform.
9. Email Communications
Transactional emails are sent when you take an action on the Platform — for example, receiving a reply to your product inquiry, resetting your password, or confirming your account. These emails are not marketing and cannot be unsubscribed from without deleting your account.
Marketing emails are newsletters, promotional emails, and product recommendations sent only to users who have opted in. Every marketing email includes an unsubscribe link at the bottom. You can also manage your email preferences in your account settings at any time.
What Brevo tracks: Brevo (our email platform) reports whether you opened an email and whether you clicked any links within it. This information helps us understand what content is useful and to suppress unsubscribes. If you unsubscribe, your email address is added to a suppression list and you will not receive further marketing emails — this happens immediately upon your request (within one business day at most).
10. Data Retention
| Data category | Retention period |
|---|---|
| Account identity data | For the lifetime of your account, plus 90 days after deletion |
| Legal consent records (ToS / Privacy Policy acceptance) | 7 years (legal obligation) |
| Product inquiry / Lead data | 3 years from the submission date, or the duration of the Supplier's agreement plus 1 year |
| Maker Match quiz answers | For the lifetime of your account or visitor session, plus 12 months |
| Interest profile (browsing history) | 12 months on a rolling basis |
| Affiliate click records | 3 years (for commission dispute resolution) |
| Ad interaction data | 13 months |
| Marketing email preference records | Until you unsubscribe, plus 30 days |
| Server access logs (IP addresses) | 90 days |
| Analytics data (GA4) | 14 months (as configured in Google Analytics) |
| Payment records (Suppliers) | 7 years (legal obligation) |
| Cookie consent records (p3dp_consent) | 365 days (renewed when you update your choices) |
11. Data Sharing and Disclosure
With Suppliers
When you submit a product inquiry, the Supplier whose product you enquired about receives your inquiry data (name, message, custom field responses, and any uploaded files). Your email address is withheld from the Supplier until they respond to your inquiry. Suppliers are independent data controllers and each operate under an individual data processing agreement with Pick3DP.
With Service Providers (Sub-Processors)
We engage the following third-party service providers to operate the Platform. Each is bound by a data processing agreement and may only use your data for the specific purpose described.
| Provider | Data shared | Purpose | Privacy Policy | DPA / Processor Terms |
|---|---|---|---|---|
| Neon (PostgreSQL) | All structured personal data | Primary database hosting | Privacy Policy | DPA |
| Google Cloud Storage | Uploaded files (may contain personal data) | File storage for inquiry attachments | Privacy Policy | Processor Terms |
| Google Analytics / GTM | Anonymised usage data; with consent: pseudonymous identifiers | Website analytics | Privacy Policy | Processor Terms |
| Google AdSense | Ad interaction data; with consent: cookie identifiers | Display advertising | Privacy Policy | Processor Terms |
| Brevo (Sendinblue) | Name, email address, email content | Transactional and marketing email delivery | Privacy Policy | DPA |
| Stripe | Supplier billing details (name, email, payment amount) | Payment processing (Suppliers only) | Privacy Policy | DPA |
| IPInfo | IP address (at time of request only) | IP-based geolocation | Privacy Policy | DPA |
| Meta (Facebook Pixel) | Event data; with consent: cookie identifiers | Ad conversion measurement | Privacy Policy | Data Processing Terms |
| Microsoft Clarity | Interaction data; with consent: session recordings | Heatmaps and session replay | Privacy Policy | DPA |
| Hotjar | Interaction data; with consent: session recordings | Heatmaps and session replay | Privacy Policy | DPA |
| LinkedIn Insight Tag | Page view events; with consent: cookie identifiers | B2B campaign analytics | Privacy Policy | DPA |
| | Visitor identifiers and page URLs; with consent: cookie identifiers | Ad measurement and audience creation | Privacy Policy | Data Processing Terms |
Legal Disclosures
We may disclose personal data to law enforcement, courts, or regulatory authorities if required by applicable law, court order, or to protect the safety and rights of Pick3DP, our users, or third parties.
We Do Not Sell Your Data
Pick3DP does not sell, rent, or trade your personal data to third parties for their own marketing or commercial purposes.
12. International Data Transfers
Pick3DP's primary database and servers are based in the United States. Several of our third-party service providers (Google, Meta, Stripe, IPInfo, Microsoft Clarity) also process data in the United States. Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to a country without an EU adequacy decision, we rely on one or more of the following safeguards:
- The EU–US Data Privacy Framework — Google, Meta, Microsoft, and Stripe are all certified;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreements (IDTAs) where applicable.
Brevo processes email data primarily within the European Union. Hotjar's servers are also EU-based.
13. Your Rights (GDPR — EEA and UK Users)
If you are located in the European Economic Area or the United Kingdom, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Ask us to delete your data, subject to legal retention requirements.
- Restriction: Ask us to pause processing while a dispute is resolved.
- Portability: Receive your data in a machine-readable format (where processing is based on consent or contract).
- Object: Object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop immediately.
- Withdraw consent: Withdraw any consent at any time (e.g. by unsubscribing from emails or adjusting cookie settings). Withdrawal does not affect the lawfulness of prior processing.
- Lodge a complaint: File a complaint with your local data protection supervisory authority. EEA residents can find their authority at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, use our contact page. We will respond within 30 days.
14. Your Rights (CCPA/CPRA — California Users)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you additional rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, including the business purposes for which it was collected and any third parties it was shared with.
- Right to Delete: Request deletion of personal information we hold, subject to certain exceptions (e.g. where retention is required by law or to complete a transaction).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: Pick3DP does not sell personal information or share it for cross-context behavioural advertising purposes as defined by the CPRA.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Platform.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a California privacy request, use our contact page. We will verify your identity before processing the request.
15. Children's Privacy
The Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, new services, or legal requirements. When we make significant changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email or by a prominent notice on the Platform.
Continued use of the Platform after a policy update constitutes your acceptance of the revised policy.
17. Contact and Data Controller
Pick3DP is the data controller for the personal data described in this policy. Pick3DP is operated by MHA ONE LLC, a company incorporated in Wyoming, United States, with no establishment inside the EEA or UK. We have assessed our obligations to EU, EEA, and UK data subjects under Art. 27 EU GDPR and the equivalent UK GDPR provision. EU, EEA, and UK data subjects may contact us directly via the contact page below to exercise their rights.
To exercise your rights, ask a question, or report a privacy concern, contact us via our contact page:
MHA ONE LLC (trading as Pick3DP)
1603 Capitol Ave Ste 310 A430
Cheyenne, Wyoming, 82001
United States
Contact: pick3dp.com/contact
Website: pick3dp.com
We aim to respond to all privacy-related requests within 30 days.