Privacy Policy

§ 1. Quick summary

The shortest version we can give you that’s still accurate:

You give us a photo of your failed print plus a few form fields (printer, slicer, filament, an optional description).
We send the photo and your inputs to our AI provider (Anthropic, via the Claude API) to generate a diagnosis.
We do not store the image on our servers. We store the diagnosis text and metadata so we can show it to you, run quality checks, and serve you again.
We use a device cookie (random UUID) to know you’ve used your free trial and to track credits you’ve purchased.
Once you buy credits, we collect your email address (via Stripe at checkout). That’s how credits follow you across devices.
We do not sell or share your personal information for advertising.

§ 2. Who we are

WhyItFailed (“WhyItFailed,” “we,” “us,” or “our”) operates the website at whyitfailed.fyi and the diagnostic service available there. We are a small, independent operation. There is no third-party data broker behind the curtain.

The party responsible for your personal information under applicable law (the “data controller” under GDPR, the “business” under CCPA) is the operator of WhyItFailed. You can reach us at support@whyitfailed.fyi.

§ 3. What we collect

From you, when you ask for a diagnosis

A photo of your failed 3D print. Sent to our AI provider (see Section 7) and discarded — never written to our database.
The printer model you select.
Optional: slicer, filament type, and a free-text description (capped at 500 characters).
If you refine the diagnosis: an optional second photo, plus additional context text. Same treatment as the originals.

Automatically, through normal web operation

A device cookie named wif_device_id — a random UUID, valid for one year, stored as an HTTP-only cookie. Lets us know whether you’ve used your free diagnosis on this device and (after purchase) associates credits with you until you sign in via magic link.
A theme preference (light/dark) stored in your browser’s localStorage as wif-theme only if you toggle it.
Your IP address, used only at the moment of a request to enforce per-IP rate limits and a global daily diagnosis cap. We do not retain IP addresses in our database.
Standard request metadata (user-agent, referer, timestamp) that’s briefly logged by our hosting provider for operational purposes.

When you make a purchase (when this is rolled out)

Your email address, collected by our payment processor (Stripe) at checkout.
A record of the purchase (product, amount, timestamp, Stripe session ID). We never see or store your card details — those go directly from your browser to Stripe.

When you give us feedback

Your thumbs-up or thumbs-down on a diagnosis, attached to that diagnosis ID.

When you click an affiliate link

We record that you clicked, and on which diagnosis. This lets us measure whether our recommendations are useful. Amazon does not receive your name, the diagnosis, or any other personal data from us — see Section 7.

§ 4. What we do not collect

To be explicit:

We do not store your uploaded images. They’re processed in memory, sent to our AI provider, and discarded as soon as the diagnosis returns.
We do not collect your name, postal address, phone number, date of birth, or government ID.
We do not use third-party advertising trackers, pixel tags, fingerprinting, or session-replay tools.
We do not track you across other websites or apps.
We do not record audio or video.
We do not access your camera roll, file system, or location beyond what your browser sends with a single file upload you explicitly initiate.
We do not buy or otherwise acquire personal data from data brokers.

§ 5. How we use your information

We use what we collect to:

Generate the diagnosis. Your photo and inputs are sent to Anthropic’s Claude API to produce the AI response.
Run the free trial.The device cookie lets us know you’ve already used your free diagnosis on this device.
Track credits and purchases. Once you buy credits, the device ID and email link your purchase to future diagnoses.
Improve quality. We review our own usage patterns and your feedback (helpful / not helpful) to refine our diagnostic prompts. We do not sell or share this data.
Prevent abuse. IP-based rate limits and a global daily cap protect the service against bots and overuse.
Process payments. When you purchase credits, the payment is handled by Stripe under their privacy policy.
Communicate with you. Send purchase receipts and magic-link sign-in emails.
Comply with legal obligations. Tax records, lawful requests, and the like.

We do not use your data for advertising, profiling, or to train AI models. (See Section 15 for the AI-specific note.)

§ 6. Legal bases (GDPR)

If you are in the EU, UK, or EEA, the GDPR requires us to identify the legal basis for each kind of processing. Here are ours:

Activity	Lawful basis
Generating a paid diagnosis	Performance of a contract — you asked us to deliver the service.
Generating a free-trial diagnosis	Legitimate interest — you initiated the service; we need to deliver it.
Free-trial enforcement (device cookie)	Legitimate interest in preventing abuse of a free service. The cookie is strictly necessary for the offer.
Aggregate quality and abuse-prevention analysis	Legitimate interest in running and improving the service.
Payment processing	Performance of a contract + legal obligation (tax records).
Sending transactional emails (receipts, magic links)	Performance of a contract.
Marketing emails (currently none)	Consent, only if and when you opt in.
Legal compliance and dispute resolution	Legal obligation and legitimate interest.

You can object to processing based on legitimate interest at any time — see Section 11.

We use a small set of trusted service providers (“sub-processors”) to operate the service. We share with them only what they need to do their job. They are bound by their own privacy obligations and by data-processing agreements we maintain with them.

Provider	Purpose	What they receive
Anthropic, PBC (USA)	AI image diagnosis (Claude API)	Your uploaded photo + the form inputs (printer, slicer, filament, description) at the moment of diagnosis. Per Anthropic’s API Terms, customer inputs are not used to train their models by default.
Supabase, Inc. (USA)	Database, future user authentication	Diagnosis records (no images), device IDs, future email + purchase records, future authentication tokens.
Vercel, Inc. (USA)	Web hosting, edge runtime	Standard request metadata (IP, user-agent, URL) for short-retention operational logs (typically 30 days), then deleted.
Stripe, Inc. (USA, future)	Payment processing	Email, payment method, billing details. Card data is collected by Stripe directly from your browser; we never see it.
Upstash, Inc. (USA, future)	Rate limiting	Hashed IP addresses for short-term counters; counts only, no persistent record of who you are.
PostHog, Inc. (USA, future)	Anonymous product analytics	Event data (page views, feature usage) keyed to device ID. No PII is intentionally sent.
Google LLC (USA)	Web analytics (Google Analytics 4)	Aggregate page views, referrers, device/browser type, and approximate location (city-level, derived from IP). We do not send your diagnosis content, photos, email, or device cookie to Google. Google sets its own first-party cookies (`_ga`, `_ga_*`) on your browser to distinguish unique sessions. You can opt out using the Google Analytics opt-out browser add-on.
Sentry (USA, future)	Error monitoring	Server-side error stack traces. We make a deliberate effort to scrub user content from error reports.
Microsoft (USA)	Email hosting (support@whyitfailed.fyi)	Any email correspondence you send us.
Amazon.com, Inc. (USA)	Affiliate program	When you click an affiliate link, our redirect appends an affiliate tag to the Amazon URL. Amazon receives the click itself but does not receive your name or our diagnosis content.
GoDaddy (USA)	Domain registration	WHOIS contact (masked behind their privacy proxy), DNS records.

We do not sell your personal information to anyone, ever. We do not share your personal information for cross-context behavioral advertising.

§ 8. International transfers

Most of our service providers are headquartered in the United States. If you access WhyItFailed from the EU, UK, EEA, or another region with international transfer rules, your data will be transferred to and processed in the United States.

For these transfers, we rely on:

Standard Contractual Clauses (SCCs) where required, included in our agreements with each sub-processor;
The EU-US Data Privacy Framework where the provider is certified (e.g., currently applicable to several major US-based vendors);
Each provider’s own approved transfer mechanisms and certifications.

You can contact us if you’d like more detail on the specific transfer mechanism for any sub-processor.

§ 9. How long we keep data

Data	Retention
Uploaded photo bytes	Never stored. Discarded immediately after the AI returns a diagnosis (typically < 30 seconds).
Diagnosis records (printer, inputs, AI response, feedback flag, affiliate-click flag)	Retained for the operational lifetime of the service so we can show your past diagnoses (after sign-in), evaluate and improve prompt quality, and detect abuse — unless you request deletion.
Device ID cookie	One year from the most recent visit, or until you clear it.
IP addresses	Not retained beyond the moment of use for rate limiting. Hosting provider request logs are typically retained for 30 days, then deleted.
Purchase records	Retained as required by tax and accounting law (typically 7 years in the US).
Email correspondence	Until you ask us to delete it, or 7 years, whichever is shorter.

You can ask us to delete your records at any time — see Sections 11 and 12.

§ 10. Cookies and storage

We use a minimum of cookies and browser storage. We do not use advertising cookies or third-party social cookies, and we do not sell your data. We do use Google Analytics, which sets first-party cookies on your browser to measure how the site is used in aggregate. If you visit from the EU, UK, or another region where ePrivacy / GDPR consent is required, we will add a consent banner before launching there; if you’re visiting from one of those regions today, you can opt out of Google Analytics using the official browser add-on linked in the row below.

Name	Type	Purpose	Lifespan
`wif_device_id` (cookie)	Strictly necessary	Identifies your device for the free-trial limit and credit tracking. HTTP-only.	1 year
`wif-theme` (localStorage)	Functional	Remembers your dark/light mode preference.	Until cleared
`_ga`, `_ga_*` (cookies, set by Google)	Analytics	Distinguishes unique browsers / sessions for Google Analytics 4. Opt out: GA opt-out add-on.	Up to 2 years

§ 11. Your rights

You have rights over the personal information we hold about you. The specific rights depend on where you live; you can exercise the ones that apply to you regardless of where we’re located.

Everywhere

Access. Ask for a copy of what we have about you.
Correction.Ask us to fix something that’s wrong.
Deletion. Ask us to delete your records.

EU, UK, EEA (GDPR)

The above, plus:
Restrict processing. Tell us to pause processing your data.
Data portability. Receive your data in a portable, machine-readable format.
Object to processing based on legitimate interest.
Lodge a complaint with your national data protection authority. You can find yours via the European Data Protection Board.

California (CCPA / CPRA)

Right to know what categories of personal information we collect, use, and share — detailed throughout this policy.
Right to opt outof “sale” and “sharing.” We do not sell your personal information and we do not share it for cross-context behavioral advertising. There is therefore nothing to opt out of, but we honor browser-based privacy signals (Global Privacy Control) as opt-out requests for any future cases.
Right to limit the use of sensitive personal information. We do not collect any.
Right to non-discrimination — we won’t deny you service, raise prices, or degrade quality because you exercised a privacy right.

Virginia, Colorado, Connecticut, Utah, Texas, and other US states

Each of these has a similar suite: access, correction, deletion, portability, and opt-out of sale / targeted advertising / certain profiling. We honor all of these by default. To exercise any right, see Section 12.

Other regions

If you are covered by another comprehensive privacy law (Canada PIPEDA, Brazil LGPD, Japan APPI, Australia Privacy Act, and others), the substantive rights are similar. Use the contact in Section 12 to make a request, identify your jurisdiction, and we will respond accordingly.

§ 12. How to exercise your rights

Email support@whyitfailed.fyi with the word Privacy in the subject line. To help us find your records, please include:

Your wif_device_id cookie value (visible in your browser’s DevTools under Application → Cookies), or
The email address you used at checkout if you purchased credits.

We respond within 30 days (or 45 for unusually complex requests, in which case we’ll let you know). It’s free. We may verify your identity to prevent fraudulent requests, especially if the request involves deletion of purchase or account data.

If you have an account (after signing in via the magic link sent after purchase), you can delete most of your records yourself from the account settings page.

You may also designate an authorized agent to make a request on your behalf, where allowed by law.

§ 13. Children’s privacy

WhyItFailed is not directed at children under 16 (or under 13 in the United States, under COPPA), and we do not knowingly collect personal information from children. If you are a parent or guardian and you believe a child has submitted information, contact us at support@whyitfailed.fyi and we will delete it.

Many of our users are parents helping children with their first 3D prints. In that case, the parent or guardian is the user of our service, not the child, and the parent/guardian is responsible for the inputs they provide.

§ 14. Security

We follow industry-standard practices to protect data:

HTTPS everywhere — TLS terminated at our CDN with modern cipher suites.
No image storage — the most sensitive thing you give us, we never persist.
Encryption at rest in our database (Supabase) for all stored records.
Server-side secrets (database credentials, API keys) are stored in our hosting provider’s encrypted environment-variable store, never in the source repository.
Least privilege — only the systems that need data have access to it.
Hosting on managed infrastructure (Vercel, Supabase) that maintain their own security certifications (SOC 2, ISO 27001 where applicable).

No system is perfectly secure. If we discover a breach affecting your data, we will notify affected users and the appropriate regulators within the timelines required by applicable law (72 hours under GDPR; promptly under US state laws).

§ 15. AI-specific disclosures

Because we route image and text data through an AI provider, we want to be specific:

We send onlythe photo and the form inputs you provide to Anthropic’s Claude API. We do not send your IP address, device ID, email, or any other identifier.
As of the “Last updated” date on this page, Anthropic’s Commercial Terms state that they do not train their models on customer API inputs by default. If that changes we will update this notice.
The AI’s output is generated probabilistically and may be wrong, incomplete, or unsuitable for your specific situation. Diagnoses are guidance, not professional service or repair authorization. Following AI advice is at your own risk — see our Terms of Service.
The AI is not a substitute for professional repair, calibration, or safety inspection. If a recommendation could create a fire, electrical, or mechanical hazard, do not act on it without professional consultation.

§ 16. Affiliate relationships

We participate in the Amazon Associates Program. When you click an affiliate link from a diagnosis result and make a qualifying purchase, we earn a small commission at no additional cost to you. Amazon does not receive your diagnosis content or other personal information from us — only that the click came from a WhyItFailed.fyi page (via the affiliate tag in the URL).

See our Affiliate Disclosure for the full FTC-compliant statement.

§ 17. Changes to this policy

We may update this policy as the service evolves. The “Last updated” date at the top tells you when. For material changes, we will:

Post a banner on the homepage for at least 14 days, and
Email any user with active credits whose email we have on file.

Continued use of the service after the effective date of a change constitutes acceptance. Prior versions of this policy are kept on file and available on request.

§ 18. Contact

For privacy-related questions or requests, reach us at support@whyitfailed.fyi. Please put Privacy in the subject line so the request is routed correctly.

§ 19. Jurisdiction-specific notes

EU/UK Article 27 representative

We are not currently established in the EU or UK and have not appointed an Article 27 representative because our processing does not meet the thresholds requiring one (no continuous, systematic monitoring of EU/UK residents; no large-scale processing of special-category data). We accept GDPR requests from any data subject regardless. If our processing changes such that we must appoint a representative, we will update this notice.

California “Shine the Light”

California Civil Code §1798.83 lets California residents request information about disclosure of their personal information to third parties for those parties’ direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Privacy signals (Do Not Track, Global Privacy Control)

Some browsers transmit a Do Not Track (DNT) or Global Privacy Control (GPC) signal. The only third-party analytics we use is Google Analytics 4, which honors GPC where Google has chosen to support it; you can also opt out directly via the Google Analytics opt-out browser add-on. We do not share data for cross-context behavioral advertising and will treat any GPC signal as a continuing opt-out request for any future data sharing that may occur.

Nevada residents

Under Nevada SB 220, Nevada residents may submit a verified request to opt out of the sale of certain personal information. We do not sell personal information as defined by Nevada law, but if you wish to make a verified request, contact us as described in Section 12.

This privacy policy is provided for transparency and to comply with applicable laws. It is informational only and does not constitute legal advice. The current version supersedes all prior versions and is governed by the laws applicable to WhyItFailed’s operations. For specific privacy questions, please contact us at support@whyitfailed.fyi.