// legal

Privacy Policy

Last updated: January 1, 2025 · Designed to comply with the EU General Data Protection Regulation (GDPR)

1. Data Controller

The data controller responsible for your personal data is:

Benjamin Gueyte

Mulhouse, France

Email: privacy@mvrshare.com

MVRshare is operated independently by Benjamin Gueyte and is not incorporated as a company.

2. Data We Collect

2.1 Account data

  • Email address
  • Username, first name, last name (if provided)
  • Profile photo (if uploaded directly or retrieved via OAuth at account creation)
  • Location and website URL (optional, if provided in your profile)
  • Software preferences (optional)

2.2 Authentication data

When you sign in using GitHub, Google, Discord, or Facebook, we receive only the authentication identifiers and basic profile information (name, email, avatar) necessary to create or authenticate your MVRshare account. Temporary OAuth tokens may be processed during authentication solely to verify your identity. We do not store long-term OAuth access tokens or use them to access your accounts on those platforms beyond the initial sign-in.

2.3 Content data

  • Files uploaded by you (MVR, GDTF, 3D scenes, etc.)
  • Comments, forum posts, and other user-generated content

2.4 Usage data

  • Download counts and file interaction statistics (anonymized and aggregated)
  • Basic server logs collected by our hosting provider (Vercel), including IP addresses and request metadata, retained for a limited period for security and operational purposes. We do not use Vercel Analytics or any behavioural tracking or profiling tools.

3. How We Use Your Data

Account operation

To create and manage your account, authenticate your identity, and provide access to Platform features. Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Transactional communications

To send essential account notifications (security alerts, password resets, service updates). Legal basis: Contract performance / Legitimate interest (Art. 6(1)(b) and (f) GDPR).

Newsletter and marketing communications

To send the MVRshare newsletter and community updates, only if you have explicitly opted in at registration or via your account settings. Legal basis: Consent (Art. 6(1)(a) GDPR) — freely given, specific, and withdrawable at any time.

Platform improvement

To understand how the Platform is used and improve our services, using anonymized and aggregated data only. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

Legal compliance

To comply with applicable legal obligations, including responding to lawful requests from authorities. Legal basis: Legal obligation (Art. 6(1)(c) GDPR).

4. Public Content

Content you publish on the Platform — including uploaded files, profile information, comments, and forum posts — is publicly accessible and may be indexed by search engines. By publishing content, you acknowledge and accept this public visibility. The terms under which your files may be reused by others are governed by the license you select at upload and by our Terms and Conditions.

You may remove your public content at any time via your account settings or by contacting us at privacy@mvrshare.com.

5. Data Sharing

We do not sell your personal data. We share data only with the following trusted service providers, strictly for the purpose of operating the Platform:

  • Supabase — database, authentication, and file storage. Data is stored in the EU West region. Supabase processes data in accordance with GDPR and provides Standard Contractual Clauses where applicable.
  • Vercel — frontend hosting and deployment infrastructure. Vercel may process request metadata (IP addresses, headers) on servers globally as part of its CDN infrastructure, for security and performance purposes only.
  • OAuth providers (GitHub, Google, Discord, Facebook) — used solely for authentication at sign-in. We receive only the minimum profile information necessary to create your account and do not share your MVRshare data with these providers.

6. International Data Transfers

Some of our service providers (including Vercel, GitHub, Google, Discord, and Facebook) may process data outside the European Economic Area (EEA). Where such transfers occur, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) as approved by the European Commission, to ensure your data receives an equivalent level of protection.

Our primary database and file storage (Supabase) is hosted in the EU West region, minimising the transfer of your core personal data outside the EEA.

7. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, your personal data will be deleted from active systems within 30 days and removed from backups according to our backup retention schedule, except where retention is required by applicable law.

Uploaded files that have been publicly shared on the Platform may remain available after account deletion where necessary to preserve community content integrity, on the basis of our legitimate interest in maintaining a consistent shared resource. You may request the removal of your files at any time by contacting us at privacy@mvrshare.com.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Correct inaccurate or incomplete data via your account settings or by contacting us.
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"), subject to applicable exceptions.
  • Right to restriction (Art. 18) — Request that we limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20) — Request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent (Art. 7) — Where processing is based on consent (e.g. newsletter), withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@mvrshare.com. We will respond within 30 days. You also have the right to lodge a complaint with the French data protection authority (CNIL) at cnil.fr, or with the supervisory authority in your country of residence.

9. Cookies

MVRshare uses only strictly necessary cookies for session management and authentication. These cookies are essential for the Platform to function and do not require consent under the ePrivacy Directive. We do not use advertising cookies, behavioural tracking tools, or third-party analytics services.

Vercel, as our hosting provider, may set technical cookies or collect request metadata (such as IP addresses) as part of its infrastructure operations. This data is used solely for security and performance purposes and is not used to profile or track users.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted data storage (Supabase), HTTPS-only connections, and row-level security policies on all database tables. However, no system is entirely secure and we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

11. Children's Privacy

MVRshare is not intended for users under the age of 16. We do not knowingly collect personal data from children. If we become aware that a user is under 16, we will delete their account and associated data promptly. If you believe a child has registered, please contact us at privacy@mvrshare.com.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email. The "Last updated" date at the top of this page will always reflect the most recent version.

13. Contact

For any privacy-related questions or to exercise your rights: privacy@mvrshare.com

MVRshare · Operated by Benjamin Gueyte · Mulhouse, France