Privacy Policy
Last updated May 2026
Controller
Nternet Studio B.V., KvK 42054888, Jacob van Lennepstraat 78H, 1053 HM Amsterdam, the Netherlands. Contact: nendo@nternet.company.
What we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation and sign-in | Contract (Art. 6(1)(b)) |
| Uploaded images | Figurine generation | Contract (Art. 6(1)(b)) |
| Generated 3D models | Your figurine gallery | Contract (Art. 6(1)(b)) |
| Shipping address | Order fulfillment | Contract (Art. 6(1)(b)) |
| Payment info | Payment processing (via Stripe) | Contract (Art. 6(1)(b)) |
| Usage data | Product improvement | Legitimate interest (Art. 6(1)(f)) |
Automated processing
Nendo uses AI (OpenAI GPT Image 2 for styling, FAL.ai Hunyuan 3D for model generation) to transform your images. This is automated processing but does not constitute automated decision-making with legal effects under GDPR Art. 22.
Sub-processors
| Service | Purpose | Location | Transfer |
|---|---|---|---|
| Cloudflare | Hosting, CDN, database | EU/US | SCCs + DPF |
| Stripe | Payments | US (EU entity) | SCCs + DPF |
| OpenAI | Image styling | US | SCCs + DPF |
| FAL.ai | 3D generation | US | SCCs |
| PostHog | Analytics | EU | N/A (EU) |
| JLC3DP | 3D printing | China | SCCs |
Data retention
We keep your data while your account is active. Payment records retained 7 years (Dutch tax law). After account deletion, personal data removed within 30 days except where legally required.
Your rights
Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and withdrawal of consent where processing is based on consent (Art. 7(3)). Email nendo@nternet.company. We respond within 30 days.
Complaints
You may lodge a complaint with the Dutch DPA: autoriteitpersoonsgegevens.nl.
Cookies
Nendo uses only strictly necessary cookies for authentication. No tracking cookies. No consent banner needed (Art. 11.7a Telecommunicatiewet).
Children
Minimum age 16 (UAVG Art. 5). We do not knowingly collect data from children under 16 without parental consent.
Security
We use TLS encryption in transit, encryption at rest for stored data, access controls with least-privilege principles, and regular security reviews of our sub-processors (Art. 32 GDPR). If a personal data breach creates a legal notification duty, we notify the Dutch DPA and affected users as required by GDPR.
Providing your data
Providing your email is required to create an account. Providing images is required to use the figurine generation service. Providing a shipping address is required to order a physical print. If you choose not to provide this data, you cannot use the respective features.